Skip to Content


Compliance Bulletin-Treatment of Confidential Supervisory Information

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document including its time on Public Inspection. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 10072


Bureau of Consumer Financial Protection.


Compliance Bulletin.


The Bureau of Consumer Financial Protection (CFPB) is issuing a compliance bulletin entitled “Treatment of Confidential of Supervisory Information” as a reminder that, with limited exceptions, persons in possession of confidential information, including confidential supervisory information (CSI), may not disclose such information to third parties.


This bulletin is effective February 25, 2015 and applicable beginning January 27, 2015.

Start Further Info


Christopher Young, Managing Senior Counsel and Chief of Staff, (202) 435-7408, Office of Supervision Policy.

End Further Info End Preamble Start Supplemental Information


I. Introduction

The CFPB issues this compliance bulletin as a reminder that, with limited exceptions, persons in possession of confidential information, including CSI, may not disclose such information to third parties.[1] More particularly, this bulletin:

1. Sets forth the definition of CSI;

2. Provides examples of CSI;

3. Highlights certain legal restrictions on the disclosure of CSI; and

4. Explains that private confidentiality and non-disclosure agreements (NDAs) neither alter the legal restrictions on the disclosure of CSI nor impact the CFPB's authority to obtain information from covered persons [2] and service providers [3] in the exercise of its supervisory authority.

II. Compliance Bulletin

The CFPB has supervisory authority over certain covered persons, including very large depository institutions, credit unions and their affiliates; [4] certain nonbanks; [5] and service providers [6] (collectively, supervised financial institutions).[7] Many supervised financial institutions became subject to federal supervision for the first time under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).[8]

Pursuant to authority granted under the Dodd-Frank Act,[9] the CFPB has issued regulations that govern the use and disclosure of CSI.[10] The CFPB expects all supervised financial institutions to know and comply with the regulations governing CSI, and provides the following guidance to assist with such compliance.

A. Definition of CSI

Under the CFPB's regulations, “confidential supervisory information” means:

  • Reports of examination, inspection and visitation, non-public operating, condition, and compliance reports, and any information contained in, derived from, or related to such reports;
  • Any documents, including reports of examination, prepared by, or on behalf of, or for the use of the CFPB or any other Federal, State, or foreign government agency in the exercise of supervisory authority over a financial institution, and any supervision information derived from such documents;
  • Any communications between the CFPB and a supervised financial institution or a Federal, State, or foreign government agency related to the CFPB's supervision of the institution;
  • Any information provided to the CFPB by a financial institution to enable the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, or to assess whether an institution should be considered a covered person, as that term is defined by 12 U.S.C. 5481, or is subject to the CFPB's supervisory authority; and/or
  • Information that is exempt from disclosure pursuant to 5 U.S.C. 552(b)(8).[11]

CSI does not include documents prepared by a financial institution for its own business purposes and that the CFPB does not possess.[12]

B. Examples of CSI

Supervised financial institutions and other persons that may come into possession of CSI should understand what constitutes CSI in order to comply with the applicable rules.[13] Examples of CSI include, but are not limited to:

  • CFPB examination reports and supervisory letters;
  • All information contained in, derived from, or related to those documents, including an institution's supervisory Compliance rating;
  • Communications between the CFPB and the supervised financial institution related to the CFPB's examination of the institution or other supervisory activities; and
  • Other information created by the CFPB in the exercise of its supervisory authority.Start Printed Page 10073

Thus, CSI includes any workpapers or other documentation that CFPB examiners have prepared in the course of an examination. CSI also includes supervisory information requests from the CFPB to a supervised financial institution, along with the institution's responses. In addition, any CFPB supervisory actions, such as memoranda of understanding between the CFPB and an institution, and related submissions and correspondence, are CSI.

C. Disclosure of Confidential Information Generally Prohibited

Subject to limited exceptions, supervised financial institutions and other persons in possession of CSI of the CFPB may not disclose such information.[14]

D. Exceptions to General Prohibition on Disclosure of CSI

There are certain exceptions to the general prohibition against disclosing CSI to third parties. A supervised financial institution may disclose CSI of the CFPB lawfully in its possession to:

  • Its affiliates;
  • Its directors, officers, trustees, members, general partners, or employees, to the extent that the disclosure of such CSI is relevant to the performance of such individuals' assigned duties;
  • The directors, officers, trustees, members, general partners, or employees of its affiliates, to the extent that the disclosure of such CSI is relevant to the performance of such individuals' assigned duties;
  • Its certified public accountant, legal counsel, contractor, consultant, or service provider.[15]

Supervised financial institutions may also in certain instances disclose CSI to others with the prior written approval of the Associate Director for Supervision, Enforcement, and Fair Lending, or his or her delegee (Associate Director).[16] The recipient of CSI shall not, without the prior written approval of the Associate Director, utilize, make, or retain copies of, or disclose CSI for any purpose, except as is necessary to provide advice or services to the supervised financial institution or its affiliate.[17] Moreover, any supervised financial institution or affiliate disclosing CSI shall take reasonable steps as specified in the regulations to ensure that the recipient complies with the rules governing CSI.[18]

Confidential information made available by the CFPB pursuant to 12 CFR part 1070 remains the property of the CFPB. There are other important requirements relating to the disclosure of confidential information, including disclosure pursuant to third-party legally enforceable demands, such as subpoenas or Freedom of Information Act requests. Among a number of other requirements, a recipient of a demand for confidential information must inform the CFPB's General Counsel of the demand.[19]

E. NDAs Do Not Supersede Federal Legal Requirements

The CFPB recognizes that some supervised financial institutions may have entered into third-party NDAs that, in part, purport to: (1) Restrict the supervised financial institution from sharing certain information with a supervisory agency; and/or (2) require the supervised financial institution to advise the third party when the institution shares with a supervisory agency information subject to the NDA. However, such provisions in NDAs between supervised financial institutions and third parties do not alter or limit the CFPB's supervisory authority or the supervised financial institution's obligations relating to CSI.

