Printer Friendly

TOWARDS A COHERENT AND CONSISTENT FRAMEWORK FOR TREATMENT OF CONFIDENTIAL SUPERVISORY INFORMATION.

"It's not me who can't keep a secret. It's the people I tell that can't." Abraham Lincoln (1)

I. INTRODUCTION

In recent years, new regulators, new rules, enhanced supervisory and enforcement authority, and intensive public scrutiny of the effectiveness of banking supervision have all amplified the longstanding tensions and ambiguities that emerge from the exchange of information critical to effective bank supervision, including "confidential supervisory information" ("CSI"). The dynamics of supervisory dialogue involve everything from routine examination matters to complex public enforcement investigations. The D.C. Circuit described the context from which CSI emerges as follows:
   Bank safety and soundness supervision is an iterative
   process of comment by the regulators and response by the
   bank. The success of the supervision therefore depends
   vitally upon the quality of communication between the
   regulated banking firm and the bank regulatory agency.
   This relationship is both extensive and informal. It is
   extensive in that bank examiners concern themselves
   with all manner of a bank's affairs: Not only the
   classification of assets and the review of financial
   transactions, but also the adequacy of security systems
   and of internal reporting requirements, and even the
   quality of managerial personnel are of concern to the
   examiners. (2)


As a policy matter, concerns about the treatment of CSI that emerge from this supervisory dialogue must be reconciled with legal privileges and the desirability of open government. These interrelated concerns can complicate the dialogue between a supervised institution and its supervisors. There are traps for the unwary for institutions that are insufficiently mindful of how CSI is shared and maintained, ranging from reputational damage and diminished competitive posture, to loss of legal privilege and even to civil or criminal sanction. The agencies have such elevated concerns about the improper use or disclosure of CSI that enforcement actions, civil penalties, and even criminal referrals will be used as a deterrent and punishment. Enforcement actions can serve as definitional guardrails in understanding the scope of permitted use of CSI, but many questions remain. (3)

For example, in 1997, Asahi Bank, Ltd., then one of Japan's largest banks, consented to an order issued by the Board of Governors of the Federal Reserve System ("Board") to pay a $5 million civil money penalty, in part, for the misuse of CSI by its New York branch employees, who allegedly accessed sealed boxes of documents stored by examiners at Asahi Bank's offices. No financial impropriety was alleged to have resulted from the improper access. In addition to its civil enforcement action, the Board referred the matter to the Justice Department. (4)

In 2012, the National Credit Union Administration ("NCUA") banned a credit union director from serving on any NCUA-insured credit union board, for having revealed the supervisory rating of a credit union led by a nominee for the NCUA's governing board. (5) In this case, the NCUA couched its enforcement action and prohibition order as pertaining to a breach of fiduciary duty by the director.

Most recently, a former Federal Reserve Bank of New York examiner and a Goldman Sachs banker each pled guilty to a misdemeanor charge of theft of government property and consented to an order banning each from banking. In this case, the banker wrongfully obtained approximately thirty-five documents containing CSI from his former subordinate at the Federal Reserve Bank of New York. The banker then used those documents for purposes of furthering his career interests at Goldman Sachs by sharing those documents within the company, including documents relating to examinations of a bank that Goldman Sachs was advising about a potential transaction. In this case, upon learning of these issues, Goldman Sachs fired the banker as well as a managing director with supervisory responsibility, and self-disclosed the misuse of CSI to its regulators. Despite these actions, Goldman Sachs paid a $50 million fine to the New York Department of Financial Services, agreed to a three-year abstention from any consulting arrangements that would require disclosure of CSI under New York law, and further agreed to pay a $36 million fine to the Board. The Board's Order asserted that the firm had inadequate policies, training, controls, and risk management oversight related to handling of CSI, and the Board required implementation of an enhanced compliance program pertaining to CSI. (6) Further, the Board also brought a civil enforcement action against the managing director also fired by Goldman Sachs, alleging violations of law as well as breach of fiduciary duty. (7)

Considering the examples above, there are clearly lessons to be learned. First, the agencies take improper disclosures of CSI seriously, and will bring civil actions and make criminal referrals in appropriate instances. Disclosure or use of CSI, except as expressly permitted by the appropriate agency, may be subject to criminal penalties. (8) Further, as seen in the Goldman Sachs Order (9) and other enforcement actions, the agencies expect banks to have appropriate compliance programs in place to ensure that CSI is not misused. However, despite the seriousness of these issues, the rules governing CSI are disparate and in some cases inconsistent, forcing some institutions to consider how to reconcile conflicting regulatory expectations.

Larger, more complex banking institutions may have supervisory relationships or enforcement-related dialogue with the Board, the Office of the Comptroller of the Currency ("OCC"), the Federal Deposit Insurance Corporation ("FDIC"), the Consumer Financial Protection Bureau ("CFPB"), the Securities and Exchange Commission ("SEC"), the Commodity Futures Trading Commission ("CFTC"), the Department of Justice ("DOJ"), the Internal Revenue Service ("IRS"), state regulators and tax authorities, state attorneys general, foreign regulators, and others. In addition, banks have a choice of charter and of federal prudential supervisor, and the degree of clarity and permissiveness of the agency's rules pertaining to CSI may be a factor in regulatory arbitrage.

Further reflecting the importance of this issue, definitions and permissible uses of CSI have significance in other contexts beyond the scope of this article. For the distinct but related purposes of the federal Freedom of Information Act ("FOIA"), matters that are "contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions" are exempt from disclosure to the public by the federal government. (10) The same policy underpins the common law "bank examiner privilege," which may be asserted by the agencies to shield disclosure of CSI as an evidentiary matter in the context of litigation. (11) Separately, CSI may contain communications subject to legal privilege, such that institutions must understand whether statutory protections pertaining to "selective waiver" preserve the privileged nature of those communications. (12)

Against this backdrop, this article examines the definitions of CSI and the treatment of confidential communications between banks (13) and their supervisors--the Board, the OCC, the FDIC, as well as with the CFPB--in the exercise of each agency's supervisory and enforcement powers. It proceeds in five parts. Part II discusses the agency definitions of CSI, both in an abstract sense and as the rules limit permitted use and disclosure. (14) Part III provides illustrative examples of the implications of the agencies' disparate rules. (15) Part IV posits whether market signals have eroded the veil of secrecy afforded to certain key elements of CSI. (16) Finally, Part V presents considerations for potential reform. (17) While many states have their own rules pertaining to CSI, further complicating the landscape, a complete analysis of those rules is beyond the scope of this article. Throughout, the article identifies some suggested opportunities for reform, and discusses some common practical concerns that arise from supervisory discourse. (18)

