CFPB Confidentiality Amendments

December 17, 2012

Congress has enacted legislation, now awaiting the President’s anticipated approval, which provides significant confidentiality protections to persons who must provide privileged or otherwise confidential information to the Consumer Financial Protection Bureau (CFPB).

The new legislation amends the Federal Deposit Insurance Act (FDIA), 12 U.S.C. §1811, et seq., to include the Consumer Financial Protection Bureau (CFPB) among a list of federal agencies covered by FDIA’s existing protection for information submitted to bank regulators.  Specifically, the amendments now provide that the “submission by any person of any information to any Federal banking agency [now including CFPB] … for any purpose in the course of any supervisory or regulatory process … shall not be construed as waiving, destroying or otherwise affecting any privilege such person may claim.” 12 U.S.C. §1828(x).  The law further protects the privileged status of confidential information if it is provided to another “covered” federal agency. 12 U.S.C. §1821(t).

This legislation was passed by unanimous consent in the House in March 2012, but the Senate did not act on the matter because a “hold” was placed on it by a single Senator. That Senator has recently announced his retirement from the Senate and has “lifted the hold,” which allowed the proposal to go to a vote.

Although the new legislation significantly improves the protections afforded to those who supply information, the new law only covers sharing among FDIA-covered federal agencies. The CFPB has previously announced that it will (and quite clearly it does) share confidential information with non-covered federal agencies such as the Federal Trade Commission (FTC) and the Department of Housing and Urban Development (HUD), as well as state regulators such as the Attorneys General and state bank regulators.

Any entity with concerns about such non-covered sharing should consider assuring that there are additional protections built into any production. These might include a commitment from the CFPB that it will only share such confidential information with non-FDIA covered government agencies which agree that they may be and, in fact, agree to be bound as though an FDIA-covered agency. We specifically note that particular care must be exercised in the case of state regulators because there may be conflicting obligations under state public records laws. But even if another agency not explicitly listed in FDIA agrees to provide confidential treatment, there is no guarantee that a court would find (for example) that attorney-client or work-product privilege would be preserved. In short, while the confidentiality amendments provide CFPB regulated entities with some helpful protection, the CFPB’s practice of sharing information with non-FDIA covered agencies means that this protection is still limited in scope.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:


This article was originally published by Bingham McCutchen LLP.