One of the thornier areas of law for U.S.-regulated banks and their holding companies is that regarding confidential supervisory information (CSI). U.S. regulators treat bank examination reports and related correspondence and materials, which are often the most useful sources of information about a financial institution, as the regulators' own property, with parties subject to severe penalties for disclosing such information without prior regulatory approval.1 Receiving approval is often a time-consuming process that may frustrate corporate transaction and litigation deadlines. In addition, each of the federal regulators – the Board of Governors of the Federal Reserve System (Federal Reserve), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Consumer Financial Protection Bureau (CFPB) – and each state financial regulatory authority – such as the New York Department of Financial Services (NYDFS) – has its own rules on the subject.

There have been two recent meaningful developments in the law regarding CSI. First, the Federal Reserve recently finalized revisions to its CSI regulation (Fed Final Rule); those revisions become effective on October 15th. Second, on September 9th, the NYDFS reproposed a regulation (NYDFS Proposed Rule) that would liberalize its approach to CSI disclosure. This Client Alert discusses these two developments.

In addition, the Alert contains a summary of the principal provisions of the CSI regulations of the four federal banking regulators and NYDFS, on the assumption that the NYDFS regulation is finalized in the form that NYDFS proposed it.

I. Federal Reserve Final Rule

The Fed Final Rule is an improvement, albeit a modest one, in terms of providing Federal Reserve-supervised institutions – bank and thrift holding companies, including their nonbank subsidiaries, state member banks, and branches, agencies and representative offices of non-U.S. banks – flexibility in sharing CSI without the Federal Reserve's prior approval. Enhancements to the Federal Reserve' regulatory framework demonstrate an effort to streamline the approval process in certain areas.

A. Scope of CSI

The Fed Final Rule defines CSI as "information that is or was created or obtained in furtherance of the [Federal Reserve's] supervisory, investigatory or enforcement activities," and includes reports of examination, inspection and visitation; confidential operating and condition reports; supervisory assessments; investigative requests for documents or other information; and supervisory correspondence or other supervisory communications, as well as "any information derived from or related to such information."2 In a clarification, the Fed Final Rule states that CSI does not include documents that are prepared "for or by" a supervised financial institution for its own business purposes that are in its own possession and do not otherwise contain CSI, even though copies of such documents in the Federal Reserve's possession do constitute CSI.3 Therefore, turning over such non-CSI to the Federal Reserve does not make the information CSI in the hands of the supervised financial institution.

B. Disclosure to Affiliates

The Fed Final Rule states that a supervised institution may disclose CSI without prior Federal Reserve approval not only to its own directors, officers and employees, but also, when it is "necessary or appropriate for business purposes," to directors, officers, employees of its affiliates.4 This position liberalizes the regulation from prior practice and aligns the Federal Reserve's position more closely with that of the CFPB, under which CSI may be disclosed to [directors, officers and employees of] affiliates to the extent that it "is relevant to the performance of such individuals' assigned duties."5 As shown in the Appendix, neither the OCC nor the FDIC has adopted this position in their CSI rules; disclosure to a parent may be permitted without prior regulatory approval, but not to other affiliates.6

C. Disclosure to Legal Counsel, Auditors, and Service Providers

The Fed Final Rule also makes a change from the prior regulation in permitting supervised institutions to disclose CSI to external legal counsel and their auditors, without prior written approval, when "necessary or appropriate in connection with the provision of legal or auditing services to the supervised financial institution."7 This change aligns the Federal Reserve's position with that of the OCC and the even more permissive CFPB; the FDIC, however, has not adopted this position with respect to external legal counsel, and therefore the default provision of specific prior approval obtains under its regulations.8

In addition, under the revised Federal Reserve framework, supervised institutions are also able to disclose CSI to service providers to the institution and service providers to the institution's external counsel and auditors (such as consultants, contractors, and technology providers), without prior written approval, in instances where such disclosure is "necessary to the service provider's provision of services."9 The Fed Final Rule requires that the service provider first enter into a written agreement with the supervised institution, external counsel or auditor in which the service provider agrees that (i) it will treat the CSI in accordance with applicable regulations and (ii) it will not use the CSI for any purpose other than as provided under its contract to provide services to the supervised institution.10 The rule requires supervised institutions to maintain a written account of such service provider disclosures and provide the Federal Reserve a copy of the written account on request.11

