State Model Language for Examining Technology Service Providers
MSL XX.010 TITLE – This Act may be cited as the [insert name of model law]
MSL XX.020 PURPOSE OF THIS ACT – The connections between banks and technology service providers create risks to the financial system, as banks are increasingly reliant on third parties to provide or enable key banking functions and everyday services. Because of the vital role technology service providers play in the safety and soundness of banks and the stability of the financial system, it is imperative for banking agencies to examine technology service providers. A significant disruption affecting a single technology service provider could have an adverse impact on a large number of banks; understanding the interconnectivity between banks and non-banks is crucial to avoiding such a situation. The purpose of this Act is to provide the requisite legal authority for banking agencies to examine technology service providers that provide services to banks.
MSL XX.030 DEFINITIONS - For purposes of this Act, the following definitions shall apply:
(A) Depository institution - The term “depository institution” has the same meaning as in section 3 of the Federal Deposit Insurance Act.
(B) Technology Service Provider – The term “technology service provider” means any person, company, corporation, or other legal entity that provides a service listed in MSL XX.040 to a depository institution.
MSL XX.040 EXAMINATION OF TECHNOLOGY SERVICE PROVIDERS
(A) Whenever a depository institution, or any subsidiary or affiliate of such depository institution that is subject to examination by the Commissioner, causes to be performed for itself, by contract or otherwise, any of the services listed in subsection (B),
(1) Such performance shall be subject to regulation and examination by the Commissioner to the same extent as if such services were being performed by the depository institution itself.
(B) - Covered Services
(1) Data processing services;
(2) activities that support financial services, including but not limited to, lending, funds transfer, fiduciary activities, trading activities, and deposit taking;
(3) internet related services, including but not limited to web services and electronic bill payments, mobile applications, system and software development and maintenance, and security monitoring; and
(4) activities related to the business of banking.
MSL XX.050 ACCEPTANCE OF EXAMINATIONS FROM OTHER EXAMINERS - The Commissioner may, in his discretion, accept examinations authorized or required to be conducted by this title, which are made by bank regulatory agencies, in lieu of any examination authorized or required under the laws of this state.
MSL XX.060 CONFIDENTIALITY OF TECHNOLOGY SERVICE PROVIDER EXAMINATION REPORTS
(A) Examination reports of technology service providers obtained by the Commissioner or the Department are confidential.
[Comment: The intent of this language is to indicate a preference that TSP examinations receive the same treatment as examinations of depository institutions under state law. Please modify as appropriate to conform to any applicable public records law requirements/terminology in your state.]
(B) Notwithstanding subsection (A), the Commissioner may furnish a copy of a report of any examination performed by the Commissioner of the condition and affairs of any technology service provider to the depository institutions serviced by the technology service provider.
MSL XX.070 OTHER PROVISIONS
(A) The Commissioner may enter into agreements with any depository institution supervisory agency that has concurrent jurisdiction over a Technology Service Provider to: (1) engage the services of the agency's examiners at a reasonable rate of compensation; or (2) provide the services of the Commissioner’s agency’s examiners to the agency at a reasonable rate of compensation.
(B) The Commissioner may take enforcement actions against the Technology Service Provider pursuant to [State Citation] if the Commissioner considers the actions to be necessary or appropriate to carry out its responsibilities under this chapter or to ensure compliance with the laws of the State.
(C) The Commissioner may enter into joint examinations or joint enforcement actions with other bank supervisory agencies having concurrent jurisdiction over a Technology Service Provider.