Federal Regulatory Update

CFPB Bulletin 2015-01 (dated January 27, 2015)


The Consumer Financial Protection Bureau (the “CFPB”) recently issued a bulletin addressing the treatment of confidential supervisory information (“CSI”) by persons in possession of such information.




The CFPB has supervisory authority over certain covered entities, including very large depository institutions, credit unions and their affiliates, certain nonbanks, and service providers (collectively “supervised financial institutions”).  Many supervised financial institutions became subject to federal supervision for the first time under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”).


Pursuant to authority granted under the Dodd-Frank Act, the CFPB has issued regulations that govern the use and disclosure of CSI.  The CFPB expects all supervised financial institutions to know and comply with the regulations governing CSI, and provides the following guidance to assist with such compliance.


Definition of CSI


Under the CFPB’s regulations, “confidential supervisory information” means:

  • Reports of examination, inspection and visitation, non-public operation, condition, and compliance reports, and any information contained in, derived from, or related to such reports;
  • Any documents, including reports of examination, prepared by, or on behalf of, or for the use of the CFPB or any other federal, state, or foreign government agency in the exercise of supervisory authority over a financial institution, and any supervision information derived from such documents;
  • Any communication between the CFPB and a supervised financial institution or a federal, state, or foreign government agency related to the CFPB’s supervision of the institution;
  • Any information provided to the CFPB by a financial institution to enable the CFPB to monitor for risks to borrowers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered entity, or is subject to the CFPB’s supervisory authority; and/or
  • Information that is exempt from disclosure.


CSI does include documents prepared by a financial institution for its own business purposes and that the CFPB does not possess.


Examples of CSI


Supervised financial institutions and other entities that may come into possession of CSI should understand what constitutes CSI in order to comply with the applicable rules. Examples of CSI include, but are not limited to:

  • CFPB examination reports and supervisory letters;
  • All information contained in, derived from, or related to those documents, including an institution’s supervisory compliance rating;
  • Communications between the CFPB and the supervised financial institution related to the CFPB’s examination of the institution or other supervisory activities; and
  • Other information created by the CFPB in the exercise of its supervisory authority.


Accordingly, CSI includes any workpapers or other documentation that CFPB examiners have prepared in the course of an examination.  CSI also includes supervisory information requests from the CFPB to a supervised financial institution, along with the institution’s responses.  In addition, any CFPB supervisory actions, such as memoranda of understanding between the CFPB and an institution, and related submissions and correspondence, are CSI.


Disclosure of Confidential Information Generally Prohibited


Subject to limited exceptions, supervised financial institutions and other entities in possession of CSI of the CFPB may not disclose such information.


Exceptions to General Prohibition on Disclosure of CSI


There are certain exceptions to the general prohibition against disclosing CSI to third parties. A supervised financial institution may disclose CSI of the CFPB lawfully in its possession to:

  • Its affiliates;
  • Its directors, officers, trustees, members, general partners, or employees, to the extent that the disclosure of such CSI is relevant to the performance of such individuals’ assigned duties;
  • The directors, officers, trustees, members, general partners, or employees of its affiliates, to the extent the disclosure of such CSI is relevant to the performance of such individuals’ assigned duties; and
  • Its certified public accountant, legal counsel, contractor, consultant, or service provider.


Supervised financial institutions may also in certain instances disclose CSI to others with the prior written approval of the Associate Director of Supervision, Enforcement, and Fair Lending, or his or her designee (“Associate Director”).  The recipient of the CSI must not, without the prior written approval of the Associate Director, utilize, make, or retain copies of, or disclose CSI for any purpose, except as is necessary to provide advice or services to the supervised financial institution or its affiliate.  Moreover, any supervised financial institution or affiliate disclosing CSI must take reasonable steps to ensure that the recipient complies with the rules governing CSI.


Confidential information made available by the CFPB remains the property of the CFPB. There are other important requirements relating to the disclosure of confidential information, including disclosure pursuant to third-party legally enforceable demands, such as subpoenas or Freedom of Information Act requests.  Among a number of other requirements, a recipient of a demand for confidential information must inform the CFPB’s General Counsel of the demand.


NDAs Do Not Supersede Federal Legal Requirements


The CFPB recognizes that some supervised financial institutions may have entered into third-party non-disclosure agreements (“NDAs”) that, in part, purport to (1) restrict the supervised financial institution from sharing certain information with a supervisory agency, and/or (2) require the supervised institution to advise the third party when the institution shares with a supervisory agency information subject to the NDA.  However, such provisions in NDAs between supervised financial institutions and third parties do not alter or limit the CFPB’s supervisory authority or the supervised financial institution’s obligations relating to CSI.


A supervised financial institution should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority.  The CFPB has the authority to require supervised financial institutions and certain other persons to provide it with reports and other information to conduct supervisory activities, pursuant to the Dodd-Frank Act. Failure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies.


In addition, a supervised financial institution may risk violating the law if it relies upon provisions of an NDA to justify disclosing CSI in any manner not otherwise permitted.  As provided above, any disclosure of CSI outside of the applicable exceptions would require the prior written approval of the Associate Director.


Supervised financial institutions should contact appropriate CFPB supervisory personnel with any questions regarding this Bulletin.