The Fed Final Rule also liberalizes the manner of disclosure. Under prior practice, disclosure of CSI to external auditors and counsel was required to be limited to on-premises review; the Federal Reserve did not permit the information to be copied or shared off-site. The Fed Final Rule strikes this outdated requirement and allows for disclosure in any manner when "necessary or appropriate in connection with the provision of legal or auditing services to the supervised financial institution."12

D. Disclosure to Other Regulators

The Fed Final Rule also somewhat modifies the manner in which CSI requests for disclosure to other regulators are handled. Historically, any disclosure by a supervised institution of Federal Reserve CSI to another regulatory body (e.g., other banking regulators, state and federal, or the Securities and Exchange Commission) required the prior written consent of the Federal Reserve's General Counsel. With respect to CSI about a supervised institution "that is contained in documents prepared by or for the institution for its own business purposes," such as internal minutes, the Fed Final Rule changes this practice and permits institutions to make requests to share such CSI with other bank regulators to the "central point of contact at the Reserve Bank, equivalent supervisory team leader, or other designated Reserve Bank employee."13 Disclosure will be permitted upon a determination by the Federal Reserve point of contact that [the other regulator] "has a legitimate supervisory or regulatory interest in the [requested internally prepared CSI]."14 Disclosure of all other CSI to another regulator, however, still requires the consent of the Federal Reserve's General Counsel.15

II. NYDFS Proposed Rule

Like the Fed Final Rule, the NYDFS Proposed Rule, which is a re-proposal of a November 2019 proposal, is a welcome development because it demonstrates a greater willingness to harmonize the NYDFS CSI regime with those of other regulators. If finalized, New York would, for the first time, have a CSI regulation in addition to a statutory provision, Section 36.10 of the Banking Law.

A. Scope of CSI

The NYDFS Proposed Rule defines CSI as "any information that is covered by Section 36.10 of the [New York] Banking Law."16 Section 36.10, in turn, refers to "reports of examinations and investigations [of any NYDFS-supervised institution and affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including any duly authenticated copy or copies thereof," and includes any confidential materials shared by NYDFS with any governmental agency or unit.17

B. Disclosure to Affiliates

Under Section 36.10, the default standard for disclosure of any CSI is the prior written approval of NYDFS. The NYDFS Proposed Rule contains an exception for disclosure of CSI to affiliates and their directors, officers and employees when "necessary and appropriate for business purposes."18 We note that this standard is different from the Federal Reserve and OCC standard, which is "necessary or appropriate" for business purposes.19

C. Disclosure to Legal Counsel, Auditors and Other Service Providers

The NYDFS Proposed Rule would also ease current restrictions on NYDFS-supervised institutions' disclosure of CSI to certain advisors. It would provide a "limited exception" for disclosure to "legal counsel or an independent auditor that has been retained or engaged by such [supervised institution] pursuant to an engagement letter or written agreement."20 The applicable engagement letter or written agreement would be required to contain certain acknowledgements by the legal counsel or independent auditor; inter alia, it would be required to state (i) that the information will be used solely to provide "legal representation or auditing services" and (ii) that the information will be disclosed solely to employees, directors, or officers only "to the extent necessary and appropriate for business purposes.21

Notably, unlike the Fed Final Rule, the NYDFS Proposed Rule does not contain an exception for third-party vendors to legal counsel and external auditors. In declining to permit what it characterized as "a broad exception," NYDFS noted that the OCC's regulations do not contain one.22

D. Disclosure to Other Regulators

With respect to the disclosure of NYDFS CSI to other regulators, including, for non-U.S banks, their home country supervisors, the NYDFS Proposed Rule would require the prior written consent of both the Senior Deputy Superintendent of NYDFS for Banking and the General Counsel of NYDFS, or their respective delegates, prior to disclosure.23 There is no streamlined procedure, as in the Fed Final Rule, for internally generated CSI.

E. Duty to Notify NYDFS of Requests for CSI

The NYDFS Proposed Rule requires each supervised institution, affiliate of a supervised institution, legal counsel, and independent auditor that is served with a request, subpoena or order to provide CSI to notify the Office of the General Counsel of the request immediately so that NYDFS will be able to intervene in the action as appropriate.24 But it does not – in a relaxation from NYDFS's November 2019 position – require external counsel and independent auditors to agree contractually to assert legal privileges and protections as requested by NYDFS on the agency's behalf.25 The proposal instead would mandate that CSI holders only inform the requester and the relevant tribunal of the obligations set forth in the NYDFS Proposed Rule and the substance of Section 36.10 of the New York Banking Law.26 Relatedly, the NYDFS Proposed Rule does not require that supervised institutions maintain a record of all disclosed CSI.27

Conclusion

The Fed Final Rule and the NYDFS Proposed Rule signal a growing awareness by regulators of the inefficiencies posed by the current CSI regulatory framework. One hopes that the Fed Final Rule will help establish a regulatory benchmark for the other federal banking regulators, and that NYDFS's willingness to reexamine its own processes will perhaps inspire other state regulators to revisit their regulations. Nonetheless, the overriding traditional principle of CSI law and regulation – that the regulators consider CSI their property, to be disclosed only upon their specific consent – remains a key feature of all regulatory regimes.


Appendix: Comparison of CSI Requirements

Topic

Federal Reserve

OCC

FDIC

CFPB

NYDFS Proposed Rule

Supervisory Jurisdiction

Bank/thrift holding companies and their nonbank subsidiaries, financial holding companies, state member banks, branches, agencies and representative offices of non-U.S. banks, and systemically significant nonbank financial companies when designated.

National banks, federally chartered savings associations, and federally licensed branches and agencies of non-U.S. banks.

FDIC-insured state banks that are not members of the Federal Reserve System and FDIC-insured state savings associations.

Depository institutions with more than $10 billion in assets and certain nonbank financial entities, including mortgage-related firms, lenders (e.g., student loans, payday), certain other large nonbank consumer financial entities (e.g., debt collection/relief and consumer finance firms, credit reporting agencies), and prepaid and credit card issuers.

Any entity licensed, chartered, authorized, registered, or otherwise subject to supervision by NYDFS under the New York Banking Law.

Scope

Information that is or was created or obtained in furtherance of the Board's supervisory, investigatory, or enforcement activities.28 Includes any portion of a document in the possession of any person, entity, agency or authority, including a supervised institution, that contains or would reveal confidential supervisory information is CSI. New 12 C.F.R. § 261.2(b)(1).

Excludes internally prepared documents for business purposes that do not contain CSI (even if such information is in possession by the Board and such copies constitute CSI.

New 12 C.F.R. § 261.2(b)(2).

(a) Records created or obtained by the OCC in connection with its supervisory responsibilities;

(b) Records compiled by the OCC in connection with its enforcement responsibilities;

(c) Examination reports, supervisory correspondence, investigatory files complied, agency memoranda;

(d) CSI obtained by a third party;

(e) Testimonies and interviews with current or former agency employees, officers, or agents concerning information acquired in course of such person's official duties or status; and

(f) Information related to current and former supervised institutions and their subsidiaries and affiliates.

12 C.F.R. § 4.37(b)(1).

(a) Records designated pursuant to an executive order;

(b) Records relating solely to internal personnel rules and practices;

(c) Records otherwise exempt from disclosure by statute;

(d) Intra-agency memoranda or letters;

(e) Certain records compiled for law enforcement purposes; and

(f) Records related to examination, operation, or condition of the supervised institution, prepared by or on behalf of the FDIC or other regulatory body.

12 C.F.R. § 309.5(g).

(a) Reports of examination, inspection and visitation, non-public operating, condition, and compliance reports, and any information contained in, derived from, or related to such reports;

(b) Any document, including reports of examination, prepared by, on behalf of, or for the use of the CFPB or any other federal, state or foreign regulator supervising such financial institution, and any information derived from such documents;

(c) Intra-agency communications; and

(d) Information provided to the CFPB by the supervised institution regarding consumer risk in the offering or provision of consumer financial products or services, or to assess whether such supervised institution is a "covered person."

12 C.F.R. § 1070.2(b)(1).

All reports of examinations and investigations, correspondence and memoranda concerning or arising out of such examination and investigations, including any duly authenticated copy or copies thereof in the possession of any supervised institution or its affiliates, including any confidential materials shared by NYDFS with any governmental agency or unit. NY Banking Law § 36.10.

Default Disclosure Standard

"[P]rior written permission of the General Counsel" New § 261.20(a).

Supervised institution must demonstrate "a substantial need to . . . disclose such information that outweighs the need to maintain confidentiality." New 12 C.F.R. § 261.23(a)(1).

Prior written consent. 12 C.F.R. § 4.37(b)(1).

Prior written consent. 12 C.F.R. § 309.6(b).

Default Standard: "[G]ood cause for disclosure." 12 C.F.R. § 309.6(b).

Prior written consent. 12 C.F.R. §1070.2(b)(2)(ii).

Prior written consent. NY Banking Law § 36.10.

Default Standard: "[T]he ends of justice and the public advantage will be subserved by the publication thereof." NY Banking Law § 36.10.

Certain Exceptions to Disclosure

Parent Holding Company

No consent or written request required, when "necessary or appropriate for business purposes." New 12 C.F.R. § 261.21(b)(1).

No consent or written request required, when "necessary or appropriate for business purposes." 12 C.F.R. § 4.37(b)(2).

For majority shareholders, supervised institution's board must authorizes disclosure via board action. 12 C.F.R. § 309.6(b)(7)(iii).

No consent or written request required for parent holding company personnel, to the extent that it "is relevant to the performance of such individuals' assigned duties." 12 C.F.R. § 1070.42(b)(1).

No consent or written request required, when "necessary and appropriate for business purposes." 3 NYCRR § 7.2(c) (proposed 2020).

Affiliates

No consent or written request required, when "necessary or appropriate for business purposes." New § 261.21(b)(1).

Non-parent holding company affiliates require prior written consent 12 C.F.R. § 4.37(b)(2).

Non-parent holding company affiliates require prior written consent. 12 C.F.R. § 309.6(b)(7)(iii).

No consent or written request required for affiliate personnel, to the extent that it "is relevant to the performance of such individuals' assigned duties." 12 C.F.R. § 1070.42(b)(1).

No consent or written request required, when "necessary and appropriate for business purposes." 3 NYCRR § 7.2(c) (proposed 2020).

Outside Counsel / Auditors

No consent or written request required, when "necessary or appropriate in connection with the provision of legal or auditing services." New 12 C.F.R. § 261.21(b)(3).

No consent or written request required, when "necessary or appropriate for business purposes." 12 C.F.R. § 4.37(b)(2).

For outside counsel, prior written consent required, and a showing of "good cause." 12 C.F.R. § 309.6(b)(7)(i) and (iv).

For external auditors, no consent or written request required. See FDIC Financial Institutions Letter (FIL-57-92), dated July 24, 1992.

No consent or written request required. 12 C.F.R. § 1070.42(b)(2)(i).

No consent or written request required for disclosure "to legal counsel or an independent auditor [if]. . . retained or engaged by such

regulated entity pursuant to an engagement letter or written agreement" where the legal counsel or independent auditor states, among other things, that CSI will be used solely to provide "legal representation or auditing services"; and that the information will be disclosed solely to employees, directors, or officers only "to the extent necessary and appropriate for business purposes." 3 NYCRR § 7.2(b) (proposed 2020).

Other Service Providers:

CSI may be shared with service providers of attorneys or auditors if the service provider is under a written agreement with the legal counsel or auditor pursuant to which it agrees to treat the CSI in accordance with 12 C.F.R. § 261.20(a) and use CSI only "as necessary to provide the services.." New 12 C.F.R. § 261.21(b)(3).

Other Service Providers to Institution: Allowed when "necessary to the service provider's provision of services" and such provider is bound by written agreement with the supervised institution, agreeing to treat CSI in accordance with 12 C.F.R. § 261.20(a) and use CSI only "as provided under its contract to provide services." New 12 C.F.R. § 261.21(b)(4).

CSI may be provided by the supervised institution to a consultant if the consultant enters into a written contract, agreeing to abide by OCC rules and use CSI only to provide services. 12 C.F.R. § 4.37(b)(2).

Prior written consent, and a showing of "good cause." 12 C.F.R. § 309.6(b)(7)(i) and (iv).

No consent or written request required for disclosure to a contractor, consultant, or service provider. 12 C.F.R. § 1070.42(b)(2)(i).

Other persons require prior written consent. 12 C.F.R. § 1070.42(b)(2)(ii).

Prior written consent required. NY Banking Law § 36.10.

Other regulators

Consent of "central point of contact at the Reserve Bank, equivalent supervisory team leader, or other designated Reserve Bank employee" to disclose internally prepared material containing CSI to the FDIC, OCC, CFPB, state regulators supervising such institution; prior written consent required to disclose all other CSI. New 12 C.F.R. § 261.21(b)(2).

Prior written consent required. 12 C.F.R. § 4.37(b)(1).

Prior written consent required, and a showing of "good cause." 12 C.F.R. § 309.6(b)(7)(i) and (iv).

Prior written consent required. 12 C.F.R. § 170.42(b)(2)(ii).

Prior written consent of the Senior Deputy Superintendent of NYDFS for Banking and the General Counsel required. 3 NYCRR § 7.2(f) (proposed 2020).

Footnotes

1. Federal bank examination reports, for example, cite 18 U.S.C. § 641, which makes it a felony to convert, knowingly, government property to one's own use. Lesser sanctions for alleged CSI violations have included substantial fines and prohibitions on consulting arrangements with supervised institutions for a period of years.

2. New 12 C.F.R. § 261.2(b)(1).

3. See id. § 261.2(b)(2)(1).

4. See id. § 261.21(b)(1).

5. 12 C.F.R. § 1070.42(b)(1).

6. See Appendix.

7. New 12 § 261.21(b)(3).

8. See Appendix. The FDIC does not require prior approval for a bank's independent auditor.

9. New 12 § 261.21(b)(3)-(4).

10. Id.

11. Id. § 261.21(b)(4).

12. Id. § 261.21(b)(3).

13. Id. § 261.21(b)(2).

14. Id.

15. Id. § 261.23(b)-(c).

16. 3 N.Y.C.R.R. § 7.1(a) (proposed 2020).

17. New York Banking Law, Section 36.10.

18. 3 N.Y.C.R.R. § 7.2(c) (proposed 2020).

19. See Appendix.

20. 3 N.Y.C.R.R. § 7.2(b) (proposed 2020).

21. Id. (emphasis added).

22. NYS Register, page 12 (Sept. 9, 2020), available at https://www.dos.ny.gov/info/register/2020/090920.pdf.

23. 3 N.Y.C.R.R. § 7.2(f) (proposed 2020).

24. Id. § 7.2(d) (proposed 2020).

25. See 3 N.Y.C.R.R. § 7.2(c) (proposed 2019) (institution "agrees to notify the Department, promptly and in writing, of any demand or request for the supervisory confidential information, and agrees to assert on behalf of the Department all such legal privileges and protections as the Department may request").

26. 3 N.Y.C.R.R. § 7.2(d) (proposed 2020).

27. This too is a change from the 2019 position. See 3 N.Y.C.R.R. § 7.2(f) (proposed 2019) ("Regulated entities must keep a written record of all confidential supervisory information disclosed pursuant to the provisions of this Part and a copy of each party's written agreement mentioned in subdivision (b) of this section for inspection and review by the Department").

28. Includes "reports of examination, inspection, and visitation; confidential operating and condition reports; supervisory assessments; investigative requests for documents or other information; and supervisory correspondence or other supervisory communications." New 12 C.F.R. § 261.2(b)(1).

Excludes "[d]ocuments prepared by or for a supervised financial institution for its own business purposes that are in its own possession and that do not include confidential supervisory information as defined in paragraph (b)(1) of this section, even though copies of such documents in the Board's or Reserve Bank's possession constitute confidential supervisory information." Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.