The Consumer Financial Protection Bureau reminded supervised financial institutions, including nonbank companies that may be unfamiliar with federal supervision, of the existing regulatory requirements regarding confidential supervisory information (CSI) on Tuesday.

The bureau is tasked with supervising companies to determine their compliance with federal consumer financial laws, to assess risks to consumers and to help ensure a fair and transparent marketplace for consumers.

Under its authority, the CFPB oversees banks and credit unions with assets over $10 billion, and their affiliates, and is also the first federal agency with supervisory authority over certain nonbank financial companies, such as mortgage lenders and servicers, payday lenders, and private student lenders. They also oversee certain large debt collectors, consumer reporting agencies, student loan servicers and international remittance providers.

The CFPB issued a bulletin, found here, to provide guidance on what types of information constitute confidential supervisory information.

The bulletin gives the following examples of CSI:

  • CFPB examination reports and supervisory letters
  • All information contained in, derived from, or related to those documents, including an institution’s supervisory compliance rating
  • Communications between the CFPB and the supervised financial institution related to the CFPB’s examination of the institution or other supervisory activities
  • Other information created by the CFPB

Financial institutions can only disclose CSI to applicable internal resources, such as employees or trustees, or outside affiliates like legal counsel or service providers. Any other disclosure of CSI requires prior written approval of the associate director for supervision, enforcement, and fair lending, or his or her delegee.

The bureau noted that it is aware some supervised financial institutions may have entered into non-disclosure agreements that purport to restrict the institution from sharing information with a regulator, or to require the institution to notify a third party when it shares information.

However, the bulletin explains that provisions in non-disclosure agreements do not alter or limit the bureau’s existing supervisory authority or the supervised financial institution’s obligations relating to CSI. 

"A supervised financial institution should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority. The CFPB has the authority to require supervised financial institutions and certain other persons to provide it with reports and other information to conduct supervisory activities, pursuant to the Dodd-Frank Act. Failure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies," the bulletin states.