Navigating the Complexities of CSI
In an era of increased oversight, regulatory agencies have taken a greater interest in standardizing the conduct of financial institutions. An area of ongoing interest is the protection of confidential supervisory information (CSI), a term used by the banking agencies to refer to information that is prepared by, on behalf of, or for the use of financial regulatory agencies, including state or federal banking supervisors. CSI extends to information related to an examination, inspection, or other visitation of an institution. Each of the regulators has issued rules that govern the disclosure of CSI by “supervised financial institutions.”
Agencies have a longstanding history of controlling disclosure of CSI, which is the property of the regulator. The Office of the Comptroller of the Currency (OCC) and the Board of Governors of the Federal Reserve System (the Fed) issued guidance, respectively, nearly 20 years ago, including criminal penalties for violations. In 2005, the regulators enhanced efforts to protect their CSI when the Fed, OCC, and Federal Deposit Insurance Corporation (FDIC) released coordinated guidance in response to growing concerns of improper disclosure of CSI (12 CFR § 261.20(b)(1)). For example, except as permitted by regulation, Fed-related CSI may only be disclosed based on the prior written consent of the Fed’s general counsel. The regulation outlines a detailed approval procedure and imposes consequences for mismanagement of the information. Similarly, guidance from the Consumer Financial Protection Bureau (CFPB) explicitly states “that, with limited exceptions, persons in possession of confidential information, including confidential supervisory information, may not disclose such information to third parties.”
At least as early as 1997, the Federal Reserve Bank expressed concerns regarding the potential for improper disclosure of CSI by various financial institutions within its jurisdiction.
While it is well understood that CSI requires diligent protection, the process by which banks and their advisers access and analyze CSI may be less so. Proper compliance with CSI regulations requires a general understanding of the regulatory history, as well as applicable procedures and processes. While the procedures can be cumbersome, with enhanced understanding of CSI requirements, financial institutions and their advisers can better operate under the existing regulatory regime. We outline key provisions relevant to CSI protection and management and make suggestions for improvements to the current system. Increased awareness coupled with pointed reform will aid regulatory agencies in ensuring that CSI is properly understood and protected.
CSI Regulatory History and Intent
The CSI regulations issued by the banking regulators represent a longstanding effort to safeguard against disclosure of important nonpublic supervisory and enforcement information and activity. At least as early as 1997, the Fed expressed concerns regarding the potential for improper disclosure of CSI by financial institutions within its jurisdiction. In a Circular, the Fed defined “confidential supervisory information” as:
... [R]eports of examination and inspection, confidential operating and condition reports, and any information derived from, relating to, or contained in them. ‘Confidential supervisory information’ may consist of documents prepared by, on behalf of, or for the use of the Board [of Governors, or] a Reserve Bank.... (12 CFR § 261.2(b))
The Circular further designated as CSI all information contained in various reports, “including an institution’s supervisory rating, such as BOPEC, CAMELS or ROCA.” (Note: This quotation makes reference to common banking rating and assessment systems, which are defined as follows: BOPEC (Bank subsidiaries, Other subsidiaries, Parent, Earnings, Capital); CAMEL (Capital adequacy, Asset quality, Management, Earnings, and Liquidity); and ROCA (Risk management, Operational controls, Compliance and Asset quality).
In addition to defining CSI, the Fed outlined the procedure for resolving ambiguities in the classification of CSI and noted that questions about the scope and nature of CSI “should be addressed to the Reserve Bank before any public disclosure of the information is made.”
Most notably, the Fed made clear that it owns CSI: “All confidential supervisory information is the property of the Board of Governors of the Federal Reserve System, and may be used only as the Board of Governors permits.” The Circular went on to broadly define the appropriate scope of and limitations with respect to disclosure of CSI. Finally, it identified the consequences of failing to comply with the requirements, which included formal supervisory action and the potential imposition of “substantial” civil penalties.
In the years following the Circular’s release, regulatory agencies remained concerned about CSI. To address these concerns, in February 2005 the Fed, OCC, and FDIC issued the Interagency Advisory on the Confidentiality of the Supervisory Rating and Other Nonpublic Supervisory Information (Interagency Advisory). Mirroring the Circular’s language, the Interagency Advisory noted “financial institutions are prohibited by law from disclosing their CAMELS or RFI rating and other nonpublic supervisory information to nonrelated third parties without written permission from the appropriate federal banking agency.”
The principles of the Circular and the Interagency Advisory were combined and codified by the Fed in its regulations (12 CFR § 261.20). These regulations establish a broad framework, which includes the following provisions:
Any “supervised financial institution” lawfully in possession of confidential supervisory information may disclose such information to its directors, officers, and employees and to its parent holding company and its directors, officers, and employees.
Supervised financial institutions may disclose CSI to certified public accountants or legal counsel that they employ, provided that accountants and/or counsel review the information at the institution and refrain from making or retaining copies for their files.