II. CONFIDENTIAL SUPERVISORY INFORMATION

A. Definitions in the Abstract

CSI can generally be defined as information prepared for, by or on behalf of, or for the use of a bank's supervisors. At its core, this includes supervisory ratings, examination reports and supervisory letters, and the iterative back-and-forth that emerges as banks are subject to regulatory supervision. Beyond these axiomatic points, however, the Board, OCC, FDIC, and CFPB each have distinct definitions and requirements. In many cases, what constitutes CSI must be assessed under a "know it when you see it" standard, but the agencies have provided definitions in the abstract, varying between agencies:
Board   (1) Confidential supervisory information means:

        (i) Exempt information (19) consisting of reports of
        examination, inspection and visitation, confidential
        operating and condition reports, and any information
        derived from, related to, or contained in such reports;

        (ii) Information gathered by the Board in the course
        of any investigation, suspicious activity report, (20)
        cease-and-desist orders, civil money penalty enforcement
        orders, suspension, removal or prohibition orders, or other
        orders or actions under [enumerated laws pursuant to which
        the Board has supervisory or enforcement authority];
        except--

        (A) Such final orders, amendments, or modifications of final
        orders, or other actions or documents that are specifically
        required to be published or made available to the public
        pursuant to 12 U.S.C. 1818(u), (21) or other applicable law,
        including the record of litigated proceedings; and

        (B) The public section of Community Reinvestment Act
        examination reports...;

        and

        (iii) Any documents prepared by, on behalf of, or for the
        use of the Board, a Federal Reserve Bank, a federal or
        state financial institutions supervisory agency, or a
        bank or bank holding company or other supervised
        financial institution.

        (2) Confidential supervisory information does not include
        documents prepared by a supervised financial institution
        for its own business purposes and that are in its
        possession. (22)

OCC     (b) Non-public OCC information:

        (1) Means information that the OCC is not required to
        release under the FOIA ... or that the OCC has not yet
        published or made available pursuant to [Section 1818(u)]
        and includes:

        (i) A record created or obtained:

        (A) By the OCC in connection with the OCC's performance
        of its responsibilities, such as a record concerning
        supervision, licensing, regulation, and examination of a
        national bank, a Federal savings association, a bank
        holding company, a savings and loan holding company,
        or an affiliate; or

        (B) By the OTS (23) in connection with the OTS's
        performance of its responsibilities, such as a record
        concerning supervision, licensing, regulation, and
        examination of a Federal savings association, a savings
        and loan holding company, or an affiliate;

        (ii) A record compiled by the OCC or the OTS in connection
        with either agency's enforcement responsibilities;

        (iii) A report of examination, supervisory correspondence,
        an investigatory file compiled by the OCC or OTS in
        connection with an investigation, and any internal
        agency memorandum, whether the information is in the
        possession of the OCC or some other individual or entity;

        (iv) Confidential OCC information obtained by a third party
        or otherwise incorporated in the records of a third party,
        including another government agency;

        (v) Testimony from, or an interview with, a current or
        former OCC employee, officer, or agent or a former OTS
        employee, officer, or agent concerning information acquired
        by that person in the course of his or her performance of
        official duties with the OCC or OTS or due to that person's
        official status at the OCC or OTS; and

        (vi) Confidential information relating to operating and
        no longer operating national banks, Federal savings
        associations, and savings and loan holding companies
        as well as their subsidiaries and their affiliates.

        (2) Is the property of the Comptroller. (24)

FDIC    [Confidential supervisory information includes:]

        Records that are contained in or related to examination,
        operating, or condition reports prepared by, on behalf of,
        or for the use of the FDIC or any agency responsible for
        the regulation or supervision of financial
        institutions. (25)

CFPB    (1) Confidential supervisory information means:

        (i) Reports of examination, inspection and visitation,
        non-public operating, condition, and compliance reports,
        and any information contained in, derived from, or related
        to such reports;

        (ii) Any documents, including reports of examination,
        prepared by, or on behalf of, or for the use of the CFPB
        or any other Federal, State, or foreign government agency
        in the exercise of supervisory authority over a financial
        institution, and any information derived from such
        documents;

        (iii) Any communications between the CFPB and a
        supervised financial institution or a Federal, State, or
        foreign government agency related to the CFPB's supervision
        of the institution;

        (iv) any information provided to the CFPB by a financial
        institution to enable the CFPB to monitor for risks to
        consumers in the offering or provision of consumer
        financial products or services, or to assess whether
        an institution should be considered a covered person,
        as that term is defined by 12 U.S.C. 5481, or is subject
        to the CFPB's supervisory authority; and/or

        (v) Information that is exempt from disclosure pursuant
        to [Exemption 8].

        (2) Confidential supervisory information does not include
        documents prepared by a financial institution for its own
        business purposes and that the CFPB does not possess. (26)


As can be seen by the preceding definitions, there is a fundamental dissimilarity in the definition of what constitutes CSI among the agencies. There are a range of questions that emerge. What constitutes information "derived from" or "related to" an examination report? Is any information developed by a bank in response to an examination finding considered CSI? Is it the case that information may be CSI, but not also covered by Exemption 8 for FOIA purposes? Or, are these equivalent such that case law developing the coverage of Exemption 8 can inform what is to be treated as CSI? Should a banking group with many regulators adopt the most conservative definition? Which one is that? Should the bank synthesize the definitions to derive its own? What are the risks of that?

Should a bank whose primary federal supervisor is the FDIC look to the other agencies' definitions for greater certainty? Does the FDIC's definition relate to any supervisory dialogue outside of examination reports? Does it clearly include state examination materials, as the Board's rule does? What about information provided to the FDIC in the context of an applications process, such as for a merger or a new activity, which are not clearly examination, operating, or condition reports?

With regard to interagency communications, the CFPB makes it clear that interagency communications pertaining to the CFPB's supervision of an institution constitute CSI. The Board includes any documents prepared by, on behalf of, or for the use of the Board, a Federal Reserve Bank, a federal or state financial institutions supervisory agency, but does not--as the CFPB does--include any foreign government agency. (27) The OCC only includes any confidential OCC information obtained by another agency. The FDIC is silent on this issue.

When the Board and the CFPB exclude documents prepared by the bank for its own business purposes, the Board references documents that are in the bank's possession, but the CFPB references documents that are not in the CFPB's possession. If, for example, a large organization obtains a third party review of its compliance management system for business purposes, and the report is also provided to the Board and the CFPB upon supervisory request, is that information only CSI for so long as it is "possessed" by the agency? What does this mean in the context of shared databases of documents and information? Which agency's information is it?

In many ways, these and other questions and apparent inconsistencies in definitions may seem academic, but they take on real world meaning in the context of civil or criminal supervisory sanction for misuse of CSI.

B. Definitions Based Upon Usage and Context

While the agencies have each defined CSI differently in their rules, ambiguities about CSI also emerge in the context of determining how it is used, by whom, and for what purpose. Again, these ambiguities are brought into sharp focus by the threat of civil penalties and potentially criminal sanctions for unlawful use or disclosure. An understanding of the agency CSI rules, and how they are applied, is therefore a significant practical concern for each bank.

