Is your financial institution or company subject to the Consumer Financial Protection Bureau’s (CFPB) supervision? If so, take note of a recent bulletin warning supervised entities – both banks and non-banks – about the treatment of confidential supervisory information.

There are two main takeaways from the bulletin:

  • Disclosure of confidential supervisory information (CSI) is prohibited, with limited exceptions.

The CFPB broadly defines CSI in its bulletin. Not surprisingly, the CFPB takes the position that its examination and compliance reports are CSI, but it also considers any information derived from these reports to be CSI. The bulletin also declares CSI to include communications related to the CFPB’s supervision. What is more surprising, perhaps, is the position that even information provided to the CFPB may be CSI when the CFPB is monitoring risks to consumers or determining whether the entity is subject to the CFPB’s supervisory authority.

Disclosure of CSI is expressly prohibited except in a few situations. Disclosure is permitted to organizational employees, directors and the like (where relevant to duties); to affiliates and service providers; and to accountants, consultants and attorneys hired by the supervised entity. If these exceptions do not apply, a supervised entity can request permission from the CFPB to disclose the CSI.

A logical question that arises from this bulletin is “what happens when you have a subpoena requesting documents that are considered CSI?” The bulletin addresses this issue, but unfortunately does not provide much guidance beyond stating the following: “Among a number of other requirements, a recipient of a demand for confidential information must inform the CFPB’s General Counsel of the demand.” It remains to be seen how this requirement will work in practice.

  • Non-disclosure agreements (NDAs) with third parties are not grounds to withhold information sought by the CFPB.

The CFPB also takes aim at NDAs. The bulletin instructs that “[a] supervised financial institution should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority.” In fact, the CFPB warned it will pursue “all available remedies” against supervised entities attempting to wield an NDA as a shield. As a practical matter, this might place supervised entities in a catch-22 situation: Either violate the NDA’s express terms or withhold the information and face penalties from the CFPB. As supervised entities execute future NDAs, they should consider crafting language in the NDA that takes the CFPB’s position into account.

The bulletin clearly states that it is nonbinding guidance. Nonetheless, it would be wise to heed CFPB’s warning that noncompliance with these provisions will have consequences.