A supervised financial institution should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority. The CFPB has the authority to require supervised financial institutions and certain other persons to provide it with reports and other information to conduct supervisory activities, pursuant to the Dodd-Frank Act.[20] Failure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies.[21]

In addition, a supervised financial institution may risk violating the law if it relies upon provisions of an NDA to justify disclosing CSI in a manner not otherwise permitted. As noted above, any disclosure of CSI outside of the applicable exceptions would require the prior written approval of the Associate Director for Supervision, Enforcement, and Fair Lending (or his or her delegee).[22]

Supervised financial institutions should contact appropriate CFPB supervisory personnel with any questions regarding this Bulletin.

III. Regulatory Requirements

This compliance bulletin provides nonbinding guidance on matters including limitations on disclosure of CSI under applicable law. It is therefore exempt from the notice and comment rulemaking requirements under the Administrative Procedure Act pursuant to 5 U.S.C. 553(b). Because no notice of proposed rulemaking is required, the Regulatory Flexibility Act does not require an initial or final regulatory flexibility analysis.[23] In addition, the CFPB has determined that this bulletin summarizes existing requirements and does not establish any new nor revise any existing recordkeeping, reporting, or disclosure requirements on covered entities or members of the public that would be collections of information requiring OMB approval under the Paperwork Reduction Act.[24]

Start Signature

Dated: February 2015.

Richard Cordray,

Director, Bureau of Consumer Financial Protection.

End Signature End Supplemental Information


1.  “Confidential information” means “confidential consumer complaint information, confidential investigative information, and confidential supervisory information, as well as any other CFPB information that may be exempt from disclosure under the Freedom of Information Act pursuant to 5 U.S.C. 552(b). Confidential information does not include information contained in records that have been made publicly available by the CFPB or information that has otherwise been publicly disclosed by an employee with the authority to do so.” 12 CFR 1070.2(f). CSI, the focus of this bulletin, is but one type of confidential information. See 12 CFR 1070.2(i) (defining “confidential supervisory information”).

Back to Citation

2.  “Covered person[s]” include “(A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described [in (A)] if such affiliate acts as a service provider to such person.” 12 U.S.C. 5481(6).

Back to Citation

3.  “Service provider” means “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that—(i) participates in designing, operating, or maintaining the consumer financial product or service; or (ii) processes transactions relating to the consumer financial product or service (other than unknowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes) . . . . The term `service provider' does not include a person solely by virtue of such person offering or providing to a covered person—(i) a support service of a type provided to businesses generally or a similar ministerial service; or (ii) time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.” 12 U.S.C. 5481(26).

Back to Citation

5.  Under 12 U.S.C. 5514, the CFPB has supervisory authority over all nonbank covered persons offering or providing three enumerated types of consumer financial products or services: (1) Origination, brokerage, or servicing of consumer loans secured by real estate, and related mortgage loan modification or foreclosure relief services; (2) private education loans; and (3) payday loans. 12 U.S.C. 5514(a)(1)(A), (D), (E). The CFPB also has supervisory authority over “larger participant[s] of a market for other consumer financial products or services,” as the CFPB defines by rule. 12 U.S.C. 5514(a)(1)(B), (a)(2). Additionally, the CFPB has the authority to supervise any nonbank covered person that it “has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity . . . to respond[,] . . . is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” 12 U.S.C. 5514(a)(1)(C).

Back to Citation

7.  “Financial institution” means “any person involved in the offering or provision of a `financial product or service,' including a `covered person' or `service provider,' as those terms are defined by 12 U.S.C. 5481.” 12 CFR 1070.2(l). “Supervised financial institution” means “a financial institution that is or that may become subject to the CFPB's supervisory authority.” 12 CFR 1070.2(q).

Back to Citation

10.  See 12 CFR part 1070. In addition to the confidentiality protections afforded by the CFPB's regulation, CSI may also be subject to other laws regarding disclosure, including the bank examination or other privileges, privacy laws, and other restrictions.

Back to Citation

13.  See generally 12 CFR 1070.

Back to Citation

14.  See 12 CFR 1070.41(a) (providing that “[e]xcept as required by law or as provided in this part, no . . . person in possession of confidential information[] shall disclose such confidential information by any means (including written or oral communications) or in any format (including paper and electronic formats), to: (1) [a]ny person who is not an employee, contractor, or consultant of the CFPB; or (2) [a]ny CFPB employee, contractor, or consultant when the disclosure of such confidential information . . . is not relevant to the performance of the employee's, contractor's, or consultant's assigned duties”); see also 12 CFR 1070.42(b) (setting forth exceptions relating to the disclosure of “confidential supervisory information of the CFPB” which is “lawfully in [the] possession” of any “supervised financial institution”).

Back to Citation

21.  See 12 U.S.C. 5536(a)(2) (making it unlawful for a supervised financial institution “to fail or refuse, as required by Federal consumer financial law, or any rule or order issued by the CFPB thereunder—(A) to permit access to or copying of records; . . . or (C) to make reports or provide information to the Bureau.”).

Back to Citation

22.  See 12 CFR 1070.42(b)(2)(ii).

Back to Citation

23.  5 U.S.C. 603(a), 604(a).

Back to Citation

[FR Doc. 2015-03791 Filed 2-24-15; 8:45 am]