On August 24, 2016, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) announced proposed amendments to its rules governing the disclosure by the CFPB, supervised financial institutions and others of “Confidential information,” including confidential supervisory information, confidential consumer complaint information, confidential investigative information, and other information exempt from disclosure under the Freedom of Information Act (“FOIA”).1 The proposed amendments also include changes to procedures for handling FOIA and Privacy Act disclosure requests. Comments on the proposal are due on or before October 24, 2016.

The CFPB’s proposed amendments highlight the increased attention paid to the regulatory requirement that banking organizations maintain the confidentiality of communications to and from supervisors, as well as the risks of violating these requirements. In August, the Federal Reserve fined a banking organization $36.3 million for the alleged improper receipt and use of confidential supervisory information.2

The Bureau’s proposed rule amendments modify the scope and coverage of the confidentiality requirements and alter circumstances in which disclosures of confidential information by the CFPB and others are permissible. While many of the amendments are clarifications of existing standards or technical drafting changes, there are several proposed modifications that would expand the CFPB’s authority to disclose confidential information to agencies that are not prudential supervisors and to certain non-governmental parties (such as state bar associations). The proposal also includes a new provision making it a regulatory violation if a financial institution does not report an unauthorized disclosure of confidential CFPB information. 


Shortly after the CFPB came into existence in July 2011, the agency issued interim final regulations governing the confidentiality of supervisory and other information.3 The regulations were issued pursuant to the CFPB’s general rulemaking authority, as well as under a specific directive in the Dodd-Frank Act that the CFPB issue rules “regarding the confidential treatment of information obtained from persons in connection with the exercise of its authorities under Federal consumer financial law.”4 The final rule was issued in February 2013.5

The CFPB’s Part 1070 confidentiality and disclosure regulations cover a broad range of situations, including the CFPB’s procedures for processing FOIA and Privacy Act disclosure requests, substantive requirements and procedures the CFPB must itself follow in disclosing information to third parties other than through FOIA and Privacy Act requests, and the obligations imposed on financial institutions and other third parties to maintain the confidentiality of what the CFPB defines as its “confidential information.”

The regulations define four categories of “confidential information”: confidential supervisory information (“CSI”); confidential investigative information; confidential consumer complaint information; and information that is otherwise exempt from disclosure under FOIA. “Confidential information” does not cover only documents and other information in the possession of the CFPB or that were created by the CFPB (such as examination reports). It also generally includes documents and other information that may have been created by the supervised institution (or a party that is involved in an investigation) that discuss, are derived from, or otherwise relate to communications with the CFPB. The CFPB (and the prudential banking supervisors that have similar, but not identical, regulations6) take the view that all such information is the “property” of the agency, rather than the institution.

The regulations have a significant impact on the relationship between the CFPB and institutions subject to its jurisdiction.7 The rationale for prohibiting the public disclosure of bank examination and other supervisory information is twofold: to promote candor in communications between bank regulators and supervised institutions; and to safeguard public confidence in the supervised institution involved.8 The regulatory prohibition on supervised institutions disclosing confidential supervisory information of their own volition and without agency approval is coupled with the related, but narrower, “bank examination privilege” that governs discovery of supervisory-type information in litigation. The bank examination privilege, though, is a qualified privilege that may be overcome on a showing of need or in other circumstances.9 In short, courts may order the disclosure of some information that the CFPB’s regulations prohibit the institution from disclosing voluntarily.

In addition, the CFPB reserves discretion to disclose confidential information to certain other parties, including law enforcement agencies and other regulators, as well as to use the information in its own enforcement actions, without necessarily providing notice to the submitter of the information. The CFPB’s existing Part 1070 regulations also include provisions for institutions to disclose supervisory information to specified parties without specific authorization from the CFPB (such as to certified public accountants, legal counsel, consultants and contractors), and procedures for institutions to obtain specific authorization to provide this information to others.


