Skip to Content

We invite you to try out our new beta eCFR site at https://ecfr.federalregister.gov. We’ve made big changes to make the eCFR easier to use. Be sure to leave feedback using the 'Feedback' button on the bottom right of each page!

Rule

Amendments Relating to Disclosure of Records and Information

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Enhanced Content

Relevant information about this document from Regulations.gov provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 75194

AGENCY:

Bureau of Consumer Financial Protection.

ACTION:

Final rule.

SUMMARY:

This final rule amends the Bureau's rule regarding the confidential treatment of information obtained from persons in connection with the exercise of its authorities under Federal consumer financial law.

DATES:

This final rule is effective December 24, 2020.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

David Snyder, Senior Counsel, Legal Division, 202-435-7758. If you require this document in an alternative electronic format, please contact CFPB_Accessibility@cfpb.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

The Bureau of Consumer Financial Protection (Bureau) was established by title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111-203, codified at 12 U.S.C. 5301 et seq.) (Dodd-Frank Act). The Dodd-Frank Act, among other things, directed the Bureau to “prescribe rules regarding the confidential treatment of information obtained from persons in connection with the exercise of its authorities under Federal consumer financial law.” 12 U.S.C. 5512(c)(6)(A).

In order to establish safeguards for protecting the confidentiality of information, as well as procedures for disclosing information as appropriate, the Bureau published an interim final rule on July 28, 2011, 76 FR 45371 (Jul. 28, 2011), followed by a final rule on February 15, 2013, 78 FR 11483 (Feb. 15, 2013). The Bureau also made limited revisions to the rule during that period, related to the treatment of privileged information. See Notice of Proposed Rulemaking, Confidential Treatment of Privileged Information, 77 FR 15286 (Mar. 15, 2012); Final Rule, Confidential Treatment of Privileged Information, 77 FR 39617 (July 5, 2012).

Based on its experience over the previous several years, the Bureau published a notice of proposed rulemaking on August 24, 2016, 81 FR 58310 (Aug. 24, 2016), that proposed to amend the rule to clarify, correct, and amend certain provisions of the rule, and it solicited comments on the proposal. The Bureau issued a final rule on September 12, 2018, 83 FR 46075 (Sept. 12, 2018), that pertained to the portions of the Bureau's proposal related to the Freedom of Information Act, 5 U.S.C. 552, the Privacy Act of 1974, 5 U.S.C. 552a, and requests for Bureau information in legal proceedings. The Bureau now issues this final rule to address the portions of its proposal regarding the confidential treatment of information obtained from persons in connection with the exercise of its authorities under Federal consumer financial law.

II. Summary of the Final Rule

The final rule revises subparts A and D of section 1070 of title 12 of the Code of Federal Regulations.

The revisions to subpart A address definitions of terms that are used throughout the remainder of the part. The Bureau has revised several of these definitions to clarify their intended meanings as well as Bureau practices. The Bureau has also included one new definition and deleted one definition in the final rule. The Bureau declines to finalize one new definition, “agency,” which was proposed in the notice of proposed rulemaking.

The revisions to subpart D pertain to the protection and disclosure of confidential information that the Bureau generates and receives during the course of its work. Various provisions of the Dodd-Frank Act require the Bureau to promulgate regulations providing for the confidentiality of certain types of information and protecting such information from public disclosure. The Bureau has sought to provide the maximum protection for confidential information, while ensuring its ability to share or disclose information to the extent necessary to achieve its mission. The Bureau has included detailed procedures in its final rule in order to promote transparency regarding its practices and anticipated uses of confidential information.

The Bureau has sought to balance concerns regarding the need to protect confidential information, including sensitive personal information, business information, confidential investigative information (CII) and confidential supervisory information (CSI), against the need to use and disclose certain information in the course of its work or, as appropriate, the work of other agencies with overlapping statutory or regulatory authority.

The Bureau has revised subpart D to clarify, correct, and amend certain aspects of the rule based on its experience over the last several years. In response to comments, the Bureau has declined to finalize, or has further revised, several of the revisions initially proposed in its notice of proposed rulemaking. In particular, the Bureau has in part declined to finalize, and in part further revised, its proposal to address disclosure of confidential investigative information in § 1070.42. In addition, the Bureau has declined to finalize its proposal to revise its standard for discretionary disclosure of confidential supervisory information to partner agencies under § 1070.43(b)(1).

III. Overview of Comments Received

The Bureau received twenty-seven comment letters in response to the notice of proposed rulemaking. Twenty-three of the comments addressed its proposal related to the confidential treatment of Bureau information, including proposed definitions in subpart A and proposed revisions to subpart D.[1] Twelve of these comment letters were submitted on behalf of industry trade associations. Three of these comment letters came from public interest organizations; two comment letters from individual financial institutions; one comment letter from a consumer advocacy organization; one comment letter from a consulting organization; one comment letter from an individual; two comment letters from a member of Congress; and one comment letter from a group of State attorneys general.

Commenters generally expressed concerns about whether the rule, as proposed, would sufficiently protect sensitive information, including CSI. In particular, numerous commenters took issue with the Bureau's proposal to expand discretion under 12 CFR 1070.43(b) to disclose CSI to agencies that may not have “jurisdiction” over the supervised financial institution. Commenters also expressed concerns with a proposed new definition of “agency” in 12 CFR 1070.2, which they believed to be overly broad. Commenters expressed a variety of policy concerns with these proposals, and a number of commenters argued that the Bureau lacks statutory authority to make these revisions, disagreeing with the Bureau's interpretation of 12 U.S.C. 5512(c)(6), which was articulated in support of the proposal. One commenter expressed support for the Bureau expanding its discretion to disclose CSI.Start Printed Page 75195

A number of commenters also expressed concerns about a Bureau proposal to expand 12 CFR 1070.42 to address the Bureau's disclosure of CII in the course of its enforcement activities, and limitations on further disclosure of CII. Several of these commenters argued that the proposal's restrictions on further disclosure of CII would constitute a content-based restriction and a prior restraint on speech and would run afoul of the First Amendment's free speech protections. Commenters also articulated various reasons why a recipient of CII may need or want to further disclose CII.

Comment letters expressed various other concerns regarding the Bureau's proposal as well. These included concerns with, among other things, a proposal to eliminate a requirement that Bureau contractors and consultants provide written certification that they will comply with legal requirements associated with confidential information; a proposal that would have allowed the Bureau to disclose CSI or CII concerning a person to its service providers; proposed changes to Bureau procedures for processing requests from partner agencies for confidential information; a proposed change to procedures regarding Bureau disclosure of confidential information to Congress; a proposal that would have allowed the Bureau to disclose confidential information “related to” an administrative or court proceeding to which the Bureau is a party; and a proposal to require persons in possession of confidential information to report to the Bureau improper disclosures of confidential information.

IV. Legal Authority

The Bureau proposed the rule pursuant to its authority under (1) title X of the Dodd-Frank Act, 12 U.S.C. 5481 et seq., including (a) section 1022(b)(1), 12 U.S.C. 5512(b)(1); (b) section 1022(c)(6)(A), 12 U.S.C. 5512(c)(6)(A); and (c) section 1052(d), 12 U.S.C. 5562(d); (2) the Freedom of Information Act, 5 U.S.C. 552; (3) the Privacy Act of 1974, 5 U.S.C. 552a; (4) the Right to Financial Privacy Act, 12 U.S.C. 3401 et seq.; (5) the Trade Secrets Act, 18 U.S.C. 1905; (6) 18 U.S.C. 641; (7) the Paperwork Reduction Act, 44 U.S.C. 3501 et seq., and (8) the Federal Records Act, 44 U.S.C. 3101. The Bureau received no comments on the applicability of these statutes, and it promulgates the final rule pursuant to these authorities.

V. Section-by-Section Analysis

Part 1070—Disclosure of Records and Information

Subpart A—General Provisions and Definitions

Section 1070.2—General Definitions

Proposed Section 1070.2(a) Agency

In the notice of proposed rulemaking, the Bureau proposed adding a new definition, “agency,” which it proposed to include “a Federal, State, or foreign governmental authority or an entity exercising governmental authority.” The Bureau declines to finalize this proposal.

As previously drafted, § 1070.43 provided the Bureau with discretion to share confidential information with Federal or State agencies in certain circumstances. The proposed definition, combined with proposed revisions to §§ 1070.43 and 1070.45, was intended to clarify the Bureau's ability to share confidential information with a broader category of entities with whom the Bureau may at times collaborate in the course of carrying out its authorities under Federal consumer financial laws. The Bureau stated in its proposal that this could include registration and disciplinary organizations like State bar associations. Proposed revisions to § 1070.47 also expanded protections for confidential information disclosed under subpart D to include information shared with these additional entities. Finally, the Bureau proposed additional technical corrections throughout the rule to account for use of the new term.[2]

The Bureau received a number of comment letters regarding this proposed definition, with particular emphasis on its interaction with proposed revisions to § 1070.43 regarding the Bureau's discretionary disclosure of confidential information (including confidential supervisory information) to other agencies.[3] Commenters largely took issue with the proposed definition's inclusion of “entit[ies] exercising governmental authority,” though several expressed concerns regarding its inclusion of “foreign governmental authorit[ies]” as well.

Several commenters stated that the proposed definition was overly broad. Commenters expressed concerns that non-governmental entities may lack jurisdiction over the persons that initially provided information to the Bureau, and that foreign agencies may not be subject to United States law. For example, one comment letter, from a group of industry trade associations, criticized the proposal's inclusion of “entit[ies] exercising governmental authority” as “limitless;” it stated that the Bureau provided no limitation on its interpretation of the term, and suggested that, in addition to State bar associations, it could include medical societies, national associations of State regulatory bodies (such as insurance or utility commissioners), or municipal entities (such as housing or transportation authorities). Another commenter suggested that the term could include quasi-governmental organizations such as State or local task forces, boards, commissions, licensing bodies, ombudsmen, self-regulatory organizations, or courts. Two industry trade association commenters questioned how confidential information from financial institutions could be relevant to entities like State bar associations—such as where the institution does not engage in the practice of law, or where the entity would not generally have authority over financial institutions.

One comment letter, from an industry trade association, criticized the proposed definition as outside the intended and normal usage of the term “agency.” It argued that the term unambiguously means a governmental entity with legal authority to supervise and regulate the individual or company to whom confidential supervisory information relates, and the Bureau lacks authority to expand the definition to include entities that, in the commenter's view, are clearly not agencies. It stated that while a State bar association may exercise governmental authority, it is a non-governmental, voluntary professional membership organization, and is not an agency. The commenter also analogized that the term “agency,” when used in the regulatory context (such as in the Administrative Procedure Act, 5 U.S.C. 551) refers to entities with administrative legal authority, and that section 342(g) of the Dodd-Frank Act defines “agency” to refer to specific financial regulatory bodies.[4]

Several commenters expressed concerns about the Bureau's authority to promulgate the proposed definition. One comment letter, from an industry trade association, stated that there is no legislative history to support a conclusion that the Bureau has discretion to share confidential Start Printed Page 75196information with “entities exercising governmental authority.” Two comment letters, from an industry trade association and a group of industry trade associations, argued that 12 U.S.C. 5512(c)(6), which discusses Bureau disclosure of CSI to certain agencies, does not mention non-U.S. agencies or quasi-governmental authorities. One comment letter, from a member of Congress, suggested that the Bureau's proposed definition was meant to unlawfully expand its authority to share confidential supervisory information with entities that lack jurisdiction over the companies, including foreign regulators and entities that exercise governmental authority.

Several comment letters from industry trade associations argued that the Bureau's proposal provides insufficient rationale for, or clarity regarding, its proposed definition. One of these commenters suggested that sharing confidential supervisory information with non-regulatory or non-governmental entities is unnecessary for enforcement or supervisory purposes. Another commenter suggested that the Bureau publish a list of entities “exercising governmental authority,” and concrete examples about how the Bureau intends to share confidential information with them and how such sharing would advance the Bureau's purposes. This commenter also suggested that the Bureau provide more information regarding its procedures for sharing information with foreign agencies and create a procedure for institutions to challenge a proposed disclosure with a presumption in favor of nondisclosure.

The Bureau also received two comment letters, from a group of industry trade associations and an industry trade association, raising concerns that non-regulatory or non-governmental entities may have insufficient information security, protections, controls, or expertise to protect the Bureau's confidential information. A third comment letter, from a financial institution, expressed similar concerns that the disclosure of confidential information to such entities could unintentionally result in exposing the information to the public. One comment letter, from an industry trade association, suggested that the disclosure of confidential information to bar associations would lead to further disclosure to the plaintiffs' bar and use in litigation against the financial institution at issue.

One comment letter, from a group of industry trade associations, suggested that the proposed definition could raise tensions with other laws. It stated that the proposal would lead to financial institutions “effectively sharing information in a manner that is inconsistent” with Regulation P, 12 CFR part 1016, and the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., because it would enable certain entities to obtain data that they could not otherwise obtain from the financial institution itself. The commenter also suggested that the proposal would allow sharing of confidential information, including personally identifiable information about non-U.S. individuals, in a manner that could be inconsistent with non-U.S. privacy rules and other non-U.S. laws, though it did not identify specific laws or explain how the proposal would conflict.

Finally, one commenter expressed concern regarding the Bureau's inclusion of foreign regulators in its proposal, noting that the proposal differed from the Federal Trade Commission's (FTC's) practices, which include certain restrictions on disclosures to foreign governments.

In response to the comments received, the Bureau declines to include the proposed definition, “agency,” in the final rule. The Bureau likewise declines to finalize the technical corrections and renumbering proposed to account for the new definition. Any use of the word “agency(ies)” in subpart D will not be capitalized because the final rule does not define the term.

The proposal's inclusion of “entit[ies] exercising governmental authority” had been intended primarily to facilitate limited and occasional collaboration in the course of carrying out the Bureau's enforcement activities. However, the Bureau recognizes that the defined term's use in provisions that address its disclosure of confidential supervisory information could give the impression that the Bureau intends to disclose confidential supervisory information to these entities as well. The Bureau also recognizes that the potential breadth of the proposal could create uncertainty and undermine confidence that information provided to the Bureau will be used and protected appropriately. In light of the minimal benefit of finalizing the proposal, relative to these concerns and others expressed in the comments received, the Bureau declines to include this proposed text in the final rule.

The Bureau included “foreign governmental authorit[ies]” in the proposed definition because Bureau enforcement and supervisory activities occasionally require it to coordinate with foreign government regulators, such as where a transnational entity engages in related activities in multiple jurisdictions, or where an entity abroad interacts with U.S. consumers from a foreign location.

The Bureau disagrees with commenters' contention that it lacks statutory authority to promulgate a regulation that authorizes disclosure of confidential information to foreign regulators. The Bureau has broad authority under 12 U.S.C. 5512(c)(6)(A) to draft regulations regarding the confidential treatment of information that it obtains from persons in connection with the exercise of its authorities under Federal consumer financial laws. Even assuming that this rulemaking authority is restricted by section 5512(c)(6)(C)(ii)—which says the Bureau “may, in its discretion, furnish to a prudential regulator or other agency having jurisdiction over a covered person or service provider any other report or confidential supervisory information concerning such person examined by the Bureau under the authority of any other provision of Federal law”—disclosure to foreign regulators is consistent with this provision. First, section 5512(c)(6)(C)(ii) does not address, and thus does not limit disclosure of, confidential investigative information or other confidential information that is not CSI. Second, the provision's reference to “other agency having jurisdiction” is not expressly restricted to domestic agencies and can reasonably be read to include foreign agencies with jurisdiction over the supervised financial institution.

Nevertheless, while the Bureau believes that it has authority to disclose confidential information to foreign regulators, it declines to expressly address such disclosures in the rule because, historically, its need to make these disclosures has been extremely rare. Revising the regulation to allow disclosure of confidential information to foreign regulators under the Bureau's standard information-sharing processes addressed in § 1070.43 risks leaving a mistaken impression that such disclosures will take place with regularity.

Instead, in the event that the Bureau identifies a future need to share confidential information with a foreign regulator, and it cannot otherwise make the disclosure pursuant to subpart D, it will do so pursuant to § 1070.46, which permits the Bureau's director to authorize disclosure of confidential information other than as set forth in subpart D. The authorization must be in writing, must otherwise be permitted by law, and may not be delegated. See 12 CFR 1070.46(a), (c).

The Bureau recognizes that disclosure of confidential information to a foreign Start Printed Page 75197regulator warrants special considerations, such as the regulator's ability to protect the information under its country's laws. And to the extent that the confidential information includes sensitive information, such as privileged information, proprietary information, or consumers' personal information, the Bureau will take that into consideration as well and will appropriately limit the scope of its disclosure. The Bureau intends to exercise its discretion to disclose confidential information to foreign regulators with caution, subject to appropriate confidentiality assurances and only when needed to support Bureau mission needs such as enhancing consumer protection. Limiting such disclosures to the Director's authority under § 1070.46 reflects this commitment by requiring decision-making to take place at the Bureau's highest level.

For the aforementioned reasons, the Bureau declines to finalize the proposed definition of “agency.”

Section 1070.2(a) Associate Director for Supervision, Enforcement and Fair Lending

The Bureau proposed adding a new definition for “Associate Director for Supervision, Enforcement and Fair Lending” in order to clarify the meaning of a term already used in the rule, as well as several times in the proposed revisions to the rule. The Bureau received no comments regarding this proposal, and it finalizes the proposal without modification.

Former Section 1070.2(e) Civil Investigative Demand Material

Former § 1070.2(e) defined the term “civil investigative demand material.” The Bureau proposed eliminating this definition and instead incorporating it into the definition of “confidential investigative information” in § 1070.2(h). The Bureau explained that, because the term “civil investigative demand material” only arose in the rule in § 1070.2(h), the separate definition was unnecessary. The Bureau received no comments regarding the elimination of this definition, and it finalizes the proposal without modification.[5]

Section 1070.2(f) Confidential Information

Section 1070.2(f) defines the term “confidential information.” Confidential information refers to three defined categories of non-public information—confidential consumer complaint information, confidential investigative information, and confidential supervisory information—as well as other Bureau information that may be exempt from disclosure pursuant to one or more of the statutory exemptions to the FOIA.

