Skip to main content
All
July 13, 2026

FDIC Proposes Substantial Overhaul of Confidential Information Regulations

Advisory

The Federal Deposit Insurance Corporation (FDIC) has proposed its first major update to the rules governing Confidential Supervisory Information (CSI) in roughly three decades. The Notice of Proposed Rulemaking (Proposed Rule), which was published in the Federal Register on June 30, 2026, seeks to “update, clarify, and supplement” the rules regarding the disclosure of CSI by the FDIC and others.1 Perhaps most significantly for FDIC-supervised institutions, the Proposed Rule would expand the ability of such institutions to disclose CSI, including to certain professional-services providers and potential merger partners, without the pre-approval of the FDIC under certain circumstances. Comments on the Proposed Rule, which includes 30 specific questions posed by the FDIC, are due by August 31, 2026.

Overview

The Proposed Rule would reorganize Part 309 of the FDIC’s regulations into four subparts and would relocate the service-of-process rules to a new Part 306. As revised, Part 309 would consist of the following:

  1. Subpart A (General): Providing a statement on the FDIC’s authority, the scope of the regulation, and definitions
  2. Subpart B (Freedom of Information Act): Detailing the process for submitting and responding to FOIA requests; intended to provide greater transparency into existing FDIC practices and to add a process for handling confidential commercial information
  3. Subpart C (Discretionary Disclosure of Confidential Information): Relaxing the FDIC’s current prohibition on disclosure of CSI to allow disclosure for “legitimate business purposes” in certain circumstances without FDIC pre-approval; for situations in which FDIC approval is still necessary, the agency’s “good cause” standard is clarified
  4. Subpart D (Disclosure of Confidential Information in Legal Proceedings in Which the FDIC is Not a Party): Clarifying the process for seeking disclosure of CSI in legal proceedings in which the FDIC is not a party

While all of the proposed changes have potentially significant ramifications for depository institutions and other interested parties, it is the revised Subpart C that likely will have the greatest day-to-day impact on FDIC-supervised banks.

Discretionary Disclosure

The Proposed Rule would allow insured depository institutions to disclose CSI to a number of enumerated parties, provided such disclosure was for “legitimate business purposes” and the recipient, excluding the institution’s (or its affiliate’s) own directors, officers, and employees, had entered into a written confidentiality agreement regarding the CSI. This change is a considerable expansion of the existing regulation, which contemplates disclosure only to the institution’s own personnel and majority holding companies without prior approval. As amended, recipients newly eligible to receive CSI without prior approval would include:

  • Affiliates and their directors, officers, and employees
  • Outside legal counsel, accountants, and auditors
  • Greater than 50% shareholders (with a greatly streamlined process compared to the existing regulation)
  • “Qualifying Service Providers,” which would include consulting and IT providers, as well as providers of services used in delivering the institution’s financial products and services
  • An individual to whom an offer of employment as a “senior executive officer” (e.g., President, CEO, COO, CFO, CLO, CIO, etc.) has been made
  • Insured depository institutions (including their affiliates, legal counsel, and auditors) that are potential merger counterparties, up to three times every five years, provided the potential counterparty executes a waiver of any potential claims against the FDIC

Holding companies (i.e., shareholders owning greater than 50% of the voting stock of the subsidiary bank) also remain on the list, albeit with more streamlined procedures. Beyond being eligible recipients, holding companies also would be permitted to disclose FDIC CSI lawfully in their possession to the same categories of recipients, and under the same conditions, as their subsidiary banks.

Parties not on the pre-authorized list would still require FDIC approval under the agency’s clarified “good cause” standard, which would now include eight specific factors. In addition, institutions would generally be permitted to disclose CSI that is more than 25 years old, provided that other restrictions (e.g., privacy) would not prohibit disclosure and that the FDIC had not directed otherwise.

Takeaway

The Proposed Rule should come as a welcome development for FDIC-supervised institutions. While other prudential regulators have long permitted some of these disclosures, such as to auditors and counsel, the FDIC’s regulations, on their face, have always been much more restrictive. Interested parties should review the details of the new provisions, as well as the 30 specific questions posed by the FDIC, and determine whether to comment.

*             *             *

If you would like to discuss the FDIC’s Proposed Rule or determine whether to comment, please contact any of the authors of this Advisory or your usual firm contact.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. FDIC, Disclosure of Information, 91 Fed. Reg. 39,726 (June 30, 2026).