25 Feb Federal Regulatory Update
The Consumer Financial Protection Bureau (“CFPB”) issued a final rule, 78 Federal Register 11484 (the “Rule”), effective March 18, 2013, which establishes the CFPB’s rule regarding the confidential treatment of information obtained from persons in connection with the exercise of the CFPB’s authorities under federal consumer financial law. Subpart D of the Rule pertains to the protection and disclosure of confidential information that the CFPB generates and receives during the course of its work. This part of the Rule appears to be the most pertinent to mortgage lenders, and only it will be discussed in this memorandum.
The CFPB recognizes that much of the information it will generate and obtain during the course of its activities will be commercially, competitively, and personally sensitive in nature and generally warrants heightened protection. Notwithstanding these concerns, however, there are instances in which the disclosure of confidential information is necessary or appropriate for the CFPB to accomplish its statutory mission, such as the investigation and resolution of consumer complaints or the enforcement of federal consumer financial laws.
Subpart D balances these competing concerns by generally prohibiting the CFPB and its employees from disclosing confidential information to non-employees and even in certain cases its employees, except in certain limited circumstances.
Section 1070.41 of the Rule generally prohibits the disclosure of confidential information by the CFPB’s employees, former employees or other persons who possess the CFPB’s confidential information, to non-employees of the CFPB or to CFPB employees for whom the information is not relevant to the performance of their assigned duties. CFPB’s consultants and contractors must agree in writing to protect the confidentiality of any information which they may obtain.
That section of the Rule further provides that the CFPB is not precluded from disclosing materials that it derives from or creates using confidential information, provided that the materials do not identify, either directly or indirectly, any particular persons to whom the information pertains. This clarifies that the CFPB may create and publish reports, analyses and other materials derived from confidential information so long as the reports, analyses, or other materials do not identify the subject of the information or discuss the information in such a way that one could infer the identity of the person it concerns.
The CFPB is not permitted or authorized to voluntarily disclose confidential information that it obtains from other agencies in violation of its confidentiality agreements with the agencies, where applicable law otherwise authorizes (but does not require) the CFPB to disclose the information. These agreements would not and could not preclude the disclosure of confidential information where applicable law requires the CFPB to disclose it.
The CFPB is permitted to disclose confidential supervisory information that concerns a supervised financial institution or its service providers to that supervised institution, to its directors, officers, trustees, members, general partners, or employees, as well as to its affiliates and the directors, officers, trustees, members, general partners, or employees of the affiliate. A supervised financial institution is permitted to disclose confidential supervisory information that it lawfully receives from the CFPB to its directors, officers, trustees, members, general partners, or employees and to its affiliates and its affiliate’s directors, officers, trustees, members, general partners or employees to the extent that the disclosures are relevant to the performance of these individuals’ assigned duties.
A supervised financial institution or its affiliate may disclose confidential supervisory information that it lawfully receives from the CFPB to its certified public accountants, outside legal counsel, contractors, consultants, and service providers as well as, with the prior written authorization of the Associate Director for Supervision, Enforcement, and Fair Lending or his or her designee to other persons provided that the supervised financial institution or its affiliate takes reasonable steps to ensure that the recipients cannot, without the prior written approval of the Associate Director or his or her designee, utilize, make or retain copies of, or disclose confidential supervisory information for any purpose, except as is necessary to provide advice or services to the supervised financial institution or its affiliates.
The rule allows the Bureau to share examination reports as well as other reports, and confidential supervisory information with all federal and state agencies, including state attorneys general, that both do and do not regulate the covered persons or service providers to which the information pertains.
The CFPB’s policy is to share confidential supervisory information with law enforcement agencies, including state attorneys general, only in very limited circumstances upon review of all the relevant facts and information. The decision whether to provide confidential supervisory information to another agency will made by the CFPB’s General Counsel, in consultation with appropriate CFPB personnel.
The CFPB must share confidential consumer complaint information with agencies to the extent that they provide written certifications to the CFPB that they will maintain the information in confidence, including by maintaining it in a manner that conforms to the standards that apply to federal agencies for the protection of the confidentiality of personally identifiable information and for data security and integrity.
The CFPB requires a requesting agency to identify its legal authority to protect the requested documents from public disclosure. Agencies that seek access to confidential information must certify that they will keep that information confidential in addition to safeguarding it. The CFPB is to be notified immediately of any actual or suspected security breach involving confidential information, including any theft, loss, unauthorized disclosure or misuse of any confidential information that consists of personally-identifiable information.
The CFPB is allowed to alert other agencies of its discovery of evidence that may indicate violations of laws that are subject to the other agencies jurisdiction, and to the extent the CFPB deems it necessary to alert agencies of such evidence, to summarize evidence that constitutes confidential information.
The submission by any person of any information to the CFPB in the course of the CFPB’s supervisory or regulatory processes will not waive or otherwise affect any privilege such person may claim with respect to such information under federal or state law. The provision of confidential information to the CFPB, and the CFPB’s disclosure of such information to another agency does not waive legal privileges that otherwise protect the information from disclosure.