Confidential information does not include information contained in records that have been made publicly available or otherwise publicly disclosed by the Bureau. The Bureau proposed revising the definition to clarify that such appropriate disclosures may be made by either Bureau employees or other authorized agents of the Bureau. An unauthorized disclosure of information would not affect the information's confidentiality.

In addition, the Bureau proposed revising the definition to clarify that confidential information disclosed to a third party in accordance with subpart D shall remain the Bureau's confidential information.

The Bureau received no comments regarding this proposal, and it finalizes the proposal without modification.

Section 1070.2(g) Confidential Consumer Complaint Information

Section 1070.2(g) defines the term “confidential consumer complaint information.” The Bureau proposed expanding the definition to include any information received or generated by the Bureau through processes or procedures established under 12 U.S.C. 5493(b)(3). The Bureau has found that its Consumer Response system at times receives misdirected complaints for which it lacks authority to act, or complaints submitted by companies rather than consumers. The proposed revision was intended to clarify that any complaints submitted to the Bureau through its Consumer Response system, and any information generated therein, are similarly classified under its confidentiality rules and subject to the same confidentiality protections. The proposal did not alter the prior text which limits confidential consumer complaint information to only include information that is exempt from disclosure pursuant to 5 U.S.C. 552(b).

One comment letter, from an industry trade association, expressed support for this proposal, which it described as an important safeguard for companies that may be named erroneously in consumer complaints submitted to the Bureau.

The Bureau finalizes the proposal without modification.

Section 1070.2(h) Confidential Investigative Information

Section 1070.2(h) defines the term “confidential investigative information.” As discussed above with respect to former § 1070.2(e), the Bureau proposed incorporating the definition of “civil investigative demand material” into § 1070.2(h). In addition, we proposed revising the term to clarify that confidential investigative information includes any information obtained or generated in the course of Bureau enforcement activities, including general investigative activities that may not pertain to a specific institution. The Bureau also proposed replacing § 1070.2(h)(2)'s reference to “materials” with “documents, materials, or records” in order to parallel similar language in the definition of “confidential supervisory information” at § 1070.2(i)(2).

An industry trade association criticized this proposal, alleging that it would “greatly expand” the definition of CII. The trade association argued that the revision would now include any information that may reveal the existence of communication between the Bureau and a company in the enforcement context, including the existence of a civil investigative demand (CID). The commenter expressed concerns that any such information would be subject to the Bureau's discretionary authority to share confidential information.

The Bureau does not agree that its proposed revisions to the definition of CII would significantly expand it. The Bureau merely proposed to incorporate the text of the definition of “civil investigative demand materials” into the definition of “confidential investigative information” to eliminate the need for a separate defined term. It further proposed minor revisions to refine and clarify the definition's text, such as making clear that CII can be obtained or generated in the course of general investigative activities that may not pertain to a specific institution. The Bureau did not propose substantive changes along the lines described by the commenter.

The commenter appears to take issue with the definition's inclusion of information “derived from” materials otherwise considered CII. However, this text predated the notice of proposed rulemaking and it is not new. Other than the non-substantive replacement of the word “documents” with “materials,” the Bureau's proposed revisions did not impact this text or its meaning.

The Bureau also disagrees with the commenter's implication that classifying information as “confidential investigative information” reduces its protections because the Bureau has procedures for sharing confidential Start Printed Page 75198information with partner agencies. On the contrary, classification of information as “confidential” restricts the Bureau's disclosure (rather than expanding it) because it renders the information subject to subpart D's protections. Where information is not considered “confidential,” the rule's protections do not attach to it, and the Bureau may share it with agency partners without taking into account the limitations and protections of the rule.

For the aforementioned reasons, the Bureau finalizes the proposal without modification.

Section 1070.2(i) Confidential Supervisory Information

Section 1070.2(i) defines the term “confidential supervisory information.” The Bureau proposed revising § 1070.2(i)(1)(i) to clarify that the term includes supervisory letters and similar documents. Since adopting the current definition of “confidential supervisory information,” the Bureau has refined the formats it uses for summarizing and memorializing the results of an examination or other supervisory review of a supervised financial institution. The Bureau currently issues different types of documents, including examination reports and supervisory letters, to convey the results of its examinations and other supervisory reviews. These documents are the property of the Bureau and are provided to the supervised financial institution for its confidential use only.

In addition, the Bureau proposed revising § 1070.2(i)(1)(ii) to state that, in addition to “documents” prepared by, or on behalf of, or for the use of the Bureau or any other Federal, State, or foreign government agency in the exercise of its supervisory authority over a financial institution, confidential supervisory information also includes “materials[ ] or records” prepared by, or on behalf of, or for the use of the Bureau or any other Federal, State, or foreign government agency in the exercise of its supervisory authority over a financial institution. This revision was intended to clarify that any such physical materials can include confidential supervisory information, regardless of the format. Likewise, the Bureau proposed revising the definition to include information derived from such “materials[ ] or records.” We noted in the notice of proposed rulemaking that information “derived” from such documents, materials, or records could include either physical materials (such as other documents, materials, or records) or information known to individuals (such as oral testimony or interviews based on knowledge gleaned from the documents, materials, or records).

In addition, the Bureau proposed revising § 1070.2(i)(1)(iv) to delete the reference to information collected using the Bureau's authority to monitor for risks to consumers in the offering or provision of consumer financial products or services under 12 U.S.C. 5512(c)(4) (sometimes referred to as the Bureau's “market monitoring” authority). The Bureau explained that, in accordance with the definition of “confidential information” in § 1070.2(f), market monitoring information would continue to be classified and protected as “confidential information” to the extent that it is exempt from disclosure pursuant to one or more of the statutory exemptions to the FOIA.

The Bureau proposed replacing the “market monitoring” reference in § 1070.2(i)(1)(iv) with new language stating that confidential supervisory information includes information obtained by the Bureau “for purposes of detecting and assessing risks to consumers and to markets for consumer financial products or services pursuant to 12 U.S.C. 5514(b)(1)(C), 5515(b)(1)(C), and 5516(b).” The purpose of this revision was to clarify that confidential supervisory information continues to include information obtained by the Bureau under its supervisory authorities at 12 U.S.C. 5514(b)(1)(C), 5515(b)(1)(C), and 5516(b). The Bureau had previously interpreted § 1070.2(i)(1)(iv) to address information obtained using these authorities as well as information obtained using its market monitoring authority, and the proposal was intended to retain the former, but exclude the latter.

Finally, the Bureau proposed deleting § 1070.2(i)(2), which previously stated that confidential supervisory information does not include documents prepared by a supervised financial institution for its own business purposes and that the Bureau does not possess. This provision was intended to prevent any implication that a supervised financial institution's copies of internal documents would be deemed to be confidential supervisory information on the grounds that those documents had been submitted to the Bureau in the course of a Bureau supervisory process. The Bureau explained that because this interpretation already follows from the other provisions of the rule, including the definition of “confidential supervisory information,” the explicit inclusion of this exception is unnecessary. The Bureau proposed renumbering § 1070.2(i) in light of this revision.

In response to the Bureau's proposal, one comment letter, from a group of industry trade associations, requested further guidance regarding the type of information that the Bureau considers to be “derived from” confidential supervisory information and therefore subject to the term's definition. For example, in a scenario where a supervised financial institution undertakes a project in response to Bureau concerns expressed in the course of supervision, the commenter asked whether the institution's work plan would be considered CSI. The commenter stated that such guidance is particularly important in light of the Bureau's proposal to delete § 1070.2(i)(2), which previously stated that confidential supervisory information does not include documents prepared by a supervised financial institution for its own business purposes and that the Bureau does not possess.

Where a supervised financial institution generates an internal work plan as part of its efforts to address Bureau supervisory concerns, information in the work plan that is “derived from” the types of documents, materials, or records described in § 1070.2(i)(1) and (2) is CSI. For example, an internal document may reveal a Bureau compliance rating, a Bureau supervisory finding, a supervisory “Matter Requiring Attention,” or other confidential information that is contained in documents, materials, or records prepared by, or on behalf of, or for the use of the Bureau. This information is CSI even where it is contained in an internal document that is not shared with the Bureau (for example, minutes of an internal discussion).

Certain work plans or other documents generated by a supervised financial institution in the course of a project undertaken in response to Bureau supervision may constitute CSI because they are “prepared . . . for the use of the [Bureau]” as described in § 1070.2(i)(2). For example, updates or progress reports generated at the request of the Bureau and submitted to the Bureau by an institution as part of the Bureau supervisory process are generally CSI.

On the other hand, work plans or other internal documents such as official business policies are not “derived from” the types of documents, materials, or records described in § 1070.2(i)(1) and (2) simply because they are created, adopted, or modified in response to Bureau supervision. A Start Printed Page 75199work plan that does not reveal the content or existence of confidential supervisory communications need not be treated as containing CSI.

In addition, as explained above, the Bureau does not intend the deletion of § 1070.2(i)(2) to substantively alter the meaning of “confidential supervisory information.” Rather, we consider the paragraph to be superfluous because its substance is implied by the remainder of the rule. The Bureau does not consider “confidential supervisory information” to include documents prepared by a supervised financial institution for its own business purposes, which do not include communications or information about the Bureau's supervisory process, and that the Bureau does not possess. As the Bureau explained in its notice of proposed rulemaking, should a supervised financial institution submit copies of such documents to the Bureau in the course of a Bureau supervisory process, the copies of the documents in the Bureau's possession would be Bureau confidential supervisory information. However, submission of those documents to the Bureau does not convert the copies of those documents that are in the possession of the financial institution into Bureau confidential information.

To the extent that institutions have additional questions along these lines, the Bureau encourages them to contact appropriate Bureau regional staff for further guidance.

In addition to the request for guidance, the Bureau received two comment letters from industry trade associations that expressed concerns with the proposal's removal of information collected using the Bureau's market monitoring authority at 12 U.S.C. 5512(c)(4) from the definition of “confidential supervisory information.” One commenter expressed concerns that removing market monitoring information from the definition of CSI could result in disclosure of market monitoring information under the Freedom of Information Act. It argued that FOIA exemptions that do not pertain to confidential supervisory information provide less protection because they are subject to more agency discretion.

The second commenter disagreed with the Bureau's reasoning, expressed in the notice of proposed rulemaking, that it is unnecessary to classify market monitoring information as CSI where the information is not used for supervisory purposes. The commenter argued that, with respect to supervised financial institutions, the Bureau has authority to collect the same information either through its market monitoring authority at 12 U.S.C. 5512(c)(4) or through its various supervisory authorities, and it expressed concerns that these different methods would provide different protections.

With respect to the first comment, the Bureau does not agree that re-classifying categories of confidential information in the rule would alter the applicability of exemptions under the FOIA. The FOIA establishes a judicially enforced statutory regime that is distinct from the Bureau's treatment of confidential information. The FOIA exemption that pertains to the supervision of financial institutions, 5 U.S.C. 552(b)(8) (Exemption (b)(8)), exempts from disclosure records “contained in, or related to, examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.” Market monitoring information, which may be unrelated to the Bureau's supervision of financial institutions, is not necessarily subject to this exemption, regardless of whether the Bureau has a regulation that labels it “confidential supervisory information.”

If Exemption (b)(8), or any other FOIA exemption, applies to market monitoring information, then under the Bureau's proposal it will be protected both from disclosure under the FOIA and pursuant to the Bureau's confidentiality rules. However, categorically classifying market monitoring information as CSI would not prevent the information's disclosure pursuant to a FOIA request in the event that no FOIA exemption can apply to it—for example, information collected for a study that is publicly available on the internet. The comment's conflation of the FOIA and the Bureau's independent confidentiality protections highlights the need for the proposed revision, in order to improve transparency and manage expectations related to the protections that attach to information collected by the Bureau.

The Bureau disagrees with the second commenter's argument as well. The comment letter correctly states that the Bureau could, conceivably, collect certain information under its 12 U.S.C. 5512(c)(4) market monitoring authority, or its 12 U.S.C. 5514(b), 5515(b), or 5516(b) supervisory authorities. While the commenter suggests that this counsels treating the information the same in all events, the Bureau thinks otherwise. Congress intentionally drafted the Dodd-Frank Act to provide the Bureau with distinct authorities to collect information for distinct purposes. The Bureau's proposal would categorize information in accordance with the authority used to collect the information and the information's intended use. Rather than conflating its authorities and uses, the proposal would improve transparency about the Bureau's classification and treatment of information.

Furthermore, even if the Bureau does not label it “confidential supervisory information,” market monitoring information will continue to be protected as confidential information to the extent that it is exempt from disclosure under the FOIA—in particular, information that contains confidential business information or personal information. See 5 U.S.C. 552(b)(4) & (6). Such information would largely be subject to the same protections accorded to CSI by the Bureau's confidentiality rules. And for the reasons already discussed, classifying this information as Bureau CSI would not protect it from disclosure under the FOIA to the extent that it is not actually subject to any exemption to the FOIA.

For the aforementioned reasons, the Bureau finalizes the proposal without modification.

Section 1070.2(k) Employee

Section 1070.2(k) defines the term “employee.” The Bureau proposed revising the definition to clarify that, for purposes of this rule, Bureau “employees” include certain contract personnel and employees of the Bureau's Inspector General.

The Bureau received one comment letter, from an industry trade association, expressing concern that classifying employees of the Bureau's Inspector General as “employees” could restrict the employees' ability to disclose confidential information and impair their ability to perform their jobs. For example, the commenter argued that § 1070.41 could prevent the Bureau's Inspector General from publishing reports regarding the Bureau's examination or supervision process, or other internal workings of the Bureau.

The Bureau disagrees with this commenter's concerns. Classifying employees of the Bureau's Inspector General as “employees” under the rule clarifies that Inspector General employees may access confidential information consistent with the rule. Furthermore, the Bureau does not agree with the commenter's concerns regarding § 1070.41's restrictions, as § 1070.41(c) allows for the publication of reports derived from confidential information to the extent that they do not identify, either directly or indirectly, any particular person to Start Printed Page 75200whom the information pertains. This concern is also addressed by proposed § 1070.48, which states that subpart D does not prohibit the Inspector General's office from disclosing confidential information “as needed in accordance with the Inspector General Act of 1978, 5 U.S.C. App. 3.” [6]

For the aforementioned reasons, the Bureau finalizes this proposal without modification.

Subpart D—Confidential Information

Section 1070.41 Non-Disclosure of Confidential Information

Section 1070.41(b) Disclosures to Contractors and Consultants

Section 1070.41(b) provides that contractors and consultants may only receive confidential information if they certify in writing to treat the confidential information in accordance with these rules, Federal laws and regulations that apply to Federal agencies for the protection of the confidentiality of personally identifiable information and for data security and integrity, as well as any additional conditions or limitations that the Bureau may impose. The Bureau proposed removing the certification requirement and replacing it with an affirmative statement that contractors and consultants are required to follow the obligations previously identified in the certification. The Bureau explained in its proposal that this revision was intended to clarify that contractors and consultants are subject to § 1070.41(b)'s requirements irrespective of any affirmative certification. The Bureau will further revise its proposal in the final rule.

In response to this proposal, the Bureau received one comment letter, from an industry trade association, stating that contractors and consultants should continue to be required to provide the written certification, to help them understand the gravity of their access to confidential information, and so their nondisclosure obligations can be more easily enforced. The commenter suggested that the Bureau can provide the clarity articulated in its notice of proposed rulemaking while continuing to require such certifications.

The Bureau agrees with the commenter that it is a best practice for contractors and consultants to provide a written certification that they will follow the Bureau's confidentiality rules. The Bureau also agrees that this provision can be revised further to both clarify contractors' and consultants' obligations and retain the current certification requirement. The Bureau thus revises the proposed language by adding an additional sentence after the proposed text: “CFPB contractors or consultants may receive confidential information only if such contractors or consultants certify in writing to treat such confidential information in accordance with these requirements.” This will retain the current certification requirement while addressing the need for clarity identified in the notice of proposed rulemaking.

Section 1070.41(c) Disclosures of Materials Derived From Confidential Information

Section 1070.41(c) addresses the disclosure of materials derived from confidential information. It requires that, when the Bureau discloses such materials, they may not directly or indirectly identify any particular person to whom the confidential information pertains. The Bureau proposed replacing the phrase “[n]othing in this subpart shall limit the discretion of the CFPB” with “[t]he CFPB may . . .” in order to clarify that § 1070.41(c) authorizes such disclosure by the Bureau. The Bureau received no comments regarding this proposal, and it finalizes the proposal without modification.

Section 1070.41(d) Disclosures of Confidential Information With Consent

The Bureau proposed a new paragraph that, where practicable, authorizes the Bureau to, upon receipt of prior consent, disclose confidential information that directly or indirectly identifies particular persons. The proposed provision would require consent from all such persons to the extent that the identification constitutes confidential information, and any such disclosure would have to comply with applicable law. In the event that the person is a minor child or otherwise lacks capacity to give consent, consent can be provided on that person's behalf by someone with legal authority to give it, such as a parent or guardian, where applicable. The Bureau explained in its notice of proposed rulemaking that it may at times be useful to disclose such information in order to achieve the Bureau's mission objectives, and that by conditioning disclosure on consent, affected persons' interests would be appropriately protected. The Bureau also clarified that this new provision is intended to serve as a distinct authority for disclosure, and that it would in no way impact other methods of disclosure currently addressed in the rule, such as in § 1070.43. The Bureau proposed renumbering the section to account for the new paragraph.

The Bureau received no comments regarding this proposal, and it finalizes the proposal without modification.

Section 1070.41(e) Nondisclosure of Confidential Information Belonging to Other Agencies

Section 1070.41(e) previously provided that nothing in subpart D requires or authorizes the Bureau to disclose confidential information that it has received from other agencies where such disclosure would contravene applicable law or conflict with any agreement between the CFPB and the provider agency. The Bureau further revises this provision in the final rule to address concerns about this provision raised in a comment letter.

The Bureau proposed replacing the word “disclosability” in the paragraph's title with “nondisclosure” in order to clarify that this provision protects the confidentiality of other agencies' confidential information; the Bureau explained in its proposal that it did not intend the revision to substantively change the provision. The Bureau received no comments regarding its proposed revision to the paragraph's title.

However, the Bureau did receive one comment letter, from a consulting organization, which noted that the Bureau can at times obtain prudential regulators' CSI from financial institutions. The commenter expressed concern that the Bureau could potentially disclose that CSI via other provisions of the rule in ways in which the originating prudential regulator might disagree.

