The Consumer Financial Protection Bureau just issued its first Compliance Bulletin of the year—CFPB Compliance Bulletin 2015-1—reminding financial institutions that it supervises about the proper treatment of confidential supervisory information.
“Confidential supervisory information” would include examination reports and any information derived from or related to those reports, as well as any communications between CFPB and a supervised financial institution. The reminder applies as well to another government agency’s communication that is related to CFPB’s supervision of the institution.
The term would also include any other documents prepared by, on behalf of, or for the use of CFPB or any other government agency in the exercise of supervisory authority over the institution. The institution’s response(s) to CFPB or any other regulatory agency would be included.
Obviously, the scope of “confidential supervisory information” is very broad.
What’s behind the reminder
CFPB is issuing the bulletin to make its supervised institutions aware of the general prohibition (with only limited exceptions) against disclosing any Confidential Supervisory Information to third parties.
The stated motive for the bulletin is that many of CFPB’s supervised institutions are new to the world of federal regulatory oversight and may not be familiar with the standards of confidential supervisory information that banks, credit unions, and savings associations are generally accustomed to.
Banks, credit unions and savings associations generally know well that it is forbidden to disclose or release the contents of or information relating to a regulatory examination.
Although the CFPB announcement did not indicate this, another motive might be that CFPB has found instances of confidential supervisory information being inappropriately disseminated beyond the boundaries of the regulator-regulatee relationship.
“Non-Disclosure Agreements” means exactly that
One item that CFPB highlighted in the Compliance Bulletin that goes beyond the normal scope of the examination report and related information is the non-disclosure agreement (NDA).
CFPB stressed in the Compliance Bulletin that a supervised financial institution that has entered into an NDA with a third party could risk violating the law if the institution tries to rely on the NDA to justify disclosing confidential supervisory information to a third party or to restrict disclosing information to CFPB.
NDAs are new territory that existing OCC, FDIC, and FRB regulations dealing with disclosure of confidential information don’t specifically address (yet).
Good reminder for us all
Apart from the focus on NDAs in the CFPB Compliance Bulletin, the reminder about not sharing confidential supervisory information with third parties warrants a refresher, even if your institution is not a CFPB-supervised organization.
OCC regulations affecting national banks, for example, allow a national bank or federal savings association to release non-public OCC information (such as examination report information) to a consultant as long as the consultant is under contract to provide services to the institution. Importantly, there must be a written agreement between the consultant and the institution whereby the consultant agrees to abide by the restrictions on dissemination of the information.
FDIC regulations for state non-member banks permit bank employees, directors, and their agents to review examination reports and related information only within the scope of their agency relationship (e.g., an auditor in connection with an audit of the bank or the bank’s attorney in connection with providing the bank with legal counsel).
Employees should be reminded about their obligation to protect confidential supervisory information, along with confidential customer information. We tend to focus more on the latter when training employees.
Key topics to review
It would be a good idea to take a look at:
• Scope of “confidential supervisory information”—it is more than just examination reports.
• Your contracts with consultants that may need access to examination report information or any “confidential supervisory information.”
• Controls over the security of Reports of Examination and related information: who in the institution maintains copies, where they are stored, and how secure they are.
• Employee training surrounding confidentiality of supervisory information.
• Current access to information in the institution: who has that access now, should they have access, etc.