On January 27, 2015, the Consumer Financial Protection Bureau (“CFPB”) issued Compliance Bulletin 2015-01 as a “reminder” of certain confidentiality and disclosure requirements related to CFPB examinations and investigations. Though the CFPB’s Bulletin did not cite examples of historic violations, those subject to the CFPB’s authority should assess their practices, particularly in litigation, with respect to the disclosure of information and be sensitive to the Bulletin’s message in doing so.
The Bulletin provides warnings of two types of potential violations. One type arises out of a financial institution’s obligations with respect to “confidential supervisory information (CSI).” Examples of CSI include but are not limited to:
- CFPB examination reports and supervisory letters;
- All information contained in, derived from, or related to those documents, including an institution’s supervisory Compliance rating;
- Communications between the CFPB and the supervised financial institution related to the CFPB’s examination of the institution or other supervisory activities; and
- Other information created by the CFPB in the exercise of its supervisory authority.
Specifically, according to the Bulletin, a supervised entity may commit a violation if it discloses CSI or other “confidential information” to a third party without CFPB consent. This is true even if the supervised entity enters into a non-disclosure agreement with a third party.
For entities involved in litigation, this presents a trap for the unwary. Discovery requests often seek communications with regulators, including the CFPB. In responding to that discovery, financial institutions need to examine closely exactly which communications and other information constitute or include CSI that should not be disclosed. This includes the fact that the CFPB has previously requested information from a particular institution and what information the CFPB requested.
The second type of potential violation relates to disclosure obligations to the CFPB of confidential information. According to the Bulletin, a financial institution cannot avoid disclosing information to the CFPB simply because that information is subject to a non-disclosure agreement with a third-party. Financial institutions will need to be more aware of their contractual relationships with third-party service providers, including, but not limited to, tax, insurance, flood, collection field call, or trustee vendors, loan servicers, credit reporting services, technology providers, contractual underwriters, appraisers, and even law firms, in light of disclosure obligations to the CFPB.