The commenter correctly pointed out that, whereas § 1070.41(e), as proposed, addressed information provided directly to the Bureau by another agency, it was silent regarding other agencies' information that the Bureau might obtain indirectly from a third party. The Bureau sees value in providing assurances, to other regulators and to regulated entities, that § 1070.41(e) applies regardless of whether the Bureau received the information from the agency itself or from a third party.

To that end, the Bureau is revising the paragraph's text in the final rule. Rather than referencing “confidential information that another agency has provided to the CFPB,” the paragraph will instead pertain to “confidential information belonging to another agency that has been provided to the CFPB (either directly or through a holder of the information such as a financial institution).” The Bureau likewise Start Printed Page 75201revises the paragraph's title to reflect this revision.

The paragraph further states that the CFPB will not disclose confidential information belonging to another agency “to the extent such disclosure contravenes applicable law or the terms of any agreement that exists between the CFPB and the agency to govern the CFPB's treatment of information that the agency provides to the CFPB.” The Bureau understands the “applicable law” reference to include limits on its further disclosure of information in accordance with other agencies' regulations related to confidential treatment of information. See, e.g., 12 CFR 261.20(a); 12 CFR 4.37(b); 12 CFR 309.6(a); 12 CFR 792.31. We note, though, that § 1070.41(e) does not limit the Bureau's use and disclosure of business records or other company materials simply because that information has also been provided to another agency.

Section 1070.42 Disclosure of Confidential Supervisory Information and Confidential Investigative Information

Section 1070.42 previously provided that the Bureau may, in its discretion, disclose confidential supervisory information concerning a supervised financial institution or its service providers to that supervised financial institution or its affiliates. In addition, § 1070.42 provided that, unless directed otherwise by the Bureau's Associate Director for Supervision, Enforcement and Fair Lending or by his or her delegee, any supervised financial institution in possession of confidential supervisory information pursuant to this section may further disclose the information to certain recipients, subject to certain conditions.

In its notice of proposed rulemaking, the Bureau proposed several discrete changes to this section. First, it proposed expanding the scope of § 1070.42 to also address the Bureau's disclosure of CII in the course of its enforcement activities, as well as the further disclosure of CII by recipients of the information. Second, the Bureau proposed revising § 1070.42(a) to provide that, in addition to disclosing information concerning a person, its affiliates, or its service providers to that person or its affiliates, the Bureau may also disclose such information to that person's service providers. Third, the Bureau proposed revising § 1070.42(b)(2) to allow disclosure of information to insurance providers in certain circumstances without first seeking permission from the CFPB. Finally, the Bureau proposed removing references to the Associate Director for Supervision, Enforcement and Fair Lending's delegee, which was rendered unnecessary due to the new definition of the term “Associate Director for Supervision, Enforcement and Fair Lending” in § 1070.2. Each of these discrete proposals, and the comments responding to them, will be addressed in turn.

The majority of the comments submitted to the Bureau regarding § 1070.42 pertained to its proposal to expand the section's scope to address enforcement activities. In response to comments received, the Bureau in part declines to finalize, and in part further revises, this proposal.

As the Bureau explained in its notice of proposed rulemaking, it proposed this revision to lend clarity (1) to how the Bureau discloses CII in the course of its enforcement activities, and (2) regarding financial institutions' discretion to further disclose CII. This was intended to reduce confusion caused by the dynamic in the previously promulgated rule, which provided explicit and detailed instructions in the supervisory context, but lacked such specificity in the enforcement context. The Bureau's proposed solution was to mirror the CSI instructions with respect to CII.

The Bureau received a number of comment letters expressing concerns about the proposal's limitations on further disclosure of CII. In particular, the Bureau received seven comment letters—four from industry trade associations, two from public interest organizations, and one from a member of Congress—arguing that the proposal would infringe on free speech rights protected by the First Amendment. They stated that the proposal's requirement to obtain permission from the Bureau prior to further disclosing CII (other than as permitted in the section) would constitute a content-based restriction and a prior restraint on speech. For such restrictions to be constitutionally valid, they must be narrowly tailored to meet a compelling government interest, and commenters argued that the Bureau's proposal does not meet this test. Commenters also stated that courts and Congress have required procedural safeguards where agencies have imposed limitations on further disclosure of information regarding their investigative activities, and that the Bureau's proposal did not include such procedures.

These comment letters also described free speech benefits that commenters believed the proposal would harm. For example, commenters noted that entities may need to further disclose CII to meet contractual obligations and for other business dealings; to consult with others who may have information relevant to the investigation (such as former employees of the institution); to seek guidance or assistance from a trade association; and to complain to the press, the public and elected officials about perceived government misconduct. Commenters noted that free speech in this context promotes the public interest by enabling accountability and oversight of government, and in turn discouraging government overreach.

In addition, two industry trade association commenters and one financial institution commenter argued that the Bureau provided insufficient rationale for its proposal, such as that the Bureau did not detail the confusion that its proposal was intended to resolve. Finally, two commenters—an industry trade association and a member of Congress—argued that the Bureau lacks authority to promulgate its proposal because, in their view, the Bureau's statutory authority for its rule only limits the Bureau's own disclosures of information. One comment letter, from a public interest organization, encouraged the Bureau to state in its final rule that a recipient of CII in the course of an enforcement investigation is not prohibited from further disclosing the CII.

The Bureau received one comment letter from a financial institution that was supportive of this proposal because it would lend clarity regarding treatment of CII.

The Bureau has evaluated the comments that it received regarding this proposal, and it declines to finalize § 1070.42 as proposed.

As explained above, the two purposes of this proposal were to clarify (1) how the Bureau discloses CII in the course of its enforcement activities, and (2) financial institutions' discretion to further disclose CII. Rather than finalize its proposal in full, the Bureau will finalize it in part, and will further revise the section's text in part, in order to achieve these purposes while taking into account the comments that it received.

First, in order to clarify how the Bureau discloses CII in the course of its enforcement activities, the Bureau will finalize its proposed revisions to paragraph (a), which addresses the Bureau's own disclosure of confidential supervisory information and confidential investigative information (subject to additional revisions related to disclosures to service providers, discussed below). Although commenters were largely critical of proposed limits Start Printed Page 75202on further disclosure of CII, comment letters did not express concerns about the Bureau clarifying its own discretion to disclose CII in the course of its enforcement activities.

Second, the Bureau declines to expand paragraph (b)—which addresses further disclosure of CSI—to include CII. Instead, paragraph (b) will retain its previous scope and only address further disclosure of CSI. To effectuate this, the Bureau will revise the paragraph's title to read “Further disclosure of confidential supervisory information.” In addition, the Bureau declines to finalize its proposal to have all references in paragraph (b) to “confidential supervisory information” be accompanied by the phrase “confidential investigative information.” Furthermore, although the Bureau had proposed replacing references to “supervised financial institution” in paragraph (b) with a broader reference to “person” in order to account for recipients of CII, the Bureau declines to make this change because it is unnecessary if paragraph (b) only pertains to further disclosure of CSI. The Bureau finalizes several non-substantive technical revisions that it included in its proposal for clarity, and on which it received no comments. In addition, to clarify that paragraph (b) only authorizes the further disclosure of the Bureau's—and not other agencies'—information, the Bureau revises paragraph (b)(3) to, like (b)(1) and (2), refer to confidential supervisory information “of the CFPB;” and it adds a new paragraph (b)(4), stating that nothing in paragraph (b) authorizes the disclosure of confidential information belonging to another agency.

Third, in order to lend greater clarity to financial institutions' discretion to further disclose CII, the Bureau will include a new paragraph (c) in its final rule. This paragraph, titled “Further disclosure of confidential investigative information,” states that “[n]othing in this subpart shall prohibit any person lawfully in possession of confidential investigative information of the CFPB pursuant to paragraph (a) of this section from further disclosing that confidential investigative information.” This paragraph will thus make clear that the Bureau's rule does not prohibit the recipients of the Bureau's CII under paragraph (a) from further disclosing it.[7] The Bureau also inserts “paragraph (a) of” before two references to “this section” in paragraphs (b)(1) and (2), respectively, for clarity and to mirror the specificity in new paragraph (c).

The Bureau proposed several other revisions to § 1070.42 in its notice of proposed rulemaking that garnered fewer comments. For instance, the Bureau proposed revising § 1070.42(a) to provide that, in addition to disclosing information concerning a person, its affiliates, or its service providers to that person or its affiliates, the Bureau may also disclose such information to that person's service providers. In proposing this change, the Bureau reasoned that such information may at times be relevant to supervision or enforcement activities related to service providers. The Bureau declines to finalize this proposal in the final rule.

The Bureau received several comment letters expressing concerns about this proposal. Two comment letters, from an industry trade association and from a financial institution, expressed concern that disclosure of CSI or CII by the Bureau to an institution's service providers could lead to unintended consequences, particularly if the disclosure includes attorney-client privileged materials or proprietary information obtained from the financial institution. Another comment letter, from an industry trade association, argued that such disclosures could interfere with contractual relations between the financial institution and its vendors, and expressed concern that disclosures of preliminary allegations of wrongdoing could “poison the well” with the vendor. This commenter suggested that the financial institution, and not the Bureau, should determine when service providers should have access to confidential information.

In response to these comments, the Bureau declines to finalize this proposal, and the final rule will instead contain the status quo text, unmodified (subject to revisions to § 1070.42(a) related to the Bureau's disclosure of CII, discussed above), which only authorizes disclosure to a person or its affiliates.

The Bureau declines to address disclosure of CSI or CII to a person's service provider in the rule because, historically, its need to make such disclosures has been extremely rare. Revising the regulation to allow Bureau staff to disclose such CSI or CII to service providers pursuant to § 1070.42(a) risks leaving a mistaken impression that these disclosures will take place with regularity.

Instead, in the event that the Bureau identifies a future need to share CSI or CII pertaining to a person with its service provider, and it cannot otherwise make the disclosure pursuant to subpart D, it will do so pursuant to § 1070.46, which permits the Bureau's Director to authorize disclosure of confidential information other than as set forth in subpart D. The authorization must be in writing, must otherwise be permitted by law, and may not be delegated. See 12 CFR 1070.46(a), (c).

The Bureau anticipates that, for example, we may need to disclose CSI obtained from a financial institution to that institution's service provider in limited circumstances where we identify problems at a supervised service provider through the supervision of its client. We anticipate such disclosures to be rare, such as where CSI pertains to the service provider and the service provider is subject to the Bureau's supervisory authority. In instances such as these, where disclosure pertains to the Bureau's authority over the service provider, it should be in the Bureau's purview to make the disclosure.

However, the Bureau appreciates commenters' concerns, such as that the Bureau could “poison the well” or otherwise make these disclosures in inappropriate ways or for inappropriate purposes. In deciding whether to use its discretion to disclose information to service providers, we would consider in part whether the information contains otherwise sensitive information, such as attorney-client privileged information or proprietary information, and we will limit the scope of disclosure as appropriate. Vesting the Director alone with authority to approve these disclosures under § 1070.46 reflects this commitment by requiring decision-making to take place at the Bureau's highest level.

In addition, the Bureau also proposed revising § 1070.42(b)(2) to clarify that a person in possession of confidential information pursuant to this section may disclose such information to an insurance provider pursuant to a claim for coverage made by that person under an existing policy.

The Bureau explained in its proposal that such disclosures could only be made if the Bureau had not precluded indemnification or reimbursement for the claim. The Bureau further explained that this revised language would only authorize disclosure to the extent necessary for the insurance provider to process and administer the claim for coverage. Further distribution or use of the information would be prohibited. We noted that these limitations do not foreclose an insurance provider from using information that has been publicly disclosed by the Bureau in making future underwriting determinations Start Printed Page 75203regarding the person or for other purposes—even if that information was originally submitted to the insurance provider as confidential information under this provision.

The Bureau received two comment letters regarding this proposal. One comment letter, from an industry trade association, expressed concerns about the proposal's limitation. It noted that insurance contracts may require timely notice of claims (including receipt of a CID or initiation of a regulatory proceeding) and argued that waiting to learn whether the CFPB has precluded indemnification or reimbursement may preclude recovery. The commenter also argued that, following an enforcement action, an entity may be subject to a private class action suit, and therefore should be permitted to disclose information to its insurers to obtain reimbursement for legal and other expenses associated with the follow-on lawsuit.

A second comment letter, from a financial institution, suggested that the Bureau allow the disclosure of confidential information to insurance providers for the purpose of underwriting insurance coverage, such as directors and officers liability coverage. The commenter reasoned that, although an institution can seek approval from the Associate Director for Supervision, Enforcement and Fair Lending, this process would add time and uncertainty, which could impact institutions' ability to timely obtain insurance coverage.

The Bureau notes that facets of these comments—that relate to the disclosure of CII to insurance companies—are rendered moot by revisions to the proposal described above. Under the final rule, § 1070.42 contains no limitations on institutions' disclosure of CII to an insurance company, and this appears to resolve much of the commenters' concerns.

In addition, it is unclear from the industry trade group's comment whether the group interprets proposed § 1070.42(b)(2) to require financial institutions, prior to disclosing information to an insurance provider, to first inquire as to whether the Bureau precludes indemnification or reimbursement for a claim. It does not. The provision would permit such disclosures without first seeking permission from the Bureau; if the Bureau has not already notified the financial institution that it precludes indemnification or reimbursement, the financial institution may make the disclosure.

The Bureau disagrees with the second commenter's suggestion that it allow disclosures to insurance providers for underwriting purposes. Again, the provision is now limited to further disclosure of CSI, and the Bureau does not believe that underwriting would be an appropriate use of its supervisory communications and ratings. We note that the prudential regulators similarly concluded in 2005 that their nonpublic information should not be disclosed to insurance companies for underwriting purposes. See FDIC, Financial Institution Letter, FIL-13-2005, “Interagency Advisory on the Confidentiality of CAMELS Ratings and Other Nonpublic Supervisory Information (Feb. 28, 2005), available at https://www.fdic.gov/​news/​news/​financial/​2005/​fil1305.html (last visited Oct. 8, 2020).

For the aforementioned reasons, the Bureau finalizes this proposal without modification.

Finally, the Bureau proposed to remove references to the Associate Director for Supervision, Enforcement and Fair Lending's delegee. The Bureau reasoned that such reference is no longer necessary because the new definition of Associate Director for Supervision, Enforcement and Fair Lending, located at § 1070.2, includes delegees. The Bureau received no comments regarding this proposal, and it finalizes the proposal without modification.

In addition to the comments regarding its proposed revisions to § 1070.42, the Bureau also received a comment letter, from a group of industry trade associations, asking the Bureau to revise the rule to allow service providers to disclose CSI to the financial institutions to which they provide service. The current rule allows financial institutions to disclose CSI to their service providers, and the commenter suggested making this allowance reciprocal. The commenter reasoned that financial institutions' responsibility to monitor third-party relationships is made more difficult if the service provider can withhold negative supervisory evaluations from the financial institution.

The Bureau declines to make this suggested revision. The Bureau believes that supervisory communications with service providers could be undermined if the service providers knew that their clients could request the information. This concern is heightened with supervised nonbank institutions that are subject to the Bureau's supervision and happen to act as service providers.

Lastly, the Bureau received one comment letter, from a group of industry trade associations, seeking guidance on whether the Bureau's rule prohibits entities from making certain disclosures pursuant to securities law. This issue was similarly raised in comment letters that argued against the proposal's limitation on further disclosure of CII (discussed above) due to securities law obligations.

The Bureau agrees that further clarity on this issue would be helpful, as the comment letter makes clear that it is a source of confusion. As a preliminary matter, under § 1070.42(c) of the final rule, there are no restrictions on institutions' further disclosure of CII obtained pursuant to § 1070.42(a). In addition, the rule does not prohibit an institution from further disclosing confidential information, including confidential supervisory information, where such disclosure is otherwise required by law. See 12 CFR 1070.41(a). This includes where an institution determines that it is required to make a disclosure in order to comply with securities law. Such disclosure should be limited to that which is necessary to comply with securities law. The Bureau encourages financial institutions to reach out to appropriate regional staff with further questions regarding this issue.

The Bureau notes that its discussion of the authorization to make disclosures under the securities laws is limited to disclosure of the Bureau's confidential information; with respect to confidential information that belongs to other regulators, financial institutions should consult with the regulator(s) to which the confidential information belongs.

Section 1070.43 Disclosure of Confidential Information to Agencies

Section 1070.43 sets forth the circumstances in which the Bureau may disclose confidential information to other government agencies. The Bureau proposed several revisions to this section. First, as a general matter, the Bureau proposed to revise the section's title and subtitles to delete the references to “law enforcement agencies” and “other government agencies;” to revise the text throughout the section to account for the new defined term “agency;” and to make various other non-substantive technical corrections. Second, the Bureau proposed revising the standard, in § 1070.43(b)(1), regarding the Bureau's discretion to disclose CSI to other agencies. Third, the Bureau proposed revising § 1070.43(b)(2) to, among other things, move responsibility for acting on agency requests for confidential information from the Bureau's General Counsel to the Bureau's Associate Director for Supervision, Enforcement and Fair Lending. Fourth, the Bureau Start Printed Page 75204proposed deleting § 1070.43(c), which pertains to requests for information that is not confidential information. The Bureau also received a comment on proposed § 1070.43(c) (formerly § 1070.43(d)) which addresses the negotiation of standing requests for confidential information between the Bureau and other agencies.

The Bureau proposed revising the section's title and subtitles to delete the references to “law enforcement agencies” and “government” agencies because it believed the references to be superfluous. Instead, the title and subtitles would reference “agencies.” This was not intended to be a substantive change. The Bureau proposed various other non-substantive technical corrections in the section as well. The Bureau received no comments that directly address these proposed revisions, and it finalizes them without modification.

The Bureau also proposed revisions throughout the section to account for the proposed defined term “agency.” [8] For the reasons discussed above with respect to proposed § 1070.2(a), and because the Bureau has declined to include the new definition in the final rule, the Bureau declines to finalize these proposed revisions in § 1070.43. Previous references to “Federal or State agency” will remain references to “Federal or State agency” without modification.

