CFPB Treatment of Confidential Supervisory Information: Comparative Analysis and Overlapping Jurisdiction of the Federal Banking Agencies
The Consumer Financial Protection Bureau (“CFPB”) recently released a compliance bulletin (the “CSI Bulletin”) reviewing the legal responsibilities of regulated entities relating to the sharing of certain CFPB-related confidential supervisory information (“CSI”).
The CSI Bulletin articulates standards familiar to insured depository institutions, which are subject to similar restrictions from their primary federal banking regulators on the sharing of CSI. Importantly, the CSI Bulletin highlights a significant issue for regulated entities that either (1) have possession, custody, or control over information deemed to be CSI of the CFPB, or (2) have entered into an NDA containing confidentiality provisions that conflict with CFPB regulation and policy. While the CFPB’s approach is similar to that of the prudential bank regulators, entities that have not been subject to comprehensive regulation may be unfamiliar with regulators’ expectations regarding the sharing of CSI. Nonbank entities supervised by the CFPB, including nonbank mortgage companies, debt collectors, credit reporting companies, payday lenders, and private education lenders, must be particularly vigilant about their disclosure and transfer of CSI to any person other than their directors, officers, employees, legal counsel, other authorized external service providers, or the CFPB. Entities already familiar with the CSI requirements imposed by the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“FRB”), or the Federal Deposit Insurance Corporation (“FDIC”) should also review the CSI Bulletin, as the scope of coverage and specific procedures for disclosing CSI vary by regulator.
To avoid potential issues with or action by the CFPB, which could include the possibility of civil money penalties, regulated entities should understand what information constitutes CSI and be aware of the applicable restrictions and disclosure requirements to ensure regulated entity practices conform with the CFPB’s expectations.
I. Key CSI Requirements
The CFPB, OCC, FRB, and FDIC each have similar, but not identical, requirements regarding the release of CSI related to the examination and supervision activities of entities subject to their jurisdiction.
Scope of CSI
CFPB CSI includes the following:
- CFPB reports of examination, inspection, and visitation, as well as CFPB non-public operating, condition, and compliance reports to the CFPB (including any information derived from those reports);
- Any documents prepared by, on behalf of, or for the use of the CFPB or any other federal, state, or foreign government agency in the exercise of supervisory authority over a regulated entity, and any information derived from such documents;
- Any communications between the CFPB or another government agency and a regulated entity related to CFPB supervision;
- Any information provided to the CFPB by an entity to enable the CFPB to monitor for consumer risks or to assess whether an entity should be considered a covered person; and
- Information that is exempt from disclosure pursuant to 5 U.S.C. §552(b)(8).
See 12 C.F.R. § 1070.2(i)(1).
“Non-public OCC information” includes the following:
- Any record created or obtained by the OCC or the OTS in connection with the performance of its responsibilities (e.g., records concerning supervision, licensing, regulation, and examination);
- Any record compiled by the OCC or the OTS in connection with either agency’s enforcement responsibilities;
- Any OCC or OTS report of examination, supervisory correspondence, investigatory files, or internal agency memorandum;
- Confidential OCC or OTS information obtained by a third party;
- Testimony from, or an interview with, an OCC or former OTS employee, officer, or agent; and
- Confidential information relating to operating and no longer operating regulated entities.
See 12 C.F.R. § 4.32(b).
FRB CSI includes the following:
- FRB reports of examination, inspection, and visitation, confidential operating and condition reports (including any information derived from those reports);
- Information gathered by the FRB in the course of any investigation, suspicious activity report, cease-and-desist orders, civil money penalty enforcement orders, suspension, removal or prohibition orders, or other orders or actions (subject to some exceptions); and
- Any documents prepared by, on behalf of, or for the use of the FRB, a Federal Reserve Bank, a federal or state supervisory agency or a bank, bank holding company, or other regulated entity.
See 12 C.F.R. § 261.2(c)(1).
FDIC CSI includes the following:
- Records that are contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of the FDIC or any agency responsible for the regulation or supervision of financial institutions.
See 12 C.F.R. § 309.5(g)(8).
