10 Key Takeaways from the Federal Reserve’s Final Rule on CSI and FOIA

by Luigi L. De Ghenghi, Randall D. GuynnJai R. Massari, Margaret E. Tahyar, Eric McLaughlin, Daniel E. Newman, and Eric B. Lewin 

The Federal Reserve’s recent updates to its regulations on confidential supervisory information (CSI) and availability of information under the Freedom of Information Act (FOIA)[1] include several meaningful modifications to adapt these rules for the digital age of emails, data rooms and slide decks and the modern organizational structure and operations of banking organizations.  

This memorandum calls out 10 key takeaways[2] from the final rule (the Final Rule).[3]  We also include several compliance updates where financial institutions will need to update existing processes, implement new record keeping procedures, enter into new agreements with service providers and potentially update standard form confidential treatment request letters. Although the Federal Reserve did not go as far as many had hoped, the preamble holds out hope that there may be further changes over time, especially in the mergers and acquisitions (M&A) and securities disclosure areas.

1. Certain Information That is CSI in the Hands of the Federal Reserve is Not CSI in the Hands of the Supervised Financial Institution

  • The Final Rule clarifies that certain internal business documents of a supervised financial institution are CSI in the hands of the Federal Reserve but not CSI in the hands of the supervised financial institution. This clarification lays to bed the concern that non-CSI internal business documents of a supervised financial institution would be transformed into CSI merely because they were provided to the Federal Reserve.
  • As the Federal Reserve explained in the preamble to the Final Rule, the CSI definition “is not intended to encompass internal business documents merely because in the Federal Reserve’s possession such documents are [CSI],”[4] and the Final Rule text includes modifications making this distinction explicit.

2. Still No Disclosure of CSI for M&A Transactions or Securities Law Disclosure, But Perhaps Down the Road?

  • The Final Rule, like the Current Regulations, does not permit disclosure of CSI in the contexts of M&A transactions or securities law disclosure—absent prior written approval, as required for any disclosure that is not specifically addressed by the Final Rule[5]—notwithstanding comments noting the benefits of permitting disclosures in these contexts.
  • The Final Rule did, however, hint at the possibility of changes down the road, stating that “guidance establishing parameters for such disclosures requires additional consideration and should be addressed on a consistent basis across the federal and state banking agencies and the CFPB.”[6]

3. Expiration of Confidential Treatment Requests After 10 Years

  • Under both the Final Rule and the Current Regulations, a supervised financial institution generally will be notified in writing by the Federal Reserve if records for which it has filed a confidential treatment request (CTR) are the subject of a FOIA request and the Federal Reserve determines that it may be required to disclose the records.[7] After receiving this notice, the supervised financial institution has the opportunity to provide a written objection to the release of such records.[8]
  • The Final Rule provides that CTRs under FOIA Exemption 4[9] generally expire after 10 years unless the submitter requests and provides justification for a longer period.[10]
    • Although the Current Regulations do not contain an explicit expiration date for CTRs, the Federal Reserve is not required to notify a submitter that a FOIA request has been filed if the related CTR under FOIA Exemption 4 is more than 10 years old.[11] The Current Regulations do not address the ability of a supervised financial institution to request that this time period be extended.
  • The 10-year expiration period in the Final Rule therefore is more of a clarification of how the Federal Reserve treats CTRs under FOIA Exemption 4 than a new limitation placed on CTRs, and the ability of supervised financial institutions to request a longer expiration period is a new tool at their disposal.
  • Compliance Update: Supervised financial institutions will want to update their standard form CTRs to ensure they do not forget to request a longer expiration period when appropriate.

4. Removal of Competitive Harm Requirement and Adoption of DOJ Guidance for FOIA Exemption 4

  • The Final Rule reflects changes to its treatment of FOIA Exemption 4 in light of the Supreme Court decision Food Marketing Institute v. Argus Leader Media, 139 S. Ct. 2356 (2019) and subsequent U.S. Department of Justice (DOJ) guidance. Food Marketing Institute held that FOIA Exemption 4 does not require a showing of “competitive harm.”[12]  Instead, the Court held that “where commercial or financial information is both customarily and actually treated as private by its owner and provided to the government under an assurance of privacy, the information is ‘confidential’ within the meaning of Exemption 4.”[13]  As a consequence, all references to “competitive harm” were removed in the Final Rule.
  • The Final Rule did not adopt the recommendation of some commenters to provide an explicit assurance of privacy with respect to commercially sensitive information provided by supervised financial institutions to the Federal Reserve. Instead, the Final Rule states that the Federal Reserve will use the DOJ’s step-by-step guide[14] to analyze the application of FOIA Exemption 4 and reiterates the DOJ’s statement that an assurance of confidentiality may be either explicit or implicit.[15]
  • Under the DOJ’s step-by-step guide, commercial or financial information is “confidential” for purposes of FOIA Exemption 4 if:
    • The submitter customarily keeps the information private or closely-held; and
    • Either of the following is true:
      • The government provided an express or implied assurance of confidentiality when the information was shared with the government; or
      • There were no express or implied indications at the time the information was submitted that the government would publicly disclose the information.
  • Compliance Update: If they have not already done so, supervised financial institutions will want to update their standard form CTRs to address the test set out in the DOJ’s step-by-step guide.