Section 1070.43(a)(1)

Section 1070.43(a)(1) requires, among other things, that the Bureau disclose a final report of examination, including any and all revisions to that report, to a Federal or State agency with jurisdiction over a supervised financial institution, provided that the Bureau receives from the agency reasonable assurances as to the confidentiality of the information disclosed. The Bureau revises this provision in the final rule.

The Bureau has previously explained that this provision implements 12 U.S.C. 5512(c)(6)(C)(i). See 78 FR 11484, 11494, 11496 (Feb. 13, 2013). In particular, in the preamble to its 2013 final rule, the Bureau concluded that section 5512(c)(6)(C)(ii)'s mandate that the Bureau disclose examination reports to “State regulator[s]” does not require the disclosure of CSI to a State attorney general unless that State attorney general regulates the covered person or service provider. See 78 FR 11484, 11496. The Bureau concedes that although it articulated this interpretation in the 2013 final rule's preamble, § 1070.43(a)'s inclusion of the more general term “Federal or State agency” could be cause for confusion.

Although the Bureau proposed no revisions to § 1070.43(a), it revises this provision in the final rule to clarify that it will disclose a final report or examination, including any and all revisions to such a report, “as provided in 12 U.S.C. 5512(c)(6)(C)(i),” to a Federal or State agency with jurisdiction over that financial institution, provided that the Bureau receives from the agency reasonable assurances as to the confidentiality of the information disclosed.

Several comments, while addressing the Bureau's proposed revisions to other provisions, touched on issues raised by § 1070.43(a). For example, one comment letter, from an industry trade association, expressed concern that, between the Bureau's proposed definition of “agency” and the Bureau's proposed interpretation of 12 U.S.C. 5512(c)(6), the Bureau could draft a rule that enables a State bar association to require the Bureau to disclose reports to it—a dynamic that the commenter described as absurd. Another comment letter, from a group of State attorneys general, expressed support for the Bureau's proposal to remove the jurisdictional requirement for sharing CSI with a partner agency under § 1070.43(b), suggesting that this revision would permit the Bureau to share CSI with State enforcement agencies more freely.

The Bureau notes, in response to the first comment, that concerns regarding the disclosure of CSI to State bar associations are fully addressed by the Bureau's decision to not finalize the proposed definition of “agency” in the final rule; and regarding the commenter's broader point, that the Bureau could conceivably draft § 1070.43(a) more broadly, the Bureau has not proposed such a rule. In response to the second comment, the Bureau notes that its policy regarding sharing CSI with State attorneys general is set forth in Bulletin 12-01. It did not intend its proposal to alter this policy, and Bulletin 12-01 will remain in place after the final rule becomes effective.

Nevertheless, these comments do highlight concerns and confusion related to disclosure of reports of examination to State agencies, including under § 1070.43(a). The Bureau thus revises the provision to clarify in its text that its scope parallels the scope of 12 U.S.C. 5512(c)(6)(C)(i). This revision does not change the interpretation articulated in the preamble to the 2013 final rule; it merely codifies that interpretation in the regulation's text.

In addition, for consistency with this new text, the Bureau revises § 1070.43(a)'s separate reference to disclosures of draft reports of examination “in accordance with 12 U.S.C. 5515(e)(1)(C)” to say that the draft reports of examination will be disclosed “as provided in 12 U.S.C. 5515(e)(1)(C).” Replacing the phrase “in accordance with” with the phrase “as provided in” is a technical revision that is not intended to change the meaning of that text.

Section 1070.43(b) Discretionary Disclosure of Confidential Information to Agencies

Section 1070.43(b)(1)

Section 1070.43(b)(1) sets forth the standard under which the Bureau may disclose confidential information to other agencies in its discretion. The Bureau's prior rule established two distinct standards for disclosing confidential supervisory information and other confidential information. It stated that the Bureau may disclose confidential information to an agency “to the extent that the disclosure of the information is relevant to the exercise of the [Agency's] statutory or regulatory authority,” but that it may only share confidential supervisory information with agencies “having jurisdiction over a supervised financial institution.”

The Bureau proposed removing the separate standard for confidential supervisory information, which would have aligned the two standards and provided the Bureau with discretion to disclose either confidential supervisory information or other confidential information to another agency “to the extent that the disclosure of the information is relevant to the exercise of the [agency's] statutory or regulatory authority.” The Bureau declines to finalize this proposed revision.

The Bureau explained in its notice of proposed rulemaking that this proposed change was intended to facilitate communication and information-sharing among the Bureau and other governmental authorities. The Bureau stated that it had determined that sharing confidential supervisory information in situations where the disclosure of the information is relevant to the exercise of the receiving agency's statutory or regulatory authority would facilitate the Bureau's purposes and objectives. It noted that multiple agencies engage in operations that potentially affect the offering and provision of consumer financial products and services, as well as the Start Printed Page 75205markets, industries, companies, and other persons relevant to the Bureau's work, and that multiple agencies have interests and obligations relating to implementation, interpretation, and enforcement of the Dodd-Frank Act and the other Federal consumer financial laws administered by the Bureau. The Bureau also explained that the proposed change would have assisted it in implementing and administering Federal consumer financial law in a more consistent and effective fashion, and would have enabled the Bureau to work together with other agencies having responsibilities related to consumer financial matters. The Bureau said that it believed that the proposed change would comport with the intent of the Dodd-Frank Act, since effective coordination and communication among agencies is essential in order for the regulatory framework established by that Act to work as Congress intended.

The Bureau stated in its proposal that, in its judgment, the prior rule's restrictions had proven overly cumbersome in application, posed unnecessary impediments to cooperating with other agencies, and otherwise risked impairing the Bureau's ability to fulfill its statutory duties. Unnecessary impediments to information-sharing in such circumstances impede supervisory and enforcement coordination and create opportunities for potential conflict, inefficiency, and duplication of efforts across agencies. The Bureau reasoned that retaining discretion to share confidential supervisory information in such situations would better promote the Bureau's mission and overall effectiveness.

The Bureau also stated in its proposal that the proposed change would codify a revised interpretation of 12 U.S.C. 5512(c)(6). See generally 81 FR 58310, 58317-18 (Aug. 24, 2016).

The Bureau received a number of comments regarding its proposed revision to § 1070.43(b)(1), and they were largely critical of the proposal. Commenters expressed general concerns regarding the potential breadth of proposed § 1070.43(b)(1), and the proposal's potential impact on the supervisory process. Commenters also raised concerns regarding the proposal's interaction with definition of “agency” in proposed § 1070.2(a).[9] In addition, a number of comment letters took issue with the Bureau's revised interpretation of 12 U.S.C. 5512(c)(6).

Several commenters criticized the Bureau's proposed revision to § 1070.43(b)(1) for being overly broad. For example, several industry trade associations stated that the proposed “relevance” standard would allow the Bureau to disclose CSI to any interested domestic or foreign agency, even if it has no role in the regulation of financial institutions. One comment letter, from a group of industry trade associations, suggested that if an institution operated in only one State and only sold a product in that State, any domestic or foreign regulator might find CSI regarding the institution “relevant” to their statutory or regulatory authority to the extent that consumers within their jurisdiction could purchase the same product. Another commenter argued that there is no logical stopping point to “relevance,” and that the proposal would enable disclosure of CSI by the Bureau even if information were only tangentially related to an agency's authority.

The Bureau received several comment letters that stated that broader disclosure of confidential supervisory information raises concerns regarding the protection of privileged material. Although not all Bureau CSI consists of material subject to a financial institution's privilege, financial institutions do at times submit materials subject to the attorney-client privilege and/or attorney work-product privilege in the course of the Bureau's supervisory activities. See generally 12 U.S.C. 1828(x). Commenters expressed concern that the transfer of privileged information to agencies or entities that are not covered by 12 U.S.C. 1828(x) or 12 U.S.C. 1821(t) could result in a breach or waiver of the privilege. Commenters also stated that the Bureau's proposal was likely to make entities less willing to voluntarily produce privileged materials to the Bureau due to such risks. One commenter suggested that uncertainty regarding the Bureau's protection of privilege could make institutions less likely to engage counsel or obtain written advice, which could negatively impact compliance. This commenter also stated that the U.S. Department of Justice and Securities and Exchange Commission do not condition cooperation credit on the waiver of privilege. Another comment letter stated that there is no indication in 12 U.S.C. 1828(x) that Congress intended the provision to enable a banking agency to circumvent the inability of other agencies to obtain privileged materials.

In light of these concerns, one commenter suggested that the Bureau modify its proposal to limit disclosure of privileged information to Federal agencies that are referenced in 12 U.S.C. 1821(t). Another commenter went further, suggesting that the Bureau state that it would not transfer privileged materials subject to 12 U.S.C. 1828(x) to other agencies or parties at all.

The Bureau also received several comment letters that expressed concern that broader dissemination of CSI increases risk that the CSI may not be protected sufficiently, including from data breach, hacking, and other unauthorized disclosures. One comment letter, from an industry trade association, stated that such disclosures could lead to the information being taken out of context, or could raise safety and soundness issues. A comment letter, from a group of industry trade associations, stated that, once the Bureau discloses CSI to an agency or entity, there is no mechanism to ensure that the recipient has taken appropriate steps to prevent data breaches or to resolve data breaches when they occur; and there is no meaningful way for the Bureau to prevent the further transmission of CSI by a recipient. This commenter also argued that the recipient's certification, required by § 1070.43(b)(2)(v), is inadequate. One comment letter, from an industry trade association, expressed concern that recipients of CSI may be unable to protect it from disclosure due to State and foreign disclosure or privacy laws (which may require greater disclosure than that mandated by the Freedom of Information Act, 5 U.S.C. 552) or discovery requests in civil litigation.

Commenters also stated that broad disclosure of CSI would undermine the Bureau's supervisory process. One commenter explained that it is logical to share CSI subject to heightened disclosure restrictions, compared to other confidential information like CII, because CSI plays a critical role in effective supervision. Several industry trade association commenters stated that the proposal would make institutions less likely to cooperate with the Bureau and produce information to the Bureau in the course of its supervisory activities. One comment letter, from a group of industry trade associations, articulated that the proposal would undermine the relationship of trust between banks and the Bureau, and it suggested that this could be detrimental to banks' safety and soundness. This commenter argued that the proposal would undermine the bank examination privilege because more routine Start Printed Page 75206disclosure of CSI would increase the risk that courts will no longer protect confidential supervisory information from disclosure in private litigation. This commenter suggested that the Bureau only disclose CSI in rare cases when the disclosure serves a strong governmental interest, and not merely advancement of the Bureau's mission.

The Bureau also received a number of comment letters that criticized its proposal for providing insufficient rationale or clarity. Several commenters stated that the Bureau's proposal did not establish a record for how the status quo rules impede its activities, and how the proposal would resolve those issues. One comment letter, from a group of industry trade associations, stated that the Bureau had not conducted a thorough analysis of the risks associated with expanded disclosure of CSI, including supervisory, litigation, and reputational risks, which it suggested surpassed the potential benefits of the proposal. Another comment letter, from an industry trade association, disagreed with the Bureau's justification for its proposal—that it would enable cooperation with other agencies having responsibilities related to consumer financial matters—because the proposal's definition of “agency” included non-financial regulators and other entities without responsibilities related to the enforcement of consumer financial laws or prudential regulation. A second industry trade association commenter argued that the proposal to disclose CSI to agencies that lack jurisdiction over supervised financial institutions would not help the Bureau administer consumer financial laws, reasoning that the status quo rule did not restrain the Bureau's supervisory or enforcement authorities. This same commenter rejected the Bureau's coordination rationale, reasoning that any agency that has supervisory or enforcement authority over a covered financial institution could already receive CSI under the previous rule.

In addition, the Bureau received several comment letters that argued that the Bureau's proposal was inconsistent with other regulators' practices, stating that other regulators do not disclose CSI to agencies that lack jurisdiction. For example, one comment letter, from a group of industry trade associations, stated that the proposal was inconsistent with the policies of Federal prudential regulators, which it said have broader statutory authority than the Bureau to share CSI. See 12 U.S.C. 1817(a)(2)(C)(iii) (Federal banking agencies may “furnish any report of examination or other [CSI] concerning any . . . entity examined by such agency . . . to . . . any . . . person that the Federal Banking agency determines to be appropriate.”). The commenter contrasted this language with 12 U.S.C. 5512(c)(6)(C)(ii), arguing that by not extending section 1817's discretionary authority to the Bureau, Congress indicated an intent to limit the Bureau's discretion to disclose CSI. The commenter stated that, in practice, regulators have adopted regulations that strictly limit such disclosure, which provides comfort to supervised entities. The commenter noted, for example, that the Office of the Comptroller of the Currency (OCC) has promulgated regulations that limit disclosure of non-public OCC information to State agencies where those agencies have “authority to investigate violations of criminal law” or are “state bank and state savings association regulatory agencies,” and when disclosure is “necessary, in the performance of their official duties.” 12 CFR 4.37(c).

Another comment letter, from a consulting organization, argued that the Bureau's proposal was inconsistent with other agencies' practices, and that it would compromise the reliability of the bank examination privilege and would violate the Bureau's obligations to the FFIEC to maintain supervisory consistency. This same commenter stated that Congress had intended 12 U.S.C. 5512(c)(6)(C) to mirror regulations by the Board of Governors of the Federal Reserve System (“FRB”), at 12 CFR 261.20, which it described as limiting the Board's sharing of CSI to agencies with supervisory jurisdiction. Another comment letter, from an industry trade association, similarly stated that FRB regulations, at § 261.20, permit disclosure to Federal prudential regulators and State supervisory agencies. This commenter also stated that the Bureau failed to explain why it needed greater flexibility in light of other agencies' practices.

The Bureau received other critical comments as well. For example, one comment letter, from a group of industry trade associations, suggested that the Bureau's proposal would result in an increase in requests for the Bureau's information, which would burden Bureau staff. Two commenters, a consulting organization and an industry trade association, expressed concern that sharing CSI with non-supervisory agencies would expand the Bureau's supervisory power in contravention of Cuomo v. Clearing House Ass'n, 557 U.S. 519 (2009), and related authorities.

Several commenters suggested that, in the event that the Bureau adopted its proposal, it should provide formal guidance or make additional changes to the rule. For example, one commenter proposed that the Bureau codify in the rule a formal policy and practice of sharing CSI only in limited circumstances, such as where the requestor demonstrates a substantial need for the requested information that outweighs the Bureau's need to maintain its confidentiality. This commenter also suggested that, absent circumstances that compel otherwise, the Bureau should notify the impacted supervised financial institution prior to disclosing CSI related to the institution to any entity other than Federal or State financial supervisory agencies with jurisdiction, or in certain cases U.S. Department of Justice, and give the supervised financial institution a reasonable opportunity to object and redact the information. Another commenter suggested that, in the event that the Bureau receives misdirected complaint data from credit unions over which it lacks jurisdiction, it should not share the data with any agency other than the National Credit Union Administration (NCUA) and that it should defer to the NCUA on whether the information is “relevant” to other agencies' statutory or regulatory authority.

In addition to these issues, a number of the comment letters received by the Bureau disagreed with the revised interpretation of 12 U.S.C. 5512(c)(6) that the Bureau articulated in its proposal. Commenters described the Bureau's interpretation as “tortured,” “unreasonable,” and contrary to statutory language and to the statute's clear intent. In particular, several of the comment letters, received from industry trade associations and a member of Congress, disagreed with the Bureau's conclusion that 12 U.S.C. 5512(c)(6)(C)(ii) is ambiguous, instead concluding that the provision is unambiguous and restrictive. The Bureau also received several comment letters, from industry trade associations, that stated that the Bureau's interpretation of 12 U.S.C. 5512(c)(6) renders subparagraph (C)(ii) superfluous. And several comment letters, also from industry trade associations, argued that its proposed interpretation conflicted with legislative history and congressional intent. Finally, one comment letter, from a consulting organization, suggested that the Bureau did not sufficiently substantiate the change in policy articulated in its proposal. See Encino Start Printed Page 75207Motorcars v. Navarro, 136 S. Ct. 2117, 2125-26 (2016).[10]

The Bureau received one comment that was supportive of its proposal, from a group of State attorneys general. The comment letter suggested that the proposal would permit the Bureau to share CSI with State enforcement agencies. It argued that sharing CSI would properly increase resources available to address consumer abuses by supervised institutions, and that it would support coordination and collaboration between State attorneys general and the Bureau in their enforcement efforts.[11]

The Bureau disagrees with commenters' claims that it did not sufficiently substantiate the change in policy articulated in its proposal. The Bureau stated in its proposal that it had determined that broader discretion to disclose CSI would facilitate the Bureau's purposes and objectives, and it explained how such discretion would assist its work. See 81 FR 58310, 58317 (Aug. 24, 2016).

However, the Bureau declines to finalize its proposal. Instead, the final rule will retain § 1070.43(b)(1)'s status quo dual standards, unmodified: The Bureau may disclose confidential information to an agency “to the extent that the disclosure of the information is relevant to the exercise of the [Agency's] statutory or regulatory authority,” and confidential supervisory information to an agency “having jurisdiction over a supervised financial institution.”

The Bureau had proposed changing the standard for disclosure of CSI to provide flexibility to address rare situations where it may have a need to disclose information identified as confidential supervisory information to an agency that does not necessarily have jurisdiction over a given financial institution. However, the Bureau acknowledges that commenters have raised the general concern that, as proposed, § 1070.43(b)(1)'s potential breadth could create uncertainty and decrease confidence that information provided to the Bureau in the course of its supervisory activities will be used and protected appropriately. In light of these concerns, the Bureau declines to revise the regulation as proposed.

Section 1070.43(b)(2)

Section 1070.43(b)(2) sets forth a process for agencies to submit written requests (sometimes referred to as “access requests”) to the Bureau in order to obtain access to its confidential information pursuant to § 1070.43(b). Whereas the section previously required submission of access requests to the General Counsel, the Bureau proposed to instead require submission to the Associate Director for Supervision, Enforcement and Fair Lending.[12] The Bureau further revises § 1070.43(b)(2) in the final rule in several ways. In particular, rather than vesting authority to act upon access requests with either the General Counsel or the Associate Director for Supervision, Enforcement and Fair Lending, the final rule will vest the authority with the Director or her designee. Thus, instead of codifying a delegation via regulation, the final rule will provide the Director with the flexibility to change the delegation if warranted, without the need for further rulemaking.