Any person who is not included in the class of permissible recipients and who seeks access to confidential supervisory information about a state member bank, a bank or financial holding company, a savings and loan holding company, or another entity supervised by the Fed must file a request for disclosure with the general counsel of the Fed, following the requirements set forth in 12 CFR § 261.22.
If an examination is conducted jointly with state banking regulators, the report of examination is owned jointly by both regulators. As such, written permission to disclose confidential supervisory information about that examination must be obtained from the state banking department in addition to the Fed.
The CFPB issued its own CSI guidance that was codified in 2012 in 12 CFR § 1070, which governs the disclosure of its records and information. Like the traditional banking regulators, under the CFPB rules, any regulated entity “lawfully in the possession of CFPB CSI” is permitted to provide the information to its “directors, officers, trustees, members, general partners, or employees, to the extent that the disclosure is relevant to the performance of each individual’s assigned duties.” Unlike other regulators, however, the CFPB defined CSI quite expansively in 12 CFR § 1070.2, to include:
Any documents, including reports of examination, prepared by, on behalf of, or for the use of the CFPB or any other Federal, State, or foreign government agency in the exercise of supervisory authority over a financial institution, and any information derived from such documents;
Any communications between the CFPB and a supervised financial institution or a Federal, State, or foreign government agency related to the CFPB’s supervision of the institution; and
Any information provided to the CFPB by a financial institution to enable the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered person, as that term is defined by 12 U.S.C. 5481, or is subject to the CFPB’s supervisory authority….
In August 2016, the CFPB proposed several modifications to its CSI rules as it relates to the parties with whom CSI can be shared.13 Notably, as set forth in the October 2016 letter from TCH, the American Bankers Association, the Consumer Bankers Association, the Financial Services Roundtable, the Housing Policy Council, and the U.S. Chamber of Commerce (the Associations), the CFPB appears poised to expand its authority to share CSI with third parties, arguably in excess of its statutory authority and without providing appropriate safeguards to prevent broad disclosure (“Information,” 81 Fed. Reg. 58310 (Aug. 24, 2016) (“Proposal”)). Under the existing regulation, the CFPB is only permitted to share CSI with a federal or state agency that has supervisory authority over a financial institution. As such, state attorneys general are often preempted from receiving CSI from financial institutions that are supervised by a federal agency. In the proposed amendments to its regulations, the definition of “agency” would be expanded to allow the CFPB to share CSI with a host of additional entities, including “foreign regulators and certain entities that exercise governmental authority, such as registration and disciplinary organizations like state bar associations” (12 C.F.R. § 1070.43(b)). A final rule has not been published as of the date of this article.
In a proposed amendment, the CFPB would broadly be permitted to share CSI with any agencies “having jurisdiction” over a person or service provider.
Notwithstanding the CFPB’s attempt to expand its ability to disclose CSI, regulators remain serious about protecting CSI from unauthorized disclosure. This was made clear in the matter of Goldman Sachs employee Joseph Jiampietro, in which stolen CSI was allegedly used to generate profits (Proposal at 58311). In August 2016, as a result of the misuse of its then employees, the Fed ordered Goldman Sachs Group to pay a $36.3 million civil money penalty for its unauthorized use and disclosure of CSI. The order also required Goldman to “implement an enhanced program to ensure the proper use of confidential supervisory information.” The Fed also barred the former Goldman Sachs employee from the banking industry. It is also worth noting that among the CFPB’s proposed rules is a new affirmative requirement for “any person in possession of confidential information,” including financial institutions, to notify the CFPB in the event of an unlawful disclosure of CSI “upon the discovery of any disclosure” (Proposed 12 C.F.R. § 1070.47(g)). Under the existing rule, there is no specific requirement for notification, and no requirements whatsoever for those merely “in possession” of CSI.
Disclosures to Outside Advisers
The variation among the regulators in their requirements regarding the protection of CSI is most apparent in the rules regarding the ability of institutions to disclose CSI to outside advisers. Whereas under 12 CFR § 261.20(g), the Fed requires explicit prior written application and approval by the Fed’s General Counsel for any disclosure of CSI – including to outside advisers – the OCC permits disclosure to certain categories of individuals, such as outside counsel or independent auditors, without requiring prior written approval (12 CFR § 4.37). The OCC also permits disclosure of OCC CSI as long as the consultant is under a written contract.22 (“A national bank, Federal savings association, or holding company or a director, officer, or employee thereof, may also release non-public OCC information to a consultant under this paragraph if the consultant is under a written contract to provide services to the bank or Federal savings association….”). Under the OCC’s rules, the contract with the consultant must include language that “states [the consultant’s] awareness of, and agreement to comply with, the prohibition on the dissemination of nonpublic OCC CSI, and [that the consultant] agrees not to use the non-public OCC CSI for any purpose other than as provided” within the scope of its engagement with the bank or Federal savings association. The reasons for the OCC’s outside consultant exception are not clear from the public record.
