On January 27, 2015, the Consumer Financial Protection Bureau (“CFPB”) issued a compliance bulletin reminding supervised financial institutions (including large depository institutions, credit unions and their affiliates, certain nonbanks, and service providers) of existing regulatory requirements regarding confidential supervisory information.  In this article we (i) explain the definition of confidential supervisory information; (ii) discuss exceptions to the non-disclosure rule; and (iii) offer tips for ensuring compliance.

Under the CFPB’s regulations, “confidential supervisory information” is broadly defined to include the following non-public documents: (i) reports of examination and inspections of a financial institution; (ii) documents prepared by, or on behalf of, or for the use of the CFPB or any other Federal, State, or foreign government agency in the exercise of supervisory authority over a financial institution; (iii) communications between the CFPB and a supervised financial institution or a Federal, State, or foreign government agency related to the CFPB’s supervision of the institution; and/or (iv) information provided to the CFPB by a financial institution to enable the CFPB to monitor potential risks to consumers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered person.  For example, any workpapers or other documentation prepared during a CFPB examination, any request for information by the CFPB and a supervised financial institution’s responses thereto, and supervisory action by the CFPB and any related submissions and correspondence would all be considered confidential supervisory information.

Confidential supervisory information may only be shared with: (i) a supervised financial institution’s affiliates; (ii) the officers, directors, and employees of a supervised financial institution (and/or its affiliates) if that information is relevant to those individual’s duties; and (iii) a supervised financial institution’s accountant, legal counsel, consultant, or service provider.  In all other instances, a supervised financial institution may only disclose confidential supervisory information to a third party upon the prior written approval of the Associate Director for Supervision, Enforcement and Fair Lending.

The bulletin clarifies that a non-disclosure agreement (“NDA”) with a third party does not alter the legal restrictions on the disclosure of confidential supervisory information.  Nor does an NDA impact the CFPB’s authority to obtain information from covered persons and service providers in the exercise of the CFPB’s supervisory authority.

To facilitate compliance with the confidentiality restrictions applicable to confidential supervisory information, a supervised financial institution should consider developing clear policies and procedures which: (i) ensure that all confidential supervisory information is appropriately labelled and segregated from regular business documents and records; (ii) establish safeguards to guarantee that only those with a legitimate need to review confidential supervisory information are given access to those materials; and (iii) develop a training regimen for employees on the categories of documents that qualify as confidential supervisory information, including instruction that the disclosure of confidential supervisory information to third parties is generally prohibited by the CFPB.