Bank Service Company Act (BSCA)

We’re here to answer your questions. This is a resource for community banks and credit unions to find reliable and informed answers to IT, cybersecurity, and information security pain points and challenges.

Questions about the Bank Service Company Act (BSCA)

BSCA guidance is the “OG” of vendor management standards, and if you are not familiar with BSCA, consider this a primer for all FDIC-insured bank Information Security Officers, IT Managers or Compliance Officers.

63 years ago, only large regional banks had access to IT services. The Bank Service Company Act (BSCA) was enacted in 1962 to allow banks of all asset sizes to invest in bank service companies (BSCs) with one stipulation: Financial Institutions (FIs) were required to acknowledge a new third-party relationship or contract in writing to their primary regulator. FIs’ use of third-party technology service providers (TSPs) has continued to expand over the years; however, the formal acknowledgement of new technology services and of changes to TSPs to the FDIC regulatory agencies is commonly overlooked by bank personnel.

Examiners began observing gaps in contracts and in compliance with the BSCA amid the proliferation of Internet banking vendors and the adoption of, and changes to, TSP relationships. FDIC FIL-19-2019 was released in April 2019 in recognition of gaps that could negatively impact a bank’s resilience strategies (business continuity and incident response). This is especially important in today’s evolving FinTech environment. Many FinTechs are not aware of, or may not be willing to acknowledge, the operational standards necessary to conduct business with banks, including background checks for employees, project/change management policies, business continuity plans, and periodic tests of incident response plans. These are just a few of the standards that your bank should confirm are in place for any new TSP engagement.

Subsequent BSCA guidance has been enhanced to state that any FDIC-supervised institution that has services performed by a third party “shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first.” As defined in Section 3 of the Act, these services include “check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.” This includes managed security services, Internet Banking services, website hosting, etc.

Takeaways:

Ensure that the Project Management standards outlined in your board-approved written Information Security Program stipulate the filing of Form FDIC 6120/06 (3-97) with your FDIC Division of Supervision (DOS) Regional Office, or with your specific regulatory governing agency. Ensuring this standard is consistently addressed whenever a new or replacement TSP, or a new service from an existing TSP, is contracted will help regulators maintain a consistent, high-quality standard for mitigating risk and ensuring resiliency among TSPs across the financial services industry.
