US Agencies Finalize Rule on Security Incident Reporting
US Agencies decided to terminate the temporary supervisory and enforcement flexibility that was announced for the mortgage servicing rule in April 2020, amid the COVID-19 pandemic. These agencies are Board of Governors of the Federal Reserve System (FED), Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the state financial regulators. Additionally, FDIC, FED, and OCC approved a final rule that requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a notification incident. The final rule takes effect on April 01, 2022, with full compliance extended to May 01, 2022.
The final rule on security incident notification requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred. The rule defines computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. Notification is required for incidents that have materially affected—or are reasonably likely to materially affect—the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector. The final rule also requires a bank service provider to notify the affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.
With respect to the Joint Statement on mortgage servicing rules, in April 2020, the US Agencies (including CFPB, FDIC, FED, NCUA, OCC) had announced that, until further notice, they would not take supervisory or enforcement action against mortgage servicers for failing to meet certain timing requirements under the mortgage servicing rules as long as the servicers made good faith efforts to provide those required notices or disclosures and took the related actions within a reasonable period of time. More than 18 months have passed since issuance of the April 2020 Joint Statement. While the COVID-19 pandemic continues to affect consumers and mortgage servicers, the US Agencies believe the temporary flexibility described in the April 2020 Joint Statement is no longer necessary because servicers have had sufficient time to adjust their operations by, among other things, taking steps to work with consumers affected by the COVID-19 pandemic and developing more robust business continuity and remote work capabilities. The agencies will now apply their respective supervisory and enforcement authorities, where appropriate, to address any noncompliance or violations of the Regulation X mortgage servicing rules that occur after the date of issuance of this statement.
Related Links
- Statement on Mortgage Servicing Rule (PDF)
- Press Release on Security Incident Reporting
- FDIC Letter on Incident Reporting Rule
- Final Rule on Security Incident Reporting (PDF)
Effective Date: April 01, 2022 (Final Rule)
Keywords: Americas, US, Banking, Mortgage Servicing Rules, COVID-19, Cyber Risk, Lending, Incident Reporting, US Agencies
Related Articles
ISSB Sustainability Standards Expected to Become Global Baseline
The finalization of the two sustainability disclosure standards—IFRS S1 and IFRS S2—is expected to be a significant step forward in the harmonization of sustainability disclosures worldwide.
IOSCO, BIS, and FSB to Intensify Focus on Decentralized Finance
Decentralized finance (DeFi) is expected to increase in prominence, finding traction in use cases such as lending, trading, and investing, without the intermediation of traditional financial institutions.
BCBS Assesses NSFR and Large Exposures Rules in US
The Basel Committee on Banking Supervision (BCBS) published reports that assessed the overall implementation of the net stable funding ratio (NSFR) and the large exposures rules in the U.S.
Global Agencies Focus on ESG Data, Climate Litigation and Nature Risks
At the global level, supervisory efforts are increasingly focused on addressing climate risks via better quality data and innovative use of technologies such as generative artificial intelligence (AI) and blockchain.
ISSB Standards Shine Spotlight on Comparability of ESG Disclosures
The finalization of the IFRS sustainability disclosure standards in late June 2023 has brought to the forefront the themes of the harmonization of sustainability disclosures
EBA Issues Several Regulatory and Reporting Updates for Banks
The European Banking Authority (EBA) recently issued several regulatory publications impacting the banking sector.
BCBS Proposes to Revise Core Principles for Banking Supervision
The Basel Committee on Banking Supervision (BCBS) launched a consultation on revisions to the core principles for effective banking supervision, with the comment period ending on October 06, 2023.
US Proposes Final Basel Rules, Transition Period to Start in July 2025
The U.S. banking agencies (FDIC, FED, and OCC) recently proposed rules implementing the final Basel III reforms, also known as the Basel III Endgame.
FSB Report Outlines Next Steps for Climate Risk Roadmap
The Financial Stability Board (FSB) recently published the second annual progress report on the July 2021 roadmap to address climate-related financial risks.
EBA Plans on Ad-hoc ESG Data Collection and Climate Scenario Exercise
The recognition of climate change as a systemic risk to the global economy has further intensified regulatory and supervisory focus on monitoring of the environmental, social, and governance (ESG) risks.