On August 24, 2016, the Consumer Financial Protection Bureau (CFPB) issued a Notice of Proposed Rule Making that proposed amendments to the CFPB’s Freedom of Information Act (FOIA), confidentiality rules, and Privacy Act regulations codified at 12 C.F.R. Part 1070. The proposed changes to the confidentiality rules include, but are not limited to: (i) allowing the CFPB to share a regulated entity’s confidential information with a wider range of government and foreign regulators; (ii) eliminating the CFPB’s obligation to inform a regulated entity before it shares the entity’s confidential information with Congress; and (iii) preventing entities from sharing CFPB enforcement correspondence without prior CFPB approval.
The comment period closed on October 24, 2016. Commenters generally expressed concern that the CFPB’s proposed changes to its confidentiality rules put privileged attorney-client communications at risk and infringed on companies’ First Amendment right to disclose CFPB communications. Some commenters suggested that the CFPB was exceeding its statutory authority in revising the rule.
I. Comments on CFPB’s Expansion of Its Ability to Share Confidential Information
Under current regulations, the CFPB may share confidential information only with agencies that have supervisory authority over the regulated entities. Moreover, the CFPB is required to notify a regulated entity before it shares the entity’s confidential information with Congress.
These regulations often preclude state regulators from receiving confidential information from the CFPB. For that reason, Attorneys General of Massachusetts, Hawaii, Iowa, Maryland, Minnesota, New York, Oregon, and Illinois submitted a joint comment expressing support for the new rule. The Attorneys General explained that, while they have the authority to bring enforcement actions against CFPB-covered businesses under state law, they often lack the ability to conduct investigations because their investigative power is preempted by federal law, as set forth in the U.S. Supreme Court’s decision in Cuomo v. Clearing House, LLC. The Attorneys General argued that if the CFPB could share more investigative information, such cooperation would help Attorneys General contribute to consumer protection investigations and enforcement actions.
On the other hand, commenters like the American Bar Association (ABA) expressed concern that expanding the number of entities with which the CFPB could share confidential information could waive the attorney-client privilege and work-product protection. As the law currently stands, certain specified regulators can share privileged information without resulting in a waiver of the privilege. 12 U.S.C. § 1821(t). The ABA argued that allowing the CFPB to share information with agencies that are not listed in § 1821(t) could waive the privilege. Some Circuit Courts have held that only statutory protections can preserve the privilege on shared information. The risk of waiver would not only potentially dilute the attorney-client privilege, but also may make regulated entities less willing to share privileged information with the CFPB, thereby impeding the CFPB’s enforcement activities.
The ABA letter also argued that the decision to cease giving regulated entities notice before disclosing their confidential information to Congress would have similar effects. Without such notice, regulated entities would no longer be able to contest CFPB decisions to share the information and assert their attorney-client and work-product privileges. The result, again, may make regulated entities less willing to share confidential information with the CFPB.
Several other commenters believed that expanding the entities with which the CFPB could share confidential information was not only unwise, but at odds with the Dodd-Frank Act. The Consumer Data Industry Alliance (CDIA) (a trade association of over 140 companies that promotes education about protecting consumer information privacy) argued that the CFPB’s effort to expand its sharing of confidential information is contrary to Congress’ intent to limit the number of regulators involved in regulating particular industries on particular questions.
Similar arguments were made in a comment letter from Representative Jeb Hensarling (R-TX), Chairman of the U.S. House Financial Services Committee. Chairman Hensarling’s letter stated that the CFPB is attempting to “unlawfully expand its authority,” while a comment from the U.S. Chamber of Commerce’s Center for Capital Markets Competitiveness argued that the revisions are contrary to Congress’ intent in passing the Dodd-Frank Act.
A comment from a collection of banking industry groups, including The Clearinghouse LLC and the American Bankers Association, similarly argued that the CFPB lacks the authority to implement the rule, and objected to the rule on the ground that it may put confidential information at risk. The banking industry groups also noted that the European courts have already struck down the U.S. government’s treatment of European citizens’ information, and argue that the CFPB’s proposed rule would increase the likelihood of other rulings of a similar nature by European courts.
II. Comments on CFPB’s Ban on Sharing CFPB Enforcement Correspondence
The proposed revisions to the confidentiality rule also provide that the CFPB’s civil investigative demands (CIDs) and Notice and Opportunity to Respond and Advise (NORA) letters are confidential and cannot generally be shared by individuals without prior consent by the CFPB.
Several comments argued that the confidentiality rule violates the First Amendment, including (i) a second comment letter from Chairman Hensarling of the House Financial Services Committee, (ii) the American Civil Liberties Union (ACLU) comment, (iii) the American Bar Association Business Law Section comment, (iv) the Consumer Data Industry Association (CDIA) comment, and (v) the U.S. Chamber of Commerce comment.
Most of the commenters explained that companies receiving CIDs and NORA letters should be free to disclose the documents because the ability to disclose such actions is a check on the CFPB and helps ensure that there is open discussion about the Bureau’s behavior.
Other commenters, like the CDIA, emphasized that communicating such information allows regulated institutions to satisfy fiduciary duties to their investors and make honest disclosures to potential business partners when doing due diligence related to proposed business ventures.