Likely reflective of the emerging ubiquity of electronic data, as well as instances of misuse of CSI, the federal prudential banking supervisors began to issue guidance in the late 1990s to better refine what constitutes CSI and how the agencies expect that information to be treated. (28) Agency guidance was later codified by the agencies in their regulations, but the agencies diverged in the degree to which they granted banks authority to divulge CSI.

In addition, the agencies issued the 2005 Interagency Advisory, (29) which predated the CFPB. This advisory was prompted specifically by agency concerns about insurers requesting or requiring banks to provide their CAMELS ratings in the context of underwriting directors and officers liability ("D&O") policies. The 2005 Interagency Advisory generally referenced existing agency rules regarding disclosure of CSI, emphasized the importance of those rules, and pointed to a range of public sources of information about banks, such as Call Reports and Thrift Financial Reports, Uniform Bank Performance Reports, SEC filings, rating agency reports, and public enforcement actions as alternatives to disclosure of CAMELS ratings or other CSI. (30)

Collectively, these efforts have established a number of fundamental principles in understanding CSI. First, CSI is the property of the agency, not the supervised institution, and the agency has the power to permit or deny its use or disclosure for any purpose. (31) Second, supervisory ratings, such as the CAMELS, RFI/C, or ROCA ratings, are sacrosanct, and exam reports are of equal rank. (32) Third, the agencies will respond collectively to issues of common import, such as the demands of insurers for CSI, in order to provide "cover" to banks under pressure to provide CSI to third parties.

However, rules pertaining to permitted disclosures of CSI vary in material ways among the agencies, and more recent rules from the CFPB have altered the landscape. Again, recent civil and criminal enforcement actions have brought into focus how and whether any institution can assure compliance with the agencies' divergent standards. Given the blurring of lines among the supervisory authority of the agencies, in particular for larger institutions, these distinctions may require them to accept the lowest common denominator, which may constrain the flexibility of the permitted business use of CSI in unnecessary and potentially costly ways.

1. The Board's Rules

Below are key points of the Board's rules that guide a Board-supervised institution in determining whether and when disclosure of CSI is permitted. The Board explicitly permits a bank to provide CSI "to its directors, officers, and employees, and to its parent bank holding company or parent savings and loan holding company and its directors, officers, and employees." (33) The Board also permits a bank to provide CSI to any certified public accountant or legal counsel employed by the supervised financial institution, subject to certain conditions, including that these advisors may review CSI only on the premises of the supervised financial institution, and shall not make or retain any copies of such information, and may not make any further disclosure of the CSI except upon prior written approval of the Board's General Counsel, except as necessary to provide advice to the bank. (34) The Board's rules state further that "[n]o person obtaining access to confidential supervisory information pursuant to this section may make a personal copy of any such information; and no person may remove confidential supervisory information from the premises of the institution or agency in possession of such information except as permitted by specific language in this regulation or by the Board." (35)

As recently as 2013, largely reiterating the 2005 Interagency Advisory, the Board summarized and reinforced its warnings to community banks to ensure appropriate treatment of CSI, as follows:

OK to Disclose:

* Directors, officers, employees

* Parent company directors, officers, employees

* Certified public accountant (subject to limitations)

* Legal counsel (subject to limitations)

Check with Appropriate Agency:

* Insurers

* Creditors

* Shareholders

* Customers

* Rating agencies

* General public

* Potential acquirers (36)

The Board has required, since at least 1988, that certified public accountants and legal counsel may only access CSI "on the premises" of the supervised institution. (37) This means that, without specific permission, a Board-supervised institution may not reveal "matters requiring attention" or citations of legal violations for which the institution may require legal advice, unless the lawyer is on site at an office of the institution. While conceivably an outside lawyer may review electronic documents containing CSI, according to this rule, the lawyer may only do so at a computer that is "on the premises" of the supervised institution. The Board's pre-email and pre-Internet rule, while clearly intended to maintain custody and control of paper documents, does not reflect the modern reality of secure email, protected data rooms, and other mechanisms for sharing CSI with legal counsel or a CPA. (38) Because the Board's rule also restricts making or retaining "copies" of CSI--defined to include any information derived from exam reports--the Board could also sanction a bank, and its legal counsel or CPA, if memoranda or analyses of legal or accounting concerns include references to CSI, as broadly defined. Further, "copies" of that information would be made as a matter of course as files are shared (within the sanctioned relationship with counsel or the CPA). On their face, the Board's rules also would seem to prohibit a law firm from retaining records of privileged attorney-client discourse that contains CSI.

Moreover, this limitation is incongruent with the statutory requirement that an insured state member bank "shall transmit" a copy of its most recent examination report and any non-public enforcement action to its external auditor. (39) Further, the Board, along with the other prudential agencies, have long indicated, that banks "should provide [external auditors] with access to all examination reports and written communication between the institution and the agencies or state bank supervisor since the last external auditing activity." (40)

Similarly, the Board's rules do not permit disclosure of CSI to other advisors that are not legal counsel or public accountants. In recent years, a variety of consulting firms have evolved into key resources for banks addressing complex regulatory concerns and compliance matters. In some instances, these consulting firms are hired by legal counsel, establishing legal privilege protections for the work of the consultants. However, the Board's rule does not permit direct disclosure of CSI by a bank to its consultants, and prohibits disclosure of CSI by lawyers or CPAs to those consultants "without the prior written approval of the Board's General Counsel except as necessary to provide advice to the supervised financial institution, its parent bank holding company, or the officers, directors, and employees of such supervised financial institution and parent bank holding company."

The Board's rule permits disclosure of CSI by a bank to its parent holding company, but not to other affiliates. For example, information necessary to enable a holding company to develop an enterprise-wide view of the company's risks can include CSI. However, it is unclear whether the results of that risk analysis, increasingly expected of nearly every bank holding company by the Board as a supervisory matter, can be provided to the non-bank sister affiliates of the bank, unless the analysis is not derived from or related to CSI. Further, the Board's rules also would not permit CSI to be disclosed to insurers for important insurance coverage such as D&O policies, including to provide a notice of circumstances in order to preserve rights of claims against the policy.

2. The OCC's Rules

Below are key points of the OCC's rules that guide an OCC-supervised institution in determining whether and when a disclosure of CSI is permitted. First, while impliedly permitted by the rule, there is no express provision permitting an OCC-supervised bank to disclose CSI to its holding company, in contrast with the Board's rules and the rules of the FDIC, described below. On the other hand, the OCC expressly permits disclosures "when necessary or appropriate for business purposes" to "a person or organization officially connected with the bank or Federal savings association as officer, director, employee, attorney, auditor, or independent auditor." (41) Further, the OCC permits disclosure of CSI to consultants, subject to a non-disclosure agreement meeting prescribed terms. There are no restrictions in the OCC's rules on making such disclosures only on the premises of the bank, or subject to limitations on retention of copies, as in the Board's rules.