Parties Authorized to Review or Receive CSI Without a Specific Request
CFPB CSI may be disclosed only to the following entities:
- Directors, officers, trustees, members, general partners, or employees of the regulated entity;
- Directors, officers, trustees, members, general partners, or employees of its affiliates;
- Certified public accountants, legal counsel, contractors, consultants, or other service providers; and
- Another person, with the prior written approval of the CFPB.
See 12 C.F.R. § 1070.42(b).
“Non-public OCC information” may be disclosed only to the following entities:
- Directors, officers, employees, or agents of the regulated entity;
- A parent holding company and its directors, officers, or employees;
- Persons or organizations officially connected with the regulated entity as an attorney, auditor, independent auditor, or consultant; and
- Other persons, with the prior written approval of the OCC.
See 12 C.F.R. § 4.37.
FRB CSI may be disclosed only to the following entities:
- Directors, officers, and employees of the regulated entity;
- A parent bank holding company or parent savings and loan holding company and its directors, officers, and employees;
- Certified public accountants and legal counsel; and
- Other persons, with the prior written approval of the FRB.
See 12 C.F.R. § 261.20.
FDIC CSI may be disclosed only to the following entities:
- Directors, officers, employees, or agents of the regulated entity who have a need for such records in the performance of their official duties;
- External auditors; and
- Other persons, with the prior written approval of the FDIC.
See 12 C.F.R. § 309.6.
Additional Regulatory Guidance
Non-disclosure agreements: A regulated entity may not enter into third-party NDAs that attempt to: (1) restrict the entity from sharing certain information with the CFPB; or (2) require the entity to advise a third party when it shares with the CFPB information subject to an NDA. The CFPB warns that these agreements do not alter or limit the CFPB’s supervisory authority or an entity’s obligations relating to CSI.
See CFPB, Compliance Bull. 2015-01 (Jan. 27, 2015).
Non-disclosure agreements: A regulated entity may not enter into third-party NDAs that attempt to: (1) restrict the entity from providing information to FRB supervisory staff; (2) require an entity, without the prior approval of the FRB, to disclose that any information will be or was provided to FRB supervisory staff; or (3) require or permit the entity to inform a counterparty of a current or upcoming FRB examination or any nonpublic FRB supervisory initiative or action.
See FRB, SR 07-19 (Dec. 13, 2007).
Copy and removal of CSI by directors and officers: It is a breach of fiduciary duty, and a violation of FDIC regulations, for directors and officers of a regulated entity to copy and remove CSI in anticipation of litigation or an enforcement action against that director or officer in his or her personal capacity.
See FDIC, FIL-14-2012 (Mar. 19, 2012).
Process for Making a Specific Disclosure Request
Entities seeking approval for CSI disclosures that are not specifically authorized by CFPB regulation must submit a written request to the CFPB Associate Director for Supervision, Enforcement, and Fair Lending at the following address: Consumer Financial Protection Bureau, 1700 G Street, NW, Washington, D.C. 20552. Requests are approved on a discretionary basis.
See 12 C.F.R. § 1070.42(b)(2)(ii).
Entities seeking approval for non-public OCC information disclosures that are not specifically authorized by OCC regulation must submit a written request to the Director of the OCC Litigation Division at the following address: Office of the Comptroller of the Currency, 400 7th Street, SW, Washington, D.C. 20219. Requests are approved on a discretionary basis.
See 12 C.F.R. § 4.34; 12 C.F.R. § 4.36.
Entities seeking approval for CSI disclosures that are not specifically authorized by FRB regulation must submit a written request to the FRB’s General Counsel at the following address: Legal Division, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW, Washington, D.C. 20551. Requests are approved on a discretionary basis.
See 12 C.F.R. § 261.20.
Entities seeking approval for CSI disclosures that are not specifically authorized by FDIC regulation must submit a written request to the Director of the FDIC's Division having primary authority over the records or information sought. Requests are approved on a discretionary basis.
See 12 C.F.R. § 309.6(a).
The CFPB supervises banks with more than $10 billion in assets, and certain nonbank financial entities including mortgage-related firms, private student lenders, payday lenders, and certain other large nonbank consumer financial entities, including debt collection agencies, debt relief firms, consumer finance and similar companies, prepaid card issuers, credit card products, credit reporting agencies, and mobile payment providers.
