The Consumer Financial Protection Bureau (CFPB) has made waves lately, applying increased scrutiny to areas such as auto lending and account fees for college-student banking. Given the CFPB’s wide license to oversee and enforce the consumer financial laws, financial institutions may be wondering where the CFPB will move next.
The CFPB holds broad authority, and confusion may exist as to where that authority ends and other agencies’ authority begins. For instance, does the CFPB have any say in how financial institutions run their BSA/AML compliance programs? Moreover, when investigating potential violations of the consumer financial laws, can the CFPB require disclosure of a suspicious activity report (SAR) or information that would reveal a SAR’s existence?
For example, a CFPB investigator might request a bank to provide information about a SAR regarding a bank customer the CFPB is investigating. What if the CFPB does make such a request?
As those in the financial industry know, the unauthorized release of a SAR, or any information revealing the existence of a SAR, can result in severe civil and criminal penalties. However, one exception requires disclosure in response to requests from regulatory/supervisory agencies having authority to examine the financial institution for BSA compliance.
The CFPB is an independent bureau within the Federal Reserve System. It was created by merging the consumer financial regulatory departments of several agencies, including the OCC, FDIC and National Credit Union Administration (NCUA). The Federal Reserve’s Board of Governors, OCC, FDIC and NCUA all have authority to examine financial institutions for BSA compliance, making them appropriate requestors of SAR-related information from the entities they examine. Thus confusion often exists regarding whether the CFPB, a bureau of the Federal Reserve System created from these BSA-examining agencies, is also a proper requestor of SAR-related material.
Looking to the CFPB’s enabling statutes, it oversees the “federal consumer financial laws.” The BSA is not in substance or focus a federal consumer financial law. Further, the list of consumer financial laws over which the Dodd-Frank Act grants the CFPB administrative authority does not include the BSA. Finally, the CFPB does not examine financial institutions for BSA compliance.
As a result, the CFPB is likely not a proper requestor of a SAR, or any information that may reveal the existence of a SAR. The CFPB may not agree, given its position that even attorney-client privileged communications are fair game. However, financial institutions would do well to require a court to compel the production of SAR-related information to the CFPB, given the risks and penalties associated with unauthorized disclosure.
 12 U.S.C. §§ 5481–5603 (2010).
 In addition, the statutes explicitly state that the CFPB may not require financial institutions to disclose to consumers “any information collected … for the purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct … [or] any information required to be kept confidential by any other provision of law.” 12 U.S.C. § 5533(b)(2)–(3).