The Bureau explained in its notice of proposed rulemaking that it believed the proposed change would lead to increased efficiency because the vast majority of access requests submitted to the Bureau pertain to work conducted by its Division of Supervision, Enforcement and Fair Lending. The Bureau stated that the Associate Director for Supervision, Enforcement and Fair Lending would continue to consult with other Bureau stakeholders, including the Legal Division, as necessary. The Bureau reasoned that, in making these changes, the authority to act upon access requests would shift from the Legal Division to other Bureau staff with expertise more directly related to processing these requests. The Bureau also proposed that access requests be emailed to a single email address, accessrequests@cfpb.gov, or to the Bureau's mailing address at 1700 G Street NW, Washington, DC 20552, in order to facilitate processing.

The Bureau received five comment letters, all from industry trade associations, that were critical of the proposal to shift the authority to act upon access requests from the General Counsel to the Associate Director for Supervision, Enforcement and Fair Lending.

Three comment letters expressed concern that the proposal could create a conflict of interest. For example, one commenter argued that the Associate Director could use access requests as a “negotiating tool” in situations where an agency may ask the Associate Director for CSI regarding an entity while the Division is simultaneously engaged in an enforcement action against the same entity. A second commenter expressed concerns that the Associate Director might lack impartiality, given that he or she also oversees requests for information from institutions during the course of an investigation, as well as requests from institutions to further disclose information under § 1070.42(b). Another comment letter, from a group of industry trade associations, stated that the Associate Director would have a potential conflict of interest because he or she may have reasons to grant access requests related to the work conducted by his or her Division.

Four comment letters argued that the Bureau's General Counsel is better suited to the role of approving access requests. The group of trade associations stated that the General Counsel is in a better position to weigh the impact of disclosure on the bank examination privilege and other legal obligations. The commenter also argued that agencies' assertions in access requests regarding their legal authority are more appropriately addressed by the General Counsel. Similarly, two commenters asserted that the General Counsel is better suited than the Associate Director for making determinations that impact personal and commercial privacy interests of entities. One commenter argued that shifting the authority for access requests could lose a check on ensuring that disclosure of CSI is rooted in the Bureau's statutory and regulatory authority, rather than political or ideological motivations. Two commenters recommended that the General Counsel maintain a role in deciding whether to approve access Start Printed Page 75208requests, with one suggesting more specifically that General Counsel approval be required, in addition to the Associate Director's approval.

Two commenters also criticized the proposal for departing from other agencies' practices. The group of industry trade associations noted that the FRB vests authority to decide access requests with its Legal Division. Another commenter argued that other agencies vest their General Counsel with responsibility to “oversee FOIA requests and production of information.” This same commenter expressed concern that moving access-request authority could result in inconsistent decisions regarding the release of information in response to access requests, FOIA requests, or requests under the Bureau's Touhy regulations at 12 CFR 1070.30 through 1070.37.[13]

As the Bureau explained in the notice of proposed rulemaking, we proposed moving access-request authority from the General Counsel to the Associate Director for Supervision, Enforcement and Fair Lending in order to increase efficiency because most access requests submitted to the Bureau pertain to work conducted by that Division. The Bureau believes that the Associate Director may be in a better position than the General Counsel to make a policy determination whether to authorize an access request, since the Division of Supervision, Enforcement and Fair Lending is more familiar with the information at issue and the context of the access request. The Bureau does not agree with the contention that this change creates a conflict of interest, as the Bureau would consider the same policy grounds for granting an access request regardless of where the authority is located.

In addition, while some agencies, such as the FRB, may vest access-request authority with their General Counsel, others do not. For example, the FDIC vests access-request authority in the director of the division having primary authority over the records. See 12 CFR 309.6. Likewise, the Securities and Exchange Commission vests access-request authority in senior officers at or above the level of Associate Director or Associate Regional Director. See Securities and Exchange Commission, Division of Enforcement, Enforcement Manual section 5.1 (Nov. 28, 2017), available at https://www.sec.gov/​divisions/​enforce/​enforcementmanual.pdf (last visited Oct. 8, 2020); 17 CFR 240.24c-1. Given the size and organization of the Bureau, and for the reasons described above, we think it reasonable to vest access-request authority in an official other than the General Counsel.

Nevertheless, in light of the concerns expressed, the Bureau declines to codify in the rule that authority to act upon access requests is vested in the Associate Director for Supervision, Enforcement and Fair Lending. Instead, the final rule will vest the authority in the “Director,” which is defined in 12 CFR 1070.2(j) to include a designee of the Director. Thus, while the Director may delegate the authority to the Associate Director for Supervision, Enforcement and Fair Lending, this shift can be reversed or otherwise changed without requiring a rulemaking—such as if experience shows that the Bureau's Legal Division was in a better position to address access requests.

The Bureau notes that if responsible for acting upon access requests, the Division of Supervision, Enforcement and Fair Lending would continue to consult with the Legal Division as needed, such as when an access request raises legal questions regarding authority, privilege, privacy, trade secrets, or other legal obligations.[14]

Furthermore, the Bureau does not share one commenter's concern that its proposal could lead to different results where determinations are made in response to an access request, a FOIA request, or a request under the Bureau's Touhy regulations. These disclosures occur in different contexts, subject to different protections, and should not necessarily result in identical determinations. In addition, as stated above, the Bureau's Legal Division would continue to be consulted as needed in access-request determinations.

Finally, although the Bureau received no comments on the email address or mailing address that it proposed for access request submissions, it declines to include this contact information in the final rule because it has concluded that codification of such information is unnecessary.

In addition to changing the authority to act on access requests, the Bureau proposed revising § 1070.43(b)(2)(iii), for purposes of clarity, to state that, among other things, access requests must include a statement certifying and identifying the agency's “statutory or regulatory authority that is relevant to the requested information, as required by paragraph (b)(1).” We explained in the proposal that, in our experience, the previous formulation (the agency must certify or identify its “authority for requesting the documents”) can lead to confusion.

The Bureau received no comments on this proposal. However, because the Bureau has declined to finalize its proposed revision to § 1070.43(b)(1) regarding discretionary disclosure of CSI, it needs to further revise paragraph (b)(2)(iii) to track the dual standards in paragraph (b)(1) and achieve the same clarity sought in the proposal. Thus, the Bureau further revises the text in the final rule to read, “A statement certifying and identifying, as required by paragraph (b)(1) of this section, the agency's statutory or regulatory authority that is relevant to the requested information or, with respect to a request for confidential supervisory information, the agency's jurisdiction over a supervised financial institution.”

Finally, although the Bureau proposed no revisions to § 1070.43(b)(2)(v), it received two comment letters from industry trade associations regarding the paragraph, which requires agencies to include in an access letter “[a] certification that the agency will maintain the requested confidential information in confidence, including in a manner that conforms to the standards that apply to Federal agencies for the protection of the confidentiality of personally identifiable information and for data security and integrity, as well as any additional conditions or limitations that the CFPB may impose.” One commenter described the requirement as inadequate, and the other argued that the certification does not substitute for evaluation of the agencies' data security policies.

These comments are similar to a comment that the Bureau received when it initially promulgated the rule, where a commenter suggested that the Bureau audit agencies' data security practices prior to sharing confidential information with them. See 78 FR 11484, 11495 (Feb. 15, 2013). We considered and rejected the suggestion at the time, explaining in the previous final rule that, prior to disclosure, the Bureau takes reasonable steps to ensure that a requesting agency is legally authorized to protect the information, and that it has systems in place to safeguard the information from theft, loss, or Start Printed Page 75209unauthorized access or disclosure. See id. at 11497. The Bureau's view remains unchanged, and it finalizes § 1070.43(b)(2)(v) without modification.

Former Section 1070.43(c) State Requests for Information Other Than Confidential Information

Former § 1070.43(c) stated that State agency requests for information other than confidential information were not to be made and considered under § 1070.43. The Bureau proposed deleting this paragraph because it believed the paragraph to be unnecessary and confusing. Because, by its own terms, § 1070.43 only applies to confidential information, there is no need to state that it does not apply to information that is not confidential. The Bureau received no comments on this proposal, and it finalizes the proposal without modification.

Proposed Section 1070.43(c) Negotiation of Standing Requests

Proposed § 1070.43(c) (formerly § 1070.43(d)) states that the Bureau may negotiate terms governing the exchange of confidential information with agencies on a standing basis. The Bureau proposed no substantive revisions to this paragraph (other than replacing a reference to “Federal or State agencies” with “Agencies,” which is discussed above).

The Bureau received one comment letter, from an industry trade association, which stated that the Bureau could use this authority to negotiate data security standards, and it requested clarification from the Bureau that such standards are non-negotiable.

The Bureau disagrees with the commenter's implication that the Bureau can use proposed § 1070.43(c) to negotiate data security standards lower than the standards required by § 1070.43(b)(2). Paragraph (b)(2) requires agencies to make certain confidentiality assurances in order for the Bureau to approve an access request. Proposed paragraph (c), meanwhile, merely states that the Bureau can agree to the exchange of information on a standing, rather than a case-by-case, basis. In this context, the Bureau interprets proposed paragraph (c) to require that such standing agreements be consistent with the requirements of paragraph (b)(2). In addition, we note that the Bureau's obligations under the Dodd-Frank Act, such as the confidentiality requirements of 12 U.S.C. 5512(c)(8), apply equally to disclosures under paragraphs (b) and (c).

For the aforementioned reasons, the Bureau finalizes the proposal without modification.

Section 1070.44 Disclosure of Confidential Consumer Complaint Information

Section 1070.44 addresses the Bureau's disclosure of confidential consumer complaint information in the course of investigating, resolving, or otherwise responding to consumer complaints. The Bureau proposed replacing the phrase “[n]othing in this subpart shall limit the discretion of the CFPB” with “[t]he CFPB may . . .” in order to clarify that § 1070.44 authorizes such disclosure by the Bureau. The Bureau also proposed replacing the phrase “concerning financial institutions or consumer financial products and services” with “concerning consumer financial products and services or a violation of Federal consumer financial law” in order to clarify that the section broadly addresses any information received or generated by the Bureau through processes or procedures established under 12 U.S.C. 5493(b)(3), including where complaints do not concern financial institutions, or where the Bureau lacks authority to act on them. The Bureau received no comments on this proposal, and it finalizes the proposal without modification.

Section 1070.45 Affirmative Disclosure of Confidential Information

Section 1070.45 addresses various instances where the Bureau may make disclosures of confidential information on its own initiative. The Bureau proposed several revisions to clarify, supplement, or amend the disclosures previously addressed in the section. Any disclosures made pursuant to this section must be made in accordance with applicable law.

The Bureau proposed deleting the reference in § 1070.45(a) to “confidential investigative information” in the phrase “confidential investigative information or other confidential information.” The Bureau explained in its proposal that this reference is unnecessary because confidential investigative information is a sub-category of confidential information. The Bureau also noted that, while it may disclose any category of confidential information under § 1070.45(a), disclosures made under this section—particularly paragraphs (a)(3) and (4) and proposed (a)(6)—are more likely to involve confidential investigative information, rather than other categories of confidential information, such as confidential supervisory information. The Bureau received no comments regarding this proposal, and it finalizes the proposal without modification.

Paragraph (a)(2) addresses disclosure of confidential information to either House of the Congress, or to an appropriate committee or subcommittee of the Congress, as set forth in 12 U.S.C. 5562(d)(2). The text states that, upon receipt of a request from the Congress for confidential information that a financial institution submitted to the Bureau along with a claim that such information consists of trade secret or privileged or confidential commercial or financial information, or confidential supervisory information, the Bureau “shall notify” the financial institution in writing of its receipt of the request and provide the institution with a copy of the request. The Bureau proposed revising the text to state that it “may notify” the financial institution in such circumstances. The Bureau declines to finalize this proposal.

The Bureau reasoned in its proposal that this revision would provide greater flexibility and more closely align with 12 U.S.C. 5562(d)(2), which states that the Bureau “is permitted to adopt rules allowing prior notice to any party that owns or otherwise provided the material to the Bureau and had designated such material as confidential.”

The Bureau received four comment letters that addressed this proposal. Three commenters—an industry trade association, a group of industry trade associations, and a financial institution—stated that notification should be mandatory so that financial institutions have an opportunity to object to the disclosure to Congress, or at least to prepare to be able to assist Congress or to respond to potential publicity. One comment letter, from a group of industry trade associations, argued that notice is critical to ensuring that information is not misused, misunderstood, inaccurately reported, or inadvertently disclosed. The commenter reasoned that notice allows institutions to be prepared to respond to questions and potentially avoid panic or inappropriate or harmful reactions. The two industry trade association commenters also stated that they did not believe the Bureau sufficiently explained its need for “flexibility” in its proposal, and that any such need is outweighed by the importance of preserving the confidentiality of CSI. One of the commenters also noted that the Bureau's proposal differs from a similar rule promulgated by the FTC that requires agency notice in similar situations. See 16 CFR 4.11(b). Finally, the Bureau received a comment letter, from a public interest organization, expressing concern that the Bureau's Start Printed Page 75210proposal could reduce institutions' ability to prevent, or at least object to, the disclosure of information to Congress, which could threaten the privileged status of any such information.

In light of these comments, the Bureau declines to finalize this proposal, and the final rule instead will contain the status quo text, unmodified, which requires notification by the Bureau prior to disclosures to either House of the Congress or to an appropriate committee of subcommittee of the Congress. The Bureau appreciates commenters' concerns about a financial institution's need to know when its sensitive information is being produced to Congress. The Bureau also recognizes that a mandatory, rather than discretionary, notification process establishes predictability and increases confidence regarding the Bureau's protection and appropriate treatment of information. The Bureau's proposal had been intended to give the Bureau flexibility where it receives Congressional requests for less sensitive information—for example, publicly available market monitoring materials that the rule previously classified as “confidential supervisory information.” However, other revisions to the rule, such as the removal of market monitoring material from the definition of “confidential supervisory information” in § 1070.2(i), alleviate the need for such flexibility. Further, the Bureau concludes that the benefits of the mandatory notice requirement outweigh the marginal benefits of retaining flexibility in instances where the Bureau receives requests for less sensitive information.

Paragraph (a)(3) pertains to the disclosure of confidential information in “investigational hearings and witness interviews, as is reasonably necessary, at the discretion of the CFPB.” This paragraph was initially intended to address disclosure in the course of investigations and enforcement actions. See 76 FR 45372, 45375 (Jul. 28, 2011). The Bureau proposed revising the paragraph to state that it may disclose confidential information in “investigational hearings and witness interviews, or otherwise in the investigation and administration of enforcement actions, as is reasonably necessary, at the discretion of the CFPB.” It explained that this revision would clarify that the Bureau may disclose confidential information in its discretion to conduct its investigations or perform administrative tasks to further its own enforcement actions. This includes, for example, disclosures to expert witnesses, service process servers, or other Federal and State agencies that may provide assistance with space for investigational hearings or advise the Bureau on local rules regarding a court filing. This would also include instances in which the Bureau is partnering with another agency and determines that it needs to share specific information with that agency to further an investigation or administer the filing or settlement of a joint enforcement action. The Bureau received no comments on this proposal, and it finalizes the proposal without modification.

Paragraph (a)(4) authorizes the disclosure of confidential information “[i]n an administrative or court proceeding to which the CFPB is a party.” The Bureau proposed revising this paragraph to state that it may disclose confidential information “[i]n or related to an administrative or court proceeding to which the Bureau is a party.” The Bureau declines to finalize this proposal.

The Bureau explained in its proposal that it intended this revision to clarify that it may disclose confidential information not only during an administrative or court proceeding to which the Bureau is a party, such as in complaints and consent orders, but also when related to the Bureau's implementation of ongoing administrative or court orders. It noted that such disclosures could be made in furtherance of the Bureau's reporting requirements and could include, for example, updates on required consumer remuneration and the payment of civil money penalties.

The Bureau received two comments regarding this proposed revision. One comment letter, from a group of industry trade associations, criticized the proposal as overly broad and unnecessary. It expressed concern that such disclosure could increase litigation and reputation risk for financial institutions and potentially undermine the bank examination privilege. The commenter also stated that the Bureau's proposal did not indicate how broadly it could construe “related to,” and that it did not justify why such disclosures are necessary or how that need would outweigh the Bureau's need to maintain confidentiality. Another comment letter, from an industry trade association, expressed concern that the proposal could allow the Bureau to disclose confidential information prior to commencement or after conclusion of a proceeding.

In light of these concerns, the Bureau declines to make the proposed revision in the final rule. As the Bureau explained in its proposal, it occasionally has a need to disclose confidential information about an administrative or court proceeding outside the context of the actual proceeding, such as updating the public and Congress about consumer remuneration and the payment of civil money penalties. While such disclosures are relatively rare and only occur in limited circumstances, addressing these disclosures in § 1070.45(a)(4) risks leaving a mistaken impression that such disclosures will take place with regularity. Furthermore, as indicated by the commenters' expressed concerns, the potential breadth of the proposed text could lead to this provision being applied more broadly than the proposal intended.

Instead, in the event that the Bureau identifies a future need to disclose confidential information about an administrative or court proceeding outside the context of the actual proceeding, and it cannot otherwise make the disclosure pursuant to subpart D, it will do so pursuant to § 1070.46, which permits the Bureau's director to authorize disclosure of confidential information other than as set forth in subpart D. The authorization must be in writing, must otherwise be permitted by law, and may not be delegated. See 12 CFR 1070.46(a), (c).

Disclosures contemplated by the proposal should only be made when appropriate and subject to due consideration of the disclosure's impact. Vesting the Director alone with authority to approve these disclosures under § 1070.46 reflects this commitment by requiring decision-making to take place at the Bureau's highest level.

Paragraph (a)(4) also permits the submitter of confidential investigatory materials that consists of trade secrets or privileged or confidential financial information, or confidential supervisory information, to seek a protective or other order prior to the information's disclosure in an administrative or court proceeding. For clarity, the Bureau proposed replacing the phrase “confidential investigatory materials” with “confidential investigative information,” a defined term used throughout the rule. Likewise, the Bureau proposed replacing the reference to “appropriate protective or in camera order” with “appropriate order,” which would encompass both examples in the previous version. Finally, the Bureau proposed revising the rule to also allow the Bureau to seek an appropriate order in its discretion. Whereas the prior text only discusses the submitter seeking such an order, there may be times where it would be more efficient or appropriate for the Bureau itself to make Start Printed Page 75211such a request. The Bureau received no comments regarding these proposed revisions, and it finalizes the proposal without modification.

