INTRODUCTION

The Board of Governors of the Federal Reserve System (the Board), in conjunction with the New York State Department of Financial Services (the NYDFS) recently issued enforcement actions and fined a foreign bank (the Bank) and its New York branch (the Branch) approximately $32.4 million for their unauthorized use and disclosure of confidential supervisory information (CSI). On January 16, 2024, the Board issued its consent cease-and-desist order (the 2024 Board Order) with the Bank and the Branch, fining them approximately $2.4 million. The next day, on January 17, 2024, the NYDFS issued its consent order (the NYDFS Order) with the Bank and the Branch, resolving an investigation for the unauthorized disclosure of CSI, fining them approximately $30 million.

KEY TAKEAWAYS

The 2024 Board Order and NYDFS Order are strong reminders of the seriousness in which the Board, as well as other banking agencies, approach their rules regarding CSI:1

  • Demonstrates the importance of effective internal controls governing the use and dissemination of CSI.
  • Highlights that supervised financial institutions must obtain approval (as opposed to only providing notice) from the appropriate banking regulators when it comes to disclosure of CSI.
  • Highlights that supervised financial institutions must implement and maintain effective governance, compliance, and audit policies and procedures designed to detect and prevent the unauthorized use and disclosure of CSI, including policies, procedures, training, and monitoring.

BACKGROUND ON CSI AND UPDATED CSI REGULATIONS

Information related to bank supervision and examinations is generally treated as CSI that is owned by the appropriate banking agency, as opposed to the bank.2 As such, such information may not be released by the bank without approval of the appropriate banking agency.3 CSI generally includes all records created or obtained by the agency in connection with its supervision and examination of the bank, including, but not limited to: “reports of examination, inspection, and visitation; confidential operating and condition reports; supervisory assessments; investigative requests for documents or other information; and supervisory correspondence or other supervisory communications.”4 Conversely, CSI does not include information or documents such as call reports, formal enforcement actions, routine financial reports, bank information not attributable to an examination or regulatory matters, and other documents and information of general application, including regulatory requirements and letters. The rules regarding disclosure of CSI vary with respect to each banking regulator.

On July 24, 2020, the Board issued a final rule (the 2020 CSI Board Rule), which, among other things, provides clarifying revisions to the definition of CSI and allows for disclosure of CSI under specific circumstances. The 2020 CSI Board Rule was an improvement in terms of the Board providing flexibility to its supervised financial institutions in sharing CSI without Board approval. Among other things, the 2020 CSI Board Rule clarified that certain internal business documents of a supervised financial institution are CSI in the hands of the Board but not CSI in the hands of the supervised financial institution.5 The 2020 CSI Board Rule also streamlined the disclosure of CSI in certain areas, including disclosure to external legal counsel and auditors, service providers, and affiliates. Regarding disclosure of CSI to other banking regulators, CSI “that is contained in documents prepared by or for the institution for its own business purposes” may be disclosed to the appropriate banking agency “with the concurrence of the institution's central point of contact at the Reserve Bank, equivalent supervisory team leader, or other designated Reserve Bank employee” (POC) upon a determination by the POC that the other regulator “has a legitimate supervisory or regulatory interest in the [CSI].”6 The 2020 CSI Board Rule also permits supervised institutions to disclose CSI to external legal counsel and their auditors, without prior written approval, when “necessary or appropriate in connection with the provision of legal or auditing services to the supervised financial institution.”7

About a year later in April 2021, the NYDFS issued its own updated CSI regulations (NYDFS CSI Regulations), joining the Board in making amendments to its approach to CSI and, for the most part, harmonizing the New York CSI rules with the 2020 CSI Board Rule. Notably, with respect to disclosure by NYDFS-regulated entities of CSI to other banking regulators, disclosure of CSI may be made with the prior written approval of both the NYDFS Senior Deputy Superintendent for Banking and the NYDFS General Counsel, or their respective delegates.8 In addition, the NYDFS CSI Regulations provide a “limited exception” for disclosure by such entities to “legal counsel or an independent auditor that has been retained or engaged by such regulated entity pursuant to an engagement letter or written agreement.”9

