In recent months, there has been a noted increase in the number of questions and conversations about the Bank Service Company Act (or "BSCA"). In this article, responses will be offered for several frequently asked questions, such as:
- What is the Bank Service Company Act?
- What is a "bank service company?"
- Why is this coming up now?
- What are financial institutions required to do for BSCA?
- Are there any BSCA tools which could help?
What is the Bank Service Company Act?
The BSCA is a regulation which establishes a set of rules regarding financial institution relationships with certain third-party service providers, AKA "bank service companies."
What is a "bank service company?"
According to the act, a "bank service company" is a service provider who provides one or more of the following services:
- check and deposit sorting and posting;
- computation and posting of interest and other credits and charges;
- preparation and mailing of checks, statements, notices, and similar items; or
- any other clerical, bookkeeping, accounting, statistical, or similar functions, including "data processing, internet banking, or mobile banking services," per FDIC FIL-19-2019.
In addition, the regulation states that the company must be solely owned by financial institutions.
However, section 1867(c) goes on to explain that any vendor which provides one of the services identified above may be subject to examination and the bank is expected to notify their primary federal regulator within 30 days of beginning a relationship with one of these vendors.
Why is this coming up now?
Increased emphasis is being placed on the BSCA now for three primary reasons:
- Financial institutions continue to rely on bank service companies for products and services which are critical to their operations.
- Financial institutions have not been consistent in notifying federal regulators of new bank service company relationships in accordance with the act.
- Incidents affecting bank service companies could cause significant damage to the greater financial sector.
Additionally, the FDIC, FRB, and OCC have published a new rule titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers. The rule requires bank service providers, subject to BSCA, to provide notification to "at least one bank-designated point of contact at each affected banking organization customer." To learn more about this new rule and how it applies to bank service companies, see our blog: The New Incident Notification Rule: What Banks Need to Know.
What are financial institutions required to do for BSCA?
The original BSCA requires financial institutions to notify their federal regulator, in writing, within 30 days of signing a contract or beginning service with a bank service company. The FDIC has developed a Notification of Performance of Bank Services form to assist with this notification.
To determine if you are complying:
- Review your vendor management processes to ensure there is a mechanism in place to identify bank service companies.
- Confirm notice was provided to your federal regulator of all relationships with bank service companies. If you find any gaps, use the form above to provide notice.
- Determine if any incident notification requirements need to be included in current or future contracts with bank service companies. Learn more in our blog on The New Incident Notification Rule.
Are there any BSCA tools which could help?
Yes, Tandem Vendor Management is designed to help financial institutions oversee their third-party service provider arrangements, in accordance with applicable guidance and regulations. Tandem offers several useful features for addressing the BSCA requirements, including:
- Compliance Categories to identify and label vendors as bank service companies.
- Required Documents to track which bank service companies were reported to federal regulators.
- Contract Review Templates to ensure agreements with third parties address incident notification requirements.
To see how Tandem Vendor Management can help you, learn more at Tandem.App/Vendor-Management-Software.
Update Log:
- 11/24/2021 and 01/31/2022 - This article was updated to include reference to the new Computer-Security Incident Notification rule.
- 02/01/2024: The Bank Service Company Act URL was updated from a source on the FFIEC's website to the official U.S. Code website.