80 FR 10072 - Compliance Bulletin-Treatment of Confidential Supervisory Information

BUREAU OF CONSUMER FINANCIAL PROTECTION

Federal Register Volume 80, Issue 37 (February 25, 2015)

Page Range		10072-10073
FR Document		2015-03791
The Bureau of Consumer Financial Protection (CFPB) is issuing a compliance bulletin entitled ``Treatment of Confidential of Supervisory Information'' as a reminder that, with limited exceptions, persons in possession of confidential information, including confidential supervisory information (CSI), may not disclose such information to third parties.
Federal Register, Volume 80 Issue 37 (Wednesday, February 25, 2015)
[Federal Register Volume 80, Number 37 (Wednesday, February 25, 2015)]
[Notices]
[Pages 10072-10073]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-03791]



[[Page 10072]]

=======================================================================
-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION


Compliance Bulletin--Treatment of Confidential Supervisory 
Information

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Compliance Bulletin.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (CFPB) is issuing 
a compliance bulletin entitled ``Treatment of Confidential of 
Supervisory Information'' as a reminder that, with limited exceptions, 
persons in possession of confidential information, including 
confidential supervisory information (CSI), may not disclose such 
information to third parties.

DATES: This bulletin is effective February 25, 2015 and applicable 
beginning January 27, 2015.

FOR FURTHER INFORMATION CONTACT: Christopher Young, Managing Senior 
Counsel and Chief of Staff, (202) 435-7408, Office of Supervision 
Policy.

SUPPLEMENTARY INFORMATION: 

I. Introduction

    The CFPB issues this compliance bulletin as a reminder that, with 
limited exceptions, persons in possession of confidential information, 
including CSI, may not disclose such information to third parties.\1\ 
More particularly, this bulletin:
---------------------------------------------------------------------------

    \1\ ``Confidential information'' means ``confidential consumer 
complaint information, confidential investigative information, and 
confidential supervisory information, as well as any other CFPB 
information that may be exempt from disclosure under the Freedom of 
Information Act pursuant to 5 U.S.C. 552(b). Confidential 
information does not include information contained in records that 
have been made publicly available by the CFPB or information that 
has otherwise been publicly disclosed by an employee with the 
authority to do so.'' 12 CFR 1070.2(f). CSI, the focus of this 
bulletin, is but one type of confidential information. See 12 CFR 
1070.2(i) (defining ``confidential supervisory information'').
---------------------------------------------------------------------------

    1. Sets forth the definition of CSI;
    2. Provides examples of CSI;
    3. Highlights certain legal restrictions on the disclosure of CSI; 
and
    4. Explains that private confidentiality and non-disclosure 
agreements (NDAs) neither alter the legal restrictions on the 
disclosure of CSI nor impact the CFPB's authority to obtain information 
from covered persons \2\ and service providers \3\ in the exercise of 
its supervisory authority.
---------------------------------------------------------------------------

    \2\ ``Covered person[s]'' include ``(A) any person that engages 
in offering or providing a consumer financial product or service; 
and (B) any affiliate of a person described [in (A)] if such 
affiliate acts as a service provider to such person.'' 12 U.S.C. 
5481(6).
    \3\ ``Service provider'' means ``any person that provides a 
material service to a covered person in connection with the offering 
or provision by such covered person of a consumer financial product 
or service, including a person that--(i) participates in designing, 
operating, or maintaining the consumer financial product or service; 
or (ii) processes transactions relating to the consumer financial 
product or service (other than unknowingly or incidentally 
transmitting or processing financial data in a manner that such data 
is undifferentiated from other types of data of the same form as the 
person transmits or processes) . . . . The term `service provider' 
does not include a person solely by virtue of such person offering 
or providing to a covered person--(i) a support service of a type 
provided to businesses generally or a similar ministerial service; 
or (ii) time or space for an advertisement for a consumer financial 
product or service through print, newspaper, or electronic media.'' 
12 U.S.C. 5481(26).
---------------------------------------------------------------------------

II. Compliance Bulletin

    The CFPB has supervisory authority over certain covered persons, 
including very large depository institutions, credit unions and their 
affiliates; \4\ certain nonbanks; \5\ and service providers \6\ 
(collectively, supervised financial institutions).\7\ Many supervised 
financial institutions became subject to federal supervision for the 
first time under the Dodd-Frank Wall Street Reform and Consumer 
Protection Act (Dodd-Frank Act).\8\
---------------------------------------------------------------------------

