Without an announcement, the CFPB has proposed a rule that would expand its discretion to share confidential supervisory information (CSI) with state attorneys general and other agencies that do not have supervisory authority over companies.

The proposed rule, published yesterday in the Federal Register, would amend the CFPB’s information disclosure rules under 12 CFR 1070.43 to:

  1. Expand the agencies that can receive CSI from federal and state agencies to any “Agency” defined as a “Federal, State, or foreign governmental authority, or an entity exercising governmental authority” regardless of whether it has jurisdiction over the company whose CSI is shared.
  2. Lower the standard for disclosure of CSI from “having jurisdiction over [the] supervised financial institution” to disclosure if it is “relevant to the exercise of the Agency’s statutory or regulatory authority.”
  3. Replace the CFPB General Counsel as the person who decides whether to disclose CSI with the head of Supervision, Enforcement, and Fair Lending.

By the CFPB’s own admission in the proposal, these changes would eliminate the stricter standard for disclosing CSI and apply the more relaxed and subjective standard for non-supervisory confidential information.  The amendments mean that any agency (including local authorities such as the New York City Department of Consumer Affairs)—which doesn’t have jurisdiction over a company—could still receive the company’s CSI because it is “relevant” to the requesting agency’s authority.

The CFPB attempts to justify this radical and potentially far-reaching change by arguing that it has reached a “better” interpretation of Section 1022 of Dodd-Frank.  The proposed rule, however, deviates from the plain language in Section 1022:

“[T]he Bureau may, in its discretion, furnish to a prudential regulator or other agency having jurisdiction over a covered person or service provider any other report or other confidential supervisory information concerning such person examined by the Bureau under the authority of any other provision of Federal law.”

12 USC 5512(c)(6)(C)(ii) (Emphasis added).

The proposed rule, while alarming by itself, begs the question: Why does the CFPB want to expand its power to share CSI with state AGs and other agencies that don’t have supervisory authority, especially since the Bureau has been assuring companies that, under the current rules, such disclosures are rare?  The CFPB should answer this question and explain why highly sensitive, proprietary, and sometimes privileged CSI should be disclosed more widely and easily.  The proposed rule would affect supervised banks and non-banks alike.  We therefore urge industry stakeholders to submit comments by the deadline, which is October 24, 2016.