On January 27, 2015, the Consumer Financial Protection Bureau (“CFPB”) issued a Compliance Bulletin 2015-1 (the “Bulletin”) reminding supervised financial institutions about regulatory requirements surrounding Confidential Supervisory Information (“CSI”), specifically the requirement to keep such information confidential. In the Bulletin, the CFPB offers examples of what constitutes CSI, including: (1) CFPB examination reports and supervisory letters; (2) information related to an institution’s supervisory rating, information, and communications; (3) communications between the supervised institution and the CFPB related to the CFPB’s supervisory activities; and (4) information created by the CFPB in the exercise of its supervisory authority. See CFPB Compliance Bulletin 2015-01 at 3. The CFPB explains that these categories encompass all workpapers, information requests, institution responses, and memoranda of understanding created during the course of the CFPB’s supervision of an institution, as well as oral communication. Id. at 3. Moreover, the Bulletin reminds supervised entities that they must obtain written approval by the Associate Director for Supervision, Enforcement, and Fair Lending prior to disclosing CSI to any party that is not a subject of the applicable exceptions contained in 12 C.F.R 1070.42(b).1 Of note, these exceptions do not include disclosure of CSI to other state or federal agencies.
In addition, the Bulletin aims to eliminate any doubt that the CFPB is entitled to information it requests in the course of examinations, regardless of measures taken by institutions to protect information from disclosure. The Bulletin, and press release, emphasize that non-disclosure agreements (“NDAs”) entered into between supervised entities and thirdparties that aim to restrict the information shared with the CFPB are ineffective. In fact, according to the CFPB, reliance on NDAs to justify an institution’s failure to provide information “is a violation of the law for which the CFPB will pursue all available remedies.” Id. at 5.
The Bulletin does not add new requirements for supervised institutions regarding CSI, but serves as a warning shot to entities subject to CFPB supervisory authority.