Arnold & Porter Discusses Federal Reserve Developments on Confidential Supervisory Information
The Board of Governors of the Federal Reserve System (FRB) issued two notable documents over the past two weeks involving confidential supervisory information (CSI): a cease and desist order against a former bank employee for improper handling of CSI and a request for comment on proposed changes to the FRB's rules governing the disclosure of CSI.
Cease and Desist Order Against Former Bank Employee
First, in a stark reminder to employees in the financial services industry, the FRB issued a cease and desist order against a former employee of a non-bank subsidiary of a bank holding company for violation of its rules relating to confidential supervisory information.1 Specifically, the order stated that the former employee, while employed at the company, removed CSI and other proprietary information from his office without authorization and in violation of company policy. The specific acts giving rise to the violation were that the employee sent the CSI to his personal email address and kept copies of the documents at his residence. It was further reported that removal of information was done as a matter of convenience to allow the employee to work from home.
The FRB's pursuit of this action highlights the seriousness in which the FRB, as well as other federal and state banking agencies, approach their rules governing CSI and the particular prohibition under 12 C.F.R. § 261.20(g) from making copies of CSI or removing CSI from the workplace:
No person obtaining access to confidential supervisory information pursuant to this section may make a personal copy of any such information; and no person may remove confidential supervisory information from the premises of the institution or agency in possession of such information except as permitted by specific language in this regulation or by the Board.
Although emailing yourself records or taking documents home for additional review may seem benign and even common, doing so with documents that fall into the broad category of CSI proved can be perilous. All institutional affiliated parties, including any director, officer, employee, or controlling stockholder of an insured depository institution, should take notice for this enforcement action and familiarize themselves with the rules and restrictions state and federal banking regulators impose on the handling of CSI. Similarly, financial institutions should review their policies, procedures, and employee training to assure they appropriately address employee conduct and expectations regarding CSI.
Notice of Proposed Rulemaking on CSI
The Federal Reserve Board also recently issued a notice of proposed rulemaking (NPRM) in an effort to update the rules governing the Board's disclosure of confidential supervisory and other nonpublic information.2 The most notable proposed changes are those that would expand the ability of a supervised financial institutions to share CSI with its affiliates, auditors, and outside legal counsel, and those that would expand the ability of the FRB to disclose CSI to other federal and state banking agencies. Specifically:
- Section 261.20 would be revised to provide that all CSI and other nonpublic information made available under the FRB's CSI rules (Subpart C) remains the property of the FRB, that any disclosure under Subpart C does not constitute a waiver by the FRB of any applicable privileges, and that Subpart C does not limit or restrict the FRB's authority to impose additional conditions or limitations on the use and disclosure of CSI or other nonpublic information.
- Section 261.21 would authorize supervised financial institutions to disclose CSI to directors, officers, or employees of their affiliates, to the extent such individuals have a need for the information in the performance of their official duties. Under current Section 261.20(b), disclosure may only be made to a parent holding company.
- Section 261.21 would also eliminate the current requirement under Section 261.20(b)(2)(i) that certified public accountants or legal counsel review CSI only on the premises of the supervised financial institution . Instead, it would provide that CSI could be viewed off-site subject to written agreement and a requirement to destroy, return, or cease access to the CSI at the conclusion of the engagement.
- Section 261.22(a) would update the list of state and federal agencies to which the FRB could provide CSI, and provide that such provision of CSI could be made with or without a request from such agency.
- Section 261.22(b) would permit the FRB to disclose CSI to the Department of Justice or the Department of Housing and Urban Development in furtherance of specific statutory responsibilities, such as the fair lending laws under the Fair Housing Act and the Equal Credit Opportunity Act.
Finally, although several revisions to the definition of CSI are proposed, the FRB stated that the such revisions are for clarification purposes only and would not expand or reduce the information that falls within the definition.
Supervised financial institutions should carefully review the NPRM and evaluate whether the proposed revisions address any concerns of the institution or whether there are additional concerns that should be addressed in the revised rule. In addition, in light of the FRB's enforcement action, supervised financial institutions should use the NPRM to evaluate its current practices and procedures relating to CSI.
All comments on the NPRM must be submitted within 60 days of the date of publication in the Federal Register.
FRB Press Release (Jun. 14, 2019). The NPRM also requests public comment on technical, clarifying updates regarding its Freedom of Information Act procedures.