On December 11, 2012, the U.S. Senate passed House Bill 4014 (HR 4014) without amendment and sent it to the President for signature. HR 4014 is the long-awaited and much sought after legislation that amends the Federal Deposit Insurance Act (FDIA)1 in order to protect banks2 and non-banks3 that are subject to the Consumer Financial Protection Bureau’s (CFPB or Bureau) supervision and examination authority from unintended waiver or destruction of a privilege that they could have otherwise claimed as to third parties. And while there is cause to be somewhat comforted or alleviated even there are still some real risks and considerations that lie ahead as examined entities are asked to turn over their privileged documents and communications.

The CFPB itself is the impetus of some of the uncertainty that lies ahead as it continues to pursue Memorandums of Understanding with state regulators4 not covered under the FDIA, and has repeatedly professed policy statements that lack solid footing under the law.5 In fairness to the CFPB, however, the CFPB is in a bit of a quagmire. Concerning large banks, it is supposed to coordinate and share exam reports with the prudential regulators, though it has no responsibility for safety and soundness reviews.6 Concerning non-banks, some of which are regulated by state agencies, the CFPB is to conduct similar examinations.7 This raises all sorts of questions related to sharing information not answered by Dodd-Frank. HR 4014 answers some but not all of these questions, and privilege protection continues to be a source of consternation.

Below we explore HR 4014, its history and its intended benefits, as well as the murky waters that lie ahead and, what this means for banks and non-banks falling under the CFPB’s supervision and examination authority in days ahead.

The Skinny on HR 4014: Why it was needed and what it does.

To begin, we step back in time to January 2012 — the CFPB had just released its Bulletin 12-01 which was intended to provide guidance regarding the “confidentiality protections,” that its supervisory process would afford to supervised depository institutions with more than $10 billion in deposits, e.g. Section 1025 large banks, and their respective affiliates.8 In that Bulletin the CFPB, in almost a monarchial fashion, decreed that, “the provision of information to the Bureau pursuant to a supervisory request would not waive any privilege that may attach to such information.” The CFPB backed up its decree with a single district court decision, 9 a 1991 OCC interpretive letter,10 as well as the Dodd-Frank transference of authority provision as to Federal consumer financial law11 from the prudential regulators to the CFPB.

In the face of multiple Circuit Court decisions12 which found that voluntary disclosure to the government waived any applicable privilege, the CFPB’s back-up was hardly the clear legislative footing needed to provide comfort to depository institutions that they were not “voluntarily” disclosing privileged materials and thus, waiving privilege by turning records over to the CFPB. Nonetheless, in that Bulletin, the CFPB advised that, “it will not consider waiver concerns to be a valid basis for the withholding of privileged information .…” Even more, the CFPB, unlike its comparative prudential regulator counter-parts, did not propose in that Bulletin or in its Supervision and Examination Manual, that its examiners limit requests to situations where there was a clear “material risk.”13 The CFPB did, however, state that its policy was to seek information material to its supervisory objectives from non-privileged sources first, to limit the request for privileged materials, and it noted that it would take all reasonable steps to assist supervised institutions in rebutting any claims of waiver.

Bulletin 12-01 also included the CFPB’s position with regards to the sharing of confidential information with government agencies, even those not engaged in supervision. To that point, the CFPB stated that while it will not “routinely share” confidential supervisory information with those not engaged in supervision, its policy is to share with law enforcement, including states’ Attorneys General, in very limited circumstances. This policy on sharing raised a myriad of privilege, trade secret, and other disclosure concerns. At the end of the day, large banks were left with little to no assurance that their confidential records would not end up in the hands of third parties who had little to no accountability when it came to disclosure.

Fast forward a few months — the CFPB in March 2012 published notice and requested comment on its proposal to a rule addition concerning confidential treatment of privileged information submitted during the supervisory process.14 The stated intent was to afford the same protections that apply to the submission of privileged information to prudential regulators and State and foreign bank regulators.15 This rule proposal expanded Bulletin 12-01 with the addition of non-depository institutions that the CFPB supervises, but otherwise was a mere restatement of the monarchial non-waiver decree contained in the Bulletin.

The CFPB received twenty-six comment letters to the rule proposal, but to no avail. In the end, the CFPB professed again that it had the authority to issue a rule that would govern third parties’ claims of waiver.16 The Bureau also restated its policy on asking for privileged information as contained in the Bulletin, comparing its policy to that of the prudential regulators, and directly quoted its prior statement on sharing of information with other agencies and law enforcement.17

The rule on confidential treatment of privileged information, which became effective on August 6, 2012, did provide some comfort on the “voluntary” disclosure issue, but fears remained as the rule was footed in statutory language, e.g., the FDIA, that applied directly to prudential regulators but not explicitly to the CFPB. More than that, the intent of the CFPB to share confidential information with other agencies raised significant concerns of privilege waiver or worse yet, confidential records ending up in the hands of adverse litigants.