    \4\ 12 U.S.C. 5515(a).
    \5\ Under 12 U.S.C. 5514, the CFPB has supervisory authority 
over all nonbank covered persons offering or providing three 
enumerated types of consumer financial products or services: (1) 
Origination, brokerage, or servicing of consumer loans secured by 
real estate, and related mortgage loan modification or foreclosure 
relief services; (2) private education loans; and (3) payday loans. 
12 U.S.C. 5514(a)(1)(A), (D), (E). The CFPB also has supervisory 
authority over ``larger participant[s] of a market for other 
consumer financial products or services,'' as the CFPB defines by 
rule. 12 U.S.C. 5514(a)(1)(B), (a)(2). Additionally, the CFPB has 
the authority to supervise any nonbank covered person that it ``has 
reasonable cause to determine, by order, after notice to the covered 
person and a reasonable opportunity . . . to respond[,] . . . is 
engaging, or has engaged, in conduct that poses risks to consumers 
with regard to the offering or provision of consumer financial 
products or services.'' 12 U.S.C. 5514(a)(1)(C).
    \6\ 12 U.S.C. 5514(e), 5515(d).
    \7\ ``Financial institution'' means ``any person involved in the 
offering or provision of a `financial product or service,' including 
a `covered person' or `service provider,' as those terms are defined 
by 12 U.S.C. 5481.'' 12 CFR 1070.2(l). ``Supervised financial 
institution'' means ``a financial institution that is or that may 
become subject to the CFPB's supervisory authority.'' 12 CFR 
1070.2(q).
    \8\ Public Law 111-203 (codified at 12 U.S.C. 5301 et seq.).
---------------------------------------------------------------------------

    Pursuant to authority granted under the Dodd-Frank Act,\9\ the CFPB 
has issued regulations that govern the use and disclosure of CSI.\10\ 
The CFPB expects all supervised financial institutions to know and 
comply with the regulations governing CSI, and provides the following 
guidance to assist with such compliance.
---------------------------------------------------------------------------

    \9\ 12 U.S.C. 5512(c)(6)(A).
    \10\ See 12 CFR part 1070. In addition to the confidentiality 
protections afforded by the CFPB's regulation, CSI may also be 
subject to other laws regarding disclosure, including the bank 
examination or other privileges, privacy laws, and other 
restrictions.
---------------------------------------------------------------------------

A. Definition of CSI

    Under the CFPB's regulations, ``confidential supervisory 
information'' means:
     Reports of examination, inspection and visitation, non-
public operating, condition, and compliance reports, and any 
information contained in, derived from, or related to such reports;
     Any documents, including reports of examination, prepared 
by, or on behalf of, or for the use of the CFPB or any other Federal, 
State, or foreign government agency in the exercise of supervisory 
authority over a financial institution, and any supervision information 
derived from such documents;
     Any communications between the CFPB and a supervised 
financial institution or a Federal, State, or foreign government agency 
related to the CFPB's supervision of the institution;
     Any information provided to the CFPB by a financial 
institution to enable the CFPB to monitor for risks to consumers in the 
offering or provision of consumer financial products or services, or to 
assess whether an institution should be considered a covered person, as 
that term is defined by 12 U.S.C. 5481, or is subject to the CFPB's 
supervisory authority; and/or
     Information that is exempt from disclosure pursuant to 5 
U.S.C. 552(b)(8).\11\
---------------------------------------------------------------------------

    \11\ 12 CFR 1070.2(i).
---------------------------------------------------------------------------

    CSI does not include documents prepared by a financial institution 
for its own business purposes and that the CFPB does not possess.\12\
---------------------------------------------------------------------------

    \12\ 12 CFR 1070.2(i)(2).
---------------------------------------------------------------------------

B. Examples of CSI

    Supervised financial institutions and other persons that may come 
into possession of CSI should understand what constitutes CSI in order 
to comply with the applicable rules.\13\ Examples of CSI include, but 
are not limited to:
---------------------------------------------------------------------------

    \13\ See generally 12 CFR 1070.
---------------------------------------------------------------------------

     CFPB examination reports and supervisory letters;
     All information contained in, derived from, or related to 
those documents, including an institution's supervisory Compliance 
rating;
     Communications between the CFPB and the supervised 
financial institution related to the CFPB's examination of the 
institution or other supervisory activities; and
     Other information created by the CFPB in the exercise of 
its supervisory authority.

[[Page 10073]]

    Thus, CSI includes any workpapers or other documentation that CFPB 
examiners have prepared in the course of an examination. CSI also 
includes supervisory information requests from the CFPB to a supervised 
financial institution, along with the institution's responses. In 
addition, any CFPB supervisory actions, such as memoranda of 
understanding between the CFPB and an institution, and related 
submissions and correspondence, are CSI.