The Bureau did, however, receive one comment letter, from a group of industry trade associations, asking the Bureau to further revise paragraph (a)(4) to require it to notify institutions of its intended use of certain information in connection with administrative or court proceedings. The commenter argued that, by allowing submitters to seek protective and similar orders, paragraph (a)(4) implicitly requires that the Bureau first notify submitters of its intended use of the information; it suggested that the Bureau make such a requirement explicit.

In accordance with this provision, it is the Bureau's practice to take steps to ensure that the submitter has an opportunity to seek a protective order where it has a cognizable claim for one. However, the Bureau does not agree with the commenter's interpretation that paragraph (a)(4) imposes an implicit notification requirement on the Bureau, as there is no textual basis for that conclusion. Furthermore, we do not think it necessary for the rule to codify a formal notification process. For these reasons, the Bureau declines to revise the rule as suggested by the commenter.

The Bureau proposed a new paragraph, proposed paragraph (a)(5), that states that the Bureau may disclose confidential information in “CFPB personnel matters, as necessary and subject to appropriate protections.” The Bureau explained in its proposal that this paragraph was intended to clarify that confidential information may at times be disclosed in the course of equal employment opportunity matters, grievance proceedings, and other personnel matters. We noted that such disclosures would only be made as necessary, in accordance with applicable law, and subject to appropriate protections. The Bureau also proposed re-numbering § 1070.45 to account for this new paragraph. The Bureau received no comments on this proposal, and it finalizes the proposal without modification.

Proposed paragraph (a)(6) (formerly paragraph (a)(5)) addresses disclosure to other agencies of confidential information in summary form in certain circumstances. The Bureau explained in its proposal that the purpose of this provision is to allow it to inform agencies about potential legal violations in which they may have an interest, including situations in which they may wish to submit a request for information under § 1070.43. The Bureau proposed revising this paragraph to authorize disclosure to “Agencies in summary form to the extent necessary to confer with such Agencies about matters relevant to the exercise of the Agencies' statutory or regulatory authority.” This was intended to clarify the paragraph's intended purpose and more closely align with the standard used for disclosing confidential information to agencies under § 1070.43.

The Bureau received one comment letter, from a group of industry trade associations, which stated that this revision was “unnecessary.” The commenter argued that 12 U.S.C. 5566 mandates that the Bureau transmit evidence to the Attorney General if it has evidence that may constitute a violation of Federal criminal law, and that no similar provision suggests that the Bureau may share CSI with other Federal or State law enforcement agencies. The commenter also expressed concerns that the proposal was overbroad due to the definition of “agency” in proposed § 1070.2(a).

The Bureau disagrees with the commenter's argument, which appears to misunderstand the purpose of this paragraph. The provision is primarily intended to enable preliminary, high-level discussion that facilitates submission of an access request under 12 CFR 1070.43. For example, it could include a summary of the nature of an investigation or the kinds of confidential information that the Bureau possesses; more substantive information may then be provided to the agency in response to a request under § 1070.43. The discussions contemplated by this provision are necessary for other agencies to determine whether they have an interest in submitting an access request to the Bureau, and if so, what statements to include in it. Otherwise, an agency may not even know that the Bureau possesses confidential information in which it is interested. The Bureau proposed revising this paragraph to align it with § 1070.43 in order to clarify and facilitate the two provisions' interaction.[15] We do not agree that 12 U.S.C. 5566, which requires criminal referrals to the Attorney General in certain circumstances, forecloses the Bureau from drafting regulations pursuant to 12 U.S.C. 5512(c)(6)(A) that authorize other affirmative disclosures of confidential information to partner agencies.

In addition, as discussed above regarding proposed § 1070.2(a), the Bureau has declined to finalize the proposed definition of “agency,” addressing concerns regarding this paragraph's breadth.

For the aforementioned reasons, the Bureau finalizes the proposal without modification.

Section 1070.47 Other Rules Regarding the Disclosure of Confidential Information

The Bureau proposed reorganizing § 1070.47 for clarity. Specifically, it proposed moving paragraph (a)(5) to immediately after paragraph (a)(2) because the two paragraphs both address further disclosure by the recipient of confidential information. The Bureau further proposed making paragraph (a)(3), which addresses third-party requests for information, a new paragraph titled “Third party requests for information” to highlight the provision and lead to better ease of use. Finally, the Bureau proposed re-numbering the section to account for these changes. The Bureau received no comments regarding this reorganization of the section, and it finalizes the proposal without modification.

Section 1070.47(a) Further Disclosure Prohibited

Section 1070.47(a) describes certain steps that recipients of confidential information under subpart D must take to protect the information. It notes that confidential information disclosed under this subpart remains Bureau property, it prohibits further disclosure of confidential information without the Bureau's prior written permission, and it sets forth procedures to follow in the event that a recipient of confidential information receives from a third party a legally enforceable demand for the information.

Consistent with proposed revisions to § 1070.43(b), the Bureau proposed shifting from its General Counsel to the Associate Director for Supervision, Enforcement and Fair Lending the authority in paragraph (a)(1) to provide in writing that confidential information is no longer Bureau property, and the authority in paragraph (a)(2) to provide written permission to further disclose confidential information. In the final rule, the Bureau declines to finalize the proposed revision to paragraph (a)(1), and it further revises paragraph (a)(2).

The Bureau explained in its proposal that it believed that its proposed Start Printed Page 75212changes would lead to increased efficiency because the vast majority of access requests submitted to the Bureau pertain to work conducted by its Division of Supervision, Enforcement and Fair Lending. The Bureau also noted that it intended the General Counsel to retain his or her authority with respect to legally enforceable demands or requests for confidential information, described in paragraph (a)(3). Finally, as discussed above with respect to proposed § 1070.2(a), the Bureau proposed revisions to account for the newly proposed defined term “agency.”

Comment letters that addressed this proposal generally discussed it together with proposed revisions to § 1070.43(b), regarding the move of access request authority from the General Counsel to the Associate Director for Supervision, Enforcement and Fair Lending. For a discussion of these comments, please see the discussion regarding § 1070.43(b) above. In light of these comments, the Bureau declines to finalize its proposal to transfer from the General Counsel to the Associate Director for Supervision, Enforcement and Fair Lending the authority in paragraph (a)(1) to provide in writing that confidential information is no longer Bureau property. This authority will instead be retained by the Bureau's General Counsel. In addition, for the reasons addressed in the discussion regarding § 1070.43(b) above, the Bureau will further revise paragraph (a)(2) in the final rule, to vest with the Director (or her designee) the authority to provide written permission to further disclose confidential information.

For a discussion of comments on the definition of “agency,” please see the discussion regarding proposed § 1070.2(a) above. For the reasons addressed in that discussion, the Bureau declines to finalize revisions intended to account for the proposed definition of “agency.”

Section 1070.47(d) Return or Destruction of Records

The Bureau proposed adding a new paragraph (d) to clarify that the Bureau may require any person in possession of confidential information to return the records to the Bureau or destroy them.

Paragraph (d) is further revised in the final rule for consistency with new § 1070.42(c), which was added in response to comments on proposed revisions to § 1070.42.[16] 12 CFR 1070.42(c) states, “Nothing in this subpart shall prohibit any person lawfully in possession of confidential investigative information of the CFPB pursuant to paragraph (a) of this section from further disclosing that confidential investigative information.” The Bureau adds to paragraph (d), “[e]xcept with respect to confidential investigative information disclosed pursuant to § 1070.42(a) of this subpart,” because a requirement to return or destroy these records would raise tension with the ability to further disclose the information. This further revision is not intended to impact the Bureau's ability to enter into a protective order, or to otherwise reach mutual agreement with a party with respect to the protection of CII.

The Bureau received one comment letter regarding this proposal, from a public interest organization. The commenter suggested that this proposal, among other proposed revisions to § 1070.47, was intended to assure supervised and regulated entities that the Bureau's separate proposals that would expand its discretion to share information would not prejudice those entities. The commenter expressed concern that the provision may not be enforceable with respect to information disclosed to foreign agencies, State agencies, Congress, or other government agencies that are not subject to the Bureau's jurisdiction. The commenter suggested that this provision could create an “illusion of certainty” for entities that disclose privileged information to the Bureau in reliance on this and other provisions.

The purpose of this proposal was to facilitate the Bureau's control over its own confidential information. The proposed text is relatively common for information sharing agreements, and the Bureau's intent was to codify such language in its regulations to put recipients of its confidential information on notice that it may require the return or destruction of such records. For these reasons, the Bureau finalizes this proposal without modifying it in response to this comment.

Section 1070.47(e) Non-Waiver of CFPB Rights

The Bureau proposed adding a new paragraph (e) to clarify that the Bureau's disclosure of confidential information under subpart D does not waive the Bureau's right to control, or impose limitations on, the subsequent use and dissemination of its confidential information.

Paragraph (e) is further revised in the final rule for consistency with new § 1070.42(c), which was added in response to comments on proposed revisions to § 1070.42.[17] 12 CFR 1070.42(c) states, “Nothing in this subpart shall prohibit any person lawfully in possession of confidential investigative information of the CFPB pursuant to paragraph (a) of this section from further disclosing that confidential investigative information.” The Bureau adds to paragraph (e), “[e]xcept as provided in § 1070.42(c),” because the new text in § 1070.42(c) permits further disclosure of confidential investigative information in certain circumstances.

The Bureau received one comment letter regarding proposed § 1070.47(e), from the same public interest organization that commented on proposed § 1070.47(d). As it did with respect to proposed § 1070.47(d), the commenter suggested that this paragraph was intended to assure entities that the Bureau's separate proposals that would expand its discretion to share information would not prejudice them, and it expressed concerns that this provision may not be enforceable with respect to government authorities, and that the proposal could give create an “illusion of certainty” for entities that disclose privileged information to the Bureau in reliance on this provision.

Like proposed § 1070.47(d), the purpose of this proposal was to facilitate the Bureau's control over its own confidential information. The Bureau intended this provision to parallel 12 CFR 4.37(d), a provision that serves a similar purpose in analogous regulations promulgated by the OCC. The Bureau's purpose was to codify such language in its own regulations to put recipients of its confidential information on notice that the Bureau does not intend its disclosure of confidential information to waive its rights with respect to the information. For these reasons, the Bureau finalizes the proposal without modifying it in response to this comment.

Section 1070.47(f) Non-Waiver of Privilege

The Bureau proposed moving the former paragraph (c), Non-waiver, to a new paragraph (f), and making corresponding technical corrections to paragraph (f)(2), in order to account for the two new paragraphs described above. In addition, the Bureau proposed replacing the title “Non-waiver” with a new title “Non-waiver of privilege” so as to clarify the distinction between this paragraph and the new paragraph (e), Non-waiver of CFPB rights. Start Printed Page 75213

The Bureau received two comment letters regarding this paragraph, from a public interest organization and a group of industry trade associations. The public interest organization commenter argued that most Federal circuits reject selective waiver doctrine and may not protect privilege in the absence of statutory authority, and that entities that rely on proposed § 1070.47(f) to disclose privileged information to the Bureau may risk the Bureau waiving their privilege because the paragraph's reference to “any Federal or State Agency” is broader than the express anti-waiver protection in 12 U.S.C. 1821(t). The industry commenter expressed similar concerns, that if the Bureau transferred privileged material that it had received under 12 U.S.C. 1828(x), that transfer could endanger the material's privilege.

The Bureau notes that it did not propose any substantive changes to this provision, which already exists in the rule. We previously considered and addressed these issues in a 2012 rulemaking in which we readopted this provision in modified form. See generally Final Rule, Confidential Treatment of Privileged Information, 77 FR 39617 (July 5, 2012). Our view has not changed since then. As we explained at the time, this provision is “primarily intended to protect the Bureau's privileges—including, for example, its examination privilege, its deliberative process privilege, and its law enforcement privilege—in the context of a coordinated examination or joint investigation.” Id. at 39621. We also explained that, per Bulletin 12-01, the Bureau only requests privileged information from institutions in limited circumstances, and there is a presumption against sharing confidential supervisory information with non-supervisory agencies. Id. We noted that “[t]he Bulletin's presumption against sharing confidential supervisory information would be even stronger” where it includes information subject to attorney-client or work-product privileges. Id.

Moreover, the Bureau concluded in its 2012 rulemaking that it had statutory authority to promulgate a regulation that protected against waiver of privilege in the event that information is shared with State agencies. See Notice of Proposed Rulemaking, Confidential Treatment of Privileged Information, 77 FR 15286, 15289 (Mar. 15, 2012); see also Final Rule, 77 FR at 39621. This conclusion has been buttressed by Congress's subsequent amendment to 12 U.S.C. 5514(b)(3), which states that, in coordinating the supervision of nondepository covered persons with prudential regulators, the State bank regulatory authorities, and the State agencies that license, supervise, or examine the offering of consumer financial products or services, “[t]he sharing of information with such regulators, authorities, and agencies shall not be construed as waiving, destroying, or otherwise affecting any privilege or confidentiality such person may claim with respect to such information under Federal or State law as to any person or entity other than such Bureau, agency, supervisor, or authority.”

For the aforementioned reasons, the Bureau finalizes the proposal without modification.

Section 1070.47(g) Reports of Unauthorized Disclosure

The Bureau proposed adding a new paragraph (g) that would have required any persons in possession of confidential information to immediately notify the Bureau upon discovery of any disclosures of confidential information made in violation of subpart D. The Bureau further revises the proposal in the final rule.

The Bureau received three comment letters that addressed this provision, from a group of industry trade associations, from a consumer advocacy organization, and from a financial institution. The group of industry trade associations expressed concern that this proposal would create an “independent violation” for “any person” in possession of confidential information to fail to immediately notify the Bureau upon discovery of improper disclosures. The group argued that, unlike supervised financial institutions, imposing notification requirements on other potential recipients of confidential information, including individuals or non-regulated third parties, is not appropriate, and would heighten legal risks for individuals and institutions. The commenter noted that it can be difficult to determine whether a particular document or piece of information is CSI; it expressed further concerns that the provision presumes that recipients of confidential information would know what constitutes confidential information and what disclosures are permitted by the rule, and it concluded that such expectations are unreasonable. The commenter alleged that the “imposition of additional liability” on recipients of improper disclosures would “improperly shift the burden to those who are, in essence, innocent bystanders in a violation.” The consumer advocacy organization expressed similar concerns that journalists or other members of the public could be subject to these notification requirements, which could chill journalistic or other inquiries.

This proposal was intended to instruct agencies, institutions, or other persons that may improperly disclose the Bureau's confidential information to notify the Bureau so that, where warranted, the Bureau can take appropriate steps to mitigate any harm caused by such disclosure. For example, if an agency partner were to publicly disclose CII without permission, the Bureau would work to limit public disclosure and protect the privacy or proprietary interests of those affected by the disclosure. This is in line with the Bureau's obligations under 12 U.S.C. 5512(c)(8), which requires that, “[i]n collecting information from any person [or] publicly releasing information held by the Bureau, . . . the Bureau shall take steps to ensure that proprietary, personal, or confidential consumer information that is protected from disclosure under [the FOIA] or [the Privacy Act of 1974], or any other provision of law, is not made public under this title.”

The Bureau appreciates commenters' concerns that the proposal's notification requirement could apply to third parties without a direct relationship with the Bureau, who may not realize that they possess confidential information or know of this subpart's requirements. And it likewise appreciates the commenter's concerns about chilling journalistic or other inquiries. To address these concerns, the Bureau will further revise and narrow the proposed text, limiting this provision to persons “that obtain confidential information under this subpart.” Agencies, institutions, and other persons that obtain confidential information under this subpart should be advised of their receipt of the Bureau's confidential information and any obligations to protect the information's confidentiality.

In addition to these comments regarding the proposal's applicability to third parties, the Bureau also received a comment letter from a financial institution that expressed concern regarding the proposal's inclusion of the term “immediately.” The commenter suggested that “immediately,” read literally, would create an impossible standard to meet, and it instead recommended a “more reasonable” standard, such as “promptly.”

The Bureau agrees that a requirement for “immediate” notification, if read literally, could create compliance difficulties. To address this concern, the Bureau revises the proposal's temporal Start Printed Page 75214standard to instead require notification “as soon as possible and without unreasonable delay.” In adopting this standard, the Bureau analogizes to the same temporal standard adopted by the Office of Management and Budget with respect to Federal agency breach reporting. See Office of Management and Budget, M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (Jan. 3, 2017). This is also intended to be analogous to the reporting standard set forth in interagency information security guidance by the prudential regulators, which advises as a best practice that a financial institution “notify[] its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.” See Interagency Guidelines Establishing Information Security Standards, 12 CFR part 208, appendix D-2 (emphasis in original).

Finally, the same financial institution requested clarification regarding the proposal's interaction with existing requirements and supervisory expectations applicable to financial institutions, their employees, and other institution-affiliated parties, as defined in 12 U.S.C. 1813(u). The commenter stated that, upon discovery of improper disclosure, supervised financial institutions would already be expected to take certain steps, including notifying regulators as appropriate, pursuant to supervisory expectations and under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and State breach laws.

This provision is consistent with the Bureau's existing supervisory expectations. In addition, this provision does not impact other notification expectations relating to the Gramm-Leach-Bliley Act or requirements under various State breach laws, as they generally do not require notification to the Bureau and, depending on the information's content, may not apply to the Bureau's confidential information.

Former Section 1070.48 Privileges not Affected by Disclosure to the CFPB

Former § 1070.48 provided that the submission by any person of any information to the Bureau in the course of the Bureau's supervisory or regulatory processes will not waive or otherwise affect any privilege such person may claim with respect to such information under Federal or State law as to any other person or entity. This section had been promulgated separately from the rest of the rule. See Final Rule, Confidential Treatment of Privileged Information, 77 FR 39617 (July 5, 2012). Congress subsequently enacted Public Law 112-215, 126 Stat. 1589, Dec. 20, 2012, which amended 12 U.S.C. 1828(x) to provide these same protections to privileged information submitted to the Bureau. Because 12 U.S.C. 1828(x), as revised, provided the exact same protections as former § 1070.48, it rendered former § 1070.48 superfluous and unnecessary, and the Bureau therefore proposed deleting the provision in its regulation text to avoid potential confusion.

