The CFPB quietly proposed a rule on August 24 that would amend the regulations concerning confidential supervisory information (CSI) and confidential investigative information (CII), as well as the Freedom of Information Act (FOIA). The proposal expands the CFPB's discretion to share information with other agencies, including state attorneys general, in ways that could put a broader swath of industry information at risk of disclosure.

CSI includes the reports, communications, and other documents obtained through CFPB exams, inspections, and other forms of inquiry conducted under the CFPB's supervisory authority, among other items. In general, supervised financial institutions and others in possession of CSI may not disclose such information. CSI remains the property of the CFPB, and disclosure may impair the CFPB's supervisory goals. CII includes information received or prepared by the CFPB relating to enforcement activities, such as civil investigative demands (CIDs) or notice and opportunity to respond and advise (NORA) letters.

Under Section 1022 of the Dodd-Frank Act, the CFPB "may, in its discretion, furnish to a prudential regulator or other agency having jurisdiction over a covered person or service provider any other report or other confidential supervisory information concerning such person examined by the [CFPB]," to the extent that the information is "relevant to the exercise of the [prudential regulator or other agency's] statutory or regulatory authority." The proposed rule would amend the regulation implementing Section 1022 (12 C.F.R. § 1070 et seq.) and interpret Section 1022 to provide fewer restrictions and a broader scope of information sharing – including CSI. The proposed rule would, among other things:

  1. Clarify the definition of CSI. The proposal would revise the definition of CSI to clarify that the term includes supervisory letters and similar documents as well as information derived from such documents that are provided to the supervisory financial institution for its confidential use only. To date, similar guidance has been provided only informally. Further, the CFPB clarifies that "market monitoring" activities and information should not be classified as CSI if they are not used for supervisory purposes. This clarification would give the CFPB more flexibility to use and disclose less-sensitive, non-confidential information.
  2. Narrow institutions' disclosure of information related to enforcement actions. The proposal would apply institution-focused disclosure restrictions similar to those imposed on CSI to CII. Recipients of CII would have the "same discretion" with respect to disclosing CII that they currently have for CSI (and would, presumably, be bound by the relevant parts of the CFPB's Treatment of Confidential Supervisory Information Bulletin).
  3. Relax disclosure standards. Currently, the CFPB may share CSI only with agencies "having jurisdiction over a supervised financial institution." The proposal would lower the standard for disclosure of CSI by removing the requirement that the recipient agency have jurisdiction over the subject of the CSI. Under the proposed revision, the CFPB could disclose any CSI that is "relevant to the exercise of the Agency's statutory or regulatory authority." In the proposal, the CFPB emphasizes how the prior rule was too burdensome on the CFPB and impaired its implementation and administration of federal consumer financial law.
  4. Broaden government access to CSI. The CFPB may currently share CSI only with federal or state agencies. The Bureau's proposal would increase the number of entities that can receive CSI by defining a new term, "Agency," which would include federal, state, or foreign government authorities, as well as entities exercising government authority. The proposal clarifies that entities exercising government authority include registration and disciplinary organizations, such as state bar associations.
  5. Replace the gatekeeper. Currently, the CFPB's general counsel decides whether to disclose CSI. The proposed rule would replace the general counsel with the CFPB's Associate Director for the Supervision, Enforcement, and Fair Lending Division. The change is designed to lead to increased efficiency, as the majority of access requests submitted to the CFPB involve work conducted by that Division.

In general, the proposed rule will involve greater costs to covered persons with regard to their confidential information. Broader sharing of information may create an increased risk of unintended disclosures and a loss of confidentiality. In addition, if the proposed rule is finalized, the CFPB will have greater discretion to release more information to more people and entities than before. The CFPB is accepting comments on the proposed rule until October 24, 2016.