The OCC supervises national banks and federally chartered savings associations.
The FRB supervises bank holding companies and their nonbank subsidiaries, financial holding companies, savings and loan holding companies, any firm designated as systemically significant by the Financial Stability Oversight Council (“FSOC”), and state banks that are members of the Federal Reserve System.
The FDIC supervises federally insured depository institutions, including state banks and savings associations that are not members of the Federal Reserve System.
A. The CFPB
The CFPB’s recent CSI Bulletin reviews the existing legal framework for CFPB-regulated entities and articulates a new, and arguably more controversial, position regarding the treatment of CSI and third-party NDAs.
1. Scope of CFPB CSI
Compared to other regulatory agencies, the CFPB imposes a more extensive definition of what constitutes CSI upon its supervised entities. CFPB CSI includes all of the following:
- Reports of examination, inspection and visitation, non-public operating, condition and compliance reports, and any information contained in, derived from, or related to such reports;
- Any documents, including reports of examination, prepared by, on behalf of, or for the use of the CFPB or any other federal, state, or foreign government agency in the exercise of supervisory authority over a financial institution, and any information derived from such documents;
- Any communications between the CFPB and a regulated entity or a federal, state, or foreign government agency related to the CFPB’s supervision of the institution;
- Any information provided to the CFPB by a financial institution to enable the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered person, as that term is defined by 12 U.S.C. § 5481, or is subject to the CFPB’s supervisory authority; and
- Information that is exempt from disclosure pursuant to 5 U.S.C. § 552(b)(8).
The CFPB’s CSI Bulletin provides a “non-exhaustive” list of CSI examples, which includes CFPB examination reports and supervisory letters, all information contained in, derived from, or related to those documents (including an institution’s supervisory compliance rating), all communications between the CFPB and a regulated entity related to an examination of the institution or other supervisory activities, supervisory requests for information from the CFPB to the regulated entity, and the institution’s response, memoranda of understanding, and any related submissions and correspondence, and any other information created by the CFPB in the exercise of its supervisory authority (including workpapers and other documentation prepared by CFPB examiners in preparation for an examination).
Notwithstanding the CFPB’s broad reach, documents are not deemed CSI if they are prepared by a financial institution for its own business purposes and the documents are not in the possession of the CFPB.
2. CFPB Guidance Regarding NDAs
Addressing a matter that raises somewhat unique and challenging issues for formerly unregulated nonbank financial firms, the CSI Bulletin discusses the treatment of information subject to NDAs between regulated entities and third parties. The CFPB recognizes that some entities may have existing NDAs that are intended to prevent the institution from sharing certain information with a supervisory agency, or that require it to advise a third party when the institution provides certain information to a supervisory agency.
B. The OCC (National Banks and Federal Savings Associations)
In contrast, the OCC prohibits the unauthorized disclosure of CSI by national banks and federal savings associations.
There are several notable exceptions to the OCC’s general prohibition on the disclosure of CSI. For example, non-public OCC CSI can be released if it is published in “statistical material that does not disclose, either directly or when used in conjunction with other publicly available information, the affairs of any individual, corporation, or other entity.”
1. Scope of OCC CSI
Under OCC regulations, “non-public OCC information” encompasses OCC CSI and includes the following:
- Any record created or obtained “by the OCC in connection with the performance of its responsibilities, such as a record concerning supervision, licensing, regulation, and examination of a national bank, a federal savings association, a bank holding company, a savings and loan holding company, or an affiliate”;
- Any record compiled by the OCC or the OTS in connection with either agency’s enforcement responsibilities;
- Any report of examination, supervisory correspondence, investigatory file compiled by the OCC or OTS in connection with an investigation or internal agency memorandum, whether the information is in the possession of the OCC or some other individual or entity;
- Confidential OCC information obtained by a third party or otherwise incorporated in the records of a third party, including another government agency;
- Testimony from, or an interview with, a current or former OCC or OTS employee, officer, or agent concerning information acquired by that person in the course of his or her performance of official duties with the OCC or OTS or due to that person’s official status at the OCC or OTS; and
- Confidential information relating to operating and no longer operating national banks, federal savings associations, and savings and loan holding companies as well as their subsidiaries and affiliates.
