A regulation passed by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) in November 2021 has gone into effect as of May 1st, requiring all banks to report data breaches within 36 hours. This is a change from previous reporting regulations, such as the New York Department of Financial Services rule that requires incident notification within 72 hours. According to the 80-page draft regulation, banks are required to report within 36 hours of determining that a breach is serious and has a material adverse impact on operations. According to the guidance posted by the agencies, banks can seek clarification from the appropriate agency as to whether an incident should be reported.
FDIC Incident Reporting Information
FDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as a primary FDIC contact for supervisory-related matters, or to any member of an FDIC examination team if the incident occurs during an examination. If a bank is unable to access these supervisory team contacts, the bank may notify the FDIC by email at firstname.lastname@example.org.
Federal Reserve Incident Reporting Information
A banking organization whose primary federal regulator is the Board of Governors of the Federal Reserve System must inform the board about a notification incident by sending an email to email@example.com or by calling 866-364-0096.
OCC Incident Reporting Information
A bank is required to notify the OCC after it determines that the notification incident has occurred. To satisfy this requirement, the bank may email/call its supervisory office, submit a notification via the BankNet website or contact the BankNet Help Desk at BankNet@occ.treas.gov or by phone at 800-641-5925.