The Bureau received no comments regarding this proposal, and it finalizes the proposal without modification.

Proposed Section 1070.48 Disclosure of Confidential Information by the Inspector General

The Bureau proposed adding a new section to clarify that part 1070 does not limit the discretion of its Inspector General's office to disclose confidential information as needed in fulfilling its responsibilities under the Inspector General Act of 1978, 5 U.S.C. App. 3. Because the Bureau proposed deleting the current text of § 1070.48, this new section replaces that text.

The Bureau received two comment letters regarding this proposal. One comment letter, from an industry trade association, stated that it was unclear whether the “as needed” language limits the Bureau's Inspector General's ability to publish reports containing confidential information. It asked that the Bureau either delete the proposal or clarify the extent to which its Inspector General's office may disclose confidential information. A second comment letter, from a public interest organization, expressed concern that the proposal could make it easier for the Bureau's Inspector General's office to further disclose privileged supervisory information submitted to the Bureau, which could undermine the information's privileged status and discourage the submission of privileged materials to the Bureau.

To be clear, the proposal's “as needed” language is intended to enable the Bureau's Inspector General's office, in its discretion, to disclose confidential information to the extent that it deems such disclosure necessary to fulfill its duties under the Inspector General Act of 1978, 5 U.S.C. App. 3. Furthermore, as explained above with respect to inclusion of Inspector General employees in the definition of “employee” in § 1070.2(k), § 1070.41(c) already allows for the publication of reports derived from confidential information to the extent that they do not identify, either directly or indirectly, any particular person to whom the information pertains.[18]

With respect to the commenter's concern that the Inspector General's office may further disclose financial institutions' privileged information in a manner that could undermine the privilege, the Inspector General's office will give due consideration to the applicable privileges associated with any disclosures that it may make.

For the aforementioned reasons, the Bureau finalizes the proposal without modification.

Part 1091—Procedural Rule To Establish Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination

Section 1091.103 Contents of Notice

The Bureau proposed to revise paragraph (a)(2)(vii) to remove the cross-reference to § 1070.2(i)(1) and replace it with a cross-reference to § 1070.2(j). The Bureau received no comments on this proposal. Because the definitions in § 1070.2 are renumbered in the final rule, the final rule further revises the proposal to appropriately cross-reference § 1070.2(i).

Section 1091.115 Change of Time Limits and Confidentiality of Proceedings

The Bureau proposed to revise § 1091.115(c) to remove the cross-reference to § 1070.2(i)(1) and replace it with a cross-reference to § 1070.2(j). The Bureau received no comments on this proposal. Because the definitions in § 1070.2 are renumbered in the final rule, the final rule further revises the proposal to appropriately cross-reference § 1070.2(i).

V. Section 1022(b)(2)(A) of the Dodd-Frank Act

In developing this final rule, the Bureau has considered the potential benefits, costs, and impacts as required by section 1022(b)(2)(A) of the Dodd-Frank Act.[19] The Bureau has consulted, or offered to consult with, the Start Printed Page 75215prudential regulators and the Federal Trade Commission, including consultation regarding consistency with any prudential, market, or systemic objectives administered by such agencies.[20]

The Bureau has chosen to consider the benefits, costs, and impacts of the final rule as compared to the status quo: The current statutory provisions and the regulations as set forth by the Bureau on February 15, 2013, 78 FR 11483 (Feb. 15, 2013) (which includes the protections for privileged information which Congress enacted in Pub. L. 112-215, 126 Stat. 1589, Dec. 20, 2012, which amended 12 U.S.C. 1821(t)(2)(A) and 1828(x)).[21] The Bureau does not have data with which to quantify the benefits or costs of the final rule, nor were any data provided by commenters. The discussion below considers the qualitative costs, benefits, and impacts that the Bureau anticipates from the rule. The Bureau also notes that the discussion below should be read in conjunction with the discussion of impacts in the Section by Section discussion above.

Summary of main aspects of rule. In this analysis, the Bureau focuses on the benefits, costs, and impacts of the main aspects of the final rule, which are found in subparts A and D.

The changes to the definitions in subpart A will alter the treatment of certain information submitted to the Bureau. The revised definition of confidential consumer complaint information will now include any information received or generated by the CFPB through processes or procedures established under 12 U.S.C. 5493(b)(3), clarifying that any complaints submitted to the CFPB through its Consumer Response system, and any information generated therein, are similarly classified under its confidentiality rules and subject to the same confidentiality protections. The revised definition of confidential supervisory information will no longer include reference to information collected using the Bureau's market monitoring authority.

The changes in subpart D will provide that a person lawfully in possession of confidential supervisory information provided directly to it by the Bureau pursuant to § 1070.42 may disclose the information to an insurance provider pursuant to a claim made under an existing policy, provided that the Bureau has not precluded indemnification or reimbursement for the claim and to the extent necessary for the insurance provider to process and administer any claims for coverage.

In addition, the changes in subpart D will authorize the Bureau, upon receipt of prior consent, to disclose confidential information that directly or indirectly identifies particular persons. The rule includes a clarification that the Bureau may disclose confidential information in its discretion as needed to conduct its investigations or perform administrative tasks to further its own enforcement actions.

Lastly, the final rule adds § 1070.47(g), which will require any person that obtains confidential information under subpart D to, as soon as possible and without unreasonable delay, notify the CFPB upon the discovery of any further disclosures made in violation of subpart D.

The Bureau views the remainder of the final rule to mainly include clarifications, corrections and technical changes, which will have limited impacts on consumers and covered persons.

Costs and benefits to consumers and covered persons of changes in Subpart A. The final rule's changes to certain definitions in subpart A will impact the Bureau's ability to disclose confidential information, which will in turn result in some costs and benefits for consumers and covered persons.

The expansion of the definition of confidential consumer complaint information to include any complaints submitted through the Bureau's Consumer Response system should provide benefits for consumers and covered persons. Specifically, because all such complaints will now be subject to the Bureau's confidentiality rules, this change should afford greater confidentiality protections to consumers and covered persons submitting or referenced in any misdirected complaints that the Bureau receives and that are now covered under the definition.

The deletion of market monitoring information collected pursuant to 12 U.S.C. 5512(c) from the definition of confidential supervisory information will not impose costs on financial institutions because this information will continue to be protected as confidential information under the Bureau's rules, to the extent that the information includes confidential business information, personal information, or other sensitive information that is exempt from disclosure under the Freedom of Information Act, 5 U.S.C. 552(b). But this change will mean that Bureau will have more flexibility to use and disclose less-sensitive, non-confidential information collected for market monitoring purposes, such as data that are already publicly available. This change will allow the Bureau to implement and administer Federal consumer financial law more efficiently, which will benefit consumers. In addition, this flexibility should not impose additional costs for covered persons because such less-sensitive information would already be subject to public access via the FOIA.

Costs and benefits to consumers and covered persons of changes in Subpart D. As noted above, the new provisions in subpart D authorize the Bureau to disclose confidential information in certain circumstances. Consumers will generally benefit from these provisions because each of these changes allows more efficient sharing of confidential information between the CFPB and various parties and thus also results in more efficient administration of consumer financial laws. The Bureau notes, however, that any benefits are limited, relative to the proposal, given the narrower scope of the final rule.

These changes may entail certain costs to covered persons, such as increased risk for a loss of confidentiality. However, the final rule expands the circumstances in which confidential information may be disclosed only in discrete circumstances, and moreover, any recipient of confidential information from the Bureau may not further disclose such information without the prior written permission of the Bureau. Therefore, any increased risk for a loss of confidentiality should be minimal. The Bureau continues to seek to provide stringent protection for confidential information while ensuring its ability to share or disclose information to the extent necessary to achieve its mission.

The new requirement that any person that obtains confidential information under subpart D must notify the CFPB upon the discovery of any further disclosures made in violation of subpart D should not cause additional burden for supervised entities with respect to CSI, as this provision is consistent with the Bureau's existing supervisory expectations. It should not cause additional burden on recipients of CII Start Printed Page 75216under § 1070.42(a), as further disclosure of such information is not prohibited by the final rule. It may result in some additional burden in cases where confidential consumer complaint information is further disclosed by a covered person, which will now have the obligation to notify the Bureau. Consumers should benefit from this requirement because notification should facilitate the mitigation of any harms caused by the unauthorized disclosure.

Other impacts. The CFPB does not expect that the final rule will have an appreciable impact on consumers' access to consumer financial products or services. The scope of the rulemaking is limited to matters related to access to and disclosure of certain types of information, and does not relate to credit access.

The Bureau does not believe that this rule will have a unique impact on insured depository institutions or insured credit unions with $10 billion or less in assets as described in section 1026(a) of the Dodd-Frank Act. The rule does not distinguish in any material way information regarding such institutions. In addition, because the Bureau has limited supervisory authority over these institutions, they are generally less likely to share information with the Bureau, and therefore any impacts of the rule related to confidential supervisory information may be less compared to other institutions.

The Bureau also does not believe that this rule will have a unique impact on consumers in rural areas. The rule does not distinguish information regarding consumers in rural areas, or regarding institutions that provide products or services to consumers in rural areas. In addition, to the extent that these consumers may use smaller financial service providers over which the Bureau has limited supervisory authority, and which may be less likely to share information with the Bureau, the impacts of the rule related to confidential supervisory information may be less for these consumers than for other consumers.

VI. Regulatory Requirements

The Regulatory Flexibility Act, 5 U.S.C. 601 et seq., as amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (the RFA), requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units, and small not-for-profit organizations, unless the head of the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. The Director so certifies. The rule does not impose any obligations or standards of conduct for purposes of analysis under the RFA, and it therefore does not give rise to a regulatory compliance burden for small entities.

The Bureau also has determined that this rule does not impose any new recordkeeping, reporting, or disclosure requirements on members of the public that would be collections of information requiring approval under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq.

Finally, pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Bureau will submit a report containing this rule and other required information to the United States Senate, the United States House of Representatives, and the Comptroller General of the United States prior to the rule taking effect. The Office of Information and Regulatory Affairs (OIRA) has designated this rule as not a “major rule” as defined by 5 U.S.C. 804(2).

VII. Signing Authority

The Director of the Bureau, Kathleen L. Kraninger, having reviewed and approved this document, is delegating the authority to electronically sign this document to Laura Galban, a Bureau Federal Register Liaison, for purposes of publication in the Federal Register.

Start List of Subjects

List of Subjects

12 CFR Part 1070

  • Confidential business information
  • Consumer protection
  • Freedom of information
  • Privacy

12 CFR Part 1091

  • Administrative practice and procedure
  • Consumer protection
  • Credit
  • Trade practices
End List of Subjects

Authority and Issuance

For the reasons set forth in the preamble, the Bureau amends 12 CFR parts 1070 and 1091 to read as follows:

Start Part

PART 1070—DISCLOSURE OF RECORDS AND INFORMATION

End Part Start Amendment Part

1. The authority citation for part 1070 continues to read as follows:

End Amendment Part Start Authority

Authority: 12 U.S.C. 5481 et seq.; 5 U.S.C. 552; 5 U.S.C. 552a; 18 U.S.C. 1905; 18 U.S.C. 641; 44 U.S.C. ch. 31; 44 U.S.C. ch. 35; 12 U.S.C. 3401 et seq.

End Authority

Subpart A—General Provisions and Definitions

Start Amendment Part

2. Revise § 1070.2 to read as follows:

End Amendment Part
General definitions.

For purposes of this part:

(a) Associate Director for Supervision, Enforcement and Fair Lending means the Associate Director for Supervision, Enforcement and Fair Lending of the CFPB or any CFPB employee to whom the Associate Director for Supervision, Enforcement and Fair Lending has delegated authority to act under this part.

(b) Business day means any day except Saturday, Sunday or a legal Federal holiday.

(c) CFPB means the Bureau of Consumer Financial Protection.

(d) Chief FOIA Officer means the Chief Operating Officer of the CFPB.

(e) Chief Operating Officer means the Chief Operating Officer of the CFPB, or any CFPB employee to whom the Chief Operating Officer has delegated authority to act under this part.

(f) Confidential information means confidential consumer complaint information, confidential investigative information, and confidential supervisory information, as well as any other CFPB information that may be exempt from disclosure under the Freedom of Information Act pursuant to 5 U.S.C. 552(b). Confidential information does not include information contained in records that have been made publicly available by the CFPB or information that has otherwise been publicly disclosed by an employee, or agent of the CFPB, with the authority to do so. Confidential information obtained by a third party or otherwise incorporated in the records of a third party, including another agency, shall remain confidential information subject to this part.

(g) Confidential consumer complaint information means information received or generated by the CFPB through processes or procedures established under 12 U.S.C. 5493(b)(3), to the extent that such information is exempt from disclosure pursuant to 5 U.S.C. 552(b).

(h) Confidential investigative information means:

(1) Any documentary material, written report, or written answers to questions, tangible thing, or transcript of oral testimony received by the CFPB in any form or format pursuant to a civil investigative demand, as those terms are set forth in 12 U.S.C. 5562, or received by the CFPB voluntarily in lieu of a civil investigative demand; and

(2) Any other documents, materials, or records prepared by, on behalf of, received by, or for the use by the CFPB or any other Federal or State agency in the conduct of enforcement activities, and any information derived from such materials.

(i) Confidential supervisory information means:

(1) Reports of examination, inspection and visitation, non-public operating, Start Printed Page 75217condition, and compliance reports, supervisory letter, or similar document, and any information contained in, derived from, or related to such documents;

(2) Any documents, materials, or records, including reports of examination, prepared by, or on behalf of, or for the use of the CFPB or any other Federal, State, or foreign government agency in the exercise of supervisory authority over a financial institution, and any information derived from such documents, materials, or records;

(3) Any communications between the CFPB and a supervised financial institution or a Federal, State, or foreign government agency related to the CFPB's supervision of the institution;

(4) Any information provided to the CFPB by a financial institution for purposes of detecting and assessing risks to consumers and to markets for consumer financial products or services pursuant to 12 U.S.C. 5414(b)(1)(C), 5515(b)(1)(C), or 5516(b), or to assess whether an institution should be considered a covered person, as that term is defined by 12 U.S.C. 5481, or is subject to the CFPB's supervisory authority; and/or

(5) Information that is exempt from disclosure pursuant to 5 U.S.C. 552(b)(8).

(j) Director means the Director of the CFPB or his or her designee, or a person authorized to perform the functions of the Director in accordance with law.

(k) Employee means all current employees or officials of the CFPB, including contract personnel, the employees of the Office of the Inspector General of the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau, and any other individuals who have been appointed by, or are subject to the supervision, jurisdiction, or control of the Director, as well as the Director. The procedures established within this part also apply to former employees where specifically noted.

(l) Financial institution means any person involved in the offering or provision of a “financial product or service,” including a “covered person” or “service provider,” as those terms are defined by 12 U.S.C. 5481.

(m) General Counsel means the General Counsel of the CFPB or any CFPB employee to whom the General Counsel has delegated authority to act under this part.

(n) Person means an individual, partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity.

(o) Report of examination means the report prepared by the CFPB concerning the examination or inspection of a supervised financial institution.

(p) State means any State, territory, or possession of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, Guam, American Samoa, or the United States Virgin Islands or any federally recognized Indian tribe, as defined by the Secretary of the Interior under section 104(a) of the Federally Recognized Indian Tribe List Act of 1994 (25 U.S.C. 479a-1(a)), and includes any political subdivision thereof.

(q) Supervised financial institution means a financial institution that is or that may become subject to the CFPB's supervisory authority.

Start Amendment Part

3. Revise subpart D to read as follows:

End Amendment Part
Subpart D—Confidential Information
1070.40
Purpose and scope.
1070.41
Non-disclosure of confidential information.
1070.42
Disclosure of confidential supervisory information and confidential investigative information.
1070.43
Disclosure of confidential information to agencies.
1070.44
Disclosure of confidential consumer complaint information.
1070.45
Affirmative disclosure of confidential information.
1070.46
Other disclosures of confidential information.
1070.47
Other rules regarding the disclosure of confidential information.
1070.48
Disclosure of confidential information by the Inspector General.

Subpart D—Confidential Information

Purpose and scope.

This subpart does not apply to requests for official information made pursuant to subpart B, C, or E of this part.

Non-disclosure of confidential information.

(a) Non-disclosure. Except as required by law or as provided in this part, no current or former employee or contractor or consultant of the CFPB, or any other person in possession of confidential information, shall disclose such confidential information by any means (including written or oral communications) or in any format (including paper and electronic formats), to:

(1) Any person who is not an employee, contractor, or consultant of the CFPB; or

(2) Any CFPB employee, contractor, or consultant when the disclosure of such confidential information to that employee, contractor, or consultant is not relevant to the performance of the employee's, contractor's, or consultant's assigned duties.

(b) Disclosures to contractors and consultants. CFPB contractors or consultants must treat confidential information in accordance with this part, other Federal laws and regulations that apply to Federal agencies for the protection of the confidentiality of personally identifiable information and for data security and integrity, as well as any additional conditions or limitations that the CFPB may impose. CFPB contractors or consultants may receive confidential information only if such contractors or consultants certify in writing to treat such confidential information in accordance with the requirements identified in this paragraph (b).

(c) Disclosure of materials derived from confidential information. The CFPB may, in its discretion, disclose materials that it derives from or creates using confidential information to the extent that such materials do not identify, either directly or indirectly, any particular person to whom the confidential information pertains.

(d) Disclosure of confidential information with consent. Where practicable, the CFPB may, in its discretion and in accordance with applicable law, disclose confidential information that directly or indirectly identifies particular persons if the CFPB obtains prior consent from such persons to make the disclosure.

(e) Nondisclosure of confidential information belonging to other agencies. Nothing in this subpart requires or authorizes the CFPB to disclose confidential information belonging to another agency that has been provided to the CFPB (either directly or through a holder of the information such as a financial institution) to the extent that such disclosure contravenes applicable law or the terms of any agreement that exists between the CFPB and the agency to govern the CFPB's treatment of information that the agency provides to the CFPB.

Disclosure of confidential supervisory information and confidential investigative information.

(a) Discretionary disclosure of confidential supervisory information or confidential investigative information by the CFPB. The CFPB may, in its discretion, and to the extent consistent with applicable law, disclose confidential supervisory information or confidential investigative information concerning a person or its service Start Printed Page 75218providers to that person or to its affiliates.