5. Clarified Scope of Criminal CSI Disclosures

  • The Federal Reserve, similar to the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC), takes the view that unauthorized disclosure of CSI may be subject to criminal penalties under 18 U.S.C. § 641, a general statute relating to the misappropriation of federal government property. Given the broad scope of what may be considered CSI and the fairly limited ability of supervised financial institutions to share CSI without prior written approval under the Current Regulations, the potential for criminal penalties has had a chilling effect on the sharing of information internally and with third party advisers. 
  • In the preamble to the Final Rule the Federal Reserve explains that “unauthorized disclosures that lack criminal intent, such as those made inadvertently, would not be subject to prosecution under section 641.”[16] This discussion brings much needed clarity to the question of whether and when the Federal Reserve believes it is appropriate to use section 641.

6. Streamlined Process to Obtain Approval to Share CSI with Other Banking Supervisors

  • The Final Rule creates a streamlined process for supervised financial institutions to obtain Federal Reserve approval to share certain internally-produced documents that are CSI with the OCC, FDIC, Consumer Financial Protection Bureau (CFPB) or a state financial supervisory agency that supervises the institution (each a Banking Supervisor).
  • Under the Final Rule, a supervised financial institution may share applicable CSI with a Banking Supervisor if it receives the concurrence of its central point of contact at its Reserve Bank or another designated Reserve Bank employee (Reserve Bank Point of Contact), who must determine that the receiving agency has a legitimate supervisory or regulatory interest in the CSI.[17]
    • Entire categories of internally-prepared business documents can be approved under this process.[18]
    • A supervised financial institution may request reconsideration of a determination made under this process,[19] although the Final Rule does not provide any details concerning how or to whom such a request would be made.
  • This process may be used to approve the disclosure of CSI “about the institution that is contained in documents prepared by or for the institution for its own business purposes.”[20] Such documents could include board and committee meeting minutes and materials.[21]
  • This new streamlined process has the potential to reduce the administrative burden on supervised financial institutions and allow them to provide CSI to Banking Supervisors in a more expeditious manner. Also, we do not expect the addition of this new streamlined process to result in the invalidation of any preexisting blanket authorization to share Federal Reserve CSI with another Banking Supervisor that a supervised financial institution may have previously received.

7. Sharing CSI with Affiliates Now Permitted Without Seeking Consent

  • In another welcome change, the Final Rule permits disclosure of CSI by supervised financial institutions to the directors, officers or employees of its affiliates, not just its parent holding company, when “necessary or appropriate for business purposes.”[22]

8. Modernized Process for Sharing CSI with Attorneys and Auditors

  • The Final Rule acknowledges the reality of information sharing in the digital age of emails, data rooms and slide decks and the ethical and confidentiality obligations of attorneys and auditors by eliminating the anachronistic requirement that attorneys and auditors may review CSI only on the premises of a supervised financial institution and may not make copies.[23] It also did not adopt a requirement from the Federal Reserve’s June 2019 proposal (Proposal)[24] that attorneys and auditors enter into a written agreement with several specific conditions before receiving CSI.[25] 
  • Instead of maintaining or imposing these requirements, the Final Rule simply permits CSI disclosures to attorneys and auditors “[w]hen necessary or appropriate in connection with the provision of legal or auditing services to the supervised financial institution.”[26]
  • The Final Rule also acknowledges the evolution of the legal and auditing services industries and the important role now played in them by litigation vendors, technology consultants and other service providers. Under the Final Rule, CSI may be shared with service providers of attorneys or auditors if the service provider is under a written agreement with the legal counsel or auditor pursuant to which it agrees to treat the CSI in accordance with applicable regulations and not use the CSI for any purpose other than as necessary to provide the services to the supervised financial institution.[27]

9. Sharing CSI with Consultants and Other Service Providers Now Permitted

  • The Final Rule makes it easier for a supervised financial institution to disclose CSI to consultants or other service providers it engages by providing a framework for permitted CSI disclosures to these parties.
  • Under the Final Rule, CSI may be shared with a service provider engaged by the supervised financial institution if (1) the service provider is under a written contract to provide services to the institution, (2) the disclosure of the CSI is deemed necessary to the service provider’s provision of services and (3) the service provider has a written agreement with the institution in which the service provider has agreed that:
    • It will treat the CSI in accordance with applicable regulations; and
    • It will not use the CSI for any purpose other than as provided under its contract to provide services to the supervised financial institution.[28]
  • Supervised financial institutions are also required to maintain a log of all CSI disclosures to service providers and provide those logs to the Federal Reserve upon request.[29] The log should include sufficient detail “to allow the supervised financial institution to identify the actual [CSI] that was disclosed to the service provider.”[30]
  • Compliance Update: Supervised financial institutions that regularly engage consultants or other service providers to work on matters that require the disclosure of CSI will want to draft a standard form agreement that satisfies the written agreement requirement described above.
  • Compliance Update: The Federal Reserve notes in the preamble to the Final Rule that it expects a supervised financial institution’s policies, procedures, and controls that apply to the disclosure of CSI, in addition to the maintenance of the log, to provide the supervised financial institution with reasonable assurance of accountability and compliance with the requirements described in this Item 9. This is a good reminder for supervised financial institutions that they will need to assess their CSI‑related policies, procedures, and controls to determine what updates are required to account for the Final Rule.

