On Tuesday, November 22, 2016, the OCC, Federal Reserve and the FDIC a press release announcing an invitation of comments on an advance notice of proposed rulemaking (ANPR), regarding enhanced cyber risk management standards for large banks under their supervision.
These regulatory agencies hope to increase operational resilience and lower the probability of failure in the banks they supervise.
Here’s what you need to know:
• The ANPR was published in the Federal Register on October 26, 2016, and comments are due by January 17, 2017.
• The ANPR applies to:
o any national bank, federal savings association (and any subsidiaries thereof), or federal branch of a foreign bank that is a subsidiary of a bank holding company or savings and loan holding company with total consolidated assets of $50 billion or more;
o any national bank, federal savings association, or federal branch of a foreign bank that has total consolidated assets of $50 billion or more and does not have a parent holding company; and
o any third-party service provider with respect to services provided to any covered national bank or federal savings association (or any subsidiaries thereof).
• The ANPR is not applicable to community banks
• Banks regulated by the above-mentioned agencies are required to ensure that the services they receive from third-parties are conducted with the same standards that would apply if the bank conducted the operations itself—therefore, the proposed enhanced standards would apply to all operations, even those serviced by third-parties.