OCC Bulletin 2016-41 | November 22, 2016

Enhanced Cyber Risk Management Standards: Advance Notice of Proposed Rulemaking


Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties


The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) are inviting comment on an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards (enhanced standards) for large and interconnected entities under their supervision.

The agencies are considering establishing enhanced standards to increase the operational resilience of a covered entity, lower the probability of a covered entity's failure or inability to serve as a financial intermediary, and reduce the potential impact on the financial system of a cyber event affecting a covered entity.

The ANPR was published in the Federal Register on October 26, 2016, and comments are due by January 17, 2017.

Note for Community Banks

The ANPR is not applicable to community banks.


The ANPR describes potential enhanced standards that are divided into five general categories: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

The ANPR applies to:

  • any national bank, federal savings association (and any subsidiaries thereof), or federal branch of a foreign bank that is a subsidiary of a bank holding company or savings and loan holding company with total consolidated assets of $50 billion or more;
  • any national bank, federal savings association, or federal branch of a foreign bank that has total consolidated assets of $50 billion or more and does not have a parent holding company; and
  • any third-party service provider with respect to services provided to any covered national bank or federal savings association (or any subsidiaries thereof).

The proposed standards in the ANPR would be implemented in a tiered manner, imposing more stringent standards on the systems of covered entities that are critical to the functioning of the financial sector.


As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may impact the safety and soundness not only of that entity but also of other financial entities with potentially systemic consequences. Third parties that provide payment processing, core banking, and other financial technology services to these participants in the financial sector also provide services that are vital to the financial sector as a whole.

In response to the expanding cyber risks, the agencies are considering establishing enhanced standards for the largest and most interconnected entities under their supervision. A covered entity is required to ensure that the services it receives from a third party are conducted consistent with the same standards that would apply if the covered entity conducted the operations itself. Thus, the enhanced standards would apply to all the operations of a covered entity regardless of whether the covered entity conducts an operation itself or through a third party.

Further Information

Please contact Bethany Dugan, Deputy Comptroller for Operational Risk, at (202) 649-6550; or Carl Kaminski, Special Counsel, Beth Knickerbocker, Counsel, or Rima Kundnani, Attorney, Legislative and Regulatory Activities Division, at (202) 649-5490.


Amy S. Friend
Senior Deputy Comptroller and Chief Counsel