The CFPB’s rulemaking release proposes substantive and technical amendments to the existing confidentiality rules and solicits comments on all aspects of the proposed rule (presumably including provisions that have not yet been proposed for amendment). Several of the proposals are noteworthy:


Under the current regulation, the Bureau has discretion to provide confidential information to a Federal or State agency “to the extent that the disclosure of the information is relevant to the exercise of the agency’s statutory or regulatory authority, or, with respect to confidential supervisory information, to a Federal or State agency having jurisdiction over a supervised financial institution.”10 The proposed amendments would expand the definition of “agency” to include a “foreign governmental authority or an entity exercising governmental authority,” and not just a domestic government agency.11 The proposal also would permit the CFPB to release confidential supervisory information to another agency (as more broadly defined) “to the extent that the disclosure of the information is relevant to the exercise of the [agency’s] statutory or regulatory authority.”12 Importantly, the CFPB is proposing to provide confidential supervisory information (not just investigative information) to a range of governmental and quasigovernmental units, foreign and domestic, beyond those that have previously had access to supervisory information. These potential recipients of CFPB supervisory information include local consumer protection agencies.13

To reach these results, the CFPB revised its interpretation of Section 1022(c)(6)(C)(ii) of the Dodd-Frank Act.14 Previously, the Bureau took the view that this specific grant of authority to provide supervisory information only to agencies with jurisdiction over the entity meant that the Bureau was otherwise prohibited from discretionary releases of supervisory information, including to non-supervisory agencies. In the section-by-section analysis of the proposed amendments, the Bureau asserts that the statutory language is ambiguous, and that the specific section involved is permissive, rather than restrictive.15

The CFPB’s reference to state bar associations as potential recipients of confidential information is noteworthy because “an activity engaged in by an attorney as part of the practice of law” is generally excluded from the CFPB’s jurisdiction.16 Nevertheless, the CFPB has been active in bringing enforcement actions against attorneys, while asserting the exclusion did not apply in various circumstances, particularly debt collection.17 The Bureau may be concerned about situations where its investigations uncover evidence of misconduct by attorneys that is outside the CFPB’s statutory authority to take action against the attorneys. If its Proposal becomes final, the Bureau may provide the confidential information to the relevant state bar association. 


The existing regulation provides that “supervised financial institutions” (which are defined to include institutions that are “or may be subject to the CFPB’s supervision”) to which the CFPB provides confidential supervisory information may disclose that information to their affiliates, attorneys, CPA firms, consultants, and contractors without further approval. The existing regulation omits mention of confidential investigative information (such as civil investigative demands or a Notice and Opportunity to Respond and Advise (“NORA”)). The proposal amends the regulation to remedy this apparent oversight. The proposal also broadens the coverage of the regulation to include other persons besides supervised financial institutions because various entities may be subject to the CFPB’s enforcement jurisdiction or receive requests for information as third parties and thereby come into possession of confidential investigative information.

A recipient of confidential supervisory or confidential investigative information may not “utilize, make or retain copies of, or disclose [such] information for any purpose, except as is necessary to provide advice or services to the supervised financial institution or its affiliate.”18

The CFPB is also proposing to allow supervised financial institutions to provide confidential supervisory information or confidential investigative information to insurance providers, but only with respect to a claim for coverage under an existing policy.19 The authorization does not appear to extend to permitting the disclosure of confidential information to an insurance carrier for the purpose of underwriting Directors and Officers Liability or other coverage.20


The existing regulation states that the Bureau “shall” notify an institution of a Congressional request for confidential information that the institution has submitted to the CFPB. The proposed rule would amend this provision to state that the Bureau “may” notify an institution of such a request.21 Accordingly, under the proposed rule, an institution may not be aware that the CFPB is providing confidential information about the institution to Congress.


The CFPB is proposing a new section of its regulations making it an explicit requirement for “[a]ny person in possession of confidential information [to] immediately notify the CFPB upon the discovery of any disclosures made in violation of this subpart.”22 The section-by-section analysis accompanying the Proposal does not discuss this provision in detail. The CFPB may read this new prohibition as authorizing it to bring a federal court injunctive action and seek civil money penalties against any entity or individual who has received CFPB “confidential information” without proper authorization, regardless of whether that entity or individual is otherwise subject to the CFPB’s supervisory or enforcement jurisdiction.23

Although it is currently perceived to be a breach of regulatory protocol for a supervised institution not to make such a notification of an unauthorized disclosure, there is no explicit regulatory requirement for such a notification by a supervised institution, much less by a recipient of the confidential information (which could conceivably include the media). 


The confidentiality rules of financial institution supervisors were originally designed to promote a nonadversarial supervisory process and encourage candor between the supervisor and the supervised institution by precluding, as much as possible, the use of these communications in collateral matters such as private and other agency litigation. The proposed amendments may suggest, however, that the Bureau may be willing to share supervisory information and other confidential information with other state and federal (and even foreign) enforcement agencies more readily than bank supervisors have done historically.

The proposed rule introduces a provision requiring immediate notification to the Bureau when there has been an unauthorized disclosure. This is already a common practice when supervised institutions have made such a discovery; however, by making it a regulatory requirement, the Bureau creates the potential for punitive sanctions.