Simultaneous to the CFPB’s rule proposal, the Congress was busy working on legislation to address the privilege waiver concerns raised by the industry. Ultimately what passed the House on March 26, 2012 was HR 4014. United States Representative Huizenga of Michigan, the bill’s sponsor, recognized that Dodd-Frank failed to provide necessary privilege protections and introduced the bill in order to provide a real solution and protect information that depository and non-depository institutions may provide during an exam.18 Along that line, HR 4014 does several things — but primarily it amends 12 USC 1821(t)(2)(A) and 1828(x), (Section 11(t)(2)(A), and Section 18(x), respectively), of the FDIA, to insert the CFPB in order to afford privilege protections to “any person” submitting information to the CFPB in relation to the CFPB’s supervisory responsibilities.

More precisely, Section 18(x), the provision that traditionally has shielded privileged information provided by “any person” to any Federal banking agency, state bank supervisor, or foreign banking authority for any purpose in the supervisory or regulatory process was amended to include the CFPB. Section 11(t)(2)(A), the provision that allows a “covered agency” to share privileged information with another “covered agency”19 or other agency of the Federal government without waiving privilege was amended to include the CFPB. Thus, the result of HR 4014 is that “any person,”20 whether a depository or non-depository, can share privileged information with the CFPB within the context of the CFPB’s supervisory responsibilities and not be deemed to have voluntarily disclosed and waived any applicable attorney-client or work product privileges. The CFPB can also share that information with any other explicitly listed agency and not be deemed to have waived the privilege.

The Senate passed HR 4014 on December 11, 2012 without amendment and sent it to the President for signature.21

Present day, where does HR 4014 leave the CFPB’s supervised entities?

Despite HR 4014’s good intentions, a gaping hole remains that supervised entities need to be aware of. Specifically, Section 11(t), which protects information shared by and between a list of “covered agencies,” does not include State bank supervisors and State non-bank supervisors as “covered agencies.” Thus, if the CFPB shares information with these state agencies, as it has stated it will, then the concerns regarding waiver of privilege and possible disclosure of confidential documents to adverse litigants remain.

Notably, this hole exists independent of the creation of the CFPB — in other words, depository institutions who turned over privileged documents to federal banking agencies were subject to similar risks before, if their documents were turned over to a non-covered State agency or law enforcement. But the advent of the CFPB and the CFPB’s very clear policy statements on sharing information with State agencies and law enforcement bring this issue to the forefront.

Aware of this concern, the CFPB has sought to enter into a Memorandum of Understanding22 (MOU) with various State authorities . One stated purpose of this MOU is to “preserve the confidential nature of the information the parties share by and among themselves.”23 A few observations — this MOU raises all the same concerns the supervised entities had upon the release of Bulletin 12-01 discussed above. It is lacking in any solid statutory footing, like the FDIA. Consequently, if the CFPB does in fact share privileged and confidential information with State authorities, supervised entities are at a real risk of effectively waiving privilege and having their records produced to third parties, including adverse litigants.

A sure way to resolve this issue would be to legislatively limit who the CFPB can share with or list such germane State agencies in the FDIA, or a combination of the two. In the meantime, supervised entities should seek a commitment from the CFPB that it will not share its privileged information with State bank supervisors, State non-bank supervisors and/or law enforcement absent a court order compelling same. And even in that instance, an assurance from the CFPB that it will seek to have court ordered protections in place to prevent subsequent disclosure of the privileged information. Along that line, the CFPB should notify the supervised entity of when its been requested to share information so the supervised entity has an opportunity to respond and object if needed.

This Begs the Long-Standing Question Raised by the American Bar Association ("ABA"): Why Do the Regulators Even Need to Ask For Privileged Information?

HR 4014 provides some of the needed protection for privileged materials once produced to the CFPB, but does not address the threshold question whether the CFPB has authority to compel production in the first place. This is troubling given the importance of the attorney-client privilege and work product doctrine and the need for unfettered communication between attorney and client.24 No one doubts that. So how then does the CFPB assert authority to compel production?

This question was directly addressed by the ABA’s letter to CFPB dated April 12, 2012.25 While the letter urged the CFPB to pull down its proposed rule in favor of seeking legislation such as HR 4014, the letter emphasizes that preservation of the privilege is secondary to the primary question of whether the CFPB has authority to compel production. The ABA argues that neither Dodd-Frank nor any other Federal statute grants this authority.

It further argues that the fact that financial institutions have a history of cooperating with the prudential regulators is not a basis for claiming authority. Overall, “the ABA is not aware of any reported Federal appellate court case holding that the Federal banking regulators – or any other Federal agencies – can require production of privileged materials.”

Regrettably this question will not resolve itself quickly. This tug-of-war over privileged materials is apt to continue absent court rulings, legislation,26 executive order, or the adoption of reasonable agency policies.27

In conclusion…

It is true that HR 4014 is good news for supervised entities. But this piece of legislation does not resolve all the privilege issues. How murky the waters get in this area in days ahead will depend largely upon the CFPB’s policy regarding requesting privileged materials and sharing those materials. Supervised entities should remain vigilant and seek assurances as described above when providing privileged information.