3. The FDIC's Rules

The FDIC provides detailed rules for limited disclosure of its CSI pertaining to disclosure by the FDIC itself in its various capacities, but these rules provide only limited flexibility with regard to a bank's ability to share CSI with third parties without permission of the FDIC. (42) In general, the FDIC will provide directors, officers, employees, or agents of the regulated entity access to CSI in the performance of their official duties. However, the authorization provided by the FDIC's regulation does not extend, for example, to an officer of the bank providing CSI to any agent, such as a lawyer hired by the bank or its external auditor, if not authorized by the FDIC itself. Despite the FDIC's restriction, as noted above with regard to the Board's rules, federal statutes require that insured banks "shall transmit" copies of examination reports and other CSI to their external auditors, and this was reinforced by interagency policy. (43)

Unlike the other agencies, the FDIC has a highly prescriptive rule that permits disclosure of FDIC exam reports to the bank's parent holding company and its directors, officers, and employees. Requirements include that the parent must own 50% of the bank's voting stock, the bank board of directors must annually resolve, in a prescribed manner, to authorize the reproduction and furnishing of reports, and the minutes must record certain information pertaining to the disclosure. (44) As noted above, the Board's rules authorize disclosure, and the OCC only impliedly authorizes disclosure. Neither of these agencies have the same prescribed standards as the FDIC.

Notably, unlike other agencies, the FDIC does not provide for the disclosure of CSI by a bank to its lawyers, consultants, or service providers, without permission of the agency. The FDIC has been particularly sensitive in the context of its receivership role for troubled or failing banks. In 2012, the FDIC issued guidance stating that it is a breach of fiduciary duty, and a violation of FDIC regulations, for directors and officers, and their lawyers, to copy and remove CSI and other financial institution records in anticipation of litigation or an enforcement action against that director or officer in his or her personal capacity. (45)

4. The CFPB's Rules

As the newest agency on the block, the CFPB's current rules provide both the most clearly defined and the most permissive rules of those surveyed with regard to the permitted use and disclosure of CSI that belongs to the CFPB. (46) The CFPB provides the most definitional certainty and operational flexibility of any of the agencies with regard to use and disclosure of CSI. Affiliates, lawyers, contractors, consultants, and "service providers" are all permitted to obtain CSI as necessary to provide advice or services to the institution. Further, unlike any of the other agencies, the CFPB's rules explicitly permit disclosure to directors, officers, and employees of all affiliates "to the extent that the disclosure of such CSI is relevant to the performance of such individuals' assigned duties." (47) In turn, these affiliates may also disclose CSI to CPAs, lawyers, contractors, consultants, or service providers.

Instead of requiring prior permission in these instances, the CFPB permits disclosure unless otherwise directed by the agency, and imposes requirements on the recipients of the CSI. The recipient may not "utilize, make, or retain copies of, or disclose CSI for any purpose, except as is necessary to provide advice or services to the supervised financial institution or its affiliate." (48) This approach allows, for example, a bank to include restrictions on the use of CSI in the form of non-disclosure terms in services contracts, rather than having to seek prior approval of senior staff of the agency. These provisions perhaps reflect that modern banks need the services of third parties, often on an expedited basis, and that these institutions are part of larger organizations with consolidated operations and risk management needs.

While the CFPB's rules are notable for their clarity and utility, the CFPB has also proposed a controversial loosening of its rules with regard to sharing of CSI by the CFPB with non-supervisory agencies, such as state attorneys general. (49) This proposal received significant industry response, including concerns about the chilling effect that such disclosure would have on the confidential supervisory relationship and the potential waiver of legal privilege. (50) As of the close of 2017, the CFPB has not finalized its proposed rule.

III. ILLUSTRATIVE PRACTICAL IMPLICATIONS OF THE AGENCIES' CSI REGIME

In considering the landscape above, there are a range of practical issues that arise with regard to the definition and use of CSI. A list of those issues includes, but is not limited to, the following:

* When can a bank reveal CSI of one agency to another agency? For example, if an on-site examiner demands to see the responses of the bank to supervisory "matters requiring attention" issued by another agency.

* In a joint exam by state and federal prudential supervisors, which agency's rules govern the treatment of CSI?

* In an examination of a third-party service provider by the FFIEC under its authority pursuant to the Bank Service Company Act, which agency's definitions and rules govern?

* How should a bank track, label, and maintain CSI? Is this a risk governance issue, a legal issue, an information security issue? Should the bank maintain labels, or header/footer legends, to identify CSI? What should those legends say? How should CSI information be maintained when it may also be subject to legal privilege, to private non-disclosure agreements, or to FOIA exemptions? Should institutions establish compliance programs that ensure they meet the standards emerging from the Goldman Sachs Order? (51)

* What should a bank do when it receives unsolicited CSI from a third party? For example, what if an applicant for a job at the bank references work history that included remediation of non-public supervisory concerns at another bank?

* If the bank has entered into a non-disclosure agreement with a third party, the agencies have asserted that such agreements should not impede supervisory access to such information. (52) Further, the Board has asserted that "identification of information requested by, or provided to, supervisory staff--including the fact that an examination has taken or will take place--is related to an examination and falls within the definition of confidential supervisory information." (53) In this case, the bank must ensure that non-disclosure agreements expressly permit access by their supervisors to confidential information shared by third parties. This access can create friction in negotiations.

* For publicly traded institutions, tensions may be created between restrictions on disclosure of CSI and securities law disclosure requirements. Many publicly traded banks feel obliged by the securities laws to pre-emptively disclose the impact of their regulatory status in securities filings. While the bank cannot reveal its CAMELS composite, RFI/C, compliance or other ratings, it may feel compelled by the securities laws to describe the effect of any memorandum of understanding or other non-public enforcement order on matters important to shareholders, such as limitations on dividends or debt. Surprisingly, the agencies have not issued any clarifying guidance on this issue, despite its impact on a wide range of firms.

