On March 12, 2012, the Consumer Financial Protection Bureau (CFPB) announced proposed amendments to the confidential treatment of information obtained from persons in connection with its exercise of authorities under federal consumer financial law. The proposed amendments will add a new section to the rules which provide that the submission by any person of any information to the CFPB in the course of its supervisory or regulatory processes will not waive or otherwise affect any privilege such person may claim with respect to such information under federal or state law as to any other person or entity.
Additionally, the CFPB is proposing to adopt a provision which provides that privileged information given by the CFPB to another federal or state agency does not waive any applicable privilege, whether the privilege belongs to the CFPB or any other person.
The Dodd-Frank Act did not explicitly address whether the submission of privileged information to the CFPB in the course of the its supervisory or regulatory processes will affect any privilege a supervised entity may claim with respect to such information, even though Congress did provide that "all the powers and duties" of the prudential regulators relating to their transferred consumer financial protection functions would be granted to the CFPB, and this grant of authority encompasses the ability to receive privileged information from supervised entities without effecting a waiver.
In this article, I will offer a brief understanding of this complex issue and provide an Action Plan.
The CFPB first announced in October of 2010 that it would be gathering information from banks and nonbanks in its efforts to examine and supervise financial service products. Many financial institutions at the time expressed considerable concern that divulging privileged documents to the CFPB would be deemed a waiver by the courts, thereby permitting competitors and consumer groups to access the privileged documents.
The CFPB's first official release in 2012, Bulletin 12-01, addressed the treatment and scope of confidentiality protections accorded information collected from supervised institutions through the CFPB's supervisory process.
Then, as indicated above, on March 12, 2012, the CFPB proposed the new rule, the purpose of which, among other things, is to codify protections for privileged information submitted by financial institutions that are regulated by the CFPB.
CFPB Bulletin 12-01
The CFPB asserts that "Congress intended the Bureau's examination authority to be equivalent to that of the prudential regulators," with respect to the statutory provision that grants prudential regulators the authority to receive privileged information from their supervised entities without there being a waiver of privilege.
The CFPB reached this conclusion by claiming that in inheriting the prudential regulators' examination authority with respect to compliance with federal consumer financial laws for supervised institutions, it was concomitantly granted "all powers and duties" vested in the prudential regulators related to examination authority.
And one of the powers is the ability and authority to receive privileged information without affecting a waiver. However, it should be noted here that the statutes cited by the CFPB in support of its claim apply to federal banking agencies, not the CFPB. Thus, it seems that the CFPB is not entirely in a position to use, mutatis mutandis, the same statutory privilege protection provided for in Dodd-Frank.
Bulletin 12-01 addressed two specific parts of the CFPB's policy on confidential information.
►It states that institutions providing privileged information to the CFPB pursuant to a supervisory request will not waive any privilege that attaches to such information.
►It indicates that the CFPB will treat information obtained through the supervisory process as confidential and privileged, and, importantly, it provides that the CFPB will only disclose such information to prudential and state regulators, when necessary and/or appropriate, and to law enforcement agencies, only where justified, as determined by the CFPB.
Bulletin 12-01 seeks to resolve an intrinsic issue regarding the CFPB's lack of a statutory examination privilege such as that provided to the federal banking agencies. Although the Bulletin provides possible legal support for why similar privilege applies to supervisory information provided to the CFPB, the outline itself does recognize the absence of the same statutory protection that the federal banking agencies had been compelled to pursue in the Financial Services Regulatory Relief Act of 2006 (FSRRA), specifically Section 607.
Section 607 of FSRRA was important to the federal banking agencies because several courts had diminished the existing common law examination privilege. Broadly speaking, this section was adopted in order to have statutory protection that could not be challenged.
In my view, the legislative history involved in drafting Section 607 of the FSRRA suggests that supervised institutions which disclose privileged information to the CFPB should be mindful of the issues and potential risks in doing so, given the CFPB's assertion that it has the same authority and legal protections in place as the federal banking agencies to receive privileged information without effecting a waiver of the privilege.
A core feature of the proposed rule is the following provision:
The submission by any person of any information to the CFPB for any purpose in the course of any supervisory or regulatory process of the CFPB shall not be construed as waiving, destroying, or otherwise affecting any privilege such person may claim with respect to such information under federal or state law as to any person or entity other than the CFPB.
On July 28, 2011, the CFPB issued a rule providing that the "provision by the CFPB of any confidential information pursuant to [12 CFR part 1070, Subpart D] does not constitute a waiver, or otherwise affect, any privilege any agency or person may claim with respect to such information under federal law."