OCC CSI does not include information that the OCC is required to release under the Freedom of Information Act or that the OCC has published or made available, including final orders and other agreements.
C. The Federal Reserve Board (Holding Companies, Nonbank Affiliates, and State Member Banks)
An entity regulated by the FRB that is in lawful possession of FRB CSI may only disclose such information to its own directors, officers, and employees, to its parent holding company or bank, or to the parent’s directors, officers, and employees.
1. Scope of FRB CSI
The FRB defines CSI to include “reports of examination, inspection and visitation, confidential operating and condition reports, and any information derived from, related to, or contained in such reports,” as well as “[i]nformation gathered by the [FRB] in the course of any investigation, suspicious activity report, cease-and-desist orders, civil money penalty enforcement orders, suspension, removal or prohibition orders, or other orders or actions.”
2. FRB Guidance Regarding NDAs
Similar to the CFPB, the FRB has issued guidance clarifying its expectations regarding NDAs between banking organizations and their counterparties or other third parties. Under that guidance, a banking organization may not enter into NDAs that attempt to:
- Restrict a banking organization from providing information to FRB supervisory staff;
- Require or permit, without the prior approval of the FRB, a banking organization to disclose to a counterparty that any information will be or was provided to FRB supervisory staff; or
- Require or permit, without the prior approval of the FRB, a banking organization to inform a counterparty of a current or upcoming FRB examination or any nonpublic FRB supervisory initiative or action.
D. The FDIC (State Nonmember Banks and State Savings Associations)
Finally, under the rules and regulations of the FDIC, so-called “exempt records” or any CSI contained in such records may not be released to “any persons other than those officers, directors, employees, or agents of the [FDIC] who have a need for such records in the performance of their official duties.”
1. Scope of FDIC CSI
Under the rules and regulations of the FDIC, “exempt records” include “[r]ecords that are contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of the FDIC or any agency responsible for the regulation or supervision of financial institutions.”
2. FDIC Guidance Regarding the Copying and Removal of CSI by Directors and Officers
The FDIC has also issued guidance regarding the copying and removal of CSI by directors and officers of FDIC-supervised entities. Specifically, the FDIC has observed a limited number of instances where directors and officers of troubled or failing entities have made copies of CSI and then removed such copies from the institution in anticipation of litigation or an enforcement action against them personally.
E. Potential Issues with Overlapping CSI Requirements and Supervisory Jurisdiction
As noted above, the CFPB takes the position that CFPB CSI includes any documents prepared by, on behalf of, or for the use of the CFPB or any other federal, state, or foreign government agency in the exercise of supervisory authority over a regulated entity, including other agencies’ reports of examination, and any information derived from such documents. Thus, it appears that the CFPB takes the view that documents or other information prepared by another supervisory authority that constitutes such other agency’s CSI also qualifies as CFPB CSI notwithstanding that such information is entirely and exclusively subject to a privilege that belongs to another agency and that only such other agency may waive. Moreover, it does not appear that the CFPB is asserting this broad authority based on a CFPB supervisory interest in the other agency’s CSI or that the CSI must be related to CFPB supervision (although this may be implied). Thus, this creates a difficult issue of overlapping CSI requirements and supervisory jurisdiction between the CFPB and a prudential regulator such as the OCC, FRB, or FDIC, all of which have strident views regarding the protection of CSI that arises from their own bank examination reporting privilege.
