CFPB Reminds Companies to Stay Quiet on Supervisory Exams and that NDAs Don't Trump its Authority

The Consumer Financial Protection Bureau (CFPB ) Tuesday issued a bulletin to remind supervised financial institutions, including nonbank companies that may be unfamiliar with federal supervision, of existing regulatory requirements regarding confidential supervisory information. The Bureau also used the opportunity to formally note that non-disclosure agreements signed by a company do not trump its obligations to comply with CFPB supervisory requests.

The bulletin was primarily focused on the confidential supervisory information (CSI) that arises from examinations and requests for information. The CFPB notes that under the Dodd-Frank Act, regulations are in place that restrict the disclosure of any CSI.

Broadly, the CFPB said that CSI includes examination reports and any other documents or communications provided by the Bureau to a company during the supervisory process.

Disclosure of this information is prohibited, with only a few exceptions. Those exceptions include the sharing of the documents with internal stakeholders and decisionmakers, such as company affiliates, directors, and employees and external service providers like CPAs and legal counsel.

The CFPB did not say that it has seen examples of disallowed disclosure prompting the bulletin. It did, however, note that it is the first federal agency with supervisory authority over certain nonbank financial companies such as mortgage lenders and servicers, payday lenders, consumer reporting agencies and certain large debt collectors.

One issue the CFPB is potentially seeking to avoid in keeping supervisory information private is an implicit “seal of approval” that a company might use in business development after a successful examination.

“They would not want to give a perceived endorsement to a collection agency, for example, whose examination resulted in no penalty or formal order,” said Terri Haley, the Compliance Professionals Forum’s Director of Compliance. “This agency could, in theory, take their examination report to potential clients and use it as a selling point.”

For its part, the CFPB does not disclose the outcome of examinations unless it launches a public enforcement action. Many of the results from examinations and other supervisory activity, however, are published in aggregate and anonymously in its periodic Supervisory Highlights Report.

The CFPB’s bulletin also formally addressed the issue of supervised companies using non-disclosure agreements to refuse to provide information and documentation requested by supervisors. The Bureau said that some supervised companies have entered into third-party NDAs that purport to restrict the information the company can provide to regulators.

“A supervised financial institution should not attempt to use an NDA as the basis for failing to provide information sought pursuant to supervisory authority,” the Bureau said in the bulletin. “Failure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies.”

In addition, a supervised financial institution may risk violating the law if it relies upon provisions of an NDA to justify disclosing CSI in a manner not otherwise permitted.

“Even if you have signed an NDA that says ‘contact me if you share this information with a regulator,’ you should seek the advice of legal counsel prior to any disclosure,” said Haley.