* In the context of any bank merger or acquisition, appropriate diligence naturally includes a review of the regulatory status of the partner, its compliance and risk management systems, and other areas not immediately apparent from a review of the financial statements. (54) The acquirer or resulting bank wants to be sure it is not assuming a set of problems that can undermine the value of the deal. The target wants some assurance that the acquirer can complete the transaction as it requires regulatory approval. While there is substantial information publicly available, and even though deal diligence is always pursued pursuant to non-disclosure agreements, where CSI is so broadly defined to include information "derived from or related to" examination materials there is a delicate dance required to ensure that appropriate diligence can be accomplished. (55)

IV. DO MARKET SIGNALS AND PERMITTED DISCLOSURES UNDERMINE THE PROTECTIVE REGIME FOR CSI?

While the agencies have expressed substantial interest in maintaining the secrecy of a bank's ratings, justifying an entire regime of protection for CSI, increasingly the regulatory status of an institution can be deduced from its behavior and by public regulatory sanctions. Some may argue that the composite CAMELS or compliance ratings of a bank are an open secret. Banks with a "4" or "5" composite CAMELS rating typically face a public enforcement action. The market also can often deduce when banks have a composite CAMELS rating of "3" or a subjective management rating of "3," as these institutions will typically have to stay on the sidelines for any "expansionary" activity, including not only mergers and acquisitions, but also any branching activity. The Board has made this policy explicit, and the OCC and FDIC have typically followed the same approach. (56)

While other factors, such as open investigations of consumer compliance concerns, may constrain expansionary activity, even for satisfactorily-rated institutions, the effect is the same, in that confidential supervisory discussions may be revealed by their known market impact on the supervised institution. Once filed and publicly noticed, withdrawals of applications or licensing matters are also publicly known, and provide market signals on an institution's supervisory status. In other words, the agencies use the blunt lever of enforcement actions, forced withdrawals or slowed processes for expansionary proposals, and other tools to drive banks to act upon supervisory concerns. As a result, in some instances the agencies themselves are revealing significant information about an institution's supervisory status, while simultaneously constraining the bank's ability to address with clarity, in a public manner, its efforts to address those concerns, as that information may be considered CSI.

V. OPPORTUNITIES FOR REFORM

Among the goals for regulatory reform should be the reconciliation of the disparate treatment of CSI by and among the agencies, to modernize rules, and to provide greater clarity to banks and others on the definitions and permissible usage of CSI. (57) Interagency collaboration to rectify this lack of clarity should be in the interest of the agencies themselves. Doing so would provide better clarity and transparency to all interested parties and remove unnecessary concerns that can impede the free-flow of information between regulators and regulated institutions necessary to both effective supervision and to the operations of the supervised bank. Unless required by Congress or as necessary given the unique powers or authority of the agency, rules governing the treatment of CSI should be as consistent as possible. To further the goal of confidentiality and candor to enable agencies to effectively supervise banks, the treatment of CSI should not be more or less stringent depending upon the choice of primary federal regulator. In addition, the treatment of CSI by the CFPB should be consistent with the treatment of such information by the prudential regulators, again except to the extent that the unique role and powers of the CFPB or the prudential agency dictate otherwise. Moreover, standards of interpretation of treatment of CSI should not be left to "agency policy" that is not set forth in law and regulation, or at a minimum set forth in interagency regulatory guidance.

The U.S. Government Accountability Office ("GAO") issued a study in 2016 ("GAO Report" or "Report") that found that "fragmentation and overlap have created inefficiencies in regulatory processes, inconsistencies in how regulators oversee similar types of institutions, and differences in the levels of protection afforded to consumers." (58) The Report encourages efforts by Congress to rectify these concerns. However, as the GAO Report points out, given the complex, overlapping, and fragmented nature of the U.S. regulatory system, reconciliation of competing interests among the agencies may require a mandate from Congress as an impetus to force the agencies to take action. The GAO Report also describes how legal constraints affect interagency sharing of confidential information to achieve the systemic risk monitoring and analysis goals set by the Dodd-Frank Act, which created the Office of Financial Regulation and the Financial Stability Oversight Council to achieve those goals. In other words, inconsistent standards for definitions and treatment of CSI not only impact supervised institutions, but also disrupt the government's ability to achieve its systemic oversight goals in a collaborative manner. (59)

Some have recommended an open dialogue among regulators, the regulated, and industry professionals, such as lawyers, consultants, and accountants, to facilitate a more consistent understanding of the definition and use of CSI. (60) These commentators also recommend reforms including: (1) having the prudential bank regulators adopt the CFPB's standard for sharing CSI with lawyers and other advisors as a practical step; (2) providing a common and streamlined approach to obtaining approvals for routine disclosures; and (3) taking into account the role of attorney-client privilege as an overlapping protection and justification for permitted disclosures. (61)

Moreover, in 1979, Congress established the Federal Financial Institutions Examinations Council ("FFIEC") "to prescribe uniform principles and standards for the Federal examination of financial institutions ... and make recommendations to promote uniformity in the supervision of these financial institutions." (62) From the FFIEC came the CAMELS rating system, schools for examiner training across agencies, and other interagency efforts. It seems that the FFIEC could also be an appropriate entity to reconcile disparate and in some cases outmoded approaches to the definition and treatment of CSI, which is so important to effective bank supervision.

In summary, the banking agencies have elevated the importance of the treatment of CSI by emphasizing concerns in enforcement actions and by issuing guidance and rules, but have not provided consistent and coherent definitions and guidance across the industry. Reform of these rules would remove unnecessary uncertainty and friction, and help foster the transparent and candid dialogue critical to effective bank supervision.

Clifford S. Stanford, Cliff Stanford is a Partner with Alston & Bird, where he chairs the firm's bank regulatory practice. Mr. Stanford was formerly an official with the Federal Reserve Bank of Atlanta. Mr. Stanford thanks students Roy G. Dixon, III, John H. Hykes, Joanne Wu, and Richard W. Gittings, and Professor Lissa L. Broome for their assistance in preparing this article.

(1.) GoodReads, https://www.goodreads.com/quotes/69197-it-s-not-me-who-can-t-keep-a-secret-it-s-the (last visited Jan. 22, 2018).

(2.) In re Subpoena Served Upon the Comptroller of Currency, and Sec'y of the Bd. of Governors of the Fed. Reserve Sys., 967 F.2d 630, 633 (D.C. Cir. 1992).

(3.) The principle "ex facto jus oritur" (the law arises from the facts) may be as useful as any in derivation of a working understanding of CSI.

(4.) The bank employees' access to the CSI was part of larger concerns about the bank's behavior. See The Asahi Bank, LTD., Nos. 96-023-B-FB, 96-023-B-FBR 1997 WL 61521, at *1 (Bd. of Governors of the Fed. Reserve Sys. Feb. 13, 1997) ("Asahi and the New York Branch are hereby assessed and shall pay, in settlement of these proceedings, a civil money penalty in the amount of $5 million.").

(5.) See James M. Talbert, No. 12-0015-R2 (Nat'l Credit Union Admin. Bd. Mar. 9, 2012) ("[T]he NCUAB issues this order and prohibits Talbert from participating in any manner in the conduct of the affairs of any federally-insured credit union and from continuing or commencing to hold any office, or participate in any manner, in the conduct of the affairs of any other institution or agency described in Section 206(g)(7) of the FCUA...."); NCUA Bars Former DC FCU Board Member, Nat'l Credit Union Admin. (Mar. 28, 2012), https://www.ncua.gov/newsroom/Pages/NW20120328Talbert.aspx.

