The Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) issued Bulletin 12-01 on January 4, 2012 to clarify its practices regarding the collection and safeguarding of information obtained through the supervisory process. In the Bulletin, the CFPB instructs that upon its request, supervised financial institutions are required to provide any and all documents and other information responsive to the request, stating that the “supervisory process is based on the supervisor’s full and unfettered access to information.” The CFPB also stated that although it would treat information gathered through the supervisory process as confidential and privileged, sharing such information with law enforcement or other government agencies, including state attorneys general, may be appropriate or required in some circumstances.
Privilege and Waiver
Significantly, Bulletin 12-01 informs supervised entities that the CFPB may demand the production of privileged documents. According to the CFPB, the production of privileged information (such as information protected by the attorney-client or work product privileges) to the Bureau pursuant to a supervisory request would not constitute a waiver of any privilege that may attach to such information, and thus it will not consider waiver concerns to be a valid basis for withholding information from the agency. The Bureau’s conclusion was based largely on provisions of the Financial Services Regulatory Relief Act of 2006, whichapplies to the federal banking agencies (the OCC, Federal Reserve, FDIC, and formerly, the OTS), allowing the agencies to receive privileged documents from supervised entities without effectuating a waiver of privilege. But the statute does not expressly apply to the CFPB, leaving the Bureau’s position on privilege questionable. The CFPB asserts that Congress intended it to be treated as a prudential regulatory agency with respect to waiver; but, its position has yet to be challenged in court.
While the CFPB asserts that it is entitled to unfettered access to requested information, its Bulletin indicates that it intends to exercise some restraint with respect to requests for privileged material. In particular, the CFPB states that its policy is to request privileged information only when “such information is material to its supervisory objectives and . . . it cannot practicably obtain the same information from non-privileged sources.” The CFPB also assured that it will give “due consideration to . . . requests to limit the form and scope of any supervisory request for privileged information.” Furthermore, the Bureau would take “all reasonable and appropriate action” to rebut any claim of privilege waiver a supervised entity may face by providing information to the Bureau. These assurances, however, may do little to mollify industry concerns regarding how the CFPB may use any privileged information gleaned during its examinations given the CFPB’s stance regarding the sharing of such information with other government agencies.
Information Sharing with State Attorneys General and Other Government Agencies
Bulletin 12-01 also addresses the related issue of sharing information obtained during its examination process with other government agencies. Industry groups, including the American Banker Association (“ABA”), have expressed concern that such sharing of confidential information with state agencies could lead the state attorneys general to file lawsuits based on data collected by the CFPB, and ultimately private lawsuits could follow.
This concern stems from the ongoing controversy surrounding the CFPB’s interim final rule on Disclosure of Records and Information (the “Rule”), which became effective on July 28, 2011. Historically, supervised institutions could be confident that their prudential regulators would maintain the confidentiality of information provided to them during the examination process. The CFPB’s Rule, however, called into question industry understanding as to how confidential information might be treated, stating that sharing some confidential data with states may “serve the public interest.” The Rule is intended to establish procedures regarding the CFPB’s treatment of confidential information obtained in connection with its supervisory process. “Confidential Information” includes three categories of information:
- “confidential consumer complaint information” includes information the CFPB receives from the general public, other agencies or organizations, or information generated by the CFPB to document consumer complaints;
- “confidential investigative information” includes materials received, generated, or compiled by the CFPB “in the course of its investigative activities;” and
- “confidential supervisory information” includes various materials the CFPB generates or receives during its examination of financial institutions.
The Rule requires that the CFPB protect confidential information by prohibiting the CFPB and its employees from disclosing supervised entities’ confidential information to non-employees or even employees whose jobs do not require them to have the information. Consistent with the rules applicable to prudential regulators regarding the treatment of confidential information, the Rule allows for the disclosure of confidential information to accountants, legal counsel and consultants under certain circumstances. The similarity to existing regulations should come as no surprise since the Rule appears to be based primarily on the rules of the prudential regulators that provide for the confidentiality and disclosure of information generated or received in the course of supervising, investigating, or pursuing enforcement actions against financial institutions. (See e.g., Rules Relating to Investigations, 76 Fed. Reg. 45, 172-173 (July 28, 2011) and see generally 12 CFR §§ 4 (OCC), 261 (Board), 309 (FDIC), 510 (OTS)).
Despite such apparent similarities, bank industry groups such as the ABA have cautioned that the Rule could lead to frequent disclosure of confidential information to unintended third parties (e.g., the state attorneys general and other state law enforcement officials). (See ABA Letter, dated September 26, 2011 to the Officer of the Executive Secretary, CFPB). It appears that the CFPB issued the Bulletin, at least in part, to respond to concerns articulated by the ABA. In fact, although the CFPB’s Rules allow it to share information, including privileged information, with law enforcement and other government agencies, the Bulletin states that the Bureau does not intend to routinely share supervisory information with agencies that are not engaged in supervision. The Bureau assures that it will not, for example, share such information with law enforcement agencies—including state attorneys general—on a regular basis unless required to do so by law. If not required by law to share the information, the Bureau states that it will review all relevant facts and considerations and determine whether the scenario presents one of the “very limited circumstances” under which it will share such information.
Such cooperation with state law enforcement and other agencies could significantly undermine the traditional relationships between large depository institutions and their federal regulators, notably the OCC, which are founded on trust and the supervised entities’ confidence that the federal regulator will maintain the confidentiality of any information provided to it. The necessary level of candor could not exist if full disclosures were likely to fuel civil litigation. Moreover, bank industry groups, including the ABA, have called into question the authority of the state attorneys general to rely on such cooperation to circumvent the judicial process that otherwise would be necessary to obtain such private data. In its September 26, 2011 letter, the ABA stated that the CFPB must consider the language of Section 1047 of Dodd-Frank and the Supreme Court’s decision in Cuomo v. Clearing House Association, in which the Court expressly rejected the authority of state attorneys general to obtain information directly from national banks outside of a judicial process. According to the ABA, by codifying Cuomo, Congress could not have intended for state attorneys general to be able to obtain confidential information pertaining to national banks through the CFPB that they could not have obtained elsewhere.
Bulletin 12-01 is merely the most recent development in what promises to be a continuously evolving policy with respect to the handling of confidential information. The Bulletin leaves important questions unanswered. In particular, it is unclear in the absence of statutory language extending the bank examination privilege to the CFPB whether courts will recognize that the provision of privileged documents to the CFPB will not result in a waiver. It also is unclear whether the CFPB will exercise sufficient restraint in the gathering and sharing of confidential information to give financial institutions the confidence necessary to promote full candor during the examination process. Finally, the extent to which the CFPB’s approach to privilege and information sharing will impact the relationship between the CFPB examiners and its supervised entities remains to be seen. It appears unlikely that the Bulletin will be the last word on these important issues.
 The CFPB also reasoned that because the disclosure to the CFPB would be mandatory not voluntary, the supervised institutions would not waive a privilege as to third parties, citing a district court opinion and an OCC interpretive letter. See Boston Auction Co., Ltd. v. Western Farm Credit Bank, 925 F. Supp. 1478, 1482 (D. Hawaii 1996); OCC Interpretative Letter, 1991 WL 338409 (Dec. 3, 1991).
 The pertinent federal statute, 12 U.S.C. § 1828(x), states: “The submission by any person of any information to any Federal banking agency . . . for any purpose in the course of any supervisory or regulatory process of such agency . . . shall not be construed as waiving, destroying, or otherwise affecting any privilege such person may claim with respect to such information . . . .” But, 12 U.S.C. § 1813 limits the definition of “Federal banking agency” to “the Comptroller of the Currency, the Director of the Office of Thrift Supervision, the Board of Governors of the Federal Reserve System, [and] the Federal Deposit Insurance Corporation” — the definition does not include the CFPB.
 The Rule implements the Freedom of Information Act and the Privacy Act of 1974 to establish procedures for the public to obtain information from the Bureau.
 129 S. Ct. 2719 (2009).