Accordingly, institutions and financial firms that find themselves in circumstances in which the CFPB is seeking to exercise some degree of authority to obtain CSI or control the disclosure of CSI that arises from supervisory information obtained from a prudential federal banking regulator would be wise to exercise a significant degree of caution in handling the situation. At a minimum, the regulated entity should ensure that the prudential regulator is fully engaged regarding the circumstances, and the regulated entity may even deem it appropriate to have a three-party conversation with both the prudential regulator and the CFPB in instances in which the CFPB seeks to assert its own privilege for the release of CSI jointly claimed by both regulators. This would be the case, for example, where a regulated entity seeks to release certain CSI of its prudential regulator that the CFPB seeks to block. Alternatively, circumstances could arise in which the CFPB seeks to release CSI that is claimed, in whole or in part, as the CSI of one of the prudential regulators without the CFPB obtaining the clear authorization or consent of the prudential regulatory agency to do so. For example, a particular point of concern and potential contention could be the handling of NDAs requiring or restricting the sharing of CSI jointly claimed by the CFPB and a prudential federal bank regulator. Again, a regulated entity should seek to facilitate an open dialogue with both regulators to avoid being placed in a difficult situation regarding the release of or restrictions on CSI, as well as the entity’s own use of CSI claimed by both regulators.
II. Action Plan
While the aforementioned policies and regulations regarding the handling of CSI are not new to banks and other traditionally regulated financial entities subject to federal oversight, the CFPB’s definition of CSI and the agency’s specific restraints on the dissemination of CSI to third parties may be unfamiliar to nonbank entities regulated by the CFPB. Similarly, while banks are familiar with the handling of CSI, new territory for banks created by the CFPB’s CSI Bulletin involves potential issues with overlapping CSI requirements and supervisory jurisdiction of the prudential federal banking regulators and the CFPB for jointly-claimed CSI. As the CSI Bulletin makes clear, the CFPB has placed a renewed emphasis on compliance with CSI disclosure prohibitions and procedures; thus, a real potential for confusion may emerge among both banks and nonbank financial firms with respect to the handling of CFPB CSI. While the CSI Bulletin technically serves as “nonbinding guidance” to banks, savings associations, and credit unions with assets over $10 billion, as well as other nonbank businesses subject to the CFPB’s jurisdiction (e.g., certain payday lenders, private education lenders, large consumer reporting agencies, debt collectors, student loan servicers, international remittance providers, and mortgage companies), noncompliance with any of the CSI-related regulations may constitute a “violation of law.” Thus, regulated entities facing these standards of confidentiality—or issues regarding overlapping CSI requirements—for the first time should take special care to review the applicable regulations and bring their practices into compliance, as well as reach out to their regulators or counsel, as appropriate, to seek clarification regarding how to handle various situations involving the disclosure or non-disclosure of CSI.
Based on the CSI Bulletin, there are a number of action items that banks and nonbank financial firms should consider when reviewing their internal controls and risk management procedures for CSI compliance. To avoid a formal supervisory action and the imposition of civil money penalties, regulated entities should, at a minimum, consider the following action items:
- Review and understand the types of information that constitute CSI for both their prudential federal banking regulator(s) and the CFPB, and the corresponding laws, rules, regulations, and available guidance related to the disclosure and non-disclosure of CSI to third parties;
- Review and analyze how the regulated entity currently manages CSI in its possession, custody, or control, how such information is maintained and categorized, and whether there are any gaps in compliance monitoring programs and procedures;
- Evaluate all persons with access to CSI at the regulated entity, and determine whether the level of access to CSI of each person is commensurate with their role, job function, and responsibility within the organization;
- Review and update, as appropriate, board of directors, management, and staff training regarding the handling, sharing, disclosure, and nondisclosure of CSI, including training that may be appropriate to highlight issues of overlapping jurisdiction between a prudential regulator and the CFPB;
- Review and revise existing policies, procedures, and internal controls in place to prevent the inadvertent sharing of CSI, including procedures for reporting to regulators if any CSI is inadvertently released; and
- Review all existing NDAs between the institution and third parties for any confidentiality provisions contrary to CFPB regulation and policy, as well as the requirements imposed on the sharing of CSI by a prudential bank regulator.
Regardless of the circumstances, if there is doubt regarding the handling of CSI, a regulated entity should seek appropriate guidance in assessing the disclosure requirements and risks of a particular course of action, as well as the extent to which such course of action could expose potential vulnerabilities in the entity’s policies, procedures, and internal controls regarding the handling of CSI.
* * * * *
Paul Hastings attorneys are actively working with clients to identify and address issues related to CSI disclosure and nondisclosure issues and potential CFPB investigations, as well as to assist clients in reviewing and maintaining robust compliance policies and programs with respect to the handling of CSI.