(6.) See The Goldman Sachs Group, Inc., Nos. 16-011-BH-C, 16-011-CMP-HC (Bd. of Governors of the Fed. Reserve Sys. Aug. 2, 2016) ("[T]he Firm lacked adequate policies and procedures designed to detect or prevent the unauthorized dissemination and use of confidential supervisory information belonging to the Board of Governors and other banking regulators, which resulted in legal and reputational risks to the Firm....").

(7.) See Joseph Jiampietro, Nos. 16-012-E-l, 16-012-CMP-l (Bd. of Governors of the Fed. Reserve Sys. Aug. 2, 2016) (showing the factual allegations of the Board's notice articulate a detailed review of the Board's findings that Mr. Jiampietro was aware of the restrictions on use of CSI, but allegedly fostered a culture over a course of several years that led to the misuse of CSI within the company, including use of CSI in "pitch" materials to potential clients).

(8.) 18 U.S.C. [section] 641 (2016).

(9.) See The Goldman Sachs Group, Inc., No. 16-011-BH-C, 16-011-CMP-HC (Bd. of Governors of the Fed. Reserve Sys. 2016) ("[T]he Firm shall submit to the Board of Governors an acceptable written plan, and timeline for implementation, to enhance the effectiveness of the internal controls and compliance functions regarding the identification, monitoring, and control of confidential supervisory information.").

(10.) 5 U.S.C. [section] 552(b)(8) (2016) (discussing "Exemption 8"). Each of the agencies has promulgated rules implementing the FOIA. Most states have similar "sunshine" or open government laws governing state agencies, including state bank supervisors. An exposition of these state laws is beyond the scope of this article. See, e.g., The Open Government Guide, THE REPORTERS COMMITTEE FOR FREEDOM OF THE PRESS, http://www.rcfp.org/ogg/index.php (listing a complete compendium of information on each state's open records and open meetings laws).

(11.) See, e.g., In re Subpoena Served Upon the Comptroller of Currency, and Sec'y of the Bd. of Governors of the Fed. Reserve Sys., 967 F.2d 630, at 634 (D.C. Cir. 1992) ("Bank management must be open and forthcoming in response to the inquiries of bank examiners, and the examiners must in turn be frank in expressing their concerns about the bank. These conditions simply could not be met as well if communications between the bank and its regulators were not privileged.").

(12.) Federal law provides for "selective waiver," such that no waiver results from compelled or voluntary disclosure to any federal banking agency, the CFPB, a state bank supervisor, or a foreign banking authority in the context of any supervisory or regulatory process. See 12 U.S.C. [section] 1828(x) (2016) (discussing privileges not affected by disclosure to banking agency or supervisor). Certain of these agencies may, in turn, share privileged information with certain other agencies without waiving privilege. 12 U.S.C. [section] 1821 (t) (2016). However, these statutes are not drafted of whole cloth. See, e.g., Bruce A. Green, The Attorney-Client Privilege--Selective Compulsion, Selective Waiver, and Selective Disclosure: Is Bank Regulation Exceptional?, 2013 J. Prof. Law. 85, 88 (2013) ("This state of affairs raises questions about the wisdom of the federal laws and regulatory policies....").

(13.) For purposes of simplicity, this article uses the term "bank" to mean any depository institution chartered by a state or by the OCC, any foreign banking organization operating in the United States, and the U.S. subsidiaries or affiliates of any of the foregoing. While this article focuses on banks, the same principles apply generally to credit unions in their relationships with the NCUA or to state credit union regulators. Further, certain non-bank firms are also subject to similar supervision by the CFPB, or as a result of the oversight of third party service providers by the agencies.

(14.) See infra Part II.

(15.) See infra Part III.

(16.) See infra Part IV.

(17.) See infra Part V.

(18.) The agencies also impose information security safeguards, premised on the protection of the confidentiality, integrity, and availability of information. In addition, privacy law, including the protection of certain consumer information, presents an entirely separate but related discipline that also brings forth a range of complex concerns that can bleed into how an institution approaches protection of sensitive information such as CSI.

(19.) Reflective of the Board's role in coordinated supervision of state-chartered, Federal Reserve member banks, "exempt information" is defined by the Board to include any information exempt under Exemption 8, but expanded to include information contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of "a state financial institution supervisory agency." 12 C.F.R. [section] 261.14(a)(8) (2017).

(20.) Suspicious activity reports, or "SARs," pertain to reports of suspicious potential criminal activity by banks and others, and are subject to an independent scheme of law to restrict their disclosure, derived from the Bank Secrecy Act. 31 U.S.C. [section] 5311 (2016), et seq.; 12 C.F.R. [section][section] 208.62,211.5(k), 211.24(f), 225.4(f) (2017) (pertaining to reports prescribed by the Board); 12 C.F.R. Part 353 (2017) (requiring notifying the FDIC); 12 C.F.R. Part 748 (2017) (pertaining to credit unions notifying the NCUA); 12 C.F.R. [section] 21.11 (2017) (requiring all national banks licensed or chartered by the OCC to comply); 31 C.F.R. [section] 1020.320 (2017) (requiring SARs to be filed with FinCEN). Disclosure of SARs other than to law enforcement, to the supervisory agencies, or as otherwise expressly permitted, is subject to criminal sanction. See 31 U.S.C. [section] 5322 (2016) (setting forth criminal penalties). Courts also recognize a "SAR privilege" on similar grounds as bank examination privilege.

(21.) 12 U.S.C. [section] 1818(u) (2016) provides for public disclosure of formal enforcement actions such as written agreements, unless determined to be contrary to the public interest, of all final orders resulting from any administrative enforcement proceeding, and any modification or termination of the foregoing. Section 1818(u) further provides for the publication of hearing transcripts, subject to the agency's filing of documents under seal as disclosure is determined by the agency to be "contrary to the public interest." Notably, the statute does not authorize the withholding, or to prohibit the disclosure, of any information to Congress.

(22.) 12 C.F.R. [section] 261.2(c) (2017) (emphasis added).

(23.) The former Office of Thrift Supervision ("OTS") was absorbed by the OCC as a result of Dodd-Frank. Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank") [section] 312, 12 U.S.C. [section] 5412 (2016).

(24.) 12 C.F.R. [section] 4.32(b) (2017).

(25.) 12 C.F.R. [section] 309.5(g)(8) (2017). This is the FDIC's implementation of Exemption 8. The agency provides no other definition by regulation, but does expound upon the treatment of supervisory ratings as CSI in an advisory letter published by the Board, OCC, FDIC, and OTS. See BD. OF GOVERNORS OF THE FED. RESERVE SYS., 13-2005, INTERAGENCY ADVISORY ON THE CONFIDENTIALITY OF THE SUPERVISORY RATING AND OTHER NONPUBLIC SUPERVISORY INFORMATION (2005) [hereinafter 2005 INTERAGENCY ADVISORY] (reminding all banking organizations of the prohibition to disclose their CAMELS rating).

(26.) 12 C.F.R. [section] 1070.2(i) (2017) (emphasis added).