CSI ENFORCEMENT ACTIONS: THE 2024 BOARD ORDER AND THE NYDFS ORDER

The 2024 Board Order solely focuses on the unauthorized disclosure of CSI. According to the 2024 Board Order, “after receiving confirmation from Board and Reserve Bank staff that proposed communications with a third party included CSI and would therefore require a waiver from the Board prior to disclosure, the Bank and Branch nonetheless caused the unauthorized, and therefore impermissible, disclosure of CSI to occur.”10 Although the 2024 Board Order does not provide many details regarding the unauthorized disclosure, the 2024 Board Order states that the unauthorized disclosure of CSI by the Branch was caused by the “lack of adequate internal controls related to the use and dissemination of CSI[.]” Notably, however, the 2024 Board Order noted that the Branch has since then “begun to enhance its policies, procedures, and training related to CSI following the unauthorized disclosure.”11 In addition to the civil money penalty, the Bank's board of directors and the Branch's senior management must submit a written plan to enhance “the effectiveness of the Branch's internal controls and compliance functions regarding the identification, monitoring, and control of CSI.”12

Unlike the 2024 Board Order, the NYDFS Order was issued for, among other things, sharing CSI to an overseas regulator in violation of New York law and failure to maintain an effective and compliant anti-money laundering program. The NYDFS Order provides more information regarding the conduct underlying the unauthorized disclosure of CSI. According to the NYDFS Order, the Bank sought to transfer an employee from the Branch to an overseas Bank affiliate, which transfer required approval from the overseas regulator. As part of the approval process, the overseas regulator requested information regarding whether the employee or the Branch was the subject of any regulatory or disciplinary investigation.

Prior to responding to the overseas regulator, Branch counsel advised that “responses about the ongoing investigations would constitute CSI, and therefore, the [Branch's] regulators would need to approve disclosure of the CSI to the [overseas] regulator.”13 As such, Bank counsel approached the NYDFS, the Board, and the Federal Reserve Bank of New York to provide background and the proposed language to send to the overseas regulator. However, without proper authorization, the Branch sent the proposed language and documents containing CSI to the overseas Bank affiliate, which, in turn, sent the language and information to the overseas regulator. Branch counsel subsequently learned about the CSI breach and, shortly thereafter, reported the unauthorized disclosure of CSI to the NYDFS and the Board. In addition to the $30 million penalty, the NYDFS Order requires the Bank to submit status reports to NYDFS regarding enhancements to the Bank's handling of CSI.

Footnotes

1 Another example that highlights the importance of handling CSI in compliance with applicable law, regulations, and policies occurred in June 2019 when the Board issued a cease-and-desist order against a former bank employee for improper handling of CSI. Specifically, the order stated that the former employee removed documents containing CSI from his office and sent them to his personal email addresses, and kept copies of such documents at his residence, in direct violation of Board regulation and company policy.

2 See 12 C.F.R. § 261.20(a).

3 Id.

4 See 12 C.F.R. § 261.2(b). In addition, CSI also includes “any portion of a document in the possession of any person, entity, agency or authority, including a supervised financial institution, that contains or would reveal confidential supervisory information.”

5 See 12 C.F.R. § 261.21(b)(2).

6 See id.. Both the Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation require prior written consent to disclose CSI to other regulators; however, the FDIC also requires a showing of “good cause.” See 12 C.F.R. § 4.37(b)(1); see also 12 C.F.R. § 309.6(b)(7)(i) and (iv).

7 12 C.F.R. § 261.21(b)(3).

8 N.Y. Comp. Codes R. & Regs. Tit. 3 § 7.2(g).

9 N.Y. Comp. Codes R. & Regs. Tit. 3 § 7.2(d).

10 The 2024 Board Order at page 2.

11 Id.

12 Id. at page 4.

13 The NYDFS Order at page 7.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.