10. No New Requirement to Create a Public Version of Confidential Documents Submitted to the Federal Reserve

  • The Final Rule did not include a proposed requirement that CTRs “identify the specific information for which confidential treatment is requested.”[31]
  • The Federal Reserve explained in the preamble to the Final Rule that removal of the proposed requirement is meant to “eliminate any implication that the submitter needs to do a line-by-line review for confidential information or submit a public version of a document each time the submitter seeks confidential treatment,”[32] a concern that was raised by commenters.

[1] 5 U.S.C. § 552.  The Federal Reserve’s CSI and FOIA regulations are located in 12 C.F.R. pt. 261.  This memorandum refers to the regulations prior to the effective date of the Final Rule as the Current Regulations.

[2] This memorandum discusses key takeaways from the Final Rule.  It does not provide a comprehensive summary of the Final Rule.

[3] Federal Reserve System, Federal Register Notice: Rules Regarding Availability of Information (July 24, 2020), available here (PDF: 442.47 KB).

[4] Final Rule at p. 9.

[5] Under both the Final Rule and the Current Regulations, prior written permission of the Federal Reserve’s General Counsel is required to disclose CSI, unless disclosure is otherwise authorized under the regulations.  See Final Rule, 12 C.F.R. § 261.20(a); Current Regulations, 12 C.F.R. § 261.20(g).  We use “prior written approval” to refer to the prior written permission of the Federal Reserve’s General Counsel under these provisions. 

[6] Final Rule at p. 6.

[7] See Final Rule, 12 C.F.R. § 261.18(b); Current Regulations, 12 C.F.R. § 261.16(b).

[8] See Final Rule, 12 C.F.R. § 261.18(e); Current Regulations, 12 C.F.R. § 261.16(e).

[9] 5 U.S.C. § 552(b)(4).  FOIA Exemption 4 provides an exemption from disclosure under FOIA for trade secrets and confidential commercial or financial information.

[10] See Final Rule, 12 C.F.R. § 261.17(b).

[11] See Current Regulations, 12 C.F.R. § 261.16(b)(1)(ii).

[12] 139 S. Ct. at 2361.

[13] Id. at 2366. For a more detailed discussion of Food Marketing Institute, please see our memorandum on the case, available here (PDF: 213.04 KB)

[14] U.S. Department of Justice, Office of Information Policy, Step-by-Step Guide for Determining if Commercial or Financial Information Obtained From a Person is Confidential Under Exemption 4 of the FOIA (Oct. 7, 2019), available here.  See also U.S. Department of Justice, Office of Information Policy, Exemption 4 After the Supreme Court’s Ruling in Food Marketing Institute v. Argus Leader Media (Oct. 4, 2019), available here.

[15] Final Rule at pp. 21-22.

[16] Id. at p. 23.

[17] See Final Rule, 12 C.F.R. § 261.21(b)(2).  Action by the Reserve Bank Point of Contact may require concurrence of other Federal Reserve staff in accordance with the Federal Reserve’s internal supervisory procedures.  Id.

[18] Final Rule at p. 29.

[19] Id.

[20] Final Rule, 12 C.F.R. § 261.21(b)(2).

[21] If a Banking Supervisor wants access to other CSI, such as examination reports or supervisory correspondence, then it is “the responsibility of the Federal Reserve, not the supervised financial institution, to provide that information.” Final Rule at p. 28.

[22] Final Rule, 12 C.F.R. § 261.21(b)(1).  The requirement that CSI disclosure be “necessary or appropriate for business purposes” also applies to disclosures to a supervised financial institution’s own directors, officers and employees under the Final Rule.  Id.  

[23] See Current Regulations, 12 C.F.R. § 261.20(b)(2).

[24] Federal Reserve System, Rules Regarding Availability of Information, 84 Fed. Reg. 27976 (June 17, 2019).  We previously discussed Davis Polk’s views on the Proposal in a blog post and comment letter available here.

[25] Proposal, 12 C.F.R. § 261.21(b)(3).

[26] Final Rule, 12 C.F.R. § 261.21(b)(3) (emphasis added).

[27] See id.

[28] See Final Rule, 12 C.F.R. § 261.21(b)(4).

[29] See id.

[30] Final Rule at p. 35.

[31] Proposal, 12 C.F.R. § 261.17(b).

[32] Final Rule at p. 18.  

Luigi L. De Ghenghi, Randall D. Guynn, Jai R. Massari, and Margaret E. Tahyar are partners, Eric McLaughlin, and Daniel E. Newman are counsel, and Eric B. Lewin is an ssociate at Davis Polk & Wardwell LLP.  

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.