(27.) Note that other law specifically covers the interagency sharing of information with the Department of Justice or the Federal Trade Commission, for purposes of antitrust analysis in the context of a merger review. See 12 U.S.C. [section] 1828b (2016) ("To the extent not prohibited by other law, the Comptroller of the Currency, the Director of the Office of Thrift Supervision, the Federal Deposit Insurance Corporation, and the Board of Governors of the Federal Reserve System shall make available to the Attorney General and the Federal Trade Commission any data in the possession of any such banking agency that the antitrust agency deems necessary for antitrust review of any transaction requiring notice to any such antitrust agency or the approval of such agency....").

(28.) See e.g., FED. RESERVE BANK OF N.Y., CIRCULAR NO. 11002, IMPROPER DISCLOSURE OF CONFIDENTIAL SUPERVISORY INFORMATION BY FINANCIAL INSTITUTIONS (1997) (interestingly, this circular was not issued by the Board, but rather by its delegee, the Federal Reserve Bank of New York); FED. DEPOSIT INS. CORP., SARC-99-07, APPEALS OF MATERIAL SUPERVISORY DETERMINATIONS: GUIDELINES & DECISIONS (1999) (finding that a bank had violated FDIC rules when the bank provided members of Congress and the General Accounting Office with copies of its appeal of an examination rating).

(29.) See 2005 INTERAGENCY ADVISORY, supra note 25.

(30.) Subsequent developments have expanded this list. For example, the Dodd-Frank Act required public disclosures of certain larger banks' "living wills," as well as annual Comprehensive Capital Analysis and Review ("CCAR") and other stress test results.

(31.) This principle has been codified by the agencies. 12C.F.R. [section][section] 4.32(b)(2), 4.36 (2017) (OCC); 12 C.F.R. [section][section] 309.5(g)(8), 309.6(a), 350.9 (2017) (FDIC); 12 C.F.R. [section][section] 261.2(c)(1), 261.20(g), 261.22(e) (Board); 12 C.F.R. [section] 792.30 (NCUA).

(32.) Note that not every supervisor has held fast to this principle. In 2012, the North Carolina Credit Union Division permitted a state credit union to disclose its supervisory rating. In response, the NCUA suspended joint examinations with the state agency for a period of time, forcing North Carolina credit unions to submit to separate examinations. Credit Union Nat'l Ass'n, NEW: NCUA to Stop Separate Exams in N.C. (2013), http://news.cuna.org/articles/print/NEW:_NCUA_to_stop_separate_exams_in_NC.

(33.) 12 C.F.R. [section] 261.20(b) (2017) (emphasis added). The Board also provides specific rules governing disclosures of CSI by the Board to supervised institutions and to federal and state supervisory agencies, and to law enforcement, among other specific instances. See 12 C.F.R. [section][section] 261.20(a), (c) (2017) (discussing disclosure of confidential supervisory information to supervised financial institutions and disclosure upon request to Federal financial institution supervisory agencies); 12 C.F.R. [section] 261 (2017). The Board states that CSI is considered privileged information that it will not normally provide to the public, and provides rules governing when it would produce CSI in a litigation context or subject to a subpoena or other process. See 12 C.F.R. [section][section] 261.22,261.23 (2017) (setting requirements in other circumstances of disclosure).

(34.) Id.

(35.) 12 C.F.R. [section] 261.20(g) (2017). While not explicit, a fair reading of this rule is that it does not constrain the specific disclosures of CSI to legal counsel and CPAs, such that approval of the Board's General Counsel is not, for example, required for an outside lawyer to review a bank's exam reports on its premises.

(36.) See CMTY. BANKING CONNECTIONS, CONFIDENTIAL SUPERVISORY INFORMATION DISCLOSURE RULES (2013), https://communitybankingconnections.org/articles/2013/Q1/ Confidential-Supervisory-Information-Disclosure-Rules. Certain points of this guidance are further discussed below ("The Board of Governors of the Federal Reserve System (Board) has published rules regarding the disclosure of confidential supervisory information by financial institutions supervised by the Federal Reserve.").

(37.) See 53 Fed. Reg. 20815 (June 7, 1988).

(38.) The Board had opportunities in subsequent rounds of updates to this rule to address this anachronism, but has not done so. See 62 Fed. Reg. 54359 (Oct. 20, 1997); 76 Fed. Reg. 56601 (Sept. 13, 2011); 79 Fed. Reg. 6077 (Feb. 3, 2014).

(39.) 12 U.S.C. [section] 1831m(h) (2016). This statute was added by the Federal Deposit Insurance Corporation Improvement Act ("FDICIA") in 1991. Federal Deposit Insurance Corporation Improvement Act of 1991, Pub. L. No. 102-242, 105 Stat. 2236.

(40.) See BD. OF GOVERNORS OF THE FED. RESERVE SYS. ET AL., INTERAGENCY POLICY STATEMENT ON EXTERNAL AUDITING PROGRAMS OF BANKS AND SAVINGS ASSOCIATIONS (1999) (alteration in original) (emphasis added). The policy statement encourages disclosure of any supervisory MOU, written agreements, administrative orders, reports of action initiated by a federal or state banking agency, and any proposed or ordered assessments of civil money penalties against the institution or an institution-related party, as well as any associated correspondence. The auditor must maintain the confidentiality of examination reports and other confidential supervisory information. Also, the engagement letter should grant examiners access to all the accountant's or auditor's workpapers and other material pertaining to the institution prepared in the course of performing the external audit.

(41.) 12 C.F.R. [section] 4.37(b)(2) (2017).

(42.) 12 C.F.R. [section] 309.6(2017).

(43.) 12 U.S.C. [section] 1831m(h) (2016). This statute was added by the Federal Deposit Insurance Corporation Improvement Act ("FDICIA") in 1991. Federal Deposit Insurance Corporation Improvement Act of 1991, Pub. L. No. 102-242, 105 Stat. 2236.

(44.) 12 C.F.R. [section] 309.6(b)(7)(iii) (2017). The FDIC's rules for disclosure of CSI to parent holding companies do not provide for disclosure to any non-bank sister affiliates of the bank. See id. (permitting subsidiary depository institutions to furnish examination reports to the parent holding company without prior approval).