(b) Further disclosure of confidential supervisory information. Unless directed otherwise by the Associate Director for Supervision, Enforcement and Fair Lending:

(1) Any supervised financial institution lawfully in possession of confidential supervisory information of the CFPB provided directly to it by the CFPB pursuant to paragraph (a) of this section may disclose such information, or portions thereof, to its affiliates and to the following individuals to the extent that the disclosure of such confidential supervisory information is relevant to the performance of such individuals' assigned duties:

(i) Its directors, officers, trustees, members, general partners, or employees; and

(ii) The directors, officers, trustees, members, general partners, or employees of its affiliates.

(2) Any supervised financial institution or affiliate thereof that is lawfully in possession of confidential supervisory information of the CFPB provided directly to it by the CFPB pursuant to paragraph (a) of this section may disclose such information, or portions thereof, to:

(i) Its certified public accountant, legal counsel, contractor, consultant, or service provider;

(ii) Its insurance provider pursuant to a claim made under an existing policy, provided that the Bureau has not precluded indemnification or reimbursement for the claim; information disclosed pursuant to this paragraph (b)(2)(ii) may be used by the insurance provider solely for purposes of administering such a claim; or

(iii) Another person, with the prior written approval of the Associate Director for Supervision, Enforcement and Fair Lending.

(3) Where a supervised financial institution or its affiliate discloses confidential supervisory information of the CFPB pursuant to paragraph (b) of this section:

(i) The recipient of such confidential supervisory information shall not, without the prior written approval of the Associate Director for Supervision, Enforcement and Fair Lending, utilize, make, or retain copies of, or disclose confidential supervisory information for any purpose, except as is necessary to provide advice or services to the supervised financial institution or its affiliate; and

(ii) The supervised financial institution or its affiliate disclosing the confidential supervisory information shall take reasonable steps to ensure that the recipient complies with paragraph (b)(3)(i) of this section.

(4) Nothing in this paragraph (b) authorizes a supervised financial institution or affiliate thereof to further disclose confidential information belonging to another agency.

(c) Further disclosure of confidential investigative information. Nothing in this subpart shall prohibit any person lawfully in possession of confidential investigative information of the CFPB pursuant to paragraph (a) of this section from further disclosing that confidential investigative information.

Disclosure of confidential information to agencies.

(a) Required disclosure of confidential information to agencies. The CFPB shall:

(1) Disclose a draft of a report of examination of a supervised financial institution prior to its finalization, as provided in 12 U.S.C. 5515(e)(1)(C), and disclose a final report of examination, including any and all revisions made to such a report, as provided in 12 U.S.C. 5512(c)(6)(C)(i), to a Federal or State agency with jurisdiction over that supervised financial institution, provided that the CFPB receives from the agency reasonable assurances as to the confidentiality of the information disclosed; and

(2) Disclose confidential consumer complaint information to a Federal or State agency to facilitate preparation of reports to Congress required by 12 U.S.C. 5493(b)(3)(C) and to facilitate the CFPB's supervision and enforcement activities and its monitoring of the market for consumer financial products and services, provided that the agency shall first give written assurance to the CFPB that it will maintain such information in confidence, including in a manner that conforms to the standards that apply to Federal agencies for the protection of the confidentiality of personally identifiable information and for data security and integrity.

(b) Discretionary disclosure of confidential information to agencies. (1) Upon receipt of a written request that contains the information required by paragraph (b)(2) of this section, the CFPB may, in its discretion, disclose confidential information to a Federal or State agency to the extent that the disclosure of the information is relevant to the exercise of the agency's statutory or regulatory authority or, with respect to the disclosure of confidential supervisory information, to a Federal or State agency having jurisdiction over a supervised financial institution.

(2) To obtain access to confidential information pursuant to paragraph (b)(1) of this section, an authorized officer or employee of the agency shall submit a written request to the Director. The request shall include the following:

(i) A description of the particular information, kinds of information, and where possible, the particular documents to which access is sought;

(ii) A statement of the purpose for which the information will be used;

(iii) A statement certifying and identifying, as required by paragraph (b)(1) of this section, the agency's statutory or regulatory authority that is relevant to the requested information or, with respect to a request for confidential supervisory information, the agency's jurisdiction over a supervised financial institution;

(iv) A statement certifying and identifying the agency's legal authority for protecting the requested information from public disclosure; and

(v) A certification that the agency will maintain the requested confidential information in confidence, including in a manner that conforms to the standards that apply to Federal agencies for the protection of the confidentiality of personally identifiable information and for data security and integrity, as well as any additional conditions or limitations that the CFPB may impose.

(c) Negotiation of standing requests. The CFPB may negotiate terms governing the exchange of confidential information with Federal or State agencies on a standing basis, as appropriate.

Disclosure of confidential consumer complaint information.

The CFPB may, to the extent permitted by law, disclose confidential consumer complaint information as it deems necessary to investigate, resolve, or otherwise respond to consumer complaints or inquiries concerning consumer financial products and services or a violation of Federal consumer financial law.

Affirmative disclosure of confidential information.

(a) The CFPB may disclose confidential information, in accordance with applicable law, as follows:

(1) To a CFPB employee, as that term is defined in § 1070.2 and in accordance with § 1070.41;

(2) To either House of the Congress or to an appropriate committee or subcommittee of the Congress, as set forth in 12 U.S.C. 5562(d)(2), provided that, upon the receipt by the CFPB of a request from the Congress for confidential information that a financial institution submitted to the CFPB along with a claim that such information Start Printed Page 75219consists of a trade secret or privileged or confidential commercial or financial information, or confidential supervisory information, the CFPB shall notify the financial institution in writing of its receipt of the request and provide the institution with a copy of the request;

(3) In investigational hearings and witness interviews, or otherwise in the investigation and administration of enforcement actions, as is reasonably necessary, at the discretion of the CFPB;

(4) In an administrative or court proceeding to which the CFPB is a party. In the case of confidential investigative information that contains any trade secret or privileged or confidential commercial or financial information, as claimed by designation by the submitter of such material, or confidential supervisory information, the submitter, or the CFPB, in its discretion, may seek an appropriate order prior to disclosure of such material in a proceeding;

(5) In CFPB personnel matters, as necessary and subject to appropriate protections;

(6) To agencies in summary form to the extent necessary to confer with such agencies about matters relevant to the exercise of the agencies' statutory or regulatory authority; or

(7) As required under any other applicable law.

(b) [Reserved]

Other disclosures of confidential information.

(a) To the extent permitted by law and as authorized by the Director in writing, the CFPB may disclose confidential information other than as set forth in this subpart.

(b) Prior to disclosing confidential information pursuant to paragraph (a) of this section, the CFPB may, as it deems appropriate under the circumstances, provide written notice to the person to whom the confidential information pertains that the CFPB intends to disclose its confidential information in accordance with this section.

(c) The authority of the Director to disclose confidential information pursuant to paragraph (a) of this section shall not be delegated. However, a person authorized to perform the functions of the Director in accordance with law may exercise the authority of the Director as set forth in this section.

Other rules regarding the disclosure of confidential information.

(a) Further disclosure prohibited. (1) All confidential information made available under this subpart shall remain the property of the CFPB, unless the General Counsel provides otherwise in writing.

(2) Except as set forth in this subpart, no supervised financial institution, Federal or State agency, any officer, director, employee or agent thereof, or any other person to whom the confidential information is made available under this subpart, may further disclose such confidential information without the prior written permission of the Director.

(3) No person obtaining access to confidential information pursuant to this subpart may make a personal copy of any such information, and no person may remove confidential information from the premises of the institution or agency in possession of such information except as permitted under this subpart or by the CFPB.

(b) Third party requests for information. (1) A supervised financial institution, Federal or State agency, any officer, director, employee or agent thereof, or any other person to whom the CFPB's confidential information is made available under this subpart, that receives from a third party a legally enforceable demand or request for such confidential information (including but not limited to, a subpoena or discovery request or a request made pursuant to the Freedom of Information Act, 5 U.S.C. 552, the Privacy Act of 1974, 5 U.S.C. 552a, or any State analogue to such statutes) should:

(i) Inform the General Counsel of such request or demand in writing and provide the General Counsel with a copy of such request or demand as soon as practicable after receiving it;

(ii) To the extent permitted by applicable law, advise the requester that:

(A) The confidential information sought may not be disclosed insofar as it is the property of the CFPB; and

(B) Any request for the disclosure of such confidential information is properly directed to the CFPB pursuant to its regulations set forth in this subpart; and

(iii) Consult with the General Counsel before complying with the request or demand, and to the extent applicable:

(A) Give the CFPB a reasonable opportunity to respond to the demand or request;

(B) Assert all reasonable and appropriate legal exemptions or privileges that the CFPB may request be asserted on its behalf; and

(C) Consent to a motion by the CFPB to intervene in any action for the purpose of asserting and preserving any claims of confidentiality with respect to any confidential information.

(2) Nothing in this section shall prevent a supervised financial institution, Federal or State agency, any officer, director, employee or agent thereof, or any other person to whom the information is made available under this subpart from complying with a legally valid and enforceable order of a court of competent jurisdiction compelling production of the CFPB's confidential information, or, if compliance is deemed compulsory, with a request or demand from either House of the Congress or a duly authorized committee of the Congress. To the extent that compulsory disclosure of confidential information occurs as set forth in this paragraph (b)(2), the producing party shall use its best efforts to ensure that the requestor secures an appropriate protective order or, if the requestor is a legislative body, use its best efforts to obtain the commitment or agreement of the legislative body that it will maintain the confidentiality of the confidential information.

(c) Additional conditions and limitations. The CFPB may impose any additional conditions or limitations on disclosure or use under this subpart that it determines are necessary.

(d) Return or destruction of records. Except with respect to confidential investigative information disclosed pursuant to § 1070.42(a), the CFPB may require any person in possession of CFPB confidential information to return the records to the CFPB or destroy them.

(e) Non-waiver of CFPB rights. Except as provided in § 1070.42(c), the disclosure of confidential information to any person in accordance with this subpart does not constitute a waiver by the CFPB of its right to control, or impose limitations on, the subsequent use and dissemination of the information.

(f) Non-waiver of privilege— (1) In general. The CFPB shall not be deemed to have waived any privilege applicable to any information by transferring that information to, or permitting that information to be used by, any Federal or State agency.

(2) Rule of construction. Paragraph (f)(1) of this section shall not be construed as implying that any person waives any privilege applicable to any information because paragraph (f)(1) of this section does not apply to the transfer or use of that information.

(g) Reports of unauthorized disclosure. Any person that obtains confidential information under this subpart shall, as soon as possible and without unreasonable delay, notify the CFPB upon the discovery of any further disclosures made in violation of this subpart.

Start Printed Page 75220
Disclosure of confidential information by the Inspector General.

Nothing in this subpart shall limit the discretion of the Office of the Inspector General of the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau to disclose confidential information as needed in accordance with the Inspector General Act of 1978, 5 U.S.C. App. 3.

Start Part

PART 1091—PROCEDURAL RULE TO ESTABLISH SUPERVISORY AUTHORITY OVER CERTAIN NONBANK COVERED PERSONS BASED ON RISK DETERMINATION

End Part Start Amendment Part

4. The authority citation for part 1091 continues to read as follows:

End Amendment Part Start Authority

Authority: 12 U.S.C. 5512(b)(1), 5514(a)(1)(C), 5514(b)(7).

End Authority

Subpart B—Determination and Voluntary Consent Procedures

Start Amendment Part

5. Section 1091.103 is amended by revising paragraph (a)(2)(vii) to read as follows:

End Amendment Part
Contents of Notice.

(a) * * *

(2) * * *

(vii) In connection with a proceeding under this part, including a petition for termination under § 1091.113, all documents, records or other items submitted by a respondent to the Bureau, all documents prepared by, or on behalf of, or for the use of the Bureau, and any communications between the Bureau and a person, shall be deemed confidential supervisory information under 12 CFR 1070.2(i).

* * * * *

Subpart D—Time Limits and Deadlines

Start Amendment Part

6. Section 1091.115 is amended by revising paragraph (c) to read as follows:

End Amendment Part
Change of time limits and confidentiality of proceedings.
* * * * *

(c) In connection with a proceeding under this part, including a petition for termination under § 1091.113, all documents, records or other items submitted by a respondent to the Bureau, all documents prepared by, or on behalf of, or for the use of the Bureau, and any communications between the Bureau and a person, shall be deemed confidential supervisory information under 12 CFR 1070.2(i).

Start Signature

Dated: October 27, 2020.

Laura Galban,

Federal Register Liaison, Bureau of Consumer Financial Protection.

End Signature End Supplemental Information

Footnotes

1.  The Bureau received four comment letters that only addressed its proposal related to the Freedom of Information Act. The Bureau also received one comment letter that was unrelated to the notice of proposed rulemaking.

Back to Citation

2.  The Bureau also proposed renumbering the definitions in § 1070.2 to account for the addition and subtraction of various definitions.

Back to Citation

3.  See below for discussion of comments regarding proposed § 1070.43(b)(1).

Back to Citation

4.  Section 342 of the Dodd-Frank Act establishes Offices of Minority and Women Inclusion in enumerated Federal financial regulators.

Back to Citation

5.  See below for discussion of comments regarding the definition of “confidential investigative information” in § 1070.2(h).

Back to Citation

6.  See below for additional discussion of comments regarding disclosures of confidential information by the Inspector General's office under § 1070.48.

Back to Citation

7.  The Bureau notes that while it disagrees with two commenters' arguments that its authority under the Dodd-Frank Act to promulgate its confidentiality rules is limited to the Bureau's own disclosure of information, these commenters' arguments are rendered moot by the Bureau's revision in the final rule.

Back to Citation

8.  See above for discussion of comments regarding the proposed definition of “Agency” in proposed § 1070.2(a).

Back to Citation

9.  The Bureau's final rule does not include the proposed definition of “agency” in response to these and related concerns. See above for discussion of comments regarding proposed § 1070.2(a).

Back to Citation

10.  One commenter interpreted 12 U.S.C. 5512(c)(6)(C) to apply to confidential investigative information (in addition to confidential supervisory information), and to require the Bureau to provide confidentiality assurances to the impacted financial institution prior to disclosing the confidential information to another agency under subparagraph (C)(i). The Bureau disagrees with these interpretations. First, subparagraph (C) explicitly references “confidential supervisory information,” which is a narrower term than subparagraph (A)'s more general reference to “information obtained from persons in connection with the exercise of its authorities under Federal consumer financial law.” CII is thus outside the scope of subparagraph (C), and the Bureau's rule makes clear in § 1070.2(h) and (i) that the Bureau considers “confidential investigative information” to be different from “confidential supervisory information.” Second, the Bureau disagrees that subparagraph (C)(i) requires the Bureau to provide confidentiality assurances to the supervised financial institution about whom a report of examination pertains; because the provision addresses the exchange of information between the Bureau and another agency, the Bureau understands it to require the agency obtaining the report of examination to provide such assurances of confidentiality to the Bureau.

Back to Citation

11.  The Bureau notes that its policy regarding sharing CSI with State attorneys general is set forth in Bulletin 12-01. It did not intend its proposal to alter this policy, and Bulletin 12-01 remains in place subsequent to the final rule becoming effective.

Back to Citation

12.  The Bureau likewise proposed moving the General Counsel's related “access request” authorities in 12 CFR 1070.47(a)(1)-(2) to the Associate Director for Supervision, Enforcement and Fair Lending. The comment letters received by the Bureau generally addressed both revisions together.

Back to Citation

13.  This commenter also claimed that the Bureau's proposal would shift responsibility for determining FOIA requests to the Associate Director for Supervision, Enforcement, and Fair Lending. The Bureau made no such proposal. Authorities to decide FOIA requests remained unchanged in the Bureau's proposal, and are unchanged in this final rule and in 83 FR 46075 (Sept. 12, 2018).

Back to Citation

14.  The Bureau occasionally receives access requests for confidential information that is neither CII nor CSI, such as information originating from another Bureau Division that is exempt from disclosure under the FOIA. In those instances, the Division of Supervision, Enforcement and Fair Lending would consult with impacted Divisions as warranted.

Back to Citation

15.  Although the Bureau has declined to finalize its proposed changes to § 1070.43(b)(1), thus retaining dual standards for disclosure of CSI and other confidential information under that provision, we will not further revise proposed § 1070.45(a)(6). While the Bureau will only disclose CSI under § 1070.43(b)(1) to agencies with jurisdiction over a supervised financial institution, we may need to disclose CSI at a high level to confer with agencies about matters relevant to the exercise of their statutory or regulatory authority—for example, in order to determine whether the agency has jurisdiction over a supervised financial institution.

Back to Citation

16.  See above for discussion of comments regarding § 1070.42.

Back to Citation

17.  See above for discussion of comments regarding § 1070.42.

Back to Citation

18.  For further discussion of comments regarding the inclusion of Inspector General employees in the definition of “employee,” see the above discussion of proposed § 1070.2(k).

Back to Citation

19.  Section 1022(b)(2)(A) of the Dodd-Frank Act addresses the consideration of the potential benefits and costs of regulation to consumers and covered persons, including the potential reduction of access by consumers to consumer financial products or services; the impact on depository institutions and credit unions with $10 billion or less in total assets as described in section 1026 of the Dodd-Frank Act; and the impact on consumers in rural areas. Section 1022(b)(2)(B) directs the Bureau to consult, before and during the rulemaking, with appropriate prudential regulators or other Federal agencies, regarding consistency with objectives those agencies administer.

Back to Citation

20.  Two comment letters received by the Bureau, from a consulting organization and a group of industry trade associations, suggested that the Bureau did not meet its obligations to consult with prudential regulators regarding its proposed rule pursuant to 12 U.S.C. 5512(b)(2)(B). This is not true. The Bureau consulted with the prudential regulators regarding its proposed rule, including its proposed revision to § 1070.43(b)(1) and the definition of “agency” in proposed § 1070.2(a). The Bureau consulted with the prudential regulators regarding its final rule as well.

Back to Citation

21.  The Bureau has discretion in any rulemaking to choose an appropriate scope of analysis with respect to potential benefits and costs and an appropriate baseline.

Back to Citation

[FR Doc. 2020-24113 Filed 11-23-20; 8:45 am]

BILLING CODE 4810-AM-P