# Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
> **US Federal Reserve System** · Final rule. · Published 2021-11-23 · Effective 2022-04-01 · 86 FR 66424
## Document
- **Document number:** 2021-25510
- **Category:** final-rule
- **Agency:** US Federal Reserve System
- **Federal Register citation:** 86 FR 66424
- **CFR reference:** 12 CFR 53
- **Publication date:** 2021-11-23
- **Effective date:** 2022-04-01
- **Docket:** Docket ID OCC-2020-0038
## Abstract

The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any ``computer-security incident'' that rises to the level of a ``notification incident,'' as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

## Source
- [Federal Register document](https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank)
---
*AI Analytics · CC0 1.0*