Share This Page

Effective Date: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.


Effective date: April 1, 2022;

Compliance date: May 1, 2022.

  • April 1, 2022
  • Time: All Day