In a new compliance bulletin (2015-01), the CFPB reminds supervised financial institutions, including nonbanks, of their obligations regarding the disclosure of confidential supervisory information (CSI).
The bulletin is intended to assist supervised entities in complying with the CFPB’s regulations governing the use and disclosure of CSI (12 CFR Part 1070). In the bulletin, the CFPB reviews the definition of CSI, which includes: reports of examinations, inspections and visitations; any documents, including examination reports, prepared by, or on behalf of, or for the use of the CFPB or any other federal, state or foreign government agency in the exercise of supervisory authority over a financial institution; any communications between the CFPB and a supervised entity or a federal, state, or foreign government agency related to the CFPB’s supervision of the entity; any information provided to the CFPB by a supervised entity to enable the CFPB to monitor for consumer risk in the offering or provision of consumer financial products or services or to assess whether an entity is a covered person or subject to CFPB supervisory authority; and information that is exempt from disclosure under certain provisions of FOIA.
The bulletin includes examples of what constitutes CSI, noting that it includes: any workpapers or other documentation that CFPB examiners have prepared in the course of an examination; supervisory information requests from the CFPB to a supervised entity and the entity’s responses; and CFPB supervisory actions such as MOUs between the CFPB and an entity, and related submissions and correspondence.
In the bulletin, the CFPB states the general rule that “supervised financial institutions and other persons in possession of CSI of the CFPB may not disclose such information” and reviews the exceptions to the general prohibition and requirements for disclosing CSI. Among the exceptions are ones permitting disclosure of CSI by a supervised entity to: its affiliates; directors, officers or employees of the supervised entity or its affiliates to the extent the disclosure of such CSI is relevant to the performance of such individuals’ assigned duties; and a supervised entity’s accountants, legal counsel, and other service providers.
Since the above portions of the bulletin largely review what is already contained in the CFPB’s regulations, it would seem that the most noteworthy aspect of the bulletin is its discussion of third-party non-disclosure agreements (NDAs) that purport to restrict a supervised entity from sharing certain information with a regulator or to require the entity to notify the third party when it shares information subject to the NDA with a regulator. (The bulletin’s discussion of NDAs was also highlighted in the CFPB’s press release.)
The CFPB states that the provisions of NDAs do not alter or limit the CFPB’s supervisory authority or the supervised entity’s obligations relating to CSI. It warns that a supervised entity “should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority” and that “[f]ailure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies.” The CFPB further warns that a supervised entity “may risk violating the law if it relies upon provisions of an NDA to justify disclosing CSI in a manner not otherwise permitted” and notes that any disclosure of CSI outside of the applicable exceptions would require prior written approval from the Associate Director of Supervision, Enforcement and Fair Lending.