United States: CFPB Makes The Case For Supervisory Examination Privilege

In the Consumer Financial Protection Bureau's ("CFPB") first official release of the year, CFPB Bulletin 12-01, the agency addresses the treatment and scope of confidentiality protections accorded information collected from supervised institutions through the CFPB's supervisory process.¹ Bulletin 12-01 addresses two specific parts of the CFPB's policy on confidential information.² First, it states that institutions providing privileged information to the CFPB pursuant to a supervisory request will not waive any privilege that attaches to such information. Second, the bulletin indicates the CFPB will treat information obtained through the supervisory process as confidential and privileged. Further, the agency notes that it will only disclose such information to prudential and state regulators, when necessary and/or appropriate, and to law enforcement agencies, only where justified, as determined by the CFPB.

Bulletin 12-01 attempts to resolve the issue regarding the CFPB's lack of a statutory examination privilege such as that provided to the federal banking agencies ("FBAs") in § 18(x) of the Federal Deposit Insurance Act ("FDIA").³ The bulletin provides considerable legal support for why the same or a similar privilege applies to supervisory information provided to the CFPB, including that the privilege carried over with the transfer of oversight to the CFPB of large banks' consumer financial compliance activities. The analysis, however, highlights the absence of the same statutory protection that the FBAs felt compelled to pursue for many years leading up to enactment of FDIA § 18(x) in § 607 of the Financial Services Regulatory Relief Act of 2006 ("FSRRA"). Section 607 was carefully crafted and inserted into the FSRRA to avoid the possibility that a last-minute exclusion from the pending law would be viewed by a court as evidence that the privilege articulated in existing case law was flawed. At the same time, FSSRA § 607 was important to the FBAs because several courts had already weakened or undermined the existing common law examination privilege. This was why the FBAs risked pushing the legislative fix in order to have a clear statutory protection that could not be challenged or further watered down.

This provides an important backdrop to Bulletin 12-01. Certainly, the history leading up to FSRRA § 607 suggests that supervised institutions that are required to disclose privileged information to the CFPB should be mindful of the issues and potential risks in doing so. Notwithstanding the CFPB's assertion that it has the same authority and legal protections in place as the FBAs to receive privileged information without effecting a waiver of the privilege, supervised institutions should heed the CFPB's suggestion in Bulletin 12-01 to memorialize privilege claims and/or request limits to the form and scope of any supervisory request for privileged information where it is important or appropriate to do so. In particular, supervised institutions should consider consulting counsel prior to disclosing privileged information that raises potential issues or increased risk to the institution.

CFPB Treatment of Confidential Supervisory Information

In Bulletin 12-01, the CFPB notes that it will treat information obtained during the supervisory process as confidential and privileged, consistent with the policies of other prudential regulators.⁴ Further, the CFPB guidance indicates that the agency will treat such information as exempt from disclosure under the Freedom of Information Act, and will not routinely share such information with government agencies not engaged in supervision. However, the CFPB indicates that it will share a supervised institution's confidential supervisory information with other prudential (federal) regulators and state regulators that share supervisory jurisdiction over the institution with the CFPB. When confidential supervisory information is shared with another federal or state agency, the CFPB maintains that such information remains the property of the CFPB and may not be further disclosed or shared by the recipient with the CFPB's permission.

Of particular note is the discussion on the sharing of confidential supervisory information with law enforcement agencies, such as State Attorneys General. Bulletin 12-01 provides that the CFPB will share confidential information in these situations "except where required by law,"⁵ "only in very limited circumstances and upon review of all the relevant facts and considerations." The decision to share, made by the CFPB General Counsel "in consultation with appropriate Bureau personnel," will depend on the significance of the law enforcement interest at stake. Most striking is that "even the furtherance of a significant law enforcement interest will not always be sufficient." The CFPB notes that it may decline to share confidential supervisory information with law enforcement based on other considerations, such as "the integrity of the supervisory process and the importance of preserving the confidentiality of such information."

Protection of Privileged Information

Pursuant to Bulletin 12-01, when a supervised institution provides privileged information to the CFPB in connection with the agency's exercise of its supervisory and examination authority, such information retains any applicable privilege. As noted above, the agency views such information as the property of the CFPB and, in connection with any further sharing of such information by the recipient, will not waive any privilege attached to the information at the time the CFPB received it. In this regard, the CFPB notes that because the provision of such information is required and not voluntary, there is no waiver of privilege. Thus, the agency states that it will not consider valid any attempt by an institution to withhold requested supervisory information based on a waiver of privilege concerns.

Bolstering its view with respect to the retention of an existing privilege, the CFPB notes that because "Congress intended the Bureau's examination authority to be equivalent to that of the prudential regulators," the same statutory provision that grants prudential regulators the authority to receive privileged information from their supervised entities without there being a waiver of privilege, FDIA § 18(x), applies to the CFPB. The CFPB reaches this conclusion by noting that, in inheriting the prudential regulators' examination authority with respect to compliance with federal consumer financial laws for supervised institutions, it was granted "all powers and duties" vested in the prudential regulators related to examination authority. One of the powers is the ability and authority to receive privileged information without affecting a waiver. As noted above, however, FDIA § 18(x) applies to the FBAs, and does not include the CFPB. For the very reason that the FBAs and NCUA sought enactment of FSRRA § 607 to provide certainty and clarity to the privilege, the CFPB is at a disadvantage by not being extended the same statutory privilege protection in the Dodd-Frank Act.

