On January 28, 2015, the Consumer Financial Protection Bureau issued a bulletin warning financial institutions about entering into agreements with third parties that share or hide information related to regulatory exams, as well as warning entities under investigation about sharing information with third parties.
The bulletin is intended to assist supervised entities in complying with the CFPB’s regulations governing the use and disclosure of confidential supervisory information (CSI). In the bulletin, the CFPB reviews the definitions of CSI, which includes: reports of examinations, inspections and visitations; any documents, including examination reports, prepared by, or on behalf of, or for the use of the CFPB or any other federal, state or foreign government agency in the exercise of supervisory authority over a financial institution; any communications between the CFPB and a supervised entity or a federal, state, or foreign government agency related to the CFPB’s supervision of the entity; any information provided to the CFPB by a supervised entity to enable the CFPB to monitor for consumer risk in the offering or provision of consumer financial products or services or to assess whether an entity is a covered person or subject to CFPB supervisory authority; and information that is exempt from disclosure under certain provisions of FOIA. The CFPB then emphasizes the general rule that “supervised financial institutions and other persons in possession of CSI of the CFPB may not disclose such information.”
The CFPB also stated that it is “aware that some” entities may have executed contractual non-disclosure agreements with third parties that would otherwise require the entity being examined to notify the third-party of the contemplated disclosure of information or restrict the provision of information altogether. The CFPB explicitly noted that the advisory was not just for regulated banks but for non-banks “that may be unfamiliar with federal supervision” and existing requirements on confidential supervisory information. Nonetheless, the CFPB warned against institutions using non-disclosure agreements as a means to limit the agency’s ability to obtain information, with the CFPB stating that a supervised entity “should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority,” and that the “[f]ailure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies.”
This new bulletin should be understood as a clear warning to companies of the potential remedial action by the CFPB for the non-disclosure of information sought and/or the disclosure of CSI, and it should be carefully reviewed by any entity coming under investigation by the CFPB.