The FDIC has issued its own CSI guidelines, which permits disclosure to only the following persons:
Directors, officers, employees, or agents of the regulated entity who have a need for such records in the performance of their official duties;
External auditors; and Other persons, with the prior written approval of the FDIC.
Similar to the OCC guidelines, but narrower in scope, the FDIC provision 12 CFR § 309.6 noticeably omits attorneys from the category of persons presumed to be entitled to access to CSI. The CFPB, on the other hand, permits disclosure of CSI to “certified public accountant[s], legal counsel, contractor[s], consultant[s] or service provider[s],” by excepting these individuals from the general prohibition on disclosure or CSI. Notably, under the CFPB’s rules, “[a] supervised financial institution may disclose CSI of the CFPB lawfully in its possession” to such persons without prior approval from the CFPB (12 CFR § 1070.42(b)). Thus, while certain provisions make allowance for the disclosure of CSI to certain advisers, there is a lack of consistency across the regulators, which could potentially prove problematic.
Over the coming years, regulators and financial institutions will need to reach a reasoned understanding of the importance of proper management of CSI.
The Fed and FDIC procedures applicable to lawyers and consultants are particularly difficult in an age in which lawyers and consultants play a much larger role in regulatory compliance than they did when the rules were enacted before the financial crisis. The ability of consultants and lawyers to review materials off-site lacks standardization because the rules allow for off-site analysis on a case-by-case basis and vary depending upon the supervisory staff assigned to each institution (12 CFR § 261.20(e)). Despite their different approaches to advisers, each of the Fed’s, the FDIC’s, and the OCC’s regulations make clear the seriousness with which each agency regards the proper protections for CSI.
A Proposed Solution
Most pressingly, all supervised financial institutions should again be made aware of the requirements and procedures outlined in the relevant provisions governing CSI. Though the standards have previously been promulgated, it would be worthwhile for federal agencies to reaffirm their commitment to proper management of CSI by publishing updated guidance that provides a clear and consistent approach regarding the scope of CSI as well as the appropriate course of conduct for their supervised financial institutions with respect to the protection and limited sharing of CSI. The regulatory agencies should facilitate open dialogue on the issue to ensure that regulators, institutions, and industry professionals are all speaking the same language.
The success of the system also requires buy-in from the institutions to which the regulations apply. Financial institutions must play an active role in ensuring their adherence to existing standards. They should take care to consider the requirements of the regulations as applied to their specific institutions. Furthermore, they should assess their current procedures for CSI management and give special consideration to potential changes in process and procedure that could help ensure and enhance compliance.
Regulatory agencies may wish to consider the following changes to 12 CFR § 261.20 and 12 CFR § 309.6 to streamline CSI requirements across agencies and improve compliance with the existing procedures. At the outset, the OCC, Fed, and FDIC should consider updating their regulations to mirror the exclusion for attorneys and advisers found in the CFPB’s rules. If the regulators are reluctant to implement such an exclusion, as an alternative they could implement a standardized short form or expedited review process that institutions may use to request the release of CSI to outside advisers. The short form would require only basic details of the circumstances requiring disclosure of the CSI. Further, it would be completed with the presumption that disclosure is acceptable absent evidence justifying nondisclosure.
Similarly, the regulators could implement expedited review mechanisms, which would allow outside advisers to gain access to CSI quickly to satisfy various business needs. Taking into consideration the protections offered by the attorney-client privilege, it may be possible to implement an expedited approval process, which would streamline and standardize the approval process because of the unique advisory role played by attorneys and other essential advisers.
Finally, the regulators may wish to consider updating the requirements regarding the protection and limited sharing of CSI to reflect the way in which information is collected, reviewed, and stored in the 21st century. The regulations reflect protections appropriate for physical materials and have not been updated to account for the shift to the use and maintenance of electronic materials. For example, the Fed’s requirement that certain parties may review CSI only “on-premises” makes little sense in the digital age.
The stakes of noncompliance with the existing regulations are high. Increased awareness ensures that the institutions to which the rules apply are fully aware of what is expected of them. Furthermore, the availability of a less cumbersome process for disclosing CSI to advisers ensures that regulated institutions are able to honor regulators’ expectations while still being responsive to demands of the fast-paced financial market. Over the coming years, regulators and financial institutions will need to reach a reasoned understanding of the importance of proper management of CSI in light of technological advances in information gathering and retention, as well as the realities of the increasingly complex regulatory framework under which institutions are, more than ever, relying on attorneys and consultants to help enhance their compliance with this new regulatory architecture. Achieving success is predicated on all parties having a true understanding of what is at stake.