Notwithstanding the arguments for why FDIA § 18(x) should apply to the CFPB, the fact remains that the language of the statute does not specifically do so, and the definition of entities considered a "federal banking agency" under the FDIA is explicit.⁶ Further, assuming the FBAs' existing FDIA § 18(x) authority over insured depository institutions did transfer to the CFPB, the FBAs have no jurisdiction over nonbank financial institutions (other than insured depository institution affiliates, subsidiaries and service providers) that could have transferred over to the CFPB. Thus, while the literal language of FDIA § 18(x) appears broad enough to accommodate nonbank financial firms, the provision of confidential information by such firms outside of the regulated banking industry context was not contemplated when FDIA § 18(x) was enacted. While an argument can be made supporting the CFPB's analysis that it inherited the protections of FDIA § 18(x), the CFPB is in a similar place as the FBAs prior to enactment of FSRRA § 607. While consistent with Congress's goals and intent in creating the agency, the best solution is to amend FDIA § 18(x) to include the CFPB, as is currently being considered.⁷ This is the only effective manner to protect against a waiver when privileged information is disclosed to the CFPB, and it appears to be in the best interest of all affected parties to do so.

Implications for Supervised Institutions

Until a legislative solution is achieved to resolve the status of privileged information disclosed to the CFPB, supervised institutions that receive a request from the CFPB for privileged information as part of the supervisory process should take several steps to protect such information. First, as suggested by the CFPB, the institution should request the CFPB to limit the form and scope of any supervisory request for privileged information. Second, the institution should explicitly note any claim to privileged information in its response to the CFPB. In particular, institutions should clearly designate all privileged documents as such on the face of any such documents conveyed to the CFPB. Finally, institutions should consult with counsel before disclosing anything to the CFPB that might be privileged. While a legislative solution to this problem will hopefully be reached soon, until then, supervised institutions should work with the agency to take the steps necessary to protect privileged information being provided in response to a supervisory request from the CFPB.

Action Plan – Establish Document Review Procedures and Work with the CFPB to Address Issues

Bulletin 12-01 raises important and difficult issues for supervised institutions required to submit confidential supervisory information to the CFPB that is also privileged information. The bulletin raises numerous questions regarding the extent of protections that will continue to attach to such information shared with the CFPB and whether a court could find that a supervised institution waived a privilege by sharing such information with the CFPB. While existing case law favors the view that the CFPB has articulated in Bulletin 12-01, the lack of the same statutory protections afforded the FBAs provides some uncertainty, particularly for nonbank financial firms providing information to the CFPB. It is important for all institutions impacted by Bulletin 12-01 to understand how its terms will apply to their existing operations, and to take appropriate steps to implement document review policies and procedures to minimize potential risks. In this regard, institutions should work with counsel and the CFPB to minimize uncertainty regarding the protection of existing privileges for documents required to be provided to the agency.

In particular, supervised institutions should undertake a comprehensive review of their existing document review procedures and supervisory compliance mechanisms to understand how information is or will be shared with the CFPB and to assess the risks presented by existing protocols. As suggested by the CFPB, institutions should proactively work with the CFPB to minimize such risks. The following steps are important to protect your institution:

• Conduct a general assessment of the potential operational, compliance, legal and other risks to your organization arising from the sharing of confidential supervisory information with the CFPB, and fully understand the implications for your institution regarding the sharing of any privileged information;
• Identify all potential sources of supervisory information within the institution, and existing policies and procedures with respect to controls imposed on the sharing of such information;
• Determine the steps taken in providing confidential supervisory information to the CFPB or another regulator, including requirements for the protection of the confidentiality and any privileges that attach to such information;
• Initiate discussions with legal advisors and consultants to determine what steps you should take to address potential weaknesses in your regulatory information sharing and compliance program, and to minimize risks regarding the sharing of confidential supervisory information subject to a privilege;
• Identify other potential sources of supervisory information held by related entities and third party service providers to assess potential risks regarding the sharing of such information with the CFPB, and to determine steps that should be taken, if any, to protect privileged information;
• Work with the CFPB to limit the form and scope of any supervisory request for privileged information, and to explicitly note any claim to privileged information in your institution's response to the CFPB, including clearly designating all privileged documents as such on the face of documents conveyed to the CFPB; and
• Finally, and most importantly, you should consult with counsel before disclosing anything from your institution to the CFPB that might be privileged.

Paul Hastings is actively working with clients to identify and address the issues and risks related to Bulletin 12-01, including procedures for identifying and protecting confidential supervisory information that is also subject to a privilege. We are available to advise you with respect to the potential applicability and impact of the CFPB's position on these issues at your institution.

Footnotes

1 See CFPB Bulletin 12-01, The Bureau's Supervision Authority and Treatment of Confidential Supervisory Information (Jan. 4, 2012), available at http://www.consumerfinance.gov/wp-content/uploads/2012/01/GC_bulletin_12-01.pdf ("Bulletin 12-01").

2 For the CFPB's policy on confidential information, see 12 CFR § 1070.41.

3 See 12 USC § 1828(x)(1) (providing there is no waiver of the attorney-client privilege, under federal or state law, when a federally-chartered bank provides privileged materials to a "Federal Banking Agency"). See also 12 USC § 1813(z) (defining "Federal Banking Agency" as the "Comptroller of the Currency, the Director of the Office of Thrift Supervision, the Board of Governors of the Federal Reserve System, or the Federal Deposit Insurance Corporation").

4 In a footnote to this statement, Bulletin 12-01 references the authority of the FBAs and the National Credit Union Administration ("NCUA"), all of which were covered by the statutory examination privilege provided by FSRRA § 607.

5 Among the instances in which information is required to be shared is sharing information with the U.S. Attorney General on potential violations of Federal criminal law and with the IRS on possible tax law noncompliance.

6 Pursuant to FDIA § 18(z), "the term [f]ederal banking agency" means the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation." 12 USC § 1828(z).

7 See Financial Institutions Examination Fairness and Reform Act of 2011, H.R. 3461, 112th Cong. § 6(b) (2011).

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.