In other words, the proposal would ensure that the CFPB's transfer of privileged information to another federal or state regulatory agency will not waive any privilege that protects the confidentiality of the information.
The CFPB claims that the proposed rule is substantially identical to the statutory provisions that apply to the submission of privileged information to prudential regulators, state bank and credit union supervisors, and foreign banking authorities.
According to the CFPB, the rule would be comparable to the federal law that protects the confidentiality of information that is provided to other regulatory agencies. Additional language precludes claims that the rule implicitly waives any privileges if information is provided under other circumstances.
The Dodd-Frank Act does actually provide that the CFPB assumed all of the powers and duties covering consumer financial protection that previously were held by the other agencies, and it also causes the CFPB to adopt rules to protect the confidentiality of information it receives.
Subpart D (referenced above) makes clear that the CFPB is authorized to disclose, in "appropriate circumstances, confidential information to another Federal or State agency." The operative words in this language are "appropriate circumstances."
It seems that the CFPB is endeavoring to provide assurances that providing privileged information will not breach confidentiality.
The rule provides that information obtained during the supervisory process will be treated as confidential and privileged, consistent with the policies of other prudential regulators. Furthermore, the CFPB will treat such information as exempt from disclosure under the Freedom of Information Act, and will not routinely share such information with government agencies not engaged in supervision.
But, the CFPB will share a supervised institution’s confidential supervisory information with other prudential and federal regulators and state regulators that share supervisory jurisdiction over the institution with the CFPB. When confidential supervisory information is shared with another federal or state agency, the CFPB asserts that such information remains the property of the CFPB and may not be further disclosed or shared by the recipient without the CFPB’s permission.
It is important to take note of the fact that the CFPB may share confidential supervisory information with law enforcement agencies, such as State Attorneys General. That is, the CFPB will share confidential information in these situations “except where required by law,” and/or “only in very limited circumstances and upon review of all the relevant facts and considerations.”
The decision to share confidential supervisory information with state and federal law enforcement agencies depends on the significance of the law enforcement interest at stake. The CFPB may take the position that the furtherance of a significant law enforcement interest will not always be sufficient. Presumably, the CFPB may actually decline to share confidential supervisory information with law enforcement based on other considerations (i.e., such as “the integrity of the supervisory process,” and the importance of preserving the confidentiality of such information).
Although existing case law favors the view outlined by the CFPB in Bulletin 12-01, and the proposed rule provides certain substantive grounds to adopt the protections that will continue to attach to confidential and privileged information shared with the CFPB, it is unsettled at this time whether a court could find that a supervised institution waived a privilege by sharing such information with the CFPB.
Further, the lack of the same statutory protections afforded to the federal banking agencies infers uncertainty, particularly for nonbank financial firms providing information to the CFPB.
Therefore, the most important consideration for supervised institutions and non-bank financial firms is to determine how the proposed rule will apply to their existing operations and take steps to implement policies and procedures for document review policies and procedures to minimize risks.
The following list is not meant to be comprehensive; however, it suggests certain actions that a financial institution, bank or nonbank, should implement in preparation for a CFPB examination, with respect to protecting the confidentiality and privilege of its documents and information.
►Conduct a self-assessment of operational, compliance, legal and other risks that may arise from sharing confidential supervisory information with the CFPB, including, but not limited to, the effects on the company for sharing such information.
►Identify sources of supervisory information, policies and procedures, with respect to controls imposed on the sharing of such information.
►Enumerate the logistical steps that should be exercised prior to providing confidential supervisory information to the CFPB.
►Retain risk management consultants and legal advisors to determine corrective actions needed to remediate potential weaknesses in the information sharing and compliance program.
►Determine the supervisory information held by related entities, such as affiliates and third-party service providers, to assess risks that may be posed by sharing such information with the CFPB, and remediate any weaknesses.
►When the CFPB requests confidential and privileged information, endeavor to limit the form and scope of such requests.
►State any claim to privileged information in a response to the CFPB; for instance, by designating in emboldened type all privileged documents as such on the documents themselves that are conveyed to the CFPB.
►Consult with experienced counsel before disclosing any document or information to the CFPB that might be considered subject to confidentiality and privilege.
The CFPB has already begun examinations. It is incumbent on responsible management of a supervised financial institution to put in place the appropriate means to preserve the treatment of confidential and privileged information.
Jonathan Foxx, former chief compliance officer for two of the country’s top publicly-traded residential mortgage loan originators, is the president and managing director of Lenders Compliance Group, a mortgage risk management firm devoted to providing regulatory compliance advice and counsel to the mortgage industry. He may be contacted at (516) 442-3456 or by e-mail at [email protected]