TCH submitted a comment letter in response to the notice of proposed rulemaking issued by the Federal Reserve Board, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation (collectively, the “Agencies”) regarding computer-security incident notification requirements for banking organizations and their bank service providers. TCH takes seriously and has consistently fulfilled its responsibility as a payment system operator to provide timely information to its participants about operational incidents that impact them. In its letter, TCH notes that the Agencies significantly underestimated the impact of the proposal to bank service providers and their bank customers. TCH respectfully suggests that the purpose of the proposed rulemaking is already met by existing practices of financial market utilities (FMUs) such as TCH. If, in the alternative, there is a regulatory mandate for FMUs to provide certain notices, such notices should be provided to their primary federal regulator for actual and material operational incidents. Finally, Federal Reserve Banks should be held to the same notification standards as private sector FMUs with respect to all Federal Reserve financial services.
To read the full comment letter click here.