MPF Announcement 2023-21

MPF^® Program Guide Updates

The MPF Program has made the following updates:

Reporting on Security Incidents or Breaches

In order to align with recent regulator rulings, specificity has been added to the MPF Program Guide outlining the timing requirements when reporting a security incident or breach by PFIs and Servicers.

PFIs/Servicers must report any security incident/breach to the MPF Provider and MPF Bank which would also be required to be reported to a regulator. The report of the security incident must be provided within 48 hours after the PFI/Servicer determines that a cyber-attack/breach has occurred. The PFI/Servicer must ensure both they and their service providers comply with all state, federal and other regulatory requirements.   

Additionally, the PFI/Servicer must allow the MPF Bank an opportunity to first review any notifications to the borrowers which directly or indirectly identifying the MPF Bank.

The MPF Program Guide has been updated to incorporate these requirements. Refer to MPF Program Guide Section 6.1.1.