(45.) See Letter from the Fed. Deposit Ins. Corp. on Guidelines Regarding the Copying and Removal of Confidential Financial Institution Information (Mar. 19, 2012) (reminding that removal of supervisory records in anticipation of litigation or enforcement is a breach of fiduciary duty). This guidance was issued following the FDIC's lawsuits, as receiver, against law firms and a bank's holding company for having removed records of a failing bank. Id.; see, e.g., FDIC v. Bryan Cave, LLP, No. 10-CV-03666 (N.D. Ga. 2010) (discussing that the FDIC alleged that bank officers and directors provided the law firm with copies of the bank's books and records to aid in their defense, in violation of federal laws, internal bank policies, and in some cases written agreements by copying the documents and providing those copies to counsel. The FDIC ultimately dismissed its case after a private settlement). The FDIC has asserted that "[p]ursuant to 12 U.S.C. [section] 1821(d)(2)(A), the FDIC as receiver obtains the exclusive rights and benefits associated with the failed institution's documents and records." Letter from Michael Krimminger, Acting Gen. Counsel, Fed. Deposit Ins. Corp., to David Baris, Exec. Dir., American Assoc, of Bank Dirs. (Jan. 25, 2011), http://aabd.org/ fdicresponds-to-aabd-request-to-allow-bank-directors-access-to-bank-records-for-defense-againstlawsuits/.

(46.) See 12 C.F.R. [section] 1070.42(b) (2017) (discussing disclosure of confidential supervisory information by a supervised financial institution or its affiliates).

(47.) Id.

(48.) Id.

(49.) Amendments Relating to Disclosure of Records and Information, 81 Fed. Reg. 58310 (Aug. 24, 2016) (to be codified at 12 C.F.R. Pts. 1070 and 1091).

(50.) See, e.g., Letter from The Clearing House, et al., to Monica Jackson, Office of the Exec. Sec'y, Consumer Fin. Prot. Bureau (Oct. 24, 2016), https://www.regulations.gov/document?D=CFPB-2016-0039-0013 ("We appreciate the Bureau's recognition of the importance of providing maximum protection to sensitive information and its efforts to provide additional clarity and transparency regarding its information protection and disclosure practices. However, we believe that certain of the Bureau's proposed amendments would inappropriately and unnecessarily expand the universe of entities that could receive protected information.").

(51.) See The Goldman Sachs Group, Inc., Nos. 16-011-BH-C, 16-011-CMP-HC (Bd. of Governors of the Fed. Reserve Sys. Aug. 2, 2016) ("[T]he Firm lacked adequate policies and procedures designed to detect or prevent the unauthorized dissemination and use of confidential supervisory information belonging to the Board of Governors and other banking regulators, which resulted in legal and reputational risks to the Firm....").

(52.) See, e.g Bd., of Governors of the Fed. Reserve Sys., Supervision and Regulation Letter on Confidentiality Provisions in Third-Party Agreements (Dec. 13, 2007) ("It is contrary to Federal Reserve regulation and policy for agreements to contain confidentiality provisions that (1) restrict the banking organization from providing information to Federal Reserve supervisory staff; (2) require or permit, without the prior approval of the Federal Reserve, the banking organization to disclose to a counterparty that any information will be or was provided to Federal Reserve supervisory staff; or (3) require or permit, without the prior approval of the Federal Reserve, the banking organization to inform a counterparty of a current or upcoming Federal Reserve examination or any nonpublic Federal Reserve supervisory initiative or action.").

(53.) Id.

(54.) This same diligence is appropriate for underwriters of a securities offering.

(55.) Notably, an assessment of the thoroughness of due diligence is an element of regulatory approval of an application. Question #3 of the Board's FR Y-3 reporting form (used for applications under Section 3 of the Bank Holding Company Act), states: "If the proposed transaction involves the acquisition of an unaffiliated banking operation or otherwise represents a change in ownership of established banking operations, describe briefly the due diligence review conducted on the target operations by Applicant. Indicate the scope of and resources committed to the review, explain any significant adverse findings, and describe the corrective action(s) to be taken to address those weaknesses."

(56.) See Bd. of Governors of the Fed. Reserve Sys., Supervision and Regulation Letter on Enhancing Transparency in the Federal Reserve's Applications Process (Feb. 24, 2014), https://www.federalreserve.gov/supervisionreg/srletters/srl402.htm ("To enhance transparency in the Federal Reserve's applications process and provide the banking industry and general public with better insight into the issues that could prevent the Federal Reserve from acting favorably on a proposal, the Federal Reserve will start publishing a semi-annual report that provides pertinent information on applications and notices filed with the Federal Reserve."). There are exceptions to the Board' general stance. For example, the Board allows expansionary proposals for banks with less than satisfactory safety and soundness ratings only upon: (1) convincingly demonstrating that the proposal would not distract management from addressing the existing problems of the organization or further exacerbate these problems, (2) demonstrating that the proposed acquisition would strengthen the organization, and (3) responding appropriately to and making notable progress in addressing supervisory concerns.

(57.) Others have pointed out procedural matters adjunct to the supervisory process that are similarly disparate and ripe for reform or harmonization, such as the appeal processes among the agencies for review of material supervisory determinations. See Julie Andersen Hill, When Bank Examiners Get It Wrong: Financial Institution Appeals of Material Supervisory Determinations, 92 Wash. U. L. Rev. 1101 (2015) (analyzing the appeals processes for material supervisory determinations made by regulators).

(58.) U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-16-175, REPORT TO CONGRESSIONAL REQUESTERS: COMPLEX AND FRAGMENTED STRUCTURE COULD BE STREAMLINED TO IMPROVE EFFECTIVENESS (2016) [hereinafter GAO Report].

(59.) See GAO REPORT, supra note 57, at 68-75 ("[I]f the nature of open participation of FSOC member agency staff at the Systemic Risk Committee presents serious impediments to meaningful sharing and discussion of confidential supervisory and other information, other arrangements may help overcome such impediments. OFR staff said that although legal constraints preclude them from sharing some monitors' underlying data widely at the Systemic Risk Committee, they could share this information with a small group, as they have done in other settings."). At a minimum, such an approach leads to effectively unappealable agency action. See Greg Baer, Rethinking Safety and Soundness Supervision, THE CLEARING HOUSE BANKING PERSPECTIVES, Q3 2017, https://www.theclearinghouse.org/research/banking-perspectives/2017/ 2017-q3-banking-perspectives/safety-and-soundness-supervision (recommending modernization of the supervision system).

(60.) Edward P. O'Keefe, et al., Navigating the Complexities of CSI, THE CLEARING HOUSE BANKING PERSPECTIVES, Q1 2017, https://www.theclearinghouse.org/research/bankingperspectives/2017/ 2017-q1-banking-perspectives/csi-complexities.

(61.) Id.

(62.) 12 U.S.C. [section] 3301 (2016).
COPYRIGHT 2018 North Carolina Banking Institute
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2018 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Stanford, Clifford S.
Publication:North Carolina Banking Institute
Date:Mar 1, 2018
Words:9877
Previous Article:ADDRESSING THE FUNDAMENTAL BANKING POLICY PROBLEM OF RUNS: EFFECTIVELY SUBORDINATING LARGE AMOUNTS OF LONG-TERM DEBT TO SHORT-TERM DEBT TO END...
Next Article:THE EVOLUTION OF REDLINING POSTFINANCIAL CRISIS AND BEST PRACTICES FOR FINANCIAL INSTITUTIONS.
Topics:

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters