Amendments Relating to Disclosure of Records and Information, 75194-75220 [2020-24113]

Agencies

• BUREAU OF CONSUMER FINANCIAL PROTECTION

[Federal Register Volume 85, Number 227 (Tuesday, November 24, 2020)]
[Rules and Regulations]
[Pages 75194-75220]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-24113]



[[Page 75193]]

Vol. 85

Tuesday,

No. 227

November 24, 2020

Part IV





Bureau of Consumer Financial Protection





-----------------------------------------------------------------------





12 CFR Parts 1070 and 1091





Amendments Relating to Disclosure of Records and Information; Final 
Rule

Federal Register / Vol. 85 , No. 227 / Tuesday, November 24, 2020 / 
Rules and Regulations

[[Page 75194]]


-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Parts 1070 and 1091

[Docket No. CFPB-2016-0039]
RIN 3170-AA63


Amendments Relating to Disclosure of Records and Information

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule amends the Bureau's rule regarding the 
confidential treatment of information obtained from persons in 
connection with the exercise of its authorities under Federal consumer 
financial law.

DATES: This final rule is effective December 24, 2020.

FOR FURTHER INFORMATION CONTACT: David Snyder, Senior Counsel, Legal 
Division, 202-435-7758. If you require this document in an alternative 
electronic format, please contact [email protected].

SUPPLEMENTARY INFORMATION: 

I. Background

    The Bureau of Consumer Financial Protection (Bureau) was 
established by title X of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act (Pub. L. 111-203, codified at 12 U.S.C. 5301 et 
seq.) (Dodd-Frank Act). The Dodd-Frank Act, among other things, 
directed the Bureau to ``prescribe rules regarding the confidential 
treatment of information obtained from persons in connection with the 
exercise of its authorities under Federal consumer financial law.'' 12 
U.S.C. 5512(c)(6)(A).
    In order to establish safeguards for protecting the confidentiality 
of information, as well as procedures for disclosing information as 
appropriate, the Bureau published an interim final rule on July 28, 
2011, 76 FR 45371 (Jul. 28, 2011), followed by a final rule on February 
15, 2013, 78 FR 11483 (Feb. 15, 2013). The Bureau also made limited 
revisions to the rule during that period, related to the treatment of 
privileged information. See Notice of Proposed Rulemaking, Confidential 
Treatment of Privileged Information, 77 FR 15286 (Mar. 15, 2012); Final 
Rule, Confidential Treatment of Privileged Information, 77 FR 39617 
(July 5, 2012).
    Based on its experience over the previous several years, the Bureau 
published a notice of proposed rulemaking on August 24, 2016, 81 FR 
58310 (Aug. 24, 2016), that proposed to amend the rule to clarify, 
correct, and amend certain provisions of the rule, and it solicited 
comments on the proposal. The Bureau issued a final rule on September 
12, 2018, 83 FR 46075 (Sept. 12, 2018), that pertained to the portions 
of the Bureau's proposal related to the Freedom of Information Act, 5 
U.S.C. 552, the Privacy Act of 1974, 5 U.S.C. 552a, and requests for 
Bureau information in legal proceedings. The Bureau now issues this 
final rule to address the portions of its proposal regarding the 
confidential treatment of information obtained from persons in 
connection with the exercise of its authorities under Federal consumer 
financial law.

II. Summary of the Final Rule

    The final rule revises subparts A and D of section 1070 of title 12 
of the Code of Federal Regulations.
    The revisions to subpart A address definitions of terms that are 
used throughout the remainder of the part. The Bureau has revised 
several of these definitions to clarify their intended meanings as well 
as Bureau practices. The Bureau has also included one new definition 
and deleted one definition in the final rule. The Bureau declines to 
finalize one new definition, ``agency,'' which was proposed in the 
notice of proposed rulemaking.
    The revisions to subpart D pertain to the protection and disclosure 
of confidential information that the Bureau generates and receives 
during the course of its work. Various provisions of the Dodd-Frank Act 
require the Bureau to promulgate regulations providing for the 
confidentiality of certain types of information and protecting such 
information from public disclosure. The Bureau has sought to provide 
the maximum protection for confidential information, while ensuring its 
ability to share or disclose information to the extent necessary to 
achieve its mission. The Bureau has included detailed procedures in its 
final rule in order to promote transparency regarding its practices and 
anticipated uses of confidential information.
    The Bureau has sought to balance concerns regarding the need to 
protect confidential information, including sensitive personal 
information, business information, confidential investigative 
information (CII) and confidential supervisory information (CSI), 
against the need to use and disclose certain information in the course 
of its work or, as appropriate, the work of other agencies with 
overlapping statutory or regulatory authority.
    The Bureau has revised subpart D to clarify, correct, and amend 
certain aspects of the rule based on its experience over the last 
several years. In response to comments, the Bureau has declined to 
finalize, or has further revised, several of the revisions initially 
proposed in its notice of proposed rulemaking. In particular, the 
Bureau has in part declined to finalize, and in part further revised, 
its proposal to address disclosure of confidential investigative 
information in Sec.  1070.42. In addition, the Bureau has declined to 
finalize its proposal to revise its standard for discretionary 
disclosure of confidential supervisory information to partner agencies 
under Sec.  1070.43(b)(1).

III. Overview of Comments Received

    The Bureau received twenty-seven comment letters in response to the 
notice of proposed rulemaking. Twenty-three of the comments addressed 
its proposal related to the confidential treatment of Bureau 
information, including proposed definitions in subpart A and proposed 
revisions to subpart D.\1\ Twelve of these comment letters were 
submitted on behalf of industry trade associations. Three of these 
comment letters came from public interest organizations; two comment 
letters from individual financial institutions; one comment letter from 
a consumer advocacy organization; one comment letter from a consulting 
organization; one comment letter from an individual; two comment 
letters from a member of Congress; and one comment letter from a group 
of State attorneys general.
---------------------------------------------------------------------------

    \1\ The Bureau received four comment letters that only addressed 
its proposal related to the Freedom of Information Act. The Bureau 
also received one comment letter that was unrelated to the notice of 
proposed rulemaking.
---------------------------------------------------------------------------

    Commenters generally expressed concerns about whether the rule, as 
proposed, would sufficiently protect sensitive information, including 
CSI. In particular, numerous commenters took issue with the Bureau's 
proposal to expand discretion under 12 CFR 1070.43(b) to disclose CSI 
to agencies that may not have ``jurisdiction'' over the supervised 
financial institution. Commenters also expressed concerns with a 
proposed new definition of ``agency'' in 12 CFR 1070.2, which they 
believed to be overly broad. Commenters expressed a variety of policy 
concerns with these proposals, and a number of commenters argued that 
the Bureau lacks statutory authority to make these revisions, 
disagreeing with the Bureau's interpretation of 12 U.S.C. 5512(c)(6), 
which was articulated in support of the proposal. One commenter 
expressed support for the Bureau expanding its discretion to disclose 
CSI.

[[Page 75195]]

    A number of commenters also expressed concerns about a Bureau 
proposal to expand 12 CFR 1070.42 to address the Bureau's disclosure of 
CII in the course of its enforcement activities, and limitations on 
further disclosure of CII. Several of these commenters argued that the 
proposal's restrictions on further disclosure of CII would constitute a 
content-based restriction and a prior restraint on speech and would run 
afoul of the First Amendment's free speech protections. Commenters also 
articulated various reasons why a recipient of CII may need or want to 
further disclose CII.
    Comment letters expressed various other concerns regarding the 
Bureau's proposal as well. These included concerns with, among other 
things, a proposal to eliminate a requirement that Bureau contractors 
and consultants provide written certification that they will comply 
with legal requirements associated with confidential information; a 
proposal that would have allowed the Bureau to disclose CSI or CII 
concerning a person to its service providers; proposed changes to 
Bureau procedures for processing requests from partner agencies for 
confidential information; a proposed change to procedures regarding 
Bureau disclosure of confidential information to Congress; a proposal 
that would have allowed the Bureau to disclose confidential information 
``related to'' an administrative or court proceeding to which the 
Bureau is a party; and a proposal to require persons in possession of 
confidential information to report to the Bureau improper disclosures 
of confidential information.

IV. Legal Authority

    The Bureau proposed the rule pursuant to its authority under (1) 
title X of the Dodd-Frank Act, 12 U.S.C. 5481 et seq., including (a) 
section 1022(b)(1), 12 U.S.C. 5512(b)(1); (b) section 1022(c)(6)(A), 12 
U.S.C. 5512(c)(6)(A); and (c) section 1052(d), 12 U.S.C. 5562(d); (2) 
the Freedom of Information Act, 5 U.S.C. 552; (3) the Privacy Act of 
1974, 5 U.S.C. 552a; (4) the Right to Financial Privacy Act, 12 U.S.C. 
3401 et seq.; (5) the Trade Secrets Act, 18 U.S.C. 1905; (6) 18 U.S.C. 
641; (7) the Paperwork Reduction Act, 44 U.S.C. 3501 et seq., and (8) 
the Federal Records Act, 44 U.S.C. 3101. The Bureau received no 
comments on the applicability of these statutes, and it promulgates the 
final rule pursuant to these authorities.

V. Section-by-Section Analysis

Part 1070--Disclosure of Records and Information

Subpart A--General Provisions and Definitions
Section 1070.2--General Definitions
Proposed Section 1070.2(a) Agency
    In the notice of proposed rulemaking, the Bureau proposed adding a 
new definition, ``agency,'' which it proposed to include ``a Federal, 
State, or foreign governmental authority or an entity exercising 
governmental authority.'' The Bureau declines to finalize this 
proposal.
    As previously drafted, Sec.  1070.43 provided the Bureau with 
discretion to share confidential information with Federal or State 
agencies in certain circumstances. The proposed definition, combined 
with proposed revisions to Sec. Sec.  1070.43 and 1070.45, was intended 
to clarify the Bureau's ability to share confidential information with 
a broader category of entities with whom the Bureau may at times 
collaborate in the course of carrying out its authorities under Federal 
consumer financial laws. The Bureau stated in its proposal that this 
could include registration and disciplinary organizations like State 
bar associations. Proposed revisions to Sec.  1070.47 also expanded 
protections for confidential information disclosed under subpart D to 
include information shared with these additional entities. Finally, the 
Bureau proposed additional technical corrections throughout the rule to 
account for use of the new term.\2\
---------------------------------------------------------------------------

    \2\ The Bureau also proposed renumbering the definitions in 
Sec.  1070.2 to account for the addition and subtraction of various 
definitions.
---------------------------------------------------------------------------

    The Bureau received a number of comment letters regarding this 
proposed definition, with particular emphasis on its interaction with 
proposed revisions to Sec.  1070.43 regarding the Bureau's 
discretionary disclosure of confidential information (including 
confidential supervisory information) to other agencies.\3\ Commenters 
largely took issue with the proposed definition's inclusion of 
``entit[ies] exercising governmental authority,'' though several 
expressed concerns regarding its inclusion of ``foreign governmental 
authorit[ies]'' as well.
---------------------------------------------------------------------------

    \3\ See below for discussion of comments regarding proposed 
Sec.  1070.43(b)(1).
---------------------------------------------------------------------------

    Several commenters stated that the proposed definition was overly 
broad. Commenters expressed concerns that non-governmental entities may 
lack jurisdiction over the persons that initially provided information 
to the Bureau, and that foreign agencies may not be subject to United 
States law. For example, one comment letter, from a group of industry 
trade associations, criticized the proposal's inclusion of ``entit[ies] 
exercising governmental authority'' as ``limitless;'' it stated that 
the Bureau provided no limitation on its interpretation of the term, 
and suggested that, in addition to State bar associations, it could 
include medical societies, national associations of State regulatory 
bodies (such as insurance or utility commissioners), or municipal 
entities (such as housing or transportation authorities). Another 
commenter suggested that the term could include quasi-governmental 
organizations such as State or local task forces, boards, commissions, 
licensing bodies, ombudsmen, self-regulatory organizations, or courts. 
Two industry trade association commenters questioned how confidential 
information from financial institutions could be relevant to entities 
like State bar associations--such as where the institution does not 
engage in the practice of law, or where the entity would not generally 
have authority over financial institutions.
    One comment letter, from an industry trade association, criticized 
the proposed definition as outside the intended and normal usage of the 
term ``agency.'' It argued that the term unambiguously means a 
governmental entity with legal authority to supervise and regulate the 
individual or company to whom confidential supervisory information 
relates, and the Bureau lacks authority to expand the definition to 
include entities that, in the commenter's view, are clearly not 
agencies. It stated that while a State bar association may exercise 
governmental authority, it is a non-governmental, voluntary 
professional membership organization, and is not an agency. The 
commenter also analogized that the term ``agency,'' when used in the 
regulatory context (such as in the Administrative Procedure Act, 5 
U.S.C. 551) refers to entities with administrative legal authority, and 
that section 342(g) of the Dodd-Frank Act defines ``agency'' to refer 
to specific financial regulatory bodies.\4\
---------------------------------------------------------------------------

    \4\ Section 342 of the Dodd-Frank Act establishes Offices of 
Minority and Women Inclusion in enumerated Federal financial 
regulators.
---------------------------------------------------------------------------

    Several commenters expressed concerns about the Bureau's authority 
to promulgate the proposed definition. One comment letter, from an 
industry trade association, stated that there is no legislative history 
to support a conclusion that the Bureau has discretion to share 
confidential

[[Page 75196]]

information with ``entities exercising governmental authority.'' Two 
comment letters, from an industry trade association and a group of 
industry trade associations, argued that 12 U.S.C. 5512(c)(6), which 
discusses Bureau disclosure of CSI to certain agencies, does not 
mention non-U.S. agencies or quasi-governmental authorities. One 
comment letter, from a member of Congress, suggested that the Bureau's 
proposed definition was meant to unlawfully expand its authority to 
share confidential supervisory information with entities that lack 
jurisdiction over the companies, including foreign regulators and 
entities that exercise governmental authority.
    Several comment letters from industry trade associations argued 
that the Bureau's proposal provides insufficient rationale for, or 
clarity regarding, its proposed definition. One of these commenters 
suggested that sharing confidential supervisory information with non-
regulatory or non-governmental entities is unnecessary for enforcement 
or supervisory purposes. Another commenter suggested that the Bureau 
publish a list of entities ``exercising governmental authority,'' and 
concrete examples about how the Bureau intends to share confidential 
information with them and how such sharing would advance the Bureau's 
purposes. This commenter also suggested that the Bureau provide more 
information regarding its procedures for sharing information with 
foreign agencies and create a procedure for institutions to challenge a 
proposed disclosure with a presumption in favor of nondisclosure.
    The Bureau also received two comment letters, from a group of 
industry trade associations and an industry trade association, raising 
concerns that non-regulatory or non-governmental entities may have 
insufficient information security, protections, controls, or expertise 
to protect the Bureau's confidential information. A third comment 
letter, from a financial institution, expressed similar concerns that 
the disclosure of confidential information to such entities could 
unintentionally result in exposing the information to the public. One 
comment letter, from an industry trade association, suggested that the 
disclosure of confidential information to bar associations would lead 
to further disclosure to the plaintiffs' bar and use in litigation 
against the financial institution at issue.
    One comment letter, from a group of industry trade associations, 
suggested that the proposed definition could raise tensions with other 
laws. It stated that the proposal would lead to financial institutions 
``effectively sharing information in a manner that is inconsistent'' 
with Regulation P, 12 CFR part 1016, and the Gramm-Leach-Bliley Act, 15 
U.S.C. 6801 et seq., because it would enable certain entities to obtain 
data that they could not otherwise obtain from the financial 
institution itself. The commenter also suggested that the proposal 
would allow sharing of confidential information, including personally 
identifiable information about non-U.S. individuals, in a manner that 
could be inconsistent with non-U.S. privacy rules and other non-U.S. 
laws, though it did not identify specific laws or explain how the 
proposal would conflict.
    Finally, one commenter expressed concern regarding the Bureau's 
inclusion of foreign regulators in its proposal, noting that the 
proposal differed from the Federal Trade Commission's (FTC's) 
practices, which include certain restrictions on disclosures to foreign 
governments.
    In response to the comments received, the Bureau declines to 
include the proposed definition, ``agency,'' in the final rule. The 
Bureau likewise declines to finalize the technical corrections and 
renumbering proposed to account for the new definition. Any use of the 
word ``agency(ies)'' in subpart D will not be capitalized because the 
final rule does not define the term.
    The proposal's inclusion of ``entit[ies] exercising governmental 
authority'' had been intended primarily to facilitate limited and 
occasional collaboration in the course of carrying out the Bureau's 
enforcement activities. However, the Bureau recognizes that the defined 
term's use in provisions that address its disclosure of confidential 
supervisory information could give the impression that the Bureau 
intends to disclose confidential supervisory information to these 
entities as well. The Bureau also recognizes that the potential breadth 
of the proposal could create uncertainty and undermine confidence that 
information provided to the Bureau will be used and protected 
appropriately. In light of the minimal benefit of finalizing the 
proposal, relative to these concerns and others expressed in the 
comments received, the Bureau declines to include this proposed text in 
the final rule.
    The Bureau included ``foreign governmental authorit[ies]'' in the 
proposed definition because Bureau enforcement and supervisory 
activities occasionally require it to coordinate with foreign 
government regulators, such as where a transnational entity engages in 
related activities in multiple jurisdictions, or where an entity abroad 
interacts with U.S. consumers from a foreign location.
    The Bureau disagrees with commenters' contention that it lacks 
statutory authority to promulgate a regulation that authorizes 
disclosure of confidential information to foreign regulators. The 
Bureau has broad authority under 12 U.S.C. 5512(c)(6)(A) to draft 
regulations regarding the confidential treatment of information that it 
obtains from persons in connection with the exercise of its authorities 
under Federal consumer financial laws. Even assuming that this 
rulemaking authority is restricted by section 5512(c)(6)(C)(ii)--which 
says the Bureau ``may, in its discretion, furnish to a prudential 
regulator or other agency having jurisdiction over a covered person or 
service provider any other report or confidential supervisory 
information concerning such person examined by the Bureau under the 
authority of any other provision of Federal law''--disclosure to 
foreign regulators is consistent with this provision. First, section 
5512(c)(6)(C)(ii) does not address, and thus does not limit disclosure 
of, confidential investigative information or other confidential 
information that is not CSI. Second, the provision's reference to 
``other agency having jurisdiction'' is not expressly restricted to 
domestic agencies and can reasonably be read to include foreign 
agencies with jurisdiction over the supervised financial institution.
    Nevertheless, while the Bureau believes that it has authority to 
disclose confidential information to foreign regulators, it declines to 
expressly address such disclosures in the rule because, historically, 
its need to make these disclosures has been extremely rare. Revising 
the regulation to allow disclosure of confidential information to 
foreign regulators under the Bureau's standard information-sharing 
processes addressed in Sec.  1070.43 risks leaving a mistaken 
impression that such disclosures will take place with regularity.
    Instead, in the event that the Bureau identifies a future need to 
share confidential information with a foreign regulator, and it cannot 
otherwise make the disclosure pursuant to subpart D, it will do so 
pursuant to Sec.  1070.46, which permits the Bureau's director to 
authorize disclosure of confidential information other than as set 
forth in subpart D. The authorization must be in writing, must 
otherwise be permitted by law, and may not be delegated. See 12 CFR 
1070.46(a), (c).
    The Bureau recognizes that disclosure of confidential information 
to a foreign

[[Page 75197]]

regulator warrants special considerations, such as the regulator's 
ability to protect the information under its country's laws. And to the 
extent that the confidential information includes sensitive 
information, such as privileged information, proprietary information, 
or consumers' personal information, the Bureau will take that into 
consideration as well and will appropriately limit the scope of its 
disclosure. The Bureau intends to exercise its discretion to disclose 
confidential information to foreign regulators with caution, subject to 
appropriate confidentiality assurances and only when needed to support 
Bureau mission needs such as enhancing consumer protection. Limiting 
such disclosures to the Director's authority under Sec.  1070.46 
reflects this commitment by requiring decision-making to take place at 
the Bureau's highest level.
    For the aforementioned reasons, the Bureau declines to finalize the 
proposed definition of ``agency.''
Section 1070.2(a) Associate Director for Supervision, Enforcement and 
Fair Lending
    The Bureau proposed adding a new definition for ``Associate 
Director for Supervision, Enforcement and Fair Lending'' in order to 
clarify the meaning of a term already used in the rule, as well as 
several times in the proposed revisions to the rule. The Bureau 
received no comments regarding this proposal, and it finalizes the 
proposal without modification.
Former Section 1070.2(e) Civil Investigative Demand Material
    Former Sec.  1070.2(e) defined the term ``civil investigative 
demand material.'' The Bureau proposed eliminating this definition and 
instead incorporating it into the definition of ``confidential 
investigative information'' in Sec.  1070.2(h). The Bureau explained 
that, because the term ``civil investigative demand material'' only 
arose in the rule in Sec.  1070.2(h), the separate definition was 
unnecessary. The Bureau received no comments regarding the elimination 
of this definition, and it finalizes the proposal without 
modification.\5\
---------------------------------------------------------------------------

    \5\ See below for discussion of comments regarding the 
definition of ``confidential investigative information'' in Sec.  
1070.2(h).
---------------------------------------------------------------------------

Section 1070.2(f) Confidential Information
    Section 1070.2(f) defines the term ``confidential information.'' 
Confidential information refers to three defined categories of non-
public information--confidential consumer complaint information, 
confidential investigative information, and confidential supervisory 
information--as well as other Bureau information that may be exempt 
from disclosure pursuant to one or more of the statutory exemptions to 
the FOIA.
    Confidential information does not include information contained in 
records that have been made publicly available or otherwise publicly 
disclosed by the Bureau. The Bureau proposed revising the definition to 
clarify that such appropriate disclosures may be made by either Bureau 
employees or other authorized agents of the Bureau. An unauthorized 
disclosure of information would not affect the information's 
confidentiality.
    In addition, the Bureau proposed revising the definition to clarify 
that confidential information disclosed to a third party in accordance 
with subpart D shall remain the Bureau's confidential information.
    The Bureau received no comments regarding this proposal, and it 
finalizes the proposal without modification.
Section 1070.2(g) Confidential Consumer Complaint Information
    Section 1070.2(g) defines the term ``confidential consumer 
complaint information.'' The Bureau proposed expanding the definition 
to include any information received or generated by the Bureau through 
processes or procedures established under 12 U.S.C. 5493(b)(3). The 
Bureau has found that its Consumer Response system at times receives 
misdirected complaints for which it lacks authority to act, or 
complaints submitted by companies rather than consumers. The proposed 
revision was intended to clarify that any complaints submitted to the 
Bureau through its Consumer Response system, and any information 
generated therein, are similarly classified under its confidentiality 
rules and subject to the same confidentiality protections. The proposal 
did not alter the prior text which limits confidential consumer 
complaint information to only include information that is exempt from 
disclosure pursuant to 5 U.S.C. 552(b).
    One comment letter, from an industry trade association, expressed 
support for this proposal, which it described as an important safeguard 
for companies that may be named erroneously in consumer complaints 
submitted to the Bureau.
    The Bureau finalizes the proposal without modification.
Section 1070.2(h) Confidential Investigative Information
    Section 1070.2(h) defines the term ``confidential investigative 
information.'' As discussed above with respect to former Sec.  
1070.2(e), the Bureau proposed incorporating the definition of ``civil 
investigative demand material'' into Sec.  1070.2(h). In addition, we 
proposed revising the term to clarify that confidential investigative 
information includes any information obtained or generated in the 
course of Bureau enforcement activities, including general 
investigative activities that may not pertain to a specific 
institution. The Bureau also proposed replacing Sec.  1070.2(h)(2)'s 
reference to ``materials'' with ``documents, materials, or records'' in 
order to parallel similar language in the definition of ``confidential 
supervisory information'' at Sec.  1070.2(i)(2).
    An industry trade association criticized this proposal, alleging 
that it would ``greatly expand'' the definition of CII. The trade 
association argued that the revision would now include any information 
that may reveal the existence of communication between the Bureau and a 
company in the enforcement context, including the existence of a civil 
investigative demand (CID). The commenter expressed concerns that any 
such information would be subject to the Bureau's discretionary 
authority to share confidential information.
    The Bureau does not agree that its proposed revisions to the 
definition of CII would significantly expand it. The Bureau merely 
proposed to incorporate the text of the definition of ``civil 
investigative demand materials'' into the definition of ``confidential 
investigative information'' to eliminate the need for a separate 
defined term. It further proposed minor revisions to refine and clarify 
the definition's text, such as making clear that CII can be obtained or 
generated in the course of general investigative activities that may 
not pertain to a specific institution. The Bureau did not propose 
substantive changes along the lines described by the commenter.
    The commenter appears to take issue with the definition's inclusion 
of information ``derived from'' materials otherwise considered CII. 
However, this text predated the notice of proposed rulemaking and it is 
not new. Other than the non-substantive replacement of the word 
``documents'' with ``materials,'' the Bureau's proposed revisions did 
not impact this text or its meaning.
    The Bureau also disagrees with the commenter's implication that 
classifying information as ``confidential investigative information'' 
reduces its protections because the Bureau has procedures for sharing 
confidential

[[Page 75198]]

information with partner agencies. On the contrary, classification of 
information as ``confidential'' restricts the Bureau's disclosure 
(rather than expanding it) because it renders the information subject 
to subpart D's protections. Where information is not considered 
``confidential,'' the rule's protections do not attach to it, and the 
Bureau may share it with agency partners without taking into account 
the limitations and protections of the rule.
    For the aforementioned reasons, the Bureau finalizes the proposal 
without modification.
Section 1070.2(i) Confidential Supervisory Information
    Section 1070.2(i) defines the term ``confidential supervisory 
information.'' The Bureau proposed revising Sec.  1070.2(i)(1)(i) to 
clarify that the term includes supervisory letters and similar 
documents. Since adopting the current definition of ``confidential 
supervisory information,'' the Bureau has refined the formats it uses 
for summarizing and memorializing the results of an examination or 
other supervisory review of a supervised financial institution. The 
Bureau currently issues different types of documents, including 
examination reports and supervisory letters, to convey the results of 
its examinations and other supervisory reviews. These documents are the 
property of the Bureau and are provided to the supervised financial 
institution for its confidential use only.
    In addition, the Bureau proposed revising Sec.  1070.2(i)(1)(ii) to 
state that, in addition to ``documents'' prepared by, or on behalf of, 
or for the use of the Bureau or any other Federal, State, or foreign 
government agency in the exercise of its supervisory authority over a 
financial institution, confidential supervisory information also 
includes ``materials[ ] or records'' prepared by, or on behalf of, or 
for the use of the Bureau or any other Federal, State, or foreign 
government agency in the exercise of its supervisory authority over a 
financial institution. This revision was intended to clarify that any 
such physical materials can include confidential supervisory 
information, regardless of the format. Likewise, the Bureau proposed 
revising the definition to include information derived from such 
``materials[ ] or records.'' We noted in the notice of proposed 
rulemaking that information ``derived'' from such documents, materials, 
or records could include either physical materials (such as other 
documents, materials, or records) or information known to individuals 
(such as oral testimony or interviews based on knowledge gleaned from 
the documents, materials, or records).
    In addition, the Bureau proposed revising Sec.  1070.2(i)(1)(iv) to 
delete the reference to information collected using the Bureau's 
authority to monitor for risks to consumers in the offering or 
provision of consumer financial products or services under 12 U.S.C. 
5512(c)(4) (sometimes referred to as the Bureau's ``market monitoring'' 
authority). The Bureau explained that, in accordance with the 
definition of ``confidential information'' in Sec.  1070.2(f), market 
monitoring information would continue to be classified and protected as 
``confidential information'' to the extent that it is exempt from 
disclosure pursuant to one or more of the statutory exemptions to the 
FOIA.
    The Bureau proposed replacing the ``market monitoring'' reference 
in Sec.  1070.2(i)(1)(iv) with new language stating that confidential 
supervisory information includes information obtained by the Bureau 
``for purposes of detecting and assessing risks to consumers and to 
markets for consumer financial products or services pursuant to 12 
U.S.C. 5514(b)(1)(C), 5515(b)(1)(C), and 5516(b).'' The purpose of this 
revision was to clarify that confidential supervisory information 
continues to include information obtained by the Bureau under its 
supervisory authorities at 12 U.S.C. 5514(b)(1)(C), 5515(b)(1)(C), and 
5516(b). The Bureau had previously interpreted Sec.  1070.2(i)(1)(iv) 
to address information obtained using these authorities as well as 
information obtained using its market monitoring authority, and the 
proposal was intended to retain the former, but exclude the latter.
    Finally, the Bureau proposed deleting Sec.  1070.2(i)(2), which 
previously stated that confidential supervisory information does not 
include documents prepared by a supervised financial institution for 
its own business purposes and that the Bureau does not possess. This 
provision was intended to prevent any implication that a supervised 
financial institution's copies of internal documents would be deemed to 
be confidential supervisory information on the grounds that those 
documents had been submitted to the Bureau in the course of a Bureau 
supervisory process. The Bureau explained that because this 
interpretation already follows from the other provisions of the rule, 
including the definition of ``confidential supervisory information,'' 
the explicit inclusion of this exception is unnecessary. The Bureau 
proposed renumbering Sec.  1070.2(i) in light of this revision.
    In response to the Bureau's proposal, one comment letter, from a 
group of industry trade associations, requested further guidance 
regarding the type of information that the Bureau considers to be 
``derived from'' confidential supervisory information and therefore 
subject to the term's definition. For example, in a scenario where a 
supervised financial institution undertakes a project in response to 
Bureau concerns expressed in the course of supervision, the commenter 
asked whether the institution's work plan would be considered CSI. The 
commenter stated that such guidance is particularly important in light 
of the Bureau's proposal to delete Sec.  1070.2(i)(2), which previously 
stated that confidential supervisory information does not include 
documents prepared by a supervised financial institution for its own 
business purposes and that the Bureau does not possess.
    Where a supervised financial institution generates an internal work 
plan as part of its efforts to address Bureau supervisory concerns, 
information in the work plan that is ``derived from'' the types of 
documents, materials, or records described in Sec.  1070.2(i)(1) and 
(2) is CSI. For example, an internal document may reveal a Bureau 
compliance rating, a Bureau supervisory finding, a supervisory ``Matter 
Requiring Attention,'' or other confidential information that is 
contained in documents, materials, or records prepared by, or on behalf 
of, or for the use of the Bureau. This information is CSI even where it 
is contained in an internal document that is not shared with the Bureau 
(for example, minutes of an internal discussion).
    Certain work plans or other documents generated by a supervised 
financial institution in the course of a project undertaken in response 
to Bureau supervision may constitute CSI because they are ``prepared . 
. . for the use of the [Bureau]'' as described in Sec.  1070.2(i)(2). 
For example, updates or progress reports generated at the request of 
the Bureau and submitted to the Bureau by an institution as part of the 
Bureau supervisory process are generally CSI.
    On the other hand, work plans or other internal documents such as 
official business policies are not ``derived from'' the types of 
documents, materials, or records described in Sec.  1070.2(i)(1) and 
(2) simply because they are created, adopted, or modified in response 
to Bureau supervision. A

[[Page 75199]]

work plan that does not reveal the content or existence of confidential 
supervisory communications need not be treated as containing CSI.
    In addition, as explained above, the Bureau does not intend the 
deletion of Sec.  1070.2(i)(2) to substantively alter the meaning of 
``confidential supervisory information.'' Rather, we consider the 
paragraph to be superfluous because its substance is implied by the 
remainder of the rule. The Bureau does not consider ``confidential 
supervisory information'' to include documents prepared by a supervised 
financial institution for its own business purposes, which do not 
include communications or information about the Bureau's supervisory 
process, and that the Bureau does not possess. As the Bureau explained 
in its notice of proposed rulemaking, should a supervised financial 
institution submit copies of such documents to the Bureau in the course 
of a Bureau supervisory process, the copies of the documents in the 
Bureau's possession would be Bureau confidential supervisory 
information. However, submission of those documents to the Bureau does 
not convert the copies of those documents that are in the possession of 
the financial institution into Bureau confidential information.
    To the extent that institutions have additional questions along 
these lines, the Bureau encourages them to contact appropriate Bureau 
regional staff for further guidance.
    In addition to the request for guidance, the Bureau received two 
comment letters from industry trade associations that expressed 
concerns with the proposal's removal of information collected using the 
Bureau's market monitoring authority at 12 U.S.C. 5512(c)(4) from the 
definition of ``confidential supervisory information.'' One commenter 
expressed concerns that removing market monitoring information from the 
definition of CSI could result in disclosure of market monitoring 
information under the Freedom of Information Act. It argued that FOIA 
exemptions that do not pertain to confidential supervisory information 
provide less protection because they are subject to more agency 
discretion.
    The second commenter disagreed with the Bureau's reasoning, 
expressed in the notice of proposed rulemaking, that it is unnecessary 
to classify market monitoring information as CSI where the information 
is not used for supervisory purposes. The commenter argued that, with 
respect to supervised financial institutions, the Bureau has authority 
to collect the same information either through its market monitoring 
authority at 12 U.S.C. 5512(c)(4) or through its various supervisory 
authorities, and it expressed concerns that these different methods 
would provide different protections.
    With respect to the first comment, the Bureau does not agree that 
re-classifying categories of confidential information in the rule would 
alter the applicability of exemptions under the FOIA. The FOIA 
establishes a judicially enforced statutory regime that is distinct 
from the Bureau's treatment of confidential information. The FOIA 
exemption that pertains to the supervision of financial institutions, 5 
U.S.C. 552(b)(8) (Exemption (b)(8)), exempts from disclosure records 
``contained in, or related to, examination, operating, or condition 
reports prepared by, on behalf of, or for the use of an agency 
responsible for the regulation or supervision of financial 
institutions.'' Market monitoring information, which may be unrelated 
to the Bureau's supervision of financial institutions, is not 
necessarily subject to this exemption, regardless of whether the Bureau 
has a regulation that labels it ``confidential supervisory 
information.''
    If Exemption (b)(8), or any other FOIA exemption, applies to market 
monitoring information, then under the Bureau's proposal it will be 
protected both from disclosure under the FOIA and pursuant to the 
Bureau's confidentiality rules. However, categorically classifying 
market monitoring information as CSI would not prevent the 
information's disclosure pursuant to a FOIA request in the event that 
no FOIA exemption can apply to it--for example, information collected 
for a study that is publicly available on the internet. The comment's 
conflation of the FOIA and the Bureau's independent confidentiality 
protections highlights the need for the proposed revision, in order to 
improve transparency and manage expectations related to the protections 
that attach to information collected by the Bureau.
    The Bureau disagrees with the second commenter's argument as well. 
The comment letter correctly states that the Bureau could, conceivably, 
collect certain information under its 12 U.S.C. 5512(c)(4) market 
monitoring authority, or its 12 U.S.C. 5514(b), 5515(b), or 5516(b) 
supervisory authorities. While the commenter suggests that this 
counsels treating the information the same in all events, the Bureau 
thinks otherwise. Congress intentionally drafted the Dodd-Frank Act to 
provide the Bureau with distinct authorities to collect information for 
distinct purposes. The Bureau's proposal would categorize information 
in accordance with the authority used to collect the information and 
the information's intended use. Rather than conflating its authorities 
and uses, the proposal would improve transparency about the Bureau's 
classification and treatment of information.
    Furthermore, even if the Bureau does not label it ``confidential 
supervisory information,'' market monitoring information will continue 
to be protected as confidential information to the extent that it is 
exempt from disclosure under the FOIA--in particular, information that 
contains confidential business information or personal information. See 
5 U.S.C. 552(b)(4) & (6). Such information would largely be subject to 
the same protections accorded to CSI by the Bureau's confidentiality 
rules. And for the reasons already discussed, classifying this 
information as Bureau CSI would not protect it from disclosure under 
the FOIA to the extent that it is not actually subject to any exemption 
to the FOIA.
    For the aforementioned reasons, the Bureau finalizes the proposal 
without modification.
Section 1070.2(k) Employee
    Section 1070.2(k) defines the term ``employee.'' The Bureau 
proposed revising the definition to clarify that, for purposes of this 
rule, Bureau ``employees'' include certain contract personnel and 
employees of the Bureau's Inspector General.
    The Bureau received one comment letter, from an industry trade 
association, expressing concern that classifying employees of the 
Bureau's Inspector General as ``employees'' could restrict the 
employees' ability to disclose confidential information and impair 
their ability to perform their jobs. For example, the commenter argued 
that Sec.  1070.41 could prevent the Bureau's Inspector General from 
publishing reports regarding the Bureau's examination or supervision 
process, or other internal workings of the Bureau.
    The Bureau disagrees with this commenter's concerns. Classifying 
employees of the Bureau's Inspector General as ``employees'' under the 
rule clarifies that Inspector General employees may access confidential 
information consistent with the rule. Furthermore, the Bureau does not 
agree with the commenter's concerns regarding Sec.  1070.41's 
restrictions, as Sec.  1070.41(c) allows for the publication of reports 
derived from confidential information to the extent that they do not 
identify, either directly or indirectly, any particular person to

[[Page 75200]]

whom the information pertains. This concern is also addressed by 
proposed Sec.  1070.48, which states that subpart D does not prohibit 
the Inspector General's office from disclosing confidential information 
``as needed in accordance with the Inspector General Act of 1978, 5 
U.S.C. App. 3.'' \6\
---------------------------------------------------------------------------

    \6\ See below for additional discussion of comments regarding 
disclosures of confidential information by the Inspector General's 
office under Sec.  1070.48.
---------------------------------------------------------------------------

    For the aforementioned reasons, the Bureau finalizes this proposal 
without modification.
Subpart D--Confidential Information
Section 1070.41 Non-Disclosure of Confidential Information
Section 1070.41(b) Disclosures to Contractors and Consultants
    Section 1070.41(b) provides that contractors and consultants may 
only receive confidential information if they certify in writing to 
treat the confidential information in accordance with these rules, 
Federal laws and regulations that apply to Federal agencies for the 
protection of the confidentiality of personally identifiable 
information and for data security and integrity, as well as any 
additional conditions or limitations that the Bureau may impose. The 
Bureau proposed removing the certification requirement and replacing it 
with an affirmative statement that contractors and consultants are 
required to follow the obligations previously identified in the 
certification. The Bureau explained in its proposal that this revision 
was intended to clarify that contractors and consultants are subject to 
Sec.  1070.41(b)'s requirements irrespective of any affirmative 
certification. The Bureau will further revise its proposal in the final 
rule.
    In response to this proposal, the Bureau received one comment 
letter, from an industry trade association, stating that contractors 
and consultants should continue to be required to provide the written 
certification, to help them understand the gravity of their access to 
confidential information, and so their nondisclosure obligations can be 
more easily enforced. The commenter suggested that the Bureau can 
provide the clarity articulated in its notice of proposed rulemaking 
while continuing to require such certifications.
    The Bureau agrees with the commenter that it is a best practice for 
contractors and consultants to provide a written certification that 
they will follow the Bureau's confidentiality rules. The Bureau also 
agrees that this provision can be revised further to both clarify 
contractors' and consultants' obligations and retain the current 
certification requirement. The Bureau thus revises the proposed 
language by adding an additional sentence after the proposed text: 
``CFPB contractors or consultants may receive confidential information 
only if such contractors or consultants certify in writing to treat 
such confidential information in accordance with these requirements.'' 
This will retain the current certification requirement while addressing 
the need for clarity identified in the notice of proposed rulemaking.
Section 1070.41(c) Disclosures of Materials Derived From Confidential 
Information
    Section 1070.41(c) addresses the disclosure of materials derived 
from confidential information. It requires that, when the Bureau 
discloses such materials, they may not directly or indirectly identify 
any particular person to whom the confidential information pertains. 
The Bureau proposed replacing the phrase ``[n]othing in this subpart 
shall limit the discretion of the CFPB'' with ``[t]he CFPB may . . .'' 
in order to clarify that Sec.  1070.41(c) authorizes such disclosure by 
the Bureau. The Bureau received no comments regarding this proposal, 
and it finalizes the proposal without modification.
Section 1070.41(d) Disclosures of Confidential Information With Consent
    The Bureau proposed a new paragraph that, where practicable, 
authorizes the Bureau to, upon receipt of prior consent, disclose 
confidential information that directly or indirectly identifies 
particular persons. The proposed provision would require consent from 
all such persons to the extent that the identification constitutes 
confidential information, and any such disclosure would have to comply 
with applicable law. In the event that the person is a minor child or 
otherwise lacks capacity to give consent, consent can be provided on 
that person's behalf by someone with legal authority to give it, such 
as a parent or guardian, where applicable. The Bureau explained in its 
notice of proposed rulemaking that it may at times be useful to 
disclose such information in order to achieve the Bureau's mission 
objectives, and that by conditioning disclosure on consent, affected 
persons' interests would be appropriately protected. The Bureau also 
clarified that this new provision is intended to serve as a distinct 
authority for disclosure, and that it would in no way impact other 
methods of disclosure currently addressed in the rule, such as in Sec.  
1070.43. The Bureau proposed renumbering the section to account for the 
new paragraph.
    The Bureau received no comments regarding this proposal, and it 
finalizes the proposal without modification.
Section 1070.41(e) Nondisclosure of Confidential Information Belonging 
to Other Agencies
    Section 1070.41(e) previously provided that nothing in subpart D 
requires or authorizes the Bureau to disclose confidential information 
that it has received from other agencies where such disclosure would 
contravene applicable law or conflict with any agreement between the 
CFPB and the provider agency. The Bureau further revises this provision 
in the final rule to address concerns about this provision raised in a 
comment letter.
    The Bureau proposed replacing the word ``disclosability'' in the 
paragraph's title with ``nondisclosure'' in order to clarify that this 
provision protects the confidentiality of other agencies' confidential 
information; the Bureau explained in its proposal that it did not 
intend the revision to substantively change the provision. The Bureau 
received no comments regarding its proposed revision to the paragraph's 
title.
    However, the Bureau did receive one comment letter, from a 
consulting organization, which noted that the Bureau can at times 
obtain prudential regulators' CSI from financial institutions. The 
commenter expressed concern that the Bureau could potentially disclose 
that CSI via other provisions of the rule in ways in which the 
originating prudential regulator might disagree.
    The commenter correctly pointed out that, whereas Sec.  1070.41(e), 
as proposed, addressed information provided directly to the Bureau by 
another agency, it was silent regarding other agencies' information 
that the Bureau might obtain indirectly from a third party. The Bureau 
sees value in providing assurances, to other regulators and to 
regulated entities, that Sec.  1070.41(e) applies regardless of whether 
the Bureau received the information from the agency itself or from a 
third party.
    To that end, the Bureau is revising the paragraph's text in the 
final rule. Rather than referencing ``confidential information that 
another agency has provided to the CFPB,'' the paragraph will instead 
pertain to ``confidential information belonging to another agency that 
has been provided to the CFPB (either directly or through a holder of 
the information such as a financial institution).'' The Bureau likewise

[[Page 75201]]

revises the paragraph's title to reflect this revision.
    The paragraph further states that the CFPB will not disclose 
confidential information belonging to another agency ``to the extent 
such disclosure contravenes applicable law or the terms of any 
agreement that exists between the CFPB and the agency to govern the 
CFPB's treatment of information that the agency provides to the CFPB.'' 
The Bureau understands the ``applicable law'' reference to include 
limits on its further disclosure of information in accordance with 
other agencies' regulations related to confidential treatment of 
information. See, e.g., 12 CFR 261.20(a); 12 CFR 4.37(b); 12 CFR 
309.6(a); 12 CFR 792.31. We note, though, that Sec.  1070.41(e) does 
not limit the Bureau's use and disclosure of business records or other 
company materials simply because that information has also been 
provided to another agency.
Section 1070.42 Disclosure of Confidential Supervisory Information and 
Confidential Investigative Information
    Section 1070.42 previously provided that the Bureau may, in its 
discretion, disclose confidential supervisory information concerning a 
supervised financial institution or its service providers to that 
supervised financial institution or its affiliates. In addition, Sec.  
1070.42 provided that, unless directed otherwise by the Bureau's 
Associate Director for Supervision, Enforcement and Fair Lending or by 
his or her delegee, any supervised financial institution in possession 
of confidential supervisory information pursuant to this section may 
further disclose the information to certain recipients, subject to 
certain conditions.
    In its notice of proposed rulemaking, the Bureau proposed several 
discrete changes to this section. First, it proposed expanding the 
scope of Sec.  1070.42 to also address the Bureau's disclosure of CII 
in the course of its enforcement activities, as well as the further 
disclosure of CII by recipients of the information. Second, the Bureau 
proposed revising Sec.  1070.42(a) to provide that, in addition to 
disclosing information concerning a person, its affiliates, or its 
service providers to that person or its affiliates, the Bureau may also 
disclose such information to that person's service providers. Third, 
the Bureau proposed revising Sec.  1070.42(b)(2) to allow disclosure of 
information to insurance providers in certain circumstances without 
first seeking permission from the CFPB. Finally, the Bureau proposed 
removing references to the Associate Director for Supervision, 
Enforcement and Fair Lending's delegee, which was rendered unnecessary 
due to the new definition of the term ``Associate Director for 
Supervision, Enforcement and Fair Lending'' in Sec.  1070.2. Each of 
these discrete proposals, and the comments responding to them, will be 
addressed in turn.
    The majority of the comments submitted to the Bureau regarding 
Sec.  1070.42 pertained to its proposal to expand the section's scope 
to address enforcement activities. In response to comments received, 
the Bureau in part declines to finalize, and in part further revises, 
this proposal.
    As the Bureau explained in its notice of proposed rulemaking, it 
proposed this revision to lend clarity (1) to how the Bureau discloses 
CII in the course of its enforcement activities, and (2) regarding 
financial institutions' discretion to further disclose CII. This was 
intended to reduce confusion caused by the dynamic in the previously 
promulgated rule, which provided explicit and detailed instructions in 
the supervisory context, but lacked such specificity in the enforcement 
context. The Bureau's proposed solution was to mirror the CSI 
instructions with respect to CII.
    The Bureau received a number of comment letters expressing concerns 
about the proposal's limitations on further disclosure of CII. In 
particular, the Bureau received seven comment letters--four from 
industry trade associations, two from public interest organizations, 
and one from a member of Congress--arguing that the proposal would 
infringe on free speech rights protected by the First Amendment. They 
stated that the proposal's requirement to obtain permission from the 
Bureau prior to further disclosing CII (other than as permitted in the 
section) would constitute a content-based restriction and a prior 
restraint on speech. For such restrictions to be constitutionally 
valid, they must be narrowly tailored to meet a compelling government 
interest, and commenters argued that the Bureau's proposal does not 
meet this test. Commenters also stated that courts and Congress have 
required procedural safeguards where agencies have imposed limitations 
on further disclosure of information regarding their investigative 
activities, and that the Bureau's proposal did not include such 
procedures.
    These comment letters also described free speech benefits that 
commenters believed the proposal would harm. For example, commenters 
noted that entities may need to further disclose CII to meet 
contractual obligations and for other business dealings; to consult 
with others who may have information relevant to the investigation 
(such as former employees of the institution); to seek guidance or 
assistance from a trade association; and to complain to the press, the 
public and elected officials about perceived government misconduct. 
Commenters noted that free speech in this context promotes the public 
interest by enabling accountability and oversight of government, and in 
turn discouraging government overreach.
    In addition, two industry trade association commenters and one 
financial institution commenter argued that the Bureau provided 
insufficient rationale for its proposal, such as that the Bureau did 
not detail the confusion that its proposal was intended to resolve. 
Finally, two commenters--an industry trade association and a member of 
Congress--argued that the Bureau lacks authority to promulgate its 
proposal because, in their view, the Bureau's statutory authority for 
its rule only limits the Bureau's own disclosures of information. One 
comment letter, from a public interest organization, encouraged the 
Bureau to state in its final rule that a recipient of CII in the course 
of an enforcement investigation is not prohibited from further 
disclosing the CII.
    The Bureau received one comment letter from a financial institution 
that was supportive of this proposal because it would lend clarity 
regarding treatment of CII.
    The Bureau has evaluated the comments that it received regarding 
this proposal, and it declines to finalize Sec.  1070.42 as proposed.
    As explained above, the two purposes of this proposal were to 
clarify (1) how the Bureau discloses CII in the course of its 
enforcement activities, and (2) financial institutions' discretion to 
further disclose CII. Rather than finalize its proposal in full, the 
Bureau will finalize it in part, and will further revise the section's 
text in part, in order to achieve these purposes while taking into 
account the comments that it received.
    First, in order to clarify how the Bureau discloses CII in the 
course of its enforcement activities, the Bureau will finalize its 
proposed revisions to paragraph (a), which addresses the Bureau's own 
disclosure of confidential supervisory information and confidential 
investigative information (subject to additional revisions related to 
disclosures to service providers, discussed below). Although commenters 
were largely critical of proposed limits

[[Page 75202]]

on further disclosure of CII, comment letters did not express concerns 
about the Bureau clarifying its own discretion to disclose CII in the 
course of its enforcement activities.
    Second, the Bureau declines to expand paragraph (b)--which 
addresses further disclosure of CSI--to include CII. Instead, paragraph 
(b) will retain its previous scope and only address further disclosure 
of CSI. To effectuate this, the Bureau will revise the paragraph's 
title to read ``Further disclosure of confidential supervisory 
information.'' In addition, the Bureau declines to finalize its 
proposal to have all references in paragraph (b) to ``confidential 
supervisory information'' be accompanied by the phrase ``confidential 
investigative information.'' Furthermore, although the Bureau had 
proposed replacing references to ``supervised financial institution'' 
in paragraph (b) with a broader reference to ``person'' in order to 
account for recipients of CII, the Bureau declines to make this change 
because it is unnecessary if paragraph (b) only pertains to further 
disclosure of CSI. The Bureau finalizes several non-substantive 
technical revisions that it included in its proposal for clarity, and 
on which it received no comments. In addition, to clarify that 
paragraph (b) only authorizes the further disclosure of the Bureau's--
and not other agencies'--information, the Bureau revises paragraph 
(b)(3) to, like (b)(1) and (2), refer to confidential supervisory 
information ``of the CFPB;'' and it adds a new paragraph (b)(4), 
stating that nothing in paragraph (b) authorizes the disclosure of 
confidential information belonging to another agency.
    Third, in order to lend greater clarity to financial institutions' 
discretion to further disclose CII, the Bureau will include a new 
paragraph (c) in its final rule. This paragraph, titled ``Further 
disclosure of confidential investigative information,'' states that 
``[n]othing in this subpart shall prohibit any person lawfully in 
possession of confidential investigative information of the CFPB 
pursuant to paragraph (a) of this section from further disclosing that 
confidential investigative information.'' This paragraph will thus make 
clear that the Bureau's rule does not prohibit the recipients of the 
Bureau's CII under paragraph (a) from further disclosing it.\7\ The 
Bureau also inserts ``paragraph (a) of'' before two references to 
``this section'' in paragraphs (b)(1) and (2), respectively, for 
clarity and to mirror the specificity in new paragraph (c).
---------------------------------------------------------------------------

    \7\ The Bureau notes that while it disagrees with two 
commenters' arguments that its authority under the Dodd-Frank Act to 
promulgate its confidentiality rules is limited to the Bureau's own 
disclosure of information, these commenters' arguments are rendered 
moot by the Bureau's revision in the final rule.
---------------------------------------------------------------------------

    The Bureau proposed several other revisions to Sec.  1070.42 in its 
notice of proposed rulemaking that garnered fewer comments. For 
instance, the Bureau proposed revising Sec.  1070.42(a) to provide 
that, in addition to disclosing information concerning a person, its 
affiliates, or its service providers to that person or its affiliates, 
the Bureau may also disclose such information to that person's service 
providers. In proposing this change, the Bureau reasoned that such 
information may at times be relevant to supervision or enforcement 
activities related to service providers. The Bureau declines to 
finalize this proposal in the final rule.
    The Bureau received several comment letters expressing concerns 
about this proposal. Two comment letters, from an industry trade 
association and from a financial institution, expressed concern that 
disclosure of CSI or CII by the Bureau to an institution's service 
providers could lead to unintended consequences, particularly if the 
disclosure includes attorney-client privileged materials or proprietary 
information obtained from the financial institution. Another comment 
letter, from an industry trade association, argued that such 
disclosures could interfere with contractual relations between the 
financial institution and its vendors, and expressed concern that 
disclosures of preliminary allegations of wrongdoing could ``poison the 
well'' with the vendor. This commenter suggested that the financial 
institution, and not the Bureau, should determine when service 
providers should have access to confidential information.
    In response to these comments, the Bureau declines to finalize this 
proposal, and the final rule will instead contain the status quo text, 
unmodified (subject to revisions to Sec.  1070.42(a) related to the 
Bureau's disclosure of CII, discussed above), which only authorizes 
disclosure to a person or its affiliates.
    The Bureau declines to address disclosure of CSI or CII to a 
person's service provider in the rule because, historically, its need 
to make such disclosures has been extremely rare. Revising the 
regulation to allow Bureau staff to disclose such CSI or CII to service 
providers pursuant to Sec.  1070.42(a) risks leaving a mistaken 
impression that these disclosures will take place with regularity.
    Instead, in the event that the Bureau identifies a future need to 
share CSI or CII pertaining to a person with its service provider, and 
it cannot otherwise make the disclosure pursuant to subpart D, it will 
do so pursuant to Sec.  1070.46, which permits the Bureau's Director to 
authorize disclosure of confidential information other than as set 
forth in subpart D. The authorization must be in writing, must 
otherwise be permitted by law, and may not be delegated. See 12 CFR 
1070.46(a), (c).
    The Bureau anticipates that, for example, we may need to disclose 
CSI obtained from a financial institution to that institution's service 
provider in limited circumstances where we identify problems at a 
supervised service provider through the supervision of its client. We 
anticipate such disclosures to be rare, such as where CSI pertains to 
the service provider and the service provider is subject to the 
Bureau's supervisory authority. In instances such as these, where 
disclosure pertains to the Bureau's authority over the service 
provider, it should be in the Bureau's purview to make the disclosure.
    However, the Bureau appreciates commenters' concerns, such as that 
the Bureau could ``poison the well'' or otherwise make these 
disclosures in inappropriate ways or for inappropriate purposes. In 
deciding whether to use its discretion to disclose information to 
service providers, we would consider in part whether the information 
contains otherwise sensitive information, such as attorney-client 
privileged information or proprietary information, and we will limit 
the scope of disclosure as appropriate. Vesting the Director alone with 
authority to approve these disclosures under Sec.  1070.46 reflects 
this commitment by requiring decision-making to take place at the 
Bureau's highest level.
    In addition, the Bureau also proposed revising Sec.  1070.42(b)(2) 
to clarify that a person in possession of confidential information 
pursuant to this section may disclose such information to an insurance 
provider pursuant to a claim for coverage made by that person under an 
existing policy.
    The Bureau explained in its proposal that such disclosures could 
only be made if the Bureau had not precluded indemnification or 
reimbursement for the claim. The Bureau further explained that this 
revised language would only authorize disclosure to the extent 
necessary for the insurance provider to process and administer the 
claim for coverage. Further distribution or use of the information 
would be prohibited. We noted that these limitations do not foreclose 
an insurance provider from using information that has been publicly 
disclosed by the Bureau in making future underwriting determinations

[[Page 75203]]

regarding the person or for other purposes--even if that information 
was originally submitted to the insurance provider as confidential 
information under this provision.
    The Bureau received two comment letters regarding this proposal. 
One comment letter, from an industry trade association, expressed 
concerns about the proposal's limitation. It noted that insurance 
contracts may require timely notice of claims (including receipt of a 
CID or initiation of a regulatory proceeding) and argued that waiting 
to learn whether the CFPB has precluded indemnification or 
reimbursement may preclude recovery. The commenter also argued that, 
following an enforcement action, an entity may be subject to a private 
class action suit, and therefore should be permitted to disclose 
information to its insurers to obtain reimbursement for legal and other 
expenses associated with the follow-on lawsuit.
    A second comment letter, from a financial institution, suggested 
that the Bureau allow the disclosure of confidential information to 
insurance providers for the purpose of underwriting insurance coverage, 
such as directors and officers liability coverage. The commenter 
reasoned that, although an institution can seek approval from the 
Associate Director for Supervision, Enforcement and Fair Lending, this 
process would add time and uncertainty, which could impact 
institutions' ability to timely obtain insurance coverage.
    The Bureau notes that facets of these comments--that relate to the 
disclosure of CII to insurance companies--are rendered moot by 
revisions to the proposal described above. Under the final rule, Sec.  
1070.42 contains no limitations on institutions' disclosure of CII to 
an insurance company, and this appears to resolve much of the 
commenters' concerns.
    In addition, it is unclear from the industry trade group's comment 
whether the group interprets proposed Sec.  1070.42(b)(2) to require 
financial institutions, prior to disclosing information to an insurance 
provider, to first inquire as to whether the Bureau precludes 
indemnification or reimbursement for a claim. It does not. The 
provision would permit such disclosures without first seeking 
permission from the Bureau; if the Bureau has not already notified the 
financial institution that it precludes indemnification or 
reimbursement, the financial institution may make the disclosure.
    The Bureau disagrees with the second commenter's suggestion that it 
allow disclosures to insurance providers for underwriting purposes. 
Again, the provision is now limited to further disclosure of CSI, and 
the Bureau does not believe that underwriting would be an appropriate 
use of its supervisory communications and ratings. We note that the 
prudential regulators similarly concluded in 2005 that their nonpublic 
information should not be disclosed to insurance companies for 
underwriting purposes. See FDIC, Financial Institution Letter, FIL-13-
2005, ``Interagency Advisory on the Confidentiality of CAMELS Ratings 
and Other Nonpublic Supervisory Information (Feb. 28, 2005), available 
at https://www.fdic.gov/news/news/financial/2005/fil1305.html (last 
visited Oct. 8, 2020).
    For the aforementioned reasons, the Bureau finalizes this proposal 
without modification.
    Finally, the Bureau proposed to remove references to the Associate 
Director for Supervision, Enforcement and Fair Lending's delegee. The 
Bureau reasoned that such reference is no longer necessary because the 
new definition of Associate Director for Supervision, Enforcement and 
Fair Lending, located at Sec.  1070.2, includes delegees. The Bureau 
received no comments regarding this proposal, and it finalizes the 
proposal without modification.
    In addition to the comments regarding its proposed revisions to 
Sec.  1070.42, the Bureau also received a comment letter, from a group 
of industry trade associations, asking the Bureau to revise the rule to 
allow service providers to disclose CSI to the financial institutions 
to which they provide service. The current rule allows financial 
institutions to disclose CSI to their service providers, and the 
commenter suggested making this allowance reciprocal. The commenter 
reasoned that financial institutions' responsibility to monitor third-
party relationships is made more difficult if the service provider can 
withhold negative supervisory evaluations from the financial 
institution.
    The Bureau declines to make this suggested revision. The Bureau 
believes that supervisory communications with service providers could 
be undermined if the service providers knew that their clients could 
request the information. This concern is heightened with supervised 
nonbank institutions that are subject to the Bureau's supervision and 
happen to act as service providers.
    Lastly, the Bureau received one comment letter, from a group of 
industry trade associations, seeking guidance on whether the Bureau's 
rule prohibits entities from making certain disclosures pursuant to 
securities law. This issue was similarly raised in comment letters that 
argued against the proposal's limitation on further disclosure of CII 
(discussed above) due to securities law obligations.
    The Bureau agrees that further clarity on this issue would be 
helpful, as the comment letter makes clear that it is a source of 
confusion. As a preliminary matter, under Sec.  1070.42(c) of the final 
rule, there are no restrictions on institutions' further disclosure of 
CII obtained pursuant to Sec.  1070.42(a). In addition, the rule does 
not prohibit an institution from further disclosing confidential 
information, including confidential supervisory information, where such 
disclosure is otherwise required by law. See 12 CFR 1070.41(a). This 
includes where an institution determines that it is required to make a 
disclosure in order to comply with securities law. Such disclosure 
should be limited to that which is necessary to comply with securities 
law. The Bureau encourages financial institutions to reach out to 
appropriate regional staff with further questions regarding this issue.
    The Bureau notes that its discussion of the authorization to make 
disclosures under the securities laws is limited to disclosure of the 
Bureau's confidential information; with respect to confidential 
information that belongs to other regulators, financial institutions 
should consult with the regulator(s) to which the confidential 
information belongs.
Section 1070.43 Disclosure of Confidential Information to Agencies
    Section 1070.43 sets forth the circumstances in which the Bureau 
may disclose confidential information to other government agencies. The 
Bureau proposed several revisions to this section. First, as a general 
matter, the Bureau proposed to revise the section's title and subtitles 
to delete the references to ``law enforcement agencies'' and ``other 
government agencies;'' to revise the text throughout the section to 
account for the new defined term ``agency;'' and to make various other 
non-substantive technical corrections. Second, the Bureau proposed 
revising the standard, in Sec.  1070.43(b)(1), regarding the Bureau's 
discretion to disclose CSI to other agencies. Third, the Bureau 
proposed revising Sec.  1070.43(b)(2) to, among other things, move 
responsibility for acting on agency requests for confidential 
information from the Bureau's General Counsel to the Bureau's Associate 
Director for Supervision, Enforcement and Fair Lending. Fourth, the 
Bureau

[[Page 75204]]

proposed deleting Sec.  1070.43(c), which pertains to requests for 
information that is not confidential information. The Bureau also 
received a comment on proposed Sec.  1070.43(c) (formerly Sec.  
1070.43(d)) which addresses the negotiation of standing requests for 
confidential information between the Bureau and other agencies.
    The Bureau proposed revising the section's title and subtitles to 
delete the references to ``law enforcement agencies'' and 
``government'' agencies because it believed the references to be 
superfluous. Instead, the title and subtitles would reference 
``agencies.'' This was not intended to be a substantive change. The 
Bureau proposed various other non-substantive technical corrections in 
the section as well. The Bureau received no comments that directly 
address these proposed revisions, and it finalizes them without 
modification.
    The Bureau also proposed revisions throughout the section to 
account for the proposed defined term ``agency.'' \8\ For the reasons 
discussed above with respect to proposed Sec.  1070.2(a), and because 
the Bureau has declined to include the new definition in the final 
rule, the Bureau declines to finalize these proposed revisions in Sec.  
1070.43. Previous references to ``Federal or State agency'' will remain 
references to ``Federal or State agency'' without modification.
---------------------------------------------------------------------------

    \8\ See above for discussion of comments regarding the proposed 
definition of ``Agency'' in proposed Sec.  1070.2(a).
---------------------------------------------------------------------------

Section 1070.43(a)(1)
    Section 1070.43(a)(1) requires, among other things, that the Bureau 
disclose a final report of examination, including any and all revisions 
to that report, to a Federal or State agency with jurisdiction over a 
supervised financial institution, provided that the Bureau receives 
from the agency reasonable assurances as to the confidentiality of the 
information disclosed. The Bureau revises this provision in the final 
rule.
    The Bureau has previously explained that this provision implements 
12 U.S.C. 5512(c)(6)(C)(i). See 78 FR 11484, 11494, 11496 (Feb. 13, 
2013). In particular, in the preamble to its 2013 final rule, the 
Bureau concluded that section 5512(c)(6)(C)(ii)'s mandate that the 
Bureau disclose examination reports to ``State regulator[s]'' does not 
require the disclosure of CSI to a State attorney general unless that 
State attorney general regulates the covered person or service 
provider. See 78 FR 11484, 11496. The Bureau concedes that although it 
articulated this interpretation in the 2013 final rule's preamble, 
Sec.  1070.43(a)'s inclusion of the more general term ``Federal or 
State agency'' could be cause for confusion.
    Although the Bureau proposed no revisions to Sec.  1070.43(a), it 
revises this provision in the final rule to clarify that it will 
disclose a final report or examination, including any and all revisions 
to such a report, ``as provided in 12 U.S.C. 5512(c)(6)(C)(i),'' to a 
Federal or State agency with jurisdiction over that financial 
institution, provided that the Bureau receives from the agency 
reasonable assurances as to the confidentiality of the information 
disclosed.
    Several comments, while addressing the Bureau's proposed revisions 
to other provisions, touched on issues raised by Sec.  1070.43(a). For 
example, one comment letter, from an industry trade association, 
expressed concern that, between the Bureau's proposed definition of 
``agency'' and the Bureau's proposed interpretation of 12 U.S.C. 
5512(c)(6), the Bureau could draft a rule that enables a State bar 
association to require the Bureau to disclose reports to it--a dynamic 
that the commenter described as absurd. Another comment letter, from a 
group of State attorneys general, expressed support for the Bureau's 
proposal to remove the jurisdictional requirement for sharing CSI with 
a partner agency under Sec.  1070.43(b), suggesting that this revision 
would permit the Bureau to share CSI with State enforcement agencies 
more freely.
    The Bureau notes, in response to the first comment, that concerns 
regarding the disclosure of CSI to State bar associations are fully 
addressed by the Bureau's decision to not finalize the proposed 
definition of ``agency'' in the final rule; and regarding the 
commenter's broader point, that the Bureau could conceivably draft 
Sec.  1070.43(a) more broadly, the Bureau has not proposed such a rule. 
In response to the second comment, the Bureau notes that its policy 
regarding sharing CSI with State attorneys general is set forth in 
Bulletin 12-01. It did not intend its proposal to alter this policy, 
and Bulletin 12-01 will remain in place after the final rule becomes 
effective.
    Nevertheless, these comments do highlight concerns and confusion 
related to disclosure of reports of examination to State agencies, 
including under Sec.  1070.43(a). The Bureau thus revises the provision 
to clarify in its text that its scope parallels the scope of 12 U.S.C. 
5512(c)(6)(C)(i). This revision does not change the interpretation 
articulated in the preamble to the 2013 final rule; it merely codifies 
that interpretation in the regulation's text.
    In addition, for consistency with this new text, the Bureau revises 
Sec.  1070.43(a)'s separate reference to disclosures of draft reports 
of examination ``in accordance with 12 U.S.C. 5515(e)(1)(C)'' to say 
that the draft reports of examination will be disclosed ``as provided 
in 12 U.S.C. 5515(e)(1)(C).'' Replacing the phrase ``in accordance 
with'' with the phrase ``as provided in'' is a technical revision that 
is not intended to change the meaning of that text.
Section 1070.43(b) Discretionary Disclosure of Confidential Information 
to Agencies
Section 1070.43(b)(1)
    Section 1070.43(b)(1) sets forth the standard under which the 
Bureau may disclose confidential information to other agencies in its 
discretion. The Bureau's prior rule established two distinct standards 
for disclosing confidential supervisory information and other 
confidential information. It stated that the Bureau may disclose 
confidential information to an agency ``to the extent that the 
disclosure of the information is relevant to the exercise of the 
[Agency's] statutory or regulatory authority,'' but that it may only 
share confidential supervisory information with agencies ``having 
jurisdiction over a supervised financial institution.''
    The Bureau proposed removing the separate standard for confidential 
supervisory information, which would have aligned the two standards and 
provided the Bureau with discretion to disclose either confidential 
supervisory information or other confidential information to another 
agency ``to the extent that the disclosure of the information is 
relevant to the exercise of the [agency's] statutory or regulatory 
authority.'' The Bureau declines to finalize this proposed revision.
    The Bureau explained in its notice of proposed rulemaking that this 
proposed change was intended to facilitate communication and 
information-sharing among the Bureau and other governmental 
authorities. The Bureau stated that it had determined that sharing 
confidential supervisory information in situations where the disclosure 
of the information is relevant to the exercise of the receiving 
agency's statutory or regulatory authority would facilitate the 
Bureau's purposes and objectives. It noted that multiple agencies 
engage in operations that potentially affect the offering and provision 
of consumer financial products and services, as well as the

[[Page 75205]]

markets, industries, companies, and other persons relevant to the 
Bureau's work, and that multiple agencies have interests and 
obligations relating to implementation, interpretation, and enforcement 
of the Dodd-Frank Act and the other Federal consumer financial laws 
administered by the Bureau. The Bureau also explained that the proposed 
change would have assisted it in implementing and administering Federal 
consumer financial law in a more consistent and effective fashion, and 
would have enabled the Bureau to work together with other agencies 
having responsibilities related to consumer financial matters. The 
Bureau said that it believed that the proposed change would comport 
with the intent of the Dodd-Frank Act, since effective coordination and 
communication among agencies is essential in order for the regulatory 
framework established by that Act to work as Congress intended.
    The Bureau stated in its proposal that, in its judgment, the prior 
rule's restrictions had proven overly cumbersome in application, posed 
unnecessary impediments to cooperating with other agencies, and 
otherwise risked impairing the Bureau's ability to fulfill its 
statutory duties. Unnecessary impediments to information-sharing in 
such circumstances impede supervisory and enforcement coordination and 
create opportunities for potential conflict, inefficiency, and 
duplication of efforts across agencies. The Bureau reasoned that 
retaining discretion to share confidential supervisory information in 
such situations would better promote the Bureau's mission and overall 
effectiveness.
    The Bureau also stated in its proposal that the proposed change 
would codify a revised interpretation of 12 U.S.C. 5512(c)(6). See 
generally 81 FR 58310, 58317-18 (Aug. 24, 2016).
    The Bureau received a number of comments regarding its proposed 
revision to Sec.  1070.43(b)(1), and they were largely critical of the 
proposal. Commenters expressed general concerns regarding the potential 
breadth of proposed Sec.  1070.43(b)(1), and the proposal's potential 
impact on the supervisory process. Commenters also raised concerns 
regarding the proposal's interaction with definition of ``agency'' in 
proposed Sec.  1070.2(a).\9\ In addition, a number of comment letters 
took issue with the Bureau's revised interpretation of 12 U.S.C. 
5512(c)(6).
---------------------------------------------------------------------------

    \9\ The Bureau's final rule does not include the proposed 
definition of ``agency'' in response to these and related concerns. 
See above for discussion of comments regarding proposed Sec.  
1070.2(a).
---------------------------------------------------------------------------

    Several commenters criticized the Bureau's proposed revision to 
Sec.  1070.43(b)(1) for being overly broad. For example, several 
industry trade associations stated that the proposed ``relevance'' 
standard would allow the Bureau to disclose CSI to any interested 
domestic or foreign agency, even if it has no role in the regulation of 
financial institutions. One comment letter, from a group of industry 
trade associations, suggested that if an institution operated in only 
one State and only sold a product in that State, any domestic or 
foreign regulator might find CSI regarding the institution ``relevant'' 
to their statutory or regulatory authority to the extent that consumers 
within their jurisdiction could purchase the same product. Another 
commenter argued that there is no logical stopping point to 
``relevance,'' and that the proposal would enable disclosure of CSI by 
the Bureau even if information were only tangentially related to an 
agency's authority.
    The Bureau received several comment letters that stated that 
broader disclosure of confidential supervisory information raises 
concerns regarding the protection of privileged material. Although not 
all Bureau CSI consists of material subject to a financial 
institution's privilege, financial institutions do at times submit 
materials subject to the attorney-client privilege and/or attorney 
work-product privilege in the course of the Bureau's supervisory 
activities. See generally 12 U.S.C. 1828(x). Commenters expressed 
concern that the transfer of privileged information to agencies or 
entities that are not covered by 12 U.S.C. 1828(x) or 12 U.S.C. 1821(t) 
could result in a breach or waiver of the privilege. Commenters also 
stated that the Bureau's proposal was likely to make entities less 
willing to voluntarily produce privileged materials to the Bureau due 
to such risks. One commenter suggested that uncertainty regarding the 
Bureau's protection of privilege could make institutions less likely to 
engage counsel or obtain written advice, which could negatively impact 
compliance. This commenter also stated that the U.S. Department of 
Justice and Securities and Exchange Commission do not condition 
cooperation credit on the waiver of privilege. Another comment letter 
stated that there is no indication in 12 U.S.C. 1828(x) that Congress 
intended the provision to enable a banking agency to circumvent the 
inability of other agencies to obtain privileged materials.
    In light of these concerns, one commenter suggested that the Bureau 
modify its proposal to limit disclosure of privileged information to 
Federal agencies that are referenced in 12 U.S.C. 1821(t). Another 
commenter went further, suggesting that the Bureau state that it would 
not transfer privileged materials subject to 12 U.S.C. 1828(x) to other 
agencies or parties at all.
    The Bureau also received several comment letters that expressed 
concern that broader dissemination of CSI increases risk that the CSI 
may not be protected sufficiently, including from data breach, hacking, 
and other unauthorized disclosures. One comment letter, from an 
industry trade association, stated that such disclosures could lead to 
the information being taken out of context, or could raise safety and 
soundness issues. A comment letter, from a group of industry trade 
associations, stated that, once the Bureau discloses CSI to an agency 
or entity, there is no mechanism to ensure that the recipient has taken 
appropriate steps to prevent data breaches or to resolve data breaches 
when they occur; and there is no meaningful way for the Bureau to 
prevent the further transmission of CSI by a recipient. This commenter 
also argued that the recipient's certification, required by Sec.  
1070.43(b)(2)(v), is inadequate. One comment letter, from an industry 
trade association, expressed concern that recipients of CSI may be 
unable to protect it from disclosure due to State and foreign 
disclosure or privacy laws (which may require greater disclosure than 
that mandated by the Freedom of Information Act, 5 U.S.C. 552) or 
discovery requests in civil litigation.
    Commenters also stated that broad disclosure of CSI would undermine 
the Bureau's supervisory process. One commenter explained that it is 
logical to share CSI subject to heightened disclosure restrictions, 
compared to other confidential information like CII, because CSI plays 
a critical role in effective supervision. Several industry trade 
association commenters stated that the proposal would make institutions 
less likely to cooperate with the Bureau and produce information to the 
Bureau in the course of its supervisory activities. One comment letter, 
from a group of industry trade associations, articulated that the 
proposal would undermine the relationship of trust between banks and 
the Bureau, and it suggested that this could be detrimental to banks' 
safety and soundness. This commenter argued that the proposal would 
undermine the bank examination privilege because more routine

[[Page 75206]]

disclosure of CSI would increase the risk that courts will no longer 
protect confidential supervisory information from disclosure in private 
litigation. This commenter suggested that the Bureau only disclose CSI 
in rare cases when the disclosure serves a strong governmental 
interest, and not merely advancement of the Bureau's mission.
    The Bureau also received a number of comment letters that 
criticized its proposal for providing insufficient rationale or 
clarity. Several commenters stated that the Bureau's proposal did not 
establish a record for how the status quo rules impede its activities, 
and how the proposal would resolve those issues. One comment letter, 
from a group of industry trade associations, stated that the Bureau had 
not conducted a thorough analysis of the risks associated with expanded 
disclosure of CSI, including supervisory, litigation, and reputational 
risks, which it suggested surpassed the potential benefits of the 
proposal. Another comment letter, from an industry trade association, 
disagreed with the Bureau's justification for its proposal--that it 
would enable cooperation with other agencies having responsibilities 
related to consumer financial matters--because the proposal's 
definition of ``agency'' included non-financial regulators and other 
entities without responsibilities related to the enforcement of 
consumer financial laws or prudential regulation. A second industry 
trade association commenter argued that the proposal to disclose CSI to 
agencies that lack jurisdiction over supervised financial institutions 
would not help the Bureau administer consumer financial laws, reasoning 
that the status quo rule did not restrain the Bureau's supervisory or 
enforcement authorities. This same commenter rejected the Bureau's 
coordination rationale, reasoning that any agency that has supervisory 
or enforcement authority over a covered financial institution could 
already receive CSI under the previous rule.
    In addition, the Bureau received several comment letters that 
argued that the Bureau's proposal was inconsistent with other 
regulators' practices, stating that other regulators do not disclose 
CSI to agencies that lack jurisdiction. For example, one comment 
letter, from a group of industry trade associations, stated that the 
proposal was inconsistent with the policies of Federal prudential 
regulators, which it said have broader statutory authority than the 
Bureau to share CSI. See 12 U.S.C. 1817(a)(2)(C)(iii) (Federal banking 
agencies may ``furnish any report of examination or other [CSI] 
concerning any . . . entity examined by such agency . . . to . . . any 
. . . person that the Federal Banking agency determines to be 
appropriate.''). The commenter contrasted this language with 12 U.S.C. 
5512(c)(6)(C)(ii), arguing that by not extending section 1817's 
discretionary authority to the Bureau, Congress indicated an intent to 
limit the Bureau's discretion to disclose CSI. The commenter stated 
that, in practice, regulators have adopted regulations that strictly 
limit such disclosure, which provides comfort to supervised entities. 
The commenter noted, for example, that the Office of the Comptroller of 
the Currency (OCC) has promulgated regulations that limit disclosure of 
non-public OCC information to State agencies where those agencies have 
``authority to investigate violations of criminal law'' or are ``state 
bank and state savings association regulatory agencies,'' and when 
disclosure is ``necessary, in the performance of their official 
duties.'' 12 CFR 4.37(c).
    Another comment letter, from a consulting organization, argued that 
the Bureau's proposal was inconsistent with other agencies' practices, 
and that it would compromise the reliability of the bank examination 
privilege and would violate the Bureau's obligations to the FFIEC to 
maintain supervisory consistency. This same commenter stated that 
Congress had intended 12 U.S.C. 5512(c)(6)(C) to mirror regulations by 
the Board of Governors of the Federal Reserve System (``FRB''), at 12 
CFR 261.20, which it described as limiting the Board's sharing of CSI 
to agencies with supervisory jurisdiction. Another comment letter, from 
an industry trade association, similarly stated that FRB regulations, 
at Sec.  261.20, permit disclosure to Federal prudential regulators and 
State supervisory agencies. This commenter also stated that the Bureau 
failed to explain why it needed greater flexibility in light of other 
agencies' practices.
    The Bureau received other critical comments as well. For example, 
one comment letter, from a group of industry trade associations, 
suggested that the Bureau's proposal would result in an increase in 
requests for the Bureau's information, which would burden Bureau staff. 
Two commenters, a consulting organization and an industry trade 
association, expressed concern that sharing CSI with non-supervisory 
agencies would expand the Bureau's supervisory power in contravention 
of Cuomo v. Clearing House Ass'n, 557 U.S. 519 (2009), and related 
authorities.
    Several commenters suggested that, in the event that the Bureau 
adopted its proposal, it should provide formal guidance or make 
additional changes to the rule. For example, one commenter proposed 
that the Bureau codify in the rule a formal policy and practice of 
sharing CSI only in limited circumstances, such as where the requestor 
demonstrates a substantial need for the requested information that 
outweighs the Bureau's need to maintain its confidentiality. This 
commenter also suggested that, absent circumstances that compel 
otherwise, the Bureau should notify the impacted supervised financial 
institution prior to disclosing CSI related to the institution to any 
entity other than Federal or State financial supervisory agencies with 
jurisdiction, or in certain cases U.S. Department of Justice, and give 
the supervised financial institution a reasonable opportunity to object 
and redact the information. Another commenter suggested that, in the 
event that the Bureau receives misdirected complaint data from credit 
unions over which it lacks jurisdiction, it should not share the data 
with any agency other than the National Credit Union Administration 
(NCUA) and that it should defer to the NCUA on whether the information 
is ``relevant'' to other agencies' statutory or regulatory authority.
    In addition to these issues, a number of the comment letters 
received by the Bureau disagreed with the revised interpretation of 12 
U.S.C. 5512(c)(6) that the Bureau articulated in its proposal. 
Commenters described the Bureau's interpretation as ``tortured,'' 
``unreasonable,'' and contrary to statutory language and to the 
statute's clear intent. In particular, several of the comment letters, 
received from industry trade associations and a member of Congress, 
disagreed with the Bureau's conclusion that 12 U.S.C. 5512(c)(6)(C)(ii) 
is ambiguous, instead concluding that the provision is unambiguous and 
restrictive. The Bureau also received several comment letters, from 
industry trade associations, that stated that the Bureau's 
interpretation of 12 U.S.C. 5512(c)(6) renders subparagraph (C)(ii) 
superfluous. And several comment letters, also from industry trade 
associations, argued that its proposed interpretation conflicted with 
legislative history and congressional intent. Finally, one comment 
letter, from a consulting organization, suggested that the Bureau did 
not sufficiently substantiate the change in policy articulated in its 
proposal. See Encino

[[Page 75207]]

Motorcars v. Navarro, 136 S. Ct. 2117, 2125-26 (2016).\10\
---------------------------------------------------------------------------

    \10\ One commenter interpreted 12 U.S.C. 5512(c)(6)(C) to apply 
to confidential investigative information (in addition to 
confidential supervisory information), and to require the Bureau to 
provide confidentiality assurances to the impacted financial 
institution prior to disclosing the confidential information to 
another agency under subparagraph (C)(i). The Bureau disagrees with 
these interpretations. First, subparagraph (C) explicitly references 
``confidential supervisory information,'' which is a narrower term 
than subparagraph (A)'s more general reference to ``information 
obtained from persons in connection with the exercise of its 
authorities under Federal consumer financial law.'' CII is thus 
outside the scope of subparagraph (C), and the Bureau's rule makes 
clear in Sec.  1070.2(h) and (i) that the Bureau considers 
``confidential investigative information'' to be different from 
``confidential supervisory information.'' Second, the Bureau 
disagrees that subparagraph (C)(i) requires the Bureau to provide 
confidentiality assurances to the supervised financial institution 
about whom a report of examination pertains; because the provision 
addresses the exchange of information between the Bureau and another 
agency, the Bureau understands it to require the agency obtaining 
the report of examination to provide such assurances of 
confidentiality to the Bureau.
---------------------------------------------------------------------------

    The Bureau received one comment that was supportive of its 
proposal, from a group of State attorneys general. The comment letter 
suggested that the proposal would permit the Bureau to share CSI with 
State enforcement agencies. It argued that sharing CSI would properly 
increase resources available to address consumer abuses by supervised 
institutions, and that it would support coordination and collaboration 
between State attorneys general and the Bureau in their enforcement 
efforts.\11\
---------------------------------------------------------------------------

    \11\ The Bureau notes that its policy regarding sharing CSI with 
State attorneys general is set forth in Bulletin 12-01. It did not 
intend its proposal to alter this policy, and Bulletin 12-01 remains 
in place subsequent to the final rule becoming effective.
---------------------------------------------------------------------------

    The Bureau disagrees with commenters' claims that it did not 
sufficiently substantiate the change in policy articulated in its 
proposal. The Bureau stated in its proposal that it had determined that 
broader discretion to disclose CSI would facilitate the Bureau's 
purposes and objectives, and it explained how such discretion would 
assist its work. See 81 FR 58310, 58317 (Aug. 24, 2016).
    However, the Bureau declines to finalize its proposal. Instead, the 
final rule will retain Sec.  1070.43(b)(1)'s status quo dual standards, 
unmodified: The Bureau may disclose confidential information to an 
agency ``to the extent that the disclosure of the information is 
relevant to the exercise of the [Agency's] statutory or regulatory 
authority,'' and confidential supervisory information to an agency 
``having jurisdiction over a supervised financial institution.''
    The Bureau had proposed changing the standard for disclosure of CSI 
to provide flexibility to address rare situations where it may have a 
need to disclose information identified as confidential supervisory 
information to an agency that does not necessarily have jurisdiction 
over a given financial institution. However, the Bureau acknowledges 
that commenters have raised the general concern that, as proposed, 
Sec.  1070.43(b)(1)'s potential breadth could create uncertainty and 
decrease confidence that information provided to the Bureau in the 
course of its supervisory activities will be used and protected 
appropriately. In light of these concerns, the Bureau declines to 
revise the regulation as proposed.
Section 1070.43(b)(2)
    Section 1070.43(b)(2) sets forth a process for agencies to submit 
written requests (sometimes referred to as ``access requests'') to the 
Bureau in order to obtain access to its confidential information 
pursuant to Sec.  1070.43(b). Whereas the section previously required 
submission of access requests to the General Counsel, the Bureau 
proposed to instead require submission to the Associate Director for 
Supervision, Enforcement and Fair Lending.\12\ The Bureau further 
revises Sec.  1070.43(b)(2) in the final rule in several ways. In 
particular, rather than vesting authority to act upon access requests 
with either the General Counsel or the Associate Director for 
Supervision, Enforcement and Fair Lending, the final rule will vest the 
authority with the Director or her designee. Thus, instead of codifying 
a delegation via regulation, the final rule will provide the Director 
with the flexibility to change the delegation if warranted, without the 
need for further rulemaking.
---------------------------------------------------------------------------

    \12\ The Bureau likewise proposed moving the General Counsel's 
related ``access request'' authorities in 12 CFR 1070.47(a)(1)-(2) 
to the Associate Director for Supervision, Enforcement and Fair 
Lending. The comment letters received by the Bureau generally 
addressed both revisions together.
---------------------------------------------------------------------------

    The Bureau explained in its notice of proposed rulemaking that it 
believed the proposed change would lead to increased efficiency because 
the vast majority of access requests submitted to the Bureau pertain to 
work conducted by its Division of Supervision, Enforcement and Fair 
Lending. The Bureau stated that the Associate Director for Supervision, 
Enforcement and Fair Lending would continue to consult with other 
Bureau stakeholders, including the Legal Division, as necessary. The 
Bureau reasoned that, in making these changes, the authority to act 
upon access requests would shift from the Legal Division to other 
Bureau staff with expertise more directly related to processing these 
requests. The Bureau also proposed that access requests be emailed to a 
single email address, [email protected], or to the Bureau's 
mailing address at 1700 G Street NW, Washington, DC 20552, in order to 
facilitate processing.
    The Bureau received five comment letters, all from industry trade 
associations, that were critical of the proposal to shift the authority 
to act upon access requests from the General Counsel to the Associate 
Director for Supervision, Enforcement and Fair Lending.
    Three comment letters expressed concern that the proposal could 
create a conflict of interest. For example, one commenter argued that 
the Associate Director could use access requests as a ``negotiating 
tool'' in situations where an agency may ask the Associate Director for 
CSI regarding an entity while the Division is simultaneously engaged in 
an enforcement action against the same entity. A second commenter 
expressed concerns that the Associate Director might lack impartiality, 
given that he or she also oversees requests for information from 
institutions during the course of an investigation, as well as requests 
from institutions to further disclose information under Sec.  
1070.42(b). Another comment letter, from a group of industry trade 
associations, stated that the Associate Director would have a potential 
conflict of interest because he or she may have reasons to grant access 
requests related to the work conducted by his or her Division.
    Four comment letters argued that the Bureau's General Counsel is 
better suited to the role of approving access requests. The group of 
trade associations stated that the General Counsel is in a better 
position to weigh the impact of disclosure on the bank examination 
privilege and other legal obligations. The commenter also argued that 
agencies' assertions in access requests regarding their legal authority 
are more appropriately addressed by the General Counsel. Similarly, two 
commenters asserted that the General Counsel is better suited than the 
Associate Director for making determinations that impact personal and 
commercial privacy interests of entities. One commenter argued that 
shifting the authority for access requests could lose a check on 
ensuring that disclosure of CSI is rooted in the Bureau's statutory and 
regulatory authority, rather than political or ideological motivations. 
Two commenters recommended that the General Counsel maintain a role in 
deciding whether to approve access

[[Page 75208]]

requests, with one suggesting more specifically that General Counsel 
approval be required, in addition to the Associate Director's approval.
    Two commenters also criticized the proposal for departing from 
other agencies' practices. The group of industry trade associations 
noted that the FRB vests authority to decide access requests with its 
Legal Division. Another commenter argued that other agencies vest their 
General Counsel with responsibility to ``oversee FOIA requests and 
production of information.'' This same commenter expressed concern that 
moving access-request authority could result in inconsistent decisions 
regarding the release of information in response to access requests, 
FOIA requests, or requests under the Bureau's Touhy regulations at 12 
CFR 1070.30 through 1070.37.\13\
---------------------------------------------------------------------------

    \13\ This commenter also claimed that the Bureau's proposal 
would shift responsibility for determining FOIA requests to the 
Associate Director for Supervision, Enforcement, and Fair Lending. 
The Bureau made no such proposal. Authorities to decide FOIA 
requests remained unchanged in the Bureau's proposal, and are 
unchanged in this final rule and in 83 FR 46075 (Sept. 12, 2018).
---------------------------------------------------------------------------

    As the Bureau explained in the notice of proposed rulemaking, we 
proposed moving access-request authority from the General Counsel to 
the Associate Director for Supervision, Enforcement and Fair Lending in 
order to increase efficiency because most access requests submitted to 
the Bureau pertain to work conducted by that Division. The Bureau 
believes that the Associate Director may be in a better position than 
the General Counsel to make a policy determination whether to authorize 
an access request, since the Division of Supervision, Enforcement and 
Fair Lending is more familiar with the information at issue and the 
context of the access request. The Bureau does not agree with the 
contention that this change creates a conflict of interest, as the 
Bureau would consider the same policy grounds for granting an access 
request regardless of where the authority is located.
    In addition, while some agencies, such as the FRB, may vest access-
request authority with their General Counsel, others do not. For 
example, the FDIC vests access-request authority in the director of the 
division having primary authority over the records. See 12 CFR 309.6. 
Likewise, the Securities and Exchange Commission vests access-request 
authority in senior officers at or above the level of Associate 
Director or Associate Regional Director. See Securities and Exchange 
Commission, Division of Enforcement, Enforcement Manual section 5.1 
(Nov. 28, 2017), available at https://www.sec.gov/divisions/enforce/enforcementmanual.pdf (last visited Oct. 8, 2020); 17 CFR 240.24c-1. 
Given the size and organization of the Bureau, and for the reasons 
described above, we think it reasonable to vest access-request 
authority in an official other than the General Counsel.
    Nevertheless, in light of the concerns expressed, the Bureau 
declines to codify in the rule that authority to act upon access 
requests is vested in the Associate Director for Supervision, 
Enforcement and Fair Lending. Instead, the final rule will vest the 
authority in the ``Director,'' which is defined in 12 CFR 1070.2(j) to 
include a designee of the Director. Thus, while the Director may 
delegate the authority to the Associate Director for Supervision, 
Enforcement and Fair Lending, this shift can be reversed or otherwise 
changed without requiring a rulemaking--such as if experience shows 
that the Bureau's Legal Division was in a better position to address 
access requests.
    The Bureau notes that if responsible for acting upon access 
requests, the Division of Supervision, Enforcement and Fair Lending 
would continue to consult with the Legal Division as needed, such as 
when an access request raises legal questions regarding authority, 
privilege, privacy, trade secrets, or other legal obligations.\14\
---------------------------------------------------------------------------

    \14\ The Bureau occasionally receives access requests for 
confidential information that is neither CII nor CSI, such as 
information originating from another Bureau Division that is exempt 
from disclosure under the FOIA. In those instances, the Division of 
Supervision, Enforcement and Fair Lending would consult with 
impacted Divisions as warranted.
---------------------------------------------------------------------------

    Furthermore, the Bureau does not share one commenter's concern that 
its proposal could lead to different results where determinations are 
made in response to an access request, a FOIA request, or a request 
under the Bureau's Touhy regulations. These disclosures occur in 
different contexts, subject to different protections, and should not 
necessarily result in identical determinations. In addition, as stated 
above, the Bureau's Legal Division would continue to be consulted as 
needed in access-request determinations.
    Finally, although the Bureau received no comments on the email 
address or mailing address that it proposed for access request 
submissions, it declines to include this contact information in the 
final rule because it has concluded that codification of such 
information is unnecessary.
    In addition to changing the authority to act on access requests, 
the Bureau proposed revising Sec.  1070.43(b)(2)(iii), for purposes of 
clarity, to state that, among other things, access requests must 
include a statement certifying and identifying the agency's ``statutory 
or regulatory authority that is relevant to the requested information, 
as required by paragraph (b)(1).'' We explained in the proposal that, 
in our experience, the previous formulation (the agency must certify or 
identify its ``authority for requesting the documents'') can lead to 
confusion.
    The Bureau received no comments on this proposal. However, because 
the Bureau has declined to finalize its proposed revision to Sec.  
1070.43(b)(1) regarding discretionary disclosure of CSI, it needs to 
further revise paragraph (b)(2)(iii) to track the dual standards in 
paragraph (b)(1) and achieve the same clarity sought in the proposal. 
Thus, the Bureau further revises the text in the final rule to read, 
``A statement certifying and identifying, as required by paragraph 
(b)(1) of this section, the agency's statutory or regulatory authority 
that is relevant to the requested information or, with respect to a 
request for confidential supervisory information, the agency's 
jurisdiction over a supervised financial institution.''
    Finally, although the Bureau proposed no revisions to Sec.  
1070.43(b)(2)(v), it received two comment letters from industry trade 
associations regarding the paragraph, which requires agencies to 
include in an access letter ``[a] certification that the agency will 
maintain the requested confidential information in confidence, 
including in a manner that conforms to the standards that apply to 
Federal agencies for the protection of the confidentiality of 
personally identifiable information and for data security and 
integrity, as well as any additional conditions or limitations that the 
CFPB may impose.'' One commenter described the requirement as 
inadequate, and the other argued that the certification does not 
substitute for evaluation of the agencies' data security policies.
    These comments are similar to a comment that the Bureau received 
when it initially promulgated the rule, where a commenter suggested 
that the Bureau audit agencies' data security practices prior to 
sharing confidential information with them. See 78 FR 11484, 11495 
(Feb. 15, 2013). We considered and rejected the suggestion at the time, 
explaining in the previous final rule that, prior to disclosure, the 
Bureau takes reasonable steps to ensure that a requesting agency is 
legally authorized to protect the information, and that it has systems 
in place to safeguard the information from theft, loss, or

[[Page 75209]]

unauthorized access or disclosure. See id. at 11497. The Bureau's view 
remains unchanged, and it finalizes Sec.  1070.43(b)(2)(v) without 
modification.
Former Section 1070.43(c) State Requests for Information Other Than 
Confidential Information
    Former Sec.  1070.43(c) stated that State agency requests for 
information other than confidential information were not to be made and 
considered under Sec.  1070.43. The Bureau proposed deleting this 
paragraph because it believed the paragraph to be unnecessary and 
confusing. Because, by its own terms, Sec.  1070.43 only applies to 
confidential information, there is no need to state that it does not 
apply to information that is not confidential. The Bureau received no 
comments on this proposal, and it finalizes the proposal without 
modification.
Proposed Section 1070.43(c) Negotiation of Standing Requests
    Proposed Sec.  1070.43(c) (formerly Sec.  1070.43(d)) states that 
the Bureau may negotiate terms governing the exchange of confidential 
information with agencies on a standing basis. The Bureau proposed no 
substantive revisions to this paragraph (other than replacing a 
reference to ``Federal or State agencies'' with ``Agencies,'' which is 
discussed above).
    The Bureau received one comment letter, from an industry trade 
association, which stated that the Bureau could use this authority to 
negotiate data security standards, and it requested clarification from 
the Bureau that such standards are non-negotiable.
    The Bureau disagrees with the commenter's implication that the 
Bureau can use proposed Sec.  1070.43(c) to negotiate data security 
standards lower than the standards required by Sec.  1070.43(b)(2). 
Paragraph (b)(2) requires agencies to make certain confidentiality 
assurances in order for the Bureau to approve an access request. 
Proposed paragraph (c), meanwhile, merely states that the Bureau can 
agree to the exchange of information on a standing, rather than a case-
by-case, basis. In this context, the Bureau interprets proposed 
paragraph (c) to require that such standing agreements be consistent 
with the requirements of paragraph (b)(2). In addition, we note that 
the Bureau's obligations under the Dodd-Frank Act, such as the 
confidentiality requirements of 12 U.S.C. 5512(c)(8), apply equally to 
disclosures under paragraphs (b) and (c).
    For the aforementioned reasons, the Bureau finalizes the proposal 
without modification.
Section 1070.44 Disclosure of Confidential Consumer Complaint 
Information
    Section 1070.44 addresses the Bureau's disclosure of confidential 
consumer complaint information in the course of investigating, 
resolving, or otherwise responding to consumer complaints. The Bureau 
proposed replacing the phrase ``[n]othing in this subpart shall limit 
the discretion of the CFPB'' with ``[t]he CFPB may . . .'' in order to 
clarify that Sec.  1070.44 authorizes such disclosure by the Bureau. 
The Bureau also proposed replacing the phrase ``concerning financial 
institutions or consumer financial products and services'' with 
``concerning consumer financial products and services or a violation of 
Federal consumer financial law'' in order to clarify that the section 
broadly addresses any information received or generated by the Bureau 
through processes or procedures established under 12 U.S.C. 5493(b)(3), 
including where complaints do not concern financial institutions, or 
where the Bureau lacks authority to act on them. The Bureau received no 
comments on this proposal, and it finalizes the proposal without 
modification.
Section 1070.45 Affirmative Disclosure of Confidential Information
    Section 1070.45 addresses various instances where the Bureau may 
make disclosures of confidential information on its own initiative. The 
Bureau proposed several revisions to clarify, supplement, or amend the 
disclosures previously addressed in the section. Any disclosures made 
pursuant to this section must be made in accordance with applicable 
law.
    The Bureau proposed deleting the reference in Sec.  1070.45(a) to 
``confidential investigative information'' in the phrase ``confidential 
investigative information or other confidential information.'' The 
Bureau explained in its proposal that this reference is unnecessary 
because confidential investigative information is a sub-category of 
confidential information. The Bureau also noted that, while it may 
disclose any category of confidential information under Sec.  
1070.45(a), disclosures made under this section--particularly 
paragraphs (a)(3) and (4) and proposed (a)(6)--are more likely to 
involve confidential investigative information, rather than other 
categories of confidential information, such as confidential 
supervisory information. The Bureau received no comments regarding this 
proposal, and it finalizes the proposal without modification.
    Paragraph (a)(2) addresses disclosure of confidential information 
to either House of the Congress, or to an appropriate committee or 
subcommittee of the Congress, as set forth in 12 U.S.C. 5562(d)(2). The 
text states that, upon receipt of a request from the Congress for 
confidential information that a financial institution submitted to the 
Bureau along with a claim that such information consists of trade 
secret or privileged or confidential commercial or financial 
information, or confidential supervisory information, the Bureau 
``shall notify'' the financial institution in writing of its receipt of 
the request and provide the institution with a copy of the request. The 
Bureau proposed revising the text to state that it ``may notify'' the 
financial institution in such circumstances. The Bureau declines to 
finalize this proposal.
    The Bureau reasoned in its proposal that this revision would 
provide greater flexibility and more closely align with 12 U.S.C. 
5562(d)(2), which states that the Bureau ``is permitted to adopt rules 
allowing prior notice to any party that owns or otherwise provided the 
material to the Bureau and had designated such material as 
confidential.''
    The Bureau received four comment letters that addressed this 
proposal. Three commenters--an industry trade association, a group of 
industry trade associations, and a financial institution--stated that 
notification should be mandatory so that financial institutions have an 
opportunity to object to the disclosure to Congress, or at least to 
prepare to be able to assist Congress or to respond to potential 
publicity. One comment letter, from a group of industry trade 
associations, argued that notice is critical to ensuring that 
information is not misused, misunderstood, inaccurately reported, or 
inadvertently disclosed. The commenter reasoned that notice allows 
institutions to be prepared to respond to questions and potentially 
avoid panic or inappropriate or harmful reactions. The two industry 
trade association commenters also stated that they did not believe the 
Bureau sufficiently explained its need for ``flexibility'' in its 
proposal, and that any such need is outweighed by the importance of 
preserving the confidentiality of CSI. One of the commenters also noted 
that the Bureau's proposal differs from a similar rule promulgated by 
the FTC that requires agency notice in similar situations. See 16 CFR 
4.11(b). Finally, the Bureau received a comment letter, from a public 
interest organization, expressing concern that the Bureau's

[[Page 75210]]

proposal could reduce institutions' ability to prevent, or at least 
object to, the disclosure of information to Congress, which could 
threaten the privileged status of any such information.
    In light of these comments, the Bureau declines to finalize this 
proposal, and the final rule instead will contain the status quo text, 
unmodified, which requires notification by the Bureau prior to 
disclosures to either House of the Congress or to an appropriate 
committee of subcommittee of the Congress. The Bureau appreciates 
commenters' concerns about a financial institution's need to know when 
its sensitive information is being produced to Congress. The Bureau 
also recognizes that a mandatory, rather than discretionary, 
notification process establishes predictability and increases 
confidence regarding the Bureau's protection and appropriate treatment 
of information. The Bureau's proposal had been intended to give the 
Bureau flexibility where it receives Congressional requests for less 
sensitive information--for example, publicly available market 
monitoring materials that the rule previously classified as 
``confidential supervisory information.'' However, other revisions to 
the rule, such as the removal of market monitoring material from the 
definition of ``confidential supervisory information'' in Sec.  
1070.2(i), alleviate the need for such flexibility. Further, the Bureau 
concludes that the benefits of the mandatory notice requirement 
outweigh the marginal benefits of retaining flexibility in instances 
where the Bureau receives requests for less sensitive information.
    Paragraph (a)(3) pertains to the disclosure of confidential 
information in ``investigational hearings and witness interviews, as is 
reasonably necessary, at the discretion of the CFPB.'' This paragraph 
was initially intended to address disclosure in the course of 
investigations and enforcement actions. See 76 FR 45372, 45375 (Jul. 
28, 2011). The Bureau proposed revising the paragraph to state that it 
may disclose confidential information in ``investigational hearings and 
witness interviews, or otherwise in the investigation and 
administration of enforcement actions, as is reasonably necessary, at 
the discretion of the CFPB.'' It explained that this revision would 
clarify that the Bureau may disclose confidential information in its 
discretion to conduct its investigations or perform administrative 
tasks to further its own enforcement actions. This includes, for 
example, disclosures to expert witnesses, service process servers, or 
other Federal and State agencies that may provide assistance with space 
for investigational hearings or advise the Bureau on local rules 
regarding a court filing. This would also include instances in which 
the Bureau is partnering with another agency and determines that it 
needs to share specific information with that agency to further an 
investigation or administer the filing or settlement of a joint 
enforcement action. The Bureau received no comments on this proposal, 
and it finalizes the proposal without modification.
    Paragraph (a)(4) authorizes the disclosure of confidential 
information ``[i]n an administrative or court proceeding to which the 
CFPB is a party.'' The Bureau proposed revising this paragraph to state 
that it may disclose confidential information ``[i]n or related to an 
administrative or court proceeding to which the Bureau is a party.'' 
The Bureau declines to finalize this proposal.
    The Bureau explained in its proposal that it intended this revision 
to clarify that it may disclose confidential information not only 
during an administrative or court proceeding to which the Bureau is a 
party, such as in complaints and consent orders, but also when related 
to the Bureau's implementation of ongoing administrative or court 
orders. It noted that such disclosures could be made in furtherance of 
the Bureau's reporting requirements and could include, for example, 
updates on required consumer remuneration and the payment of civil 
money penalties.
    The Bureau received two comments regarding this proposed revision. 
One comment letter, from a group of industry trade associations, 
criticized the proposal as overly broad and unnecessary. It expressed 
concern that such disclosure could increase litigation and reputation 
risk for financial institutions and potentially undermine the bank 
examination privilege. The commenter also stated that the Bureau's 
proposal did not indicate how broadly it could construe ``related to,'' 
and that it did not justify why such disclosures are necessary or how 
that need would outweigh the Bureau's need to maintain confidentiality. 
Another comment letter, from an industry trade association, expressed 
concern that the proposal could allow the Bureau to disclose 
confidential information prior to commencement or after conclusion of a 
proceeding.
    In light of these concerns, the Bureau declines to make the 
proposed revision in the final rule. As the Bureau explained in its 
proposal, it occasionally has a need to disclose confidential 
information about an administrative or court proceeding outside the 
context of the actual proceeding, such as updating the public and 
Congress about consumer remuneration and the payment of civil money 
penalties. While such disclosures are relatively rare and only occur in 
limited circumstances, addressing these disclosures in Sec.  
1070.45(a)(4) risks leaving a mistaken impression that such disclosures 
will take place with regularity. Furthermore, as indicated by the 
commenters' expressed concerns, the potential breadth of the proposed 
text could lead to this provision being applied more broadly than the 
proposal intended.
    Instead, in the event that the Bureau identifies a future need to 
disclose confidential information about an administrative or court 
proceeding outside the context of the actual proceeding, and it cannot 
otherwise make the disclosure pursuant to subpart D, it will do so 
pursuant to Sec.  1070.46, which permits the Bureau's director to 
authorize disclosure of confidential information other than as set 
forth in subpart D. The authorization must be in writing, must 
otherwise be permitted by law, and may not be delegated. See 12 CFR 
1070.46(a), (c).
    Disclosures contemplated by the proposal should only be made when 
appropriate and subject to due consideration of the disclosure's 
impact. Vesting the Director alone with authority to approve these 
disclosures under Sec.  1070.46 reflects this commitment by requiring 
decision-making to take place at the Bureau's highest level.
    Paragraph (a)(4) also permits the submitter of confidential 
investigatory materials that consists of trade secrets or privileged or 
confidential financial information, or confidential supervisory 
information, to seek a protective or other order prior to the 
information's disclosure in an administrative or court proceeding. For 
clarity, the Bureau proposed replacing the phrase ``confidential 
investigatory materials'' with ``confidential investigative 
information,'' a defined term used throughout the rule. Likewise, the 
Bureau proposed replacing the reference to ``appropriate protective or 
in camera order'' with ``appropriate order,'' which would encompass 
both examples in the previous version. Finally, the Bureau proposed 
revising the rule to also allow the Bureau to seek an appropriate order 
in its discretion. Whereas the prior text only discusses the submitter 
seeking such an order, there may be times where it would be more 
efficient or appropriate for the Bureau itself to make

[[Page 75211]]

such a request. The Bureau received no comments regarding these 
proposed revisions, and it finalizes the proposal without modification.
    The Bureau did, however, receive one comment letter, from a group 
of industry trade associations, asking the Bureau to further revise 
paragraph (a)(4) to require it to notify institutions of its intended 
use of certain information in connection with administrative or court 
proceedings. The commenter argued that, by allowing submitters to seek 
protective and similar orders, paragraph (a)(4) implicitly requires 
that the Bureau first notify submitters of its intended use of the 
information; it suggested that the Bureau make such a requirement 
explicit.
    In accordance with this provision, it is the Bureau's practice to 
take steps to ensure that the submitter has an opportunity to seek a 
protective order where it has a cognizable claim for one. However, the 
Bureau does not agree with the commenter's interpretation that 
paragraph (a)(4) imposes an implicit notification requirement on the 
Bureau, as there is no textual basis for that conclusion. Furthermore, 
we do not think it necessary for the rule to codify a formal 
notification process. For these reasons, the Bureau declines to revise 
the rule as suggested by the commenter.
    The Bureau proposed a new paragraph, proposed paragraph (a)(5), 
that states that the Bureau may disclose confidential information in 
``CFPB personnel matters, as necessary and subject to appropriate 
protections.'' The Bureau explained in its proposal that this paragraph 
was intended to clarify that confidential information may at times be 
disclosed in the course of equal employment opportunity matters, 
grievance proceedings, and other personnel matters. We noted that such 
disclosures would only be made as necessary, in accordance with 
applicable law, and subject to appropriate protections. The Bureau also 
proposed re-numbering Sec.  1070.45 to account for this new paragraph. 
The Bureau received no comments on this proposal, and it finalizes the 
proposal without modification.
    Proposed paragraph (a)(6) (formerly paragraph (a)(5)) addresses 
disclosure to other agencies of confidential information in summary 
form in certain circumstances. The Bureau explained in its proposal 
that the purpose of this provision is to allow it to inform agencies 
about potential legal violations in which they may have an interest, 
including situations in which they may wish to submit a request for 
information under Sec.  1070.43. The Bureau proposed revising this 
paragraph to authorize disclosure to ``Agencies in summary form to the 
extent necessary to confer with such Agencies about matters relevant to 
the exercise of the Agencies' statutory or regulatory authority.'' This 
was intended to clarify the paragraph's intended purpose and more 
closely align with the standard used for disclosing confidential 
information to agencies under Sec.  1070.43.
    The Bureau received one comment letter, from a group of industry 
trade associations, which stated that this revision was 
``unnecessary.'' The commenter argued that 12 U.S.C. 5566 mandates that 
the Bureau transmit evidence to the Attorney General if it has evidence 
that may constitute a violation of Federal criminal law, and that no 
similar provision suggests that the Bureau may share CSI with other 
Federal or State law enforcement agencies. The commenter also expressed 
concerns that the proposal was overbroad due to the definition of 
``agency'' in proposed Sec.  1070.2(a).
    The Bureau disagrees with the commenter's argument, which appears 
to misunderstand the purpose of this paragraph. The provision is 
primarily intended to enable preliminary, high-level discussion that 
facilitates submission of an access request under 12 CFR 1070.43. For 
example, it could include a summary of the nature of an investigation 
or the kinds of confidential information that the Bureau possesses; 
more substantive information may then be provided to the agency in 
response to a request under Sec.  1070.43. The discussions contemplated 
by this provision are necessary for other agencies to determine whether 
they have an interest in submitting an access request to the Bureau, 
and if so, what statements to include in it. Otherwise, an agency may 
not even know that the Bureau possesses confidential information in 
which it is interested. The Bureau proposed revising this paragraph to 
align it with Sec.  1070.43 in order to clarify and facilitate the two 
provisions' interaction.\15\ We do not agree that 12 U.S.C. 5566, which 
requires criminal referrals to the Attorney General in certain 
circumstances, forecloses the Bureau from drafting regulations pursuant 
to 12 U.S.C. 5512(c)(6)(A) that authorize other affirmative disclosures 
of confidential information to partner agencies.
---------------------------------------------------------------------------

    \15\ Although the Bureau has declined to finalize its proposed 
changes to Sec.  1070.43(b)(1), thus retaining dual standards for 
disclosure of CSI and other confidential information under that 
provision, we will not further revise proposed Sec.  1070.45(a)(6). 
While the Bureau will only disclose CSI under Sec.  1070.43(b)(1) to 
agencies with jurisdiction over a supervised financial institution, 
we may need to disclose CSI at a high level to confer with agencies 
about matters relevant to the exercise of their statutory or 
regulatory authority--for example, in order to determine whether the 
agency has jurisdiction over a supervised financial institution.
---------------------------------------------------------------------------

    In addition, as discussed above regarding proposed Sec.  1070.2(a), 
the Bureau has declined to finalize the proposed definition of 
``agency,'' addressing concerns regarding this paragraph's breadth.
    For the aforementioned reasons, the Bureau finalizes the proposal 
without modification.
Section 1070.47 Other Rules Regarding the Disclosure of Confidential 
Information
    The Bureau proposed reorganizing Sec.  1070.47 for clarity. 
Specifically, it proposed moving paragraph (a)(5) to immediately after 
paragraph (a)(2) because the two paragraphs both address further 
disclosure by the recipient of confidential information. The Bureau 
further proposed making paragraph (a)(3), which addresses third-party 
requests for information, a new paragraph titled ``Third party requests 
for information'' to highlight the provision and lead to better ease of 
use. Finally, the Bureau proposed re-numbering the section to account 
for these changes. The Bureau received no comments regarding this 
reorganization of the section, and it finalizes the proposal without 
modification.
Section 1070.47(a) Further Disclosure Prohibited
    Section 1070.47(a) describes certain steps that recipients of 
confidential information under subpart D must take to protect the 
information. It notes that confidential information disclosed under 
this subpart remains Bureau property, it prohibits further disclosure 
of confidential information without the Bureau's prior written 
permission, and it sets forth procedures to follow in the event that a 
recipient of confidential information receives from a third party a 
legally enforceable demand for the information.
    Consistent with proposed revisions to Sec.  1070.43(b), the Bureau 
proposed shifting from its General Counsel to the Associate Director 
for Supervision, Enforcement and Fair Lending the authority in 
paragraph (a)(1) to provide in writing that confidential information is 
no longer Bureau property, and the authority in paragraph (a)(2) to 
provide written permission to further disclose confidential 
information. In the final rule, the Bureau declines to finalize the 
proposed revision to paragraph (a)(1), and it further revises paragraph 
(a)(2).
    The Bureau explained in its proposal that it believed that its 
proposed

[[Page 75212]]

changes would lead to increased efficiency because the vast majority of 
access requests submitted to the Bureau pertain to work conducted by 
its Division of Supervision, Enforcement and Fair Lending. The Bureau 
also noted that it intended the General Counsel to retain his or her 
authority with respect to legally enforceable demands or requests for 
confidential information, described in paragraph (a)(3). Finally, as 
discussed above with respect to proposed Sec.  1070.2(a), the Bureau 
proposed revisions to account for the newly proposed defined term 
``agency.''
    Comment letters that addressed this proposal generally discussed it 
together with proposed revisions to Sec.  1070.43(b), regarding the 
move of access request authority from the General Counsel to the 
Associate Director for Supervision, Enforcement and Fair Lending. For a 
discussion of these comments, please see the discussion regarding Sec.  
1070.43(b) above. In light of these comments, the Bureau declines to 
finalize its proposal to transfer from the General Counsel to the 
Associate Director for Supervision, Enforcement and Fair Lending the 
authority in paragraph (a)(1) to provide in writing that confidential 
information is no longer Bureau property. This authority will instead 
be retained by the Bureau's General Counsel. In addition, for the 
reasons addressed in the discussion regarding Sec.  1070.43(b) above, 
the Bureau will further revise paragraph (a)(2) in the final rule, to 
vest with the Director (or her designee) the authority to provide 
written permission to further disclose confidential information.
    For a discussion of comments on the definition of ``agency,'' 
please see the discussion regarding proposed Sec.  1070.2(a) above. For 
the reasons addressed in that discussion, the Bureau declines to 
finalize revisions intended to account for the proposed definition of 
``agency.''
Section 1070.47(d) Return or Destruction of Records
    The Bureau proposed adding a new paragraph (d) to clarify that the 
Bureau may require any person in possession of confidential information 
to return the records to the Bureau or destroy them.
    Paragraph (d) is further revised in the final rule for consistency 
with new Sec.  1070.42(c), which was added in response to comments on 
proposed revisions to Sec.  1070.42.\16\ 12 CFR 1070.42(c) states, 
``Nothing in this subpart shall prohibit any person lawfully in 
possession of confidential investigative information of the CFPB 
pursuant to paragraph (a) of this section from further disclosing that 
confidential investigative information.'' The Bureau adds to paragraph 
(d), ``[e]xcept with respect to confidential investigative information 
disclosed pursuant to Sec.  1070.42(a) of this subpart,'' because a 
requirement to return or destroy these records would raise tension with 
the ability to further disclose the information. This further revision 
is not intended to impact the Bureau's ability to enter into a 
protective order, or to otherwise reach mutual agreement with a party 
with respect to the protection of CII.
---------------------------------------------------------------------------

    \16\ See above for discussion of comments regarding Sec.  
1070.42.
---------------------------------------------------------------------------

    The Bureau received one comment letter regarding this proposal, 
from a public interest organization. The commenter suggested that this 
proposal, among other proposed revisions to Sec.  1070.47, was intended 
to assure supervised and regulated entities that the Bureau's separate 
proposals that would expand its discretion to share information would 
not prejudice those entities. The commenter expressed concern that the 
provision may not be enforceable with respect to information disclosed 
to foreign agencies, State agencies, Congress, or other government 
agencies that are not subject to the Bureau's jurisdiction. The 
commenter suggested that this provision could create an ``illusion of 
certainty'' for entities that disclose privileged information to the 
Bureau in reliance on this and other provisions.
    The purpose of this proposal was to facilitate the Bureau's control 
over its own confidential information. The proposed text is relatively 
common for information sharing agreements, and the Bureau's intent was 
to codify such language in its regulations to put recipients of its 
confidential information on notice that it may require the return or 
destruction of such records. For these reasons, the Bureau finalizes 
this proposal without modifying it in response to this comment.
Section 1070.47(e) Non-Waiver of CFPB Rights
    The Bureau proposed adding a new paragraph (e) to clarify that the 
Bureau's disclosure of confidential information under subpart D does 
not waive the Bureau's right to control, or impose limitations on, the 
subsequent use and dissemination of its confidential information.
    Paragraph (e) is further revised in the final rule for consistency 
with new Sec.  1070.42(c), which was added in response to comments on 
proposed revisions to Sec.  1070.42.\17\ 12 CFR 1070.42(c) states, 
``Nothing in this subpart shall prohibit any person lawfully in 
possession of confidential investigative information of the CFPB 
pursuant to paragraph (a) of this section from further disclosing that 
confidential investigative information.'' The Bureau adds to paragraph 
(e), ``[e]xcept as provided in Sec.  1070.42(c),'' because the new text 
in Sec.  1070.42(c) permits further disclosure of confidential 
investigative information in certain circumstances.
---------------------------------------------------------------------------

    \17\ See above for discussion of comments regarding Sec.  
1070.42.
---------------------------------------------------------------------------

    The Bureau received one comment letter regarding proposed Sec.  
1070.47(e), from the same public interest organization that commented 
on proposed Sec.  1070.47(d). As it did with respect to proposed Sec.  
1070.47(d), the commenter suggested that this paragraph was intended to 
assure entities that the Bureau's separate proposals that would expand 
its discretion to share information would not prejudice them, and it 
expressed concerns that this provision may not be enforceable with 
respect to government authorities, and that the proposal could give 
create an ``illusion of certainty'' for entities that disclose 
privileged information to the Bureau in reliance on this provision.
    Like proposed Sec.  1070.47(d), the purpose of this proposal was to 
facilitate the Bureau's control over its own confidential information. 
The Bureau intended this provision to parallel 12 CFR 4.37(d), a 
provision that serves a similar purpose in analogous regulations 
promulgated by the OCC. The Bureau's purpose was to codify such 
language in its own regulations to put recipients of its confidential 
information on notice that the Bureau does not intend its disclosure of 
confidential information to waive its rights with respect to the 
information. For these reasons, the Bureau finalizes the proposal 
without modifying it in response to this comment.
Section 1070.47(f) Non-Waiver of Privilege
    The Bureau proposed moving the former paragraph (c), Non-waiver, to 
a new paragraph (f), and making corresponding technical corrections to 
paragraph (f)(2), in order to account for the two new paragraphs 
described above. In addition, the Bureau proposed replacing the title 
``Non-waiver'' with a new title ``Non-waiver of privilege'' so as to 
clarify the distinction between this paragraph and the new paragraph 
(e), Non-waiver of CFPB rights.

[[Page 75213]]

    The Bureau received two comment letters regarding this paragraph, 
from a public interest organization and a group of industry trade 
associations. The public interest organization commenter argued that 
most Federal circuits reject selective waiver doctrine and may not 
protect privilege in the absence of statutory authority, and that 
entities that rely on proposed Sec.  1070.47(f) to disclose privileged 
information to the Bureau may risk the Bureau waiving their privilege 
because the paragraph's reference to ``any Federal or State Agency'' is 
broader than the express anti-waiver protection in 12 U.S.C. 1821(t). 
The industry commenter expressed similar concerns, that if the Bureau 
transferred privileged material that it had received under 12 U.S.C. 
1828(x), that transfer could endanger the material's privilege.
    The Bureau notes that it did not propose any substantive changes to 
this provision, which already exists in the rule. We previously 
considered and addressed these issues in a 2012 rulemaking in which we 
readopted this provision in modified form. See generally Final Rule, 
Confidential Treatment of Privileged Information, 77 FR 39617 (July 5, 
2012). Our view has not changed since then. As we explained at the 
time, this provision is ``primarily intended to protect the Bureau's 
privileges--including, for example, its examination privilege, its 
deliberative process privilege, and its law enforcement privilege--in 
the context of a coordinated examination or joint investigation.'' Id. 
at 39621. We also explained that, per Bulletin 12-01, the Bureau only 
requests privileged information from institutions in limited 
circumstances, and there is a presumption against sharing confidential 
supervisory information with non-supervisory agencies. Id. We noted 
that ``[t]he Bulletin's presumption against sharing confidential 
supervisory information would be even stronger'' where it includes 
information subject to attorney-client or work-product privileges. Id.
    Moreover, the Bureau concluded in its 2012 rulemaking that it had 
statutory authority to promulgate a regulation that protected against 
waiver of privilege in the event that information is shared with State 
agencies. See Notice of Proposed Rulemaking, Confidential Treatment of 
Privileged Information, 77 FR 15286, 15289 (Mar. 15, 2012); see also 
Final Rule, 77 FR at 39621. This conclusion has been buttressed by 
Congress's subsequent amendment to 12 U.S.C. 5514(b)(3), which states 
that, in coordinating the supervision of nondepository covered persons 
with prudential regulators, the State bank regulatory authorities, and 
the State agencies that license, supervise, or examine the offering of 
consumer financial products or services, ``[t]he sharing of information 
with such regulators, authorities, and agencies shall not be construed 
as waiving, destroying, or otherwise affecting any privilege or 
confidentiality such person may claim with respect to such information 
under Federal or State law as to any person or entity other than such 
Bureau, agency, supervisor, or authority.''
    For the aforementioned reasons, the Bureau finalizes the proposal 
without modification.
Section 1070.47(g) Reports of Unauthorized Disclosure
    The Bureau proposed adding a new paragraph (g) that would have 
required any persons in possession of confidential information to 
immediately notify the Bureau upon discovery of any disclosures of 
confidential information made in violation of subpart D. The Bureau 
further revises the proposal in the final rule.
    The Bureau received three comment letters that addressed this 
provision, from a group of industry trade associations, from a consumer 
advocacy organization, and from a financial institution. The group of 
industry trade associations expressed concern that this proposal would 
create an ``independent violation'' for ``any person'' in possession of 
confidential information to fail to immediately notify the Bureau upon 
discovery of improper disclosures. The group argued that, unlike 
supervised financial institutions, imposing notification requirements 
on other potential recipients of confidential information, including 
individuals or non-regulated third parties, is not appropriate, and 
would heighten legal risks for individuals and institutions. The 
commenter noted that it can be difficult to determine whether a 
particular document or piece of information is CSI; it expressed 
further concerns that the provision presumes that recipients of 
confidential information would know what constitutes confidential 
information and what disclosures are permitted by the rule, and it 
concluded that such expectations are unreasonable. The commenter 
alleged that the ``imposition of additional liability'' on recipients 
of improper disclosures would ``improperly shift the burden to those 
who are, in essence, innocent bystanders in a violation.'' The consumer 
advocacy organization expressed similar concerns that journalists or 
other members of the public could be subject to these notification 
requirements, which could chill journalistic or other inquiries.
    This proposal was intended to instruct agencies, institutions, or 
other persons that may improperly disclose the Bureau's confidential 
information to notify the Bureau so that, where warranted, the Bureau 
can take appropriate steps to mitigate any harm caused by such 
disclosure. For example, if an agency partner were to publicly disclose 
CII without permission, the Bureau would work to limit public 
disclosure and protect the privacy or proprietary interests of those 
affected by the disclosure. This is in line with the Bureau's 
obligations under 12 U.S.C. 5512(c)(8), which requires that, ``[i]n 
collecting information from any person [or] publicly releasing 
information held by the Bureau, . . . the Bureau shall take steps to 
ensure that proprietary, personal, or confidential consumer information 
that is protected from disclosure under [the FOIA] or [the Privacy Act 
of 1974], or any other provision of law, is not made public under this 
title.''
    The Bureau appreciates commenters' concerns that the proposal's 
notification requirement could apply to third parties without a direct 
relationship with the Bureau, who may not realize that they possess 
confidential information or know of this subpart's requirements. And it 
likewise appreciates the commenter's concerns about chilling 
journalistic or other inquiries. To address these concerns, the Bureau 
will further revise and narrow the proposed text, limiting this 
provision to persons ``that obtain confidential information under this 
subpart.'' Agencies, institutions, and other persons that obtain 
confidential information under this subpart should be advised of their 
receipt of the Bureau's confidential information and any obligations to 
protect the information's confidentiality.
    In addition to these comments regarding the proposal's 
applicability to third parties, the Bureau also received a comment 
letter from a financial institution that expressed concern regarding 
the proposal's inclusion of the term ``immediately.'' The commenter 
suggested that ``immediately,'' read literally, would create an 
impossible standard to meet, and it instead recommended a ``more 
reasonable'' standard, such as ``promptly.''
    The Bureau agrees that a requirement for ``immediate'' 
notification, if read literally, could create compliance difficulties. 
To address this concern, the Bureau revises the proposal's temporal

[[Page 75214]]

standard to instead require notification ``as soon as possible and 
without unreasonable delay.'' In adopting this standard, the Bureau 
analogizes to the same temporal standard adopted by the Office of 
Management and Budget with respect to Federal agency breach reporting. 
See Office of Management and Budget, M-17-12, ``Preparing for and 
Responding to a Breach of Personally Identifiable Information'' (Jan. 
3, 2017). This is also intended to be analogous to the reporting 
standard set forth in interagency information security guidance by the 
prudential regulators, which advises as a best practice that a 
financial institution ``notify[] its primary Federal regulator as soon 
as possible when the institution becomes aware of an incident involving 
unauthorized access to or use of sensitive customer information.'' See 
Interagency Guidelines Establishing Information Security Standards, 12 
CFR part 208, appendix D-2 (emphasis in original).
    Finally, the same financial institution requested clarification 
regarding the proposal's interaction with existing requirements and 
supervisory expectations applicable to financial institutions, their 
employees, and other institution-affiliated parties, as defined in 12 
U.S.C. 1813(u). The commenter stated that, upon discovery of improper 
disclosure, supervised financial institutions would already be expected 
to take certain steps, including notifying regulators as appropriate, 
pursuant to supervisory expectations and under the Gramm-Leach-Bliley 
Act, 15 U.S.C. 6801 et seq., and State breach laws.
    This provision is consistent with the Bureau's existing supervisory 
expectations. In addition, this provision does not impact other 
notification expectations relating to the Gramm-Leach-Bliley Act or 
requirements under various State breach laws, as they generally do not 
require notification to the Bureau and, depending on the information's 
content, may not apply to the Bureau's confidential information.
Former Section 1070.48 Privileges not Affected by Disclosure to the 
CFPB
    Former Sec.  1070.48 provided that the submission by any person of 
any information to the Bureau in the course of the Bureau's supervisory 
or regulatory processes will not waive or otherwise affect any 
privilege such person may claim with respect to such information under 
Federal or State law as to any other person or entity. This section had 
been promulgated separately from the rest of the rule. See Final Rule, 
Confidential Treatment of Privileged Information, 77 FR 39617 (July 5, 
2012). Congress subsequently enacted Public Law 112-215, 126 Stat. 
1589, Dec. 20, 2012, which amended 12 U.S.C. 1828(x) to provide these 
same protections to privileged information submitted to the Bureau. 
Because 12 U.S.C. 1828(x), as revised, provided the exact same 
protections as former Sec.  1070.48, it rendered former Sec.  1070.48 
superfluous and unnecessary, and the Bureau therefore proposed deleting 
the provision in its regulation text to avoid potential confusion.
    The Bureau received no comments regarding this proposal, and it 
finalizes the proposal without modification.
Proposed Section 1070.48 Disclosure of Confidential Information by the 
Inspector General
    The Bureau proposed adding a new section to clarify that part 1070 
does not limit the discretion of its Inspector General's office to 
disclose confidential information as needed in fulfilling its 
responsibilities under the Inspector General Act of 1978, 5 U.S.C. App. 
3. Because the Bureau proposed deleting the current text of Sec.  
1070.48, this new section replaces that text.
    The Bureau received two comment letters regarding this proposal. 
One comment letter, from an industry trade association, stated that it 
was unclear whether the ``as needed'' language limits the Bureau's 
Inspector General's ability to publish reports containing confidential 
information. It asked that the Bureau either delete the proposal or 
clarify the extent to which its Inspector General's office may disclose 
confidential information. A second comment letter, from a public 
interest organization, expressed concern that the proposal could make 
it easier for the Bureau's Inspector General's office to further 
disclose privileged supervisory information submitted to the Bureau, 
which could undermine the information's privileged status and 
discourage the submission of privileged materials to the Bureau.
    To be clear, the proposal's ``as needed'' language is intended to 
enable the Bureau's Inspector General's office, in its discretion, to 
disclose confidential information to the extent that it deems such 
disclosure necessary to fulfill its duties under the Inspector General 
Act of 1978, 5 U.S.C. App. 3. Furthermore, as explained above with 
respect to inclusion of Inspector General employees in the definition 
of ``employee'' in Sec.  1070.2(k), Sec.  1070.41(c) already allows for 
the publication of reports derived from confidential information to the 
extent that they do not identify, either directly or indirectly, any 
particular person to whom the information pertains.\18\
---------------------------------------------------------------------------

    \18\ For further discussion of comments regarding the inclusion 
of Inspector General employees in the definition of ``employee,'' 
see the above discussion of proposed Sec.  1070.2(k).
---------------------------------------------------------------------------

    With respect to the commenter's concern that the Inspector 
General's office may further disclose financial institutions' 
privileged information in a manner that could undermine the privilege, 
the Inspector General's office will give due consideration to the 
applicable privileges associated with any disclosures that it may make.
    For the aforementioned reasons, the Bureau finalizes the proposal 
without modification.

Part 1091--Procedural Rule To Establish Supervisory Authority Over 
Certain Nonbank Covered Persons Based on Risk Determination

Section 1091.103 Contents of Notice
    The Bureau proposed to revise paragraph (a)(2)(vii) to remove the 
cross-reference to Sec.  1070.2(i)(1) and replace it with a cross-
reference to Sec.  1070.2(j). The Bureau received no comments on this 
proposal. Because the definitions in Sec.  1070.2 are renumbered in the 
final rule, the final rule further revises the proposal to 
appropriately cross-reference Sec.  1070.2(i).
Section 1091.115 Change of Time Limits and Confidentiality of 
Proceedings
    The Bureau proposed to revise Sec.  1091.115(c) to remove the 
cross-reference to Sec.  1070.2(i)(1) and replace it with a cross-
reference to Sec.  1070.2(j). The Bureau received no comments on this 
proposal. Because the definitions in Sec.  1070.2 are renumbered in the 
final rule, the final rule further revises the proposal to 
appropriately cross-reference Sec.  1070.2(i).

V. Section 1022(b)(2)(A) of the Dodd-Frank Act

    In developing this final rule, the Bureau has considered the 
potential benefits, costs, and impacts as required by section 
1022(b)(2)(A) of the Dodd-Frank Act.\19\ The Bureau has consulted, or 
offered to consult with, the

[[Page 75215]]

prudential regulators and the Federal Trade Commission, including 
consultation regarding consistency with any prudential, market, or 
systemic objectives administered by such agencies.\20\
---------------------------------------------------------------------------

    \19\ Section 1022(b)(2)(A) of the Dodd-Frank Act addresses the 
consideration of the potential benefits and costs of regulation to 
consumers and covered persons, including the potential reduction of 
access by consumers to consumer financial products or services; the 
impact on depository institutions and credit unions with $10 billion 
or less in total assets as described in section 1026 of the Dodd-
Frank Act; and the impact on consumers in rural areas. Section 
1022(b)(2)(B) directs the Bureau to consult, before and during the 
rulemaking, with appropriate prudential regulators or other Federal 
agencies, regarding consistency with objectives those agencies 
administer.
    \20\ Two comment letters received by the Bureau, from a 
consulting organization and a group of industry trade associations, 
suggested that the Bureau did not meet its obligations to consult 
with prudential regulators regarding its proposed rule pursuant to 
12 U.S.C. 5512(b)(2)(B). This is not true. The Bureau consulted with 
the prudential regulators regarding its proposed rule, including its 
proposed revision to Sec.  1070.43(b)(1) and the definition of 
``agency'' in proposed Sec.  1070.2(a). The Bureau consulted with 
the prudential regulators regarding its final rule as well.
---------------------------------------------------------------------------

    The Bureau has chosen to consider the benefits, costs, and impacts 
of the final rule as compared to the status quo: The current statutory 
provisions and the regulations as set forth by the Bureau on February 
15, 2013, 78 FR 11483 (Feb. 15, 2013) (which includes the protections 
for privileged information which Congress enacted in Pub. L. 112-215, 
126 Stat. 1589, Dec. 20, 2012, which amended 12 U.S.C. 1821(t)(2)(A) 
and 1828(x)).\21\ The Bureau does not have data with which to quantify 
the benefits or costs of the final rule, nor were any data provided by 
commenters. The discussion below considers the qualitative costs, 
benefits, and impacts that the Bureau anticipates from the rule. The 
Bureau also notes that the discussion below should be read in 
conjunction with the discussion of impacts in the Section by Section 
discussion above.
---------------------------------------------------------------------------

    \21\ The Bureau has discretion in any rulemaking to choose an 
appropriate scope of analysis with respect to potential benefits and 
costs and an appropriate baseline.
---------------------------------------------------------------------------

    Summary of main aspects of rule. In this analysis, the Bureau 
focuses on the benefits, costs, and impacts of the main aspects of the 
final rule, which are found in subparts A and D.
    The changes to the definitions in subpart A will alter the 
treatment of certain information submitted to the Bureau. The revised 
definition of confidential consumer complaint information will now 
include any information received or generated by the CFPB through 
processes or procedures established under 12 U.S.C. 5493(b)(3), 
clarifying that any complaints submitted to the CFPB through its 
Consumer Response system, and any information generated therein, are 
similarly classified under its confidentiality rules and subject to the 
same confidentiality protections. The revised definition of 
confidential supervisory information will no longer include reference 
to information collected using the Bureau's market monitoring 
authority.
    The changes in subpart D will provide that a person lawfully in 
possession of confidential supervisory information provided directly to 
it by the Bureau pursuant to Sec.  1070.42 may disclose the information 
to an insurance provider pursuant to a claim made under an existing 
policy, provided that the Bureau has not precluded indemnification or 
reimbursement for the claim and to the extent necessary for the 
insurance provider to process and administer any claims for coverage.
    In addition, the changes in subpart D will authorize the Bureau, 
upon receipt of prior consent, to disclose confidential information 
that directly or indirectly identifies particular persons. The rule 
includes a clarification that the Bureau may disclose confidential 
information in its discretion as needed to conduct its investigations 
or perform administrative tasks to further its own enforcement actions.
    Lastly, the final rule adds Sec.  1070.47(g), which will require 
any person that obtains confidential information under subpart D to, as 
soon as possible and without unreasonable delay, notify the CFPB upon 
the discovery of any further disclosures made in violation of subpart 
D.
    The Bureau views the remainder of the final rule to mainly include 
clarifications, corrections and technical changes, which will have 
limited impacts on consumers and covered persons.
    Costs and benefits to consumers and covered persons of changes in 
Subpart A. The final rule's changes to certain definitions in subpart A 
will impact the Bureau's ability to disclose confidential information, 
which will in turn result in some costs and benefits for consumers and 
covered persons.
    The expansion of the definition of confidential consumer complaint 
information to include any complaints submitted through the Bureau's 
Consumer Response system should provide benefits for consumers and 
covered persons. Specifically, because all such complaints will now be 
subject to the Bureau's confidentiality rules, this change should 
afford greater confidentiality protections to consumers and covered 
persons submitting or referenced in any misdirected complaints that the 
Bureau receives and that are now covered under the definition.
    The deletion of market monitoring information collected pursuant to 
12 U.S.C. 5512(c) from the definition of confidential supervisory 
information will not impose costs on financial institutions because 
this information will continue to be protected as confidential 
information under the Bureau's rules, to the extent that the 
information includes confidential business information, personal 
information, or other sensitive information that is exempt from 
disclosure under the Freedom of Information Act, 5 U.S.C. 552(b). But 
this change will mean that Bureau will have more flexibility to use and 
disclose less-sensitive, non-confidential information collected for 
market monitoring purposes, such as data that are already publicly 
available. This change will allow the Bureau to implement and 
administer Federal consumer financial law more efficiently, which will 
benefit consumers. In addition, this flexibility should not impose 
additional costs for covered persons because such less-sensitive 
information would already be subject to public access via the FOIA.
    Costs and benefits to consumers and covered persons of changes in 
Subpart D. As noted above, the new provisions in subpart D authorize 
the Bureau to disclose confidential information in certain 
circumstances. Consumers will generally benefit from these provisions 
because each of these changes allows more efficient sharing of 
confidential information between the CFPB and various parties and thus 
also results in more efficient administration of consumer financial 
laws. The Bureau notes, however, that any benefits are limited, 
relative to the proposal, given the narrower scope of the final rule.
    These changes may entail certain costs to covered persons, such as 
increased risk for a loss of confidentiality. However, the final rule 
expands the circumstances in which confidential information may be 
disclosed only in discrete circumstances, and moreover, any recipient 
of confidential information from the Bureau may not further disclose 
such information without the prior written permission of the Bureau. 
Therefore, any increased risk for a loss of confidentiality should be 
minimal. The Bureau continues to seek to provide stringent protection 
for confidential information while ensuring its ability to share or 
disclose information to the extent necessary to achieve its mission.
    The new requirement that any person that obtains confidential 
information under subpart D must notify the CFPB upon the discovery of 
any further disclosures made in violation of subpart D should not cause 
additional burden for supervised entities with respect to CSI, as this 
provision is consistent with the Bureau's existing supervisory 
expectations. It should not cause additional burden on recipients of 
CII

[[Page 75216]]

under Sec.  1070.42(a), as further disclosure of such information is 
not prohibited by the final rule. It may result in some additional 
burden in cases where confidential consumer complaint information is 
further disclosed by a covered person, which will now have the 
obligation to notify the Bureau. Consumers should benefit from this 
requirement because notification should facilitate the mitigation of 
any harms caused by the unauthorized disclosure.
    Other impacts. The CFPB does not expect that the final rule will 
have an appreciable impact on consumers' access to consumer financial 
products or services. The scope of the rulemaking is limited to matters 
related to access to and disclosure of certain types of information, 
and does not relate to credit access.
    The Bureau does not believe that this rule will have a unique 
impact on insured depository institutions or insured credit unions with 
$10 billion or less in assets as described in section 1026(a) of the 
Dodd-Frank Act. The rule does not distinguish in any material way 
information regarding such institutions. In addition, because the 
Bureau has limited supervisory authority over these institutions, they 
are generally less likely to share information with the Bureau, and 
therefore any impacts of the rule related to confidential supervisory 
information may be less compared to other institutions.
    The Bureau also does not believe that this rule will have a unique 
impact on consumers in rural areas. The rule does not distinguish 
information regarding consumers in rural areas, or regarding 
institutions that provide products or services to consumers in rural 
areas. In addition, to the extent that these consumers may use smaller 
financial service providers over which the Bureau has limited 
supervisory authority, and which may be less likely to share 
information with the Bureau, the impacts of the rule related to 
confidential supervisory information may be less for these consumers 
than for other consumers.

VI. Regulatory Requirements

    The Regulatory Flexibility Act, 5 U.S.C. 601 et seq., as amended by 
the Small Business Regulatory Enforcement Fairness Act of 1996 (the 
RFA), requires each agency to consider the potential impact of its 
regulations on small entities, including small businesses, small 
governmental units, and small not-for-profit organizations, unless the 
head of the agency certifies that the rule will not have a significant 
economic impact on a substantial number of small entities. The Director 
so certifies. The rule does not impose any obligations or standards of 
conduct for purposes of analysis under the RFA, and it therefore does 
not give rise to a regulatory compliance burden for small entities.
    The Bureau also has determined that this rule does not impose any 
new recordkeeping, reporting, or disclosure requirements on members of 
the public that would be collections of information requiring approval 
under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq.
    Finally, pursuant to the Congressional Review Act (5 U.S.C. 801 et 
seq.), the Bureau will submit a report containing this rule and other 
required information to the United States Senate, the United States 
House of Representatives, and the Comptroller General of the United 
States prior to the rule taking effect. The Office of Information and 
Regulatory Affairs (OIRA) has designated this rule as not a ``major 
rule'' as defined by 5 U.S.C. 804(2).

VII. Signing Authority

    The Director of the Bureau, Kathleen L. Kraninger, having reviewed 
and approved this document, is delegating the authority to 
electronically sign this document to Laura Galban, a Bureau Federal 
Register Liaison, for purposes of publication in the Federal Register.

List of Subjects

12 CFR Part 1070

    Confidential business information, Consumer protection, Freedom of 
information, Privacy.

12 CFR Part 1091

    Administrative practice and procedure, Consumer protection, Credit, 
Trade practices.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau amends 12 CFR 
parts 1070 and 1091 to read as follows:

PART 1070--DISCLOSURE OF RECORDS AND INFORMATION

0
1. The authority citation for part 1070 continues to read as follows:

    Authority:  12 U.S.C. 5481 et seq.; 5 U.S.C. 552; 5 U.S.C. 552a; 
18 U.S.C. 1905; 18 U.S.C. 641; 44 U.S.C. ch. 31; 44 U.S.C. ch. 35; 
12 U.S.C. 3401 et seq.

Subpart A--General Provisions and Definitions

0
2. Revise Sec.  1070.2 to read as follows:


Sec.  1070.2  General definitions.

