The CFPB issued a compliance bulletin setting forth its views that, with limited exceptions, persons in possession of confidential information, including confidential supervisory information, or CSI, may not disclose such information to third parties. The bulletin:

  • sets forth the definition of CSI;
  • provides examples of CSI;
  • highlights certain legal restrictions on the disclosure of CSI; and
  • explains that private confidentiality and non-disclosure agreements neither alter the legal restrictions on the disclosure of CSI nor impact the CFPB’s authority to obtain information from covered persons and service providers in the exercise of its supervisory authority.

Under the CFPB’s regulations, “confidential supervisory information” means:

  • reports of examination, inspection and visitation, non-public operating, condition, and compliance reports, and any information contained in, derived from, or related to such reports;
  • any documents, including reports of examination, prepared by, or on behalf of, or for the use of the CFPB or any other Federal, State, or foreign government agency in the exercise of supervisory authority over a financial institution, and any supervision information derived from such documents;
  • any communications between the CFPB and a supervised financial institution or a Federal, State, or foreign government agency related to the CFPB’s supervision of the institution;
  • any information provided to the CFPB by a financial institution to enable the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered person, as that term is defined by 12 § U.S.C. 5481, or is subject to the CFPB’s supervisory authority; and/or
  • information that is exempt from disclosure pursuant to 5 U.S.C. § 552(b)(8).11

CSI does not include documents prepared by a financial institution for its own business purposes and that the CFPB does not possess.

Examples of CSI include, but are not limited to:

  • CFPB examination reports and supervisory letters;
  • all information contained in, derived from, or related to those documents, including an institution’s supervisory compliance rating;
  • communications between the CFPB and the supervised financial institution related to the CFPB’s examination of the institution or other supervisory activities;
  • other information created by the CFPB in the exercise of its supervisory authority; and
  • any workpapers or other documentation that CFPB examiners have prepared in the course of an examination.

A supervised financial institution may disclose CSI of the CFPB lawfully in its possession to:

  • its affiliates;
  • its directors, officers, trustees, members, general partners, or employees, to the extent that the disclosure of such CSI is relevant to the performance of such individuals’ assigned duties;
  • the directors, officers, trustees, members, general partners, or employees of its affiliates, to the extent that the disclosure of such CSI is relevant to the performance of such individuals’ assigned duties; and
  • its certified public accountant, legal counsel, contractor, consultant, or service provider.