On January 27, 2015, the Consumer Financial Protection Bureau (“CFPB”) issued compliance bulletin 2015-01 (the “Bulletin”), reminding supervised financial institutions of existing regulatory requirements regarding confidential supervisory information. The Bulletin applies to entities under the jurisdiction of the CFPB, including large depository institutions, credit unions and their affiliates, certain nonbanks, and service providers. The Bulletin, which summarizes existing requirements, was issued primarily as a reminder that, with limited exceptions, “supervised financial institutions and other persons in possession of confidential supervisory information of the CFPB may not disclose such information.”

The Bulletin highlights the regulatory concerns related to the use of non-disclosure agreements (“NDAs”), which purport to restrict a third party’s use of confidential supervisory information. The Bulletin states that private NDAs neither alter the legal restrictions on the disclosure of confidential supervisory information nor impact the CFPB’s authority to obtain information from covered persons and service providers in the exercise of the CFPB’s supervisory authority. Specifically, the CFPB warns that a supervised entity is in violation of the law if it relies upon provisions of an NDA to justify disclosing confidential supervisory information in a manner not otherwise permitted. Any disclosure of confidential supervisory information outside the scope of applicable exceptions would require prior written approval from the Associate Director of Supervision, Enforcement and Fair Lending.

In addition, the Bulletin provides guidance to supervised financial institutions that are required to comply with the CFPB’s regulations governing the use and disclosure of confidential supervisory information under 12 CFR Part 1070. Specifically, it offers examples of the type of information that constitutes confidential supervisory information and the limited exceptions under which such information may be disclosed. Some of the more useful examples of confidential supervisory information include:

  • any workpapers or other documentation that CFPB examiners have prepared in the course of an examination;
  • supervisory information requests from the CFPB to a supervised entity and the entity’s responses; and
  • CFPB supervisory actions, such as Memoranda of Understanding (“MOUs”) between the CFPB and an entity, and related submissions and correspondence.

The Bulletin also describes certain exceptions to the general prohibition against disclosing confidential supervisory information to third parties, as set forth in 12 CFR Part 1070. A supervised financial institution may disclose confidential supervisory information of the CFPB lawfully in its possession to:

  • its affiliates;
  • its directors, officers, trustees, members, general partners, or employees, to the extent that the disclosure of such confidential supervisory information is relevant to the performance of such individuals’ assigned duties;
  • the directors, officers, trustees, members, general partners, or employees of its affiliates, to the extent that the disclosure of such confidential supervisory information is relevant to the performance of such individuals’ assigned duties;
  • its certified public accountant, legal counsel, contractor, consultant, or service provider; and
  • others, in certain instances, with the prior written approval of the Associate Director for Supervision, Enforcement and Fair Lending. 

A copy of the Bulletin is available here .