    For purposes of this part:
    (a) Associate Director for Supervision, Enforcement and Fair 
Lending means the Associate Director for Supervision, Enforcement and 
Fair Lending of the CFPB or any CFPB employee to whom the Associate 
Director for Supervision, Enforcement and Fair Lending has delegated 
authority to act under this part.
    (b) Business day means any day except Saturday, Sunday or a legal 
Federal holiday.
    (c) CFPB means the Bureau of Consumer Financial Protection.
    (d) Chief FOIA Officer means the Chief Operating Officer of the 
CFPB.
    (e) Chief Operating Officer means the Chief Operating Officer of 
the CFPB, or any CFPB employee to whom the Chief Operating Officer has 
delegated authority to act under this part.
    (f) Confidential information means confidential consumer complaint 
information, confidential investigative information, and confidential 
supervisory information, as well as any other CFPB information that may 
be exempt from disclosure under the Freedom of Information Act pursuant 
to 5 U.S.C. 552(b). Confidential information does not include 
information contained in records that have been made publicly available 
by the CFPB or information that has otherwise been publicly disclosed 
by an employee, or agent of the CFPB, with the authority to do so. 
Confidential information obtained by a third party or otherwise 
incorporated in the records of a third party, including another agency, 
shall remain confidential information subject to this part.
    (g) Confidential consumer complaint information means information 
received or generated by the CFPB through processes or procedures 
established under 12 U.S.C. 5493(b)(3), to the extent that such 
information is exempt from disclosure pursuant to 5 U.S.C. 552(b).
    (h) Confidential investigative information means:
    (1) Any documentary material, written report, or written answers to 
questions, tangible thing, or transcript of oral testimony received by 
the CFPB in any form or format pursuant to a civil investigative 
demand, as those terms are set forth in 12 U.S.C. 5562, or received by 
the CFPB voluntarily in lieu of a civil investigative demand; and
    (2) Any other documents, materials, or records prepared by, on 
behalf of, received by, or for the use by the CFPB or any other Federal 
or State agency in the conduct of enforcement activities, and any 
information derived from such materials.
    (i) Confidential supervisory information means:
    (1) Reports of examination, inspection and visitation, non-public 
operating,

[[Page 75217]]

condition, and compliance reports, supervisory letter, or similar 
document, and any information contained in, derived from, or related to 
such documents;
    (2) Any documents, materials, or records, including reports of 
examination, prepared by, or on behalf of, or for the use of the CFPB 
or any other Federal, State, or foreign government agency in the 
exercise of supervisory authority over a financial institution, and any 
information derived from such documents, materials, or records;
    (3) Any communications between the CFPB and a supervised financial 
institution or a Federal, State, or foreign government agency related 
to the CFPB's supervision of the institution;
    (4) Any information provided to the CFPB by a financial institution 
for purposes of detecting and assessing risks to consumers and to 
markets for consumer financial products or services pursuant to 12 
U.S.C. 5414(b)(1)(C), 5515(b)(1)(C), or 5516(b), or to assess whether 
an institution should be considered a covered person, as that term is 
defined by 12 U.S.C. 5481, or is subject to the CFPB's supervisory 
authority; and/or
    (5) Information that is exempt from disclosure pursuant to 5 U.S.C. 
552(b)(8).
    (j) Director means the Director of the CFPB or his or her designee, 
or a person authorized to perform the functions of the Director in 
accordance with law.
    (k) Employee means all current employees or officials of the CFPB, 
including contract personnel, the employees of the Office of the 
Inspector General of the Board of Governors of the Federal Reserve 
System and the Consumer Financial Protection Bureau, and any other 
individuals who have been appointed by, or are subject to the 
supervision, jurisdiction, or control of the Director, as well as the 
Director. The procedures established within this part also apply to 
former employees where specifically noted.
    (l) Financial institution means any person involved in the offering 
or provision of a ``financial product or service,'' including a 
``covered person'' or ``service provider,'' as those terms are defined 
by 12 U.S.C. 5481.
    (m) General Counsel means the General Counsel of the CFPB or any 
CFPB employee to whom the General Counsel has delegated authority to 
act under this part.
    (n) Person means an individual, partnership, company, corporation, 
association (incorporated or unincorporated), trust, estate, 
cooperative organization, or other entity.
    (o) Report of examination means the report prepared by the CFPB 
concerning the examination or inspection of a supervised financial 
institution.
    (p) State means any State, territory, or possession of the United 
States, the District of Columbia, the Commonwealth of Puerto Rico, the 
Commonwealth of the Northern Mariana Islands, Guam, American Samoa, or 
the United States Virgin Islands or any federally recognized Indian 
tribe, as defined by the Secretary of the Interior under section 104(a) 
of the Federally Recognized Indian Tribe List Act of 1994 (25 U.S.C. 
479a-1(a)), and includes any political subdivision thereof.
    (q) Supervised financial institution means a financial institution 
that is or that may become subject to the CFPB's supervisory authority.

0
3. Revise subpart D to read as follows:
Subpart D--Confidential Information
Sec.
1070.40 Purpose and scope.
1070.41 Non-disclosure of confidential information.
1070.42 Disclosure of confidential supervisory information and 
confidential investigative information.
1070.43 Disclosure of confidential information to agencies.
1070.44 Disclosure of confidential consumer complaint information.
1070.45 Affirmative disclosure of confidential information.
1070.46 Other disclosures of confidential information.
1070.47 Other rules regarding the disclosure of confidential 
information.
1070.48 Disclosure of confidential information by the Inspector 
General.

Subpart D--Confidential Information


Sec.  1070.40   Purpose and scope.

    This subpart does not apply to requests for official information 
made pursuant to subpart B, C, or E of this part.


Sec.  1070.41  Non-disclosure of confidential information.

    (a) Non-disclosure. Except as required by law or as provided in 
this part, no current or former employee or contractor or consultant of 
the CFPB, or any other person in possession of confidential 
information, shall disclose such confidential information by any means 
(including written or oral communications) or in any format (including 
paper and electronic formats), to:
    (1) Any person who is not an employee, contractor, or consultant of 
the CFPB; or
    (2) Any CFPB employee, contractor, or consultant when the 
disclosure of such confidential information to that employee, 
contractor, or consultant is not relevant to the performance of the 
employee's, contractor's, or consultant's assigned duties.
    (b) Disclosures to contractors and consultants. CFPB contractors or 
consultants must treat confidential information in accordance with this 
part, other Federal laws and regulations that apply to Federal agencies 
for the protection of the confidentiality of personally identifiable 
information and for data security and integrity, as well as any 
additional conditions or limitations that the CFPB may impose. CFPB 
contractors or consultants may receive confidential information only if 
such contractors or consultants certify in writing to treat such 
confidential information in accordance with the requirements identified 
in this paragraph (b).
    (c) Disclosure of materials derived from confidential information. 
The CFPB may, in its discretion, disclose materials that it derives 
from or creates using confidential information to the extent that such 
materials do not identify, either directly or indirectly, any 
particular person to whom the confidential information pertains.
    (d) Disclosure of confidential information with consent. Where 
practicable, the CFPB may, in its discretion and in accordance with 
applicable law, disclose confidential information that directly or 
indirectly identifies particular persons if the CFPB obtains prior 
consent from such persons to make the disclosure.
    (e) Nondisclosure of confidential information belonging to other 
agencies. Nothing in this subpart requires or authorizes the CFPB to 
disclose confidential information belonging to another agency that has 
been provided to the CFPB (either directly or through a holder of the 
information such as a financial institution) to the extent that such 
disclosure contravenes applicable law or the terms of any agreement 
that exists between the CFPB and the agency to govern the CFPB's 
treatment of information that the agency provides to the CFPB.


Sec.  1070.42  Disclosure of confidential supervisory information and 
confidential investigative information.

    (a) Discretionary disclosure of confidential supervisory 
information or confidential investigative information by the CFPB. The 
CFPB may, in its discretion, and to the extent consistent with 
applicable law, disclose confidential supervisory information or 
confidential investigative information concerning a person or its 
service

[[Page 75218]]

providers to that person or to its affiliates.
    (b) Further disclosure of confidential supervisory information. 
Unless directed otherwise by the Associate Director for Supervision, 
Enforcement and Fair Lending:
    (1) Any supervised financial institution lawfully in possession of 
confidential supervisory information of the CFPB provided directly to 
it by the CFPB pursuant to paragraph (a) of this section may disclose 
such information, or portions thereof, to its affiliates and to the 
following individuals to the extent that the disclosure of such 
confidential supervisory information is relevant to the performance of 
such individuals' assigned duties:
    (i) Its directors, officers, trustees, members, general partners, 
or employees; and
    (ii) The directors, officers, trustees, members, general partners, 
or employees of its affiliates.
    (2) Any supervised financial institution or affiliate thereof that 
is lawfully in possession of confidential supervisory information of 
the CFPB provided directly to it by the CFPB pursuant to paragraph (a) 
of this section may disclose such information, or portions thereof, to:
    (i) Its certified public accountant, legal counsel, contractor, 
consultant, or service provider;
    (ii) Its insurance provider pursuant to a claim made under an 
existing policy, provided that the Bureau has not precluded 
indemnification or reimbursement for the claim; information disclosed 
pursuant to this paragraph (b)(2)(ii) may be used by the insurance 
provider solely for purposes of administering such a claim; or
    (iii) Another person, with the prior written approval of the 
Associate Director for Supervision, Enforcement and Fair Lending.
    (3) Where a supervised financial institution or its affiliate 
discloses confidential supervisory information of the CFPB pursuant to 
paragraph (b) of this section:
    (i) The recipient of such confidential supervisory information 
shall not, without the prior written approval of the Associate Director 
for Supervision, Enforcement and Fair Lending, utilize, make, or retain 
copies of, or disclose confidential supervisory information for any 
purpose, except as is necessary to provide advice or services to the 
supervised financial institution or its affiliate; and
    (ii) The supervised financial institution or its affiliate 
disclosing the confidential supervisory information shall take 
reasonable steps to ensure that the recipient complies with paragraph 
(b)(3)(i) of this section.
    (4) Nothing in this paragraph (b) authorizes a supervised financial 
institution or affiliate thereof to further disclose confidential 
information belonging to another agency.
    (c) Further disclosure of confidential investigative information. 
Nothing in this subpart shall prohibit any person lawfully in 
possession of confidential investigative information of the CFPB 
pursuant to paragraph (a) of this section from further disclosing that 
confidential investigative information.


Sec.  1070.43  Disclosure of confidential information to agencies.

    (a) Required disclosure of confidential information to agencies. 
The CFPB shall:
    (1) Disclose a draft of a report of examination of a supervised 
financial institution prior to its finalization, as provided in 12 
U.S.C. 5515(e)(1)(C), and disclose a final report of examination, 
including any and all revisions made to such a report, as provided in 
12 U.S.C. 5512(c)(6)(C)(i), to a Federal or State agency with 
jurisdiction over that supervised financial institution, provided that 
the CFPB receives from the agency reasonable assurances as to the 
confidentiality of the information disclosed; and
    (2) Disclose confidential consumer complaint information to a 
Federal or State agency to facilitate preparation of reports to 
Congress required by 12 U.S.C. 5493(b)(3)(C) and to facilitate the 
CFPB's supervision and enforcement activities and its monitoring of the 
market for consumer financial products and services, provided that the 
agency shall first give written assurance to the CFPB that it will 
maintain such information in confidence, including in a manner that 
conforms to the standards that apply to Federal agencies for the 
protection of the confidentiality of personally identifiable 
information and for data security and integrity.
    (b) Discretionary disclosure of confidential information to 
agencies. (1) Upon receipt of a written request that contains the 
information required by paragraph (b)(2) of this section, the CFPB may, 
in its discretion, disclose confidential information to a Federal or 
State agency to the extent that the disclosure of the information is 
relevant to the exercise of the agency's statutory or regulatory 
authority or, with respect to the disclosure of confidential 
supervisory information, to a Federal or State agency having 
jurisdiction over a supervised financial institution.
    (2) To obtain access to confidential information pursuant to 
paragraph (b)(1) of this section, an authorized officer or employee of 
the agency shall submit a written request to the Director. The request 
shall include the following:
    (i) A description of the particular information, kinds of 
information, and where possible, the particular documents to which 
access is sought;
    (ii) A statement of the purpose for which the information will be 
used;
    (iii) A statement certifying and identifying, as required by 
paragraph (b)(1) of this section, the agency's statutory or regulatory 
authority that is relevant to the requested information or, with 
respect to a request for confidential supervisory information, the 
agency's jurisdiction over a supervised financial institution;
    (iv) A statement certifying and identifying the agency's legal 
authority for protecting the requested information from public 
disclosure; and
    (v) A certification that the agency will maintain the requested 
confidential information in confidence, including in a manner that 
conforms to the standards that apply to Federal agencies for the 
protection of the confidentiality of personally identifiable 
information and for data security and integrity, as well as any 
additional conditions or limitations that the CFPB may impose.
    (c) Negotiation of standing requests. The CFPB may negotiate terms 
governing the exchange of confidential information with Federal or 
State agencies on a standing basis, as appropriate.


Sec.  1070.44  Disclosure of confidential consumer complaint 
information.

    The CFPB may, to the extent permitted by law, disclose confidential 
consumer complaint information as it deems necessary to investigate, 
resolve, or otherwise respond to consumer complaints or inquiries 
concerning consumer financial products and services or a violation of 
Federal consumer financial law.


Sec.  1070.45  Affirmative disclosure of confidential information.

    (a) The CFPB may disclose confidential information, in accordance 
with applicable law, as follows:
    (1) To a CFPB employee, as that term is defined in Sec.  1070.2 and 
in accordance with Sec.  1070.41;
    (2) To either House of the Congress or to an appropriate committee 
or subcommittee of the Congress, as set forth in 12 U.S.C. 5562(d)(2), 
provided that, upon the receipt by the CFPB of a request from the 
Congress for confidential information that a financial institution 
submitted to the CFPB along with a claim that such information

[[Page 75219]]

consists of a trade secret or privileged or confidential commercial or 
financial information, or confidential supervisory information, the 
CFPB shall notify the financial institution in writing of its receipt 
of the request and provide the institution with a copy of the request;
    (3) In investigational hearings and witness interviews, or 
otherwise in the investigation and administration of enforcement 
actions, as is reasonably necessary, at the discretion of the CFPB;
    (4) In an administrative or court proceeding to which the CFPB is a 
party. In the case of confidential investigative information that 
contains any trade secret or privileged or confidential commercial or 
financial information, as claimed by designation by the submitter of 
such material, or confidential supervisory information, the submitter, 
or the CFPB, in its discretion, may seek an appropriate order prior to 
disclosure of such material in a proceeding;
    (5) In CFPB personnel matters, as necessary and subject to 
appropriate protections;
    (6) To agencies in summary form to the extent necessary to confer 
with such agencies about matters relevant to the exercise of the 
agencies' statutory or regulatory authority; or
    (7) As required under any other applicable law.
    (b) [Reserved]


Sec.  1070.46  Other disclosures of confidential information.

    (a) To the extent permitted by law and as authorized by the 
Director in writing, the CFPB may disclose confidential information 
other than as set forth in this subpart.
    (b) Prior to disclosing confidential information pursuant to 
paragraph (a) of this section, the CFPB may, as it deems appropriate 
under the circumstances, provide written notice to the person to whom 
the confidential information pertains that the CFPB intends to disclose 
its confidential information in accordance with this section.
    (c) The authority of the Director to disclose confidential 
information pursuant to paragraph (a) of this section shall not be 
delegated. However, a person authorized to perform the functions of the 
Director in accordance with law may exercise the authority of the 
Director as set forth in this section.


Sec.  1070.47   Other rules regarding the disclosure of confidential 
information.

    (a) Further disclosure prohibited. (1) All confidential information 
made available under this subpart shall remain the property of the 
CFPB, unless the General Counsel provides otherwise in writing.
    (2) Except as set forth in this subpart, no supervised financial 
institution, Federal or State agency, any officer, director, employee 
or agent thereof, or any other person to whom the confidential 
information is made available under this subpart, may further disclose 
such confidential information without the prior written permission of 
the Director.
    (3) No person obtaining access to confidential information pursuant 
to this subpart may make a personal copy of any such information, and 
no person may remove confidential information from the premises of the 
institution or agency in possession of such information except as 
permitted under this subpart or by the CFPB.
    (b) Third party requests for information. (1) A supervised 
financial institution, Federal or State agency, any officer, director, 
employee or agent thereof, or any other person to whom the CFPB's 
confidential information is made available under this subpart, that 
receives from a third party a legally enforceable demand or request for 
such confidential information (including but not limited to, a subpoena 
or discovery request or a request made pursuant to the Freedom of 
Information Act, 5 U.S.C. 552, the Privacy Act of 1974, 5 U.S.C. 552a, 
or any State analogue to such statutes) should:
    (i) Inform the General Counsel of such request or demand in writing 
and provide the General Counsel with a copy of such request or demand 
as soon as practicable after receiving it;
    (ii) To the extent permitted by applicable law, advise the 
requester that:
    (A) The confidential information sought may not be disclosed 
insofar as it is the property of the CFPB; and
    (B) Any request for the disclosure of such confidential information 
is properly directed to the CFPB pursuant to its regulations set forth 
in this subpart; and
    (iii) Consult with the General Counsel before complying with the 
request or demand, and to the extent applicable:
    (A) Give the CFPB a reasonable opportunity to respond to the demand 
or request;
    (B) Assert all reasonable and appropriate legal exemptions or 
privileges that the CFPB may request be asserted on its behalf; and
    (C) Consent to a motion by the CFPB to intervene in any action for 
the purpose of asserting and preserving any claims of confidentiality 
with respect to any confidential information.
    (2) Nothing in this section shall prevent a supervised financial 
institution, Federal or State agency, any officer, director, employee 
or agent thereof, or any other person to whom the information is made 
available under this subpart from complying with a legally valid and 
enforceable order of a court of competent jurisdiction compelling 
production of the CFPB's confidential information, or, if compliance is 
deemed compulsory, with a request or demand from either House of the 
Congress or a duly authorized committee of the Congress. To the extent 
that compulsory disclosure of confidential information occurs as set 
forth in this paragraph (b)(2), the producing party shall use its best 
efforts to ensure that the requestor secures an appropriate protective 
order or, if the requestor is a legislative body, use its best efforts 
to obtain the commitment or agreement of the legislative body that it 
will maintain the confidentiality of the confidential information.
    (c) Additional conditions and limitations. The CFPB may impose any 
additional conditions or limitations on disclosure or use under this 
subpart that it determines are necessary.
    (d) Return or destruction of records. Except with respect to 
confidential investigative information disclosed pursuant to Sec.  
1070.42(a), the CFPB may require any person in possession of CFPB 
confidential information to return the records to the CFPB or destroy 
them.
    (e) Non-waiver of CFPB rights. Except as provided in Sec.  
1070.42(c), the disclosure of confidential information to any person in 
accordance with this subpart does not constitute a waiver by the CFPB 
of its right to control, or impose limitations on, the subsequent use 
and dissemination of the information.
    (f) Non-waiver of privilege--(1) In general. The CFPB shall not be 
deemed to have waived any privilege applicable to any information by 
transferring that information to, or permitting that information to be 
used by, any Federal or State agency.
    (2) Rule of construction. Paragraph (f)(1) of this section shall 
not be construed as implying that any person waives any privilege 
applicable to any information because paragraph (f)(1) of this section 
does not apply to the transfer or use of that information.
    (g) Reports of unauthorized disclosure. Any person that obtains 
confidential information under this subpart shall, as soon as possible 
and without unreasonable delay, notify the CFPB upon the discovery of 
any further disclosures made in violation of this subpart.

[[Page 75220]]

Sec.  1070.48   Disclosure of confidential information by the Inspector 
General.

    Nothing in this subpart shall limit the discretion of the Office of 
the Inspector General of the Board of Governors of the Federal Reserve 
System and the Consumer Financial Protection Bureau to disclose 
confidential information as needed in accordance with the Inspector 
General Act of 1978, 5 U.S.C. App. 3.

PART 1091--PROCEDURAL RULE TO ESTABLISH SUPERVISORY AUTHORITY OVER 
CERTAIN NONBANK COVERED PERSONS BASED ON RISK DETERMINATION

0
4. The authority citation for part 1091 continues to read as follows:

    Authority: 12 U.S.C. 5512(b)(1), 5514(a)(1)(C), 5514(b)(7).

Subpart B--Determination and Voluntary Consent Procedures

0
5. Section 1091.103 is amended by revising paragraph (a)(2)(vii) to 
read as follows:


Sec.  1091.103  Contents of Notice.

    (a) * * *
    (2) * * *
    (vii) In connection with a proceeding under this part, including a 
petition for termination under Sec.  1091.113, all documents, records 
or other items submitted by a respondent to the Bureau, all documents 
prepared by, or on behalf of, or for the use of the Bureau, and any 
communications between the Bureau and a person, shall be deemed 
confidential supervisory information under 12 CFR 1070.2(i).
* * * * *

Subpart D--Time Limits and Deadlines

0
6. Section 1091.115 is amended by revising paragraph (c) to read as 
follows:


Sec.  1091.115   Change of time limits and confidentiality of 
proceedings.

* * * * *
    (c) In connection with a proceeding under this part, including a 
petition for termination under Sec.  1091.113, all documents, records 
or other items submitted by a respondent to the Bureau, all documents 
prepared by, or on behalf of, or for the use of the Bureau, and any 
communications between the Bureau and a person, shall be deemed 
confidential supervisory information under 12 CFR 1070.2(i).

    Dated: October 27, 2020.
Laura Galban,
Federal Register Liaison, Bureau of Consumer Financial Protection.
[FR Doc. 2020-24113 Filed 11-23-20; 8:45 am]
BILLING CODE 4810-AM-P