C. Disclosure of Confidential Information Generally Prohibited

    Subject to limited exceptions, supervised financial institutions 
and other persons in possession of CSI of the CFPB may not disclose 
such information.\14\
---------------------------------------------------------------------------

    \14\ See 12 CFR 1070.41(a) (providing that ``[e]xcept as 
required by law or as provided in this part, no . . . person in 
possession of confidential information[] shall disclose such 
confidential information by any means (including written or oral 
communications) or in any format (including paper and electronic 
formats), to: (1) [a]ny person who is not an employee, contractor, 
or consultant of the CFPB; or (2) [a]ny CFPB employee, contractor, 
or consultant when the disclosure of such confidential information . 
. . is not relevant to the performance of the employee's, 
contractor's, or consultant's assigned duties''); see also 12 CFR 
1070.42(b) (setting forth exceptions relating to the disclosure of 
``confidential supervisory information of the CFPB'' which is 
``lawfully in [the] possession'' of any ``supervised financial 
institution'').
---------------------------------------------------------------------------

D. Exceptions to General Prohibition on Disclosure of CSI

    There are certain exceptions to the general prohibition against 
disclosing CSI to third parties. A supervised financial institution may 
disclose CSI of the CFPB lawfully in its possession to:
     Its affiliates;
     Its directors, officers, trustees, members, general 
partners, or employees, to the extent that the disclosure of such CSI 
is relevant to the performance of such individuals' assigned duties;
     The directors, officers, trustees, members, general 
partners, or employees of its affiliates, to the extent that the 
disclosure of such CSI is relevant to the performance of such 
individuals' assigned duties;
     Its certified public accountant, legal counsel, 
contractor, consultant, or service provider.\15\
---------------------------------------------------------------------------

    \15\ 12 CFR 1070.42(b).
---------------------------------------------------------------------------

    Supervised financial institutions may also in certain instances 
disclose CSI to others with the prior written approval of the Associate 
Director for Supervision, Enforcement, and Fair Lending, or his or her 
delegee (Associate Director).\16\ The recipient of CSI shall not, 
without the prior written approval of the Associate Director, utilize, 
make, or retain copies of, or disclose CSI for any purpose, except as 
is necessary to provide advice or services to the supervised financial 
institution or its affiliate.\17\ Moreover, any supervised financial 
institution or affiliate disclosing CSI shall take reasonable steps as 
specified in the regulations to ensure that the recipient complies with 
the rules governing CSI.\18\
---------------------------------------------------------------------------

    \16\ 12 CFR 1070.42(b)(2)(ii).
    \17\ 12 CFR 1070.42(b)(3)(i).
    \18\ 12 CFR 1070.42(b)(3)(ii).
---------------------------------------------------------------------------

    Confidential information made available by the CFPB pursuant to 12 
CFR part 1070 remains the property of the CFPB. There are other 
important requirements relating to the disclosure of confidential 
information, including disclosure pursuant to third-party legally 
enforceable demands, such as subpoenas or Freedom of Information Act 
requests. Among a number of other requirements, a recipient of a demand 
for confidential information must inform the CFPB's General Counsel of 
the demand.\19\
---------------------------------------------------------------------------

    \19\ 12 CFR 1070.47.
---------------------------------------------------------------------------

E. NDAs Do Not Supersede Federal Legal Requirements

    The CFPB recognizes that some supervised financial institutions may 
have entered into third-party NDAs that, in part, purport to: (1) 
Restrict the supervised financial institution from sharing certain 
information with a supervisory agency; and/or (2) require the 
supervised financial institution to advise the third party when the 
institution shares with a supervisory agency information subject to the 
NDA. However, such provisions in NDAs between supervised financial 
institutions and third parties do not alter or limit the CFPB's 
supervisory authority or the supervised financial institution's 
obligations relating to CSI.
    A supervised financial institution should not attempt to use an NDA 
as the basis for failing to provide information sought pursuant to 
supervisory authority. The CFPB has the authority to require supervised 
financial institutions and certain other persons to provide it with 
reports and other information to conduct supervisory activities, 
pursuant to the Dodd-Frank Act.\20\ Failure to provide information 
required by the CFPB is a violation of law for which the CFPB will 
pursue all available remedies.\21\
---------------------------------------------------------------------------

    \20\ 12 U.S.C. 5514, 5515.
    \21\ See 12 U.S.C. 5536(a)(2) (making it unlawful for a 
supervised financial institution ``to fail or refuse, as required by 
Federal consumer financial law, or any rule or order issued by the 
CFPB thereunder--(A) to permit access to or copying of records; . . 
. or (C) to make reports or provide information to the Bureau.'').
---------------------------------------------------------------------------

    In addition, a supervised financial institution may risk violating 
the law if it relies upon provisions of an NDA to justify disclosing 
CSI in a manner not otherwise permitted. As noted above, any disclosure 
of CSI outside of the applicable exceptions would require the prior 
written approval of the Associate Director for Supervision, 
Enforcement, and Fair Lending (or his or her delegee).\22\
---------------------------------------------------------------------------

    \22\ See 12 CFR 1070.42(b)(2)(ii).
---------------------------------------------------------------------------

    Supervised financial institutions should contact appropriate CFPB 
supervisory personnel with any questions regarding this Bulletin.

III. Regulatory Requirements

    This compliance bulletin provides nonbinding guidance on matters 
including limitations on disclosure of CSI under applicable law. It is 
therefore exempt from the notice and comment rulemaking requirements 
under the Administrative Procedure Act pursuant to 5 U.S.C. 553(b). 
Because no notice of proposed rulemaking is required, the Regulatory 
Flexibility Act does not require an initial or final regulatory 
flexibility analysis.\23\ In addition, the CFPB has determined that 
this bulletin summarizes existing requirements and does not establish 
any new nor revise any existing recordkeeping, reporting, or disclosure 
requirements on covered entities or members of the public that would be 
collections of information requiring OMB approval under the Paperwork 
Reduction Act.\24\
---------------------------------------------------------------------------

    \23\ 5 U.S.C. 603(a), 604(a).
    \24\ 44 U.S.C. 3501 et seq.

    Dated: February 2015.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2015-03791 Filed 2-24-15; 8:45 am]
BILLING CODE 4810-AM-P
Federal Register / Vol. 80, No. 37 / Wednesday, February 25, 2015 / Notices 10073

Thus, CSI includes any workpapers or Director, utilize, make, or retain copies In addition, a supervised financial
other documentation that CFPB of, or disclose CSI for any purpose, institution may risk violating the law if
examiners have prepared in the course except as is necessary to provide advice it relies upon provisions of an NDA to
of an examination. CSI also includes or services to the supervised financial justify disclosing CSI in a manner not
supervisory information requests from institution or its affiliate.17 Moreover, otherwise permitted. As noted above,
the CFPB to a supervised financial any supervised financial institution or any disclosure of CSI outside of the
institution, along with the institution’s affiliate disclosing CSI shall take applicable exceptions would require the
responses. In addition, any CFPB reasonable steps as specified in the prior written approval of the Associate
supervisory actions, such as memoranda regulations to ensure that the recipient Director for Supervision, Enforcement,
of understanding between the CFPB and complies with the rules governing CSI.18 and Fair Lending (or his or her
an institution, and related submissions Confidential information made delegee).22
and correspondence, are CSI. available by the CFPB pursuant to 12 Supervised financial institutions
CFR part 1070 remains the property of should contact appropriate CFPB
C. Disclosure of Confidential supervisory personnel with any
the CFPB. There are other important
Information Generally Prohibited questions regarding this Bulletin.
requirements relating to the disclosure
Subject to limited exceptions, of confidential information, including III. Regulatory Requirements
supervised financial institutions and disclosure pursuant to third-party
other persons in possession of CSI of the legally enforceable demands, such as This compliance bulletin provides
CFPB may not disclose such subpoenas or Freedom of Information nonbinding guidance on matters
information.14 Act requests. Among a number of other including limitations on disclosure of
requirements, a recipient of a demand CSI under applicable law. It is therefore
D. Exceptions to General Prohibition on exempt from the notice and comment
Disclosure of CSI for confidential information must
inform the CFPB’s General Counsel of rulemaking requirements under the
There are certain exceptions to the the demand.19 Administrative Procedure Act pursuant
general prohibition against disclosing to 5 U.S.C. 553(b). Because no notice of
CSI to third parties. A supervised E. NDAs Do Not Supersede Federal proposed rulemaking is required, the
financial institution may disclose CSI of Legal Requirements Regulatory Flexibility Act does not
the CFPB lawfully in its possession to: The CFPB recognizes that some require an initial or final regulatory
• Its affiliates; supervised financial institutions may flexibility analysis.23 In addition, the
• Its directors, officers, trustees, have entered into third-party NDAs that, CFPB has determined that this bulletin
members, general partners, or in part, purport to: (1) Restrict the summarizes existing requirements and
employees, to the extent that the supervised financial institution from does not establish any new nor revise
disclosure of such CSI is relevant to the sharing certain information with a any existing recordkeeping, reporting, or
performance of such individuals’ supervisory agency; and/or (2) require disclosure requirements on covered
assigned duties; the supervised financial institution to entities or members of the public that
• The directors, officers, trustees, advise the third party when the would be collections of information
members, general partners, or institution shares with a supervisory requiring OMB approval under the
employees of its affiliates, to the extent agency information subject to the NDA. Paperwork Reduction Act.24
that the disclosure of such CSI is However, such provisions in NDAs Dated: February 2015.
relevant to the performance of such between supervised financial Richard Cordray,
individuals’ assigned duties; institutions and third parties do not Director, Bureau of Consumer Financial
• Its certified public accountant, legal alter or limit the CFPB’s supervisory Protection.
counsel, contractor, consultant, or authority or the supervised financial [FR Doc. 2015–03791 Filed 2–24–15; 8:45 am]
service provider.15 institution’s obligations relating to CSI. BILLING CODE 4810–AM–P
Supervised financial institutions may A supervised financial institution
also in certain instances disclose CSI to should not attempt to use an NDA as the
others with the prior written approval of basis for failing to provide information DEPARTMENT OF DEFENSE
the Associate Director for Supervision, sought pursuant to supervisory
Enforcement, and Fair Lending, or his or authority. The CFPB has the authority to Office of the Secretary
her delegee (Associate Director).16 The require supervised financial institutions
recipient of CSI shall not, without the [Docket ID DoD–2015–OS–0021]
and certain other persons to provide it
prior written approval of the Associate with reports and other information to Proposed Collection; Comment
conduct supervisory activities, pursuant Request
14 See 12 CFR 1070.41(a) (providing that ‘‘[e]xcept to the Dodd-Frank Act.20 Failure to
as required by law or as provided in this part, no AGENCY: Defense Security Cooperation
. . . person in possession of confidential provide information required by the
information[] shall disclose such confidential CFPB is a violation of law for which the Agency, DoD.
information by any means (including written or oral CFPB will pursue all available ACTION: Notice.
communications) or in any format (including paper remedies.21
and electronic formats), to: (1) [a]ny person who is SUMMARY: In compliance with the
not an employee, contractor, or consultant of the Paperwork Reduction Act of 1995, the
17 12 CFR 1070.42(b)(3)(i).
CFPB; or (2) [a]ny CFPB employee, contractor, or
asabaliauskas on DSK5VPTVN1PROD with NOTICES

consultant when the disclosure of such confidential 18 12 CFR 1070.42(b)(3)(ii). Defense Security Cooperation Agency
information . . . is not relevant to the performance 19 12 CFR 1070.47. announces a proposed public
of the employee’s, contractor’s, or consultant’s 20 12 U.S.C. 5514, 5515. information collection and seeks public
assigned duties’’); see also 12 CFR 1070.42(b) 21 See 12 U.S.C. 5536(a)(2) (making it unlawful for
comment on the provisions thereof.
(setting forth exceptions relating to the disclosure a supervised financial institution ‘‘to fail or refuse,
of ‘‘confidential supervisory information of the Comments are invited on: (a) Whether
as required by Federal consumer financial law, or
CFPB’’ which is ‘‘lawfully in [the] possession’’ of any rule or order issued by the CFPB thereunder—
any ‘‘supervised financial institution’’). 22 See 12 CFR 1070.42(b)(2)(ii).
(A) to permit access to or copying of records; . . .
15 12 CFR 1070.42(b). 23 5U.S.C. 603(a), 604(a).
or (C) to make reports or provide information to the
16 12 CFR 1070.42(b)(2)(ii). Bureau.’’). 24 44 U.S.C. 3501 et seq.

VerDate Sep<11>2014 18:05 Feb 24, 2015 Jkt 235001 PO 00000 Frm 00030 Fmt 4703 Sfmt 4703 E:\FR\FM\25FEN1.SGM 25FEN1
Document Created: 2015-12-18 13:09:11
Document Modified: 2015-12-18 13:09:11
Category		Regulatory Information
Collection		Federal Register
sudoc Class		AE 2.7: GS 4.107: AE 2.106:
Publisher		Office of the Federal Register, National Archives and Records Administration
Section		Notices
Action		Compliance Bulletin.
Dates		This bulletin is effective February 25, 2015 and applicable beginning January 27, 2015.
Contact		Christopher Young, Managing Senior Counsel and Chief of Staff, (202) 435-7408, Office of Supervision Policy.
FR Citation		80 FR 10072