Yesterday, the CFPB issued CFPB Compliance Bulletin 2015-01 (“Bulletin 2015-01”). The purpose of the bulletin was two-fold. First, the CFPB reminded “supervised” financial and nonbank institutions that are in possession of confidential information, including Confidential Supervisory Information (“CSI”), that they may not disclose such information to third parties. Second, the CFPB warned these entities that any attempt to use a non-disclosure agreement (“NDA”) as a basis for not providing information to the CFPB is considered a violation of law.
CSI Broadly Defined
CSI is defined very broadly in the bulletin; the definition is excerpted below:
- Reports of examination, inspection and visitation, non-public operating, condition, and compliance reports, and any information contained in, derived from, or related to such reports;
- Any documents, including reports of examination, prepared by, or on behalf of, or for the use of the CFPB or any other Federal, State, or foreign government agency in the exercise of supervisory authority over a financial institution, and any supervision information derived from such documents; and
- Any communication between the CFPB and a supervised financial institution or a Federal, State, or foreign government agency related to the CFPB’s supervision of the institution;
- Any information provided to the CFPB by a financial institution to enable the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered person, as that term is defined by 12 U.S.C. § 5481, or is subject to the CFPB’s supervisory authority; and/or
- Information that is exempt from disclosure pursuant to 5 U.S.C. § 552(b)(8).
If a financial institution prepares documents for its own business purposes and does not give them to the CFPB, those documents will not constitute CSI. But if a financial institution does provide such documentation to the CFPB, then that documentation becomes CSI, and the institution will need to track what information it provides to the CFPB in order to ensure that it protects CSI in accordance with Bulletin 2015-01. Other kinds of information that cannot be disclosed include: (i) an institution’s supervisory compliance rating, (ii) any CFPB supervisory actions taken, and the memoranda of understanding used to document such supervisory actions. It is not clear what prompted this bulletin, but it is possible that supervised entities may be tempted to broadcast their supervisory compliance ratings after receiving a successful examination, which is not something the CFPB would look favorably on. The CFPB already publishes the results of its examinations in its Supervisory Highlights Report.
There are exceptions to this rule. CSI may be disclosed to a third party that is affiliated with the supervised entity; a director, officer, trustee, member, general partner or employee of a supervised entity, to the extent such disclosure is relevant to the performance of such individual’s assigned duties; or to a CPA, legal counsel, consultant or service provider. Permission to disclose can also be obtained by seeking prior written approval from the CFPB.
NDAs are No Excuse for Not Complying with CFPB Information Requests
What was more interesting to me were the sections of the bulletin which stated that “a supervised financial institution should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority.” Banks often enter into NDAs with service providers, partners and other companies that they may look to do business with, which restrict the bank’s ability to share proprietary or confidential information. These NDAs often require a company to inform the other party if the company must disclose any information that is subject to an NDA, including information disclosed to a regulatory agency. Bulletin 2015-01 makes clear that these NDAs do not limit the CFPB’s ability to obtain any information, including information that may be subject to an NDA. A company must disclose such information to the CFPB, even if it would be considered a breach of the NDA.
Moreover, because of the broad definition of CSI, if information is disclosed to the CFPB that is also subject to an NDA, this information is automatically considered CSI and subject to Bulletin 2015-01’s restrictions on CSI. An entity that discloses this information to the CFPB may risk “violating the law if it relies upon provisions of an NDA to justify disclosing CSI in a manner not otherwise permitted.” Many NDAs contain provisions requiring a party to let the other party know if confidential information may be disclosed, including giving the other party time to obtain a protective order or injunction to stop the release of such information. However, under Bulletin 2015-01, this may no longer be possible because the supervised entity may not be permitted to even disclose that the CFPB has requested such information. This may put some entities in a tough spot since they may need to choose between breaching an NDA or violating the CFPB’s bulletin. Banks and other supervised entities should look into revising their form NDAs to avoid such an outcome.