CFPB issues bulletin on treatment of confidential supervisory information
On Jan 27, 2015, the Consumer Financial Protection Bureau (CFPB or Bureau) issued Compliance Bulletin 2015-01, addressing the treatment of confidential supervisory information (CSI) by supervised entities. The bulletin was released "as a reminder that with limited exceptions, persons in possession of confidential information, including confidential supervisory information (CSI), may not disclose such information to third parties."
The bulletin defines CSI as:
- "Reports of examination, inspection and visitation, nonpublic operating, condition, and compliance reports, and any information contained in, derived from, or related to such reports;
- Any documents, including reports of examination, prepared by, or on behalf of, or for the use of the CFPB or any other Federal, State or foreign government agency in the exercise of supervisory authority over a financial institution, and any supervision information derived from such documents;
- Any communications between the CFPB and a supervised financial institution or a Federal, State, or foreign government agency related to the CFPB's supervision of the institution;
- Any information provided to the CFPB by a financial institution to enable the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered person, as that term is defined by 12 U.S.C. § 5481, or is subject to the CFPB's supervisory authority; and/or
- Information that is exempt from disclosure pursuant to 5 U.S.C. § 552(b)(8) [12 CFR 1070.2(i)]."1
It is important to note that CSI does not include documents, reports or other information that an institution prepares for its own use and that is not provided to the CFPB.
To help in understanding the definition of CSI, the bulletin provides many examples of CSI, including exam reports, supervisory letters and information related to them. Communications between the institution and the Bureau relating to an exam or supervisory activities are also considered CSI.
The general prohibition against sharing CSI is very broad, allowing the information to be shared only as required by law or only to employees, contractors or consultants of the CFPB if the information is relevant to that individual's duties. However, there are specific exceptions to the general prohibition. Under those exceptions, CSI may be disclosed to:
- Affiliates of the institution
- Directors, officers, trustees, members, general partners or employees of the institution or its affiliates, but only to the extent that the disclosure of such CSI is relevant to the performance of such individuals' assigned duties
- Certified public accountants, legal counsel, contractors, consultants or service providers of the institution
It is also possible, in certain circumstances and with prior written approval of the Associate Director for Supervision, Enforcement and Fair Lending, or his or her delegee (Associate Director), that CSI may be disclosed to other individuals. There are also limitations on how the recipient of the CSI may use it, and a requirement on the institution to take "reasonable steps as required in the regulations [12 CFR 1070.42(b)(3)(ii)] to ensure that the recipient complies with the rules governing CSI."
The bulletin also emphasizes that private confidentiality and nondisclosure agreements (NDAs) do not supersede federal legal requirements. Provisions in NDAs between institutions and third parties that attempt to restrict sharing information with a supervisory agency, or that require the institution to advise the third party when the information is shared with a supervisory agency, do not alter or limit the CFPB's supervisory authority or the financial institution's obligations relating to CSI. The bulletin cautions that an institution should not use an NDA "as the basis for failing to provide information sought pursuant to supervisory authority… Failure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies." To be in compliance with legal requirements, the institution should obtain the permission of the Associate Director before sharing CSI, and not rely on the provisions of the NDAs to support the disclosure of the information.
1 CFPB Compliance Bulletin 2015-01 (January 27, 2015)