Jeffrey Alberts and Dustin Nofziger
Jeffrey Alberts and Dustin Nofziger ()

Attorneys who do not work in the banking space are often shocked to learn that federal banking regulators use regulations governing confidential supervisory information (CSI) to prevent banks and their officers and directors from consulting with outside counsel and to monitor that communication when it occurs. When a bank, or one of its officers or directors, wants to seek legal advice concerning documents or information that a regulator deems to be “CSI,” banking regulators take the position that this can only be done with prior agency approval. That approval is often delayed or even entirely withheld, which prevents the client from discussing the CSI with counsel, even when the CSI already is in the client’s lawful possession. In addition, even when consent is given, it often is made contingent on counsel telling the regulator what CSI is being shared, which effectively results in the regulator monitoring the documents and topics about which banking clients seek legal advice.

Naturally, this unusual dynamic can drive a wedge between counsel and client. The client may need advice concerning how to respond to a document containing CSI—for example, a regulator’s report of examination setting forth purported violations of law—but cannot openly and freely discuss the contents of the document with counsel. Moreover, the knowledge that seeking legal counsel will require notifying a regulator can discourage a client from seeking legal advice in the first place, due to concern over how the regulator will react to learning that counsel is being sought. Before seeking legal advice from a criminal attorney, for example, the client has to ask, “Do I really want to contact my regulator and announce that I am consulting a criminal attorney concerning this CSI”?

While it is not possible to prevent banking regulators from using CSI regulations to interfere with the attorney-client relationship, it is critical for any attorney representing financial institutions to understand how these regulations work and what options are available to minimize the regulatory interference with attorney-client communications.

Framework for Authorization to Receive CSI. The federal banking regulators each have regulations defining CSI and governing authorization to receive CSI, which the Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) refer to as “exempt information” and “non-public OCC information,” respectively.1 These regulations assert that CSI is the property of the regulator, not the bank, and that it may only be disclosed to specific persons absent prior approval of the regulator.

Federal banking regulators take a broad view of what constitutes CSI. Although each regulator considers its reports of examination and related supervisory correspondence to constitute CSI, regulators’ interpretation of the overall scope of CSI is much broader. For example, FDIC regulations state that records that are “related” to reports of examination constitute CSI—a definition that arguably encompasses a wide variety of bank records that may be far afield from the report of examination itself. Meanwhile, OCC regulations assert that “[c]onfidential information relating to operating and no longer operating national banks” constitutes CSI, which, if taken literally, would encompass a wide variety of confidential bank “information” (not just documents) that has little or nothing to do with the OCC. The Federal Reserve Board (FRB) includes “information derived from, related to, or contained in” reports of examination within the scope of CSI—a poorly phrased definition that capture a wide swath of bank information and documents.

While each federal banking regulator provides that CSI may be disclosed to a bank’s directors, officers, and employees as a matter of right, only the OCC and the CFPB allow disclosure of CSI to a bank’s outside counsel without prior authorization. FDIC regulations, for example, contain no provision that would allow a bank’s outside counsel to review CSI absent the FDIC’s prior approval in any circumstances, meaning that authorization must always be requested from the FDIC for outside counsel to review CSI. The FRB, meanwhile, severely restricts the circumstances in which a bank’s outside counsel can review CSI without obtaining prior approval from the FRB—the review must be “on the premises of the supervised financial institution,” and counsel may not “make or retain any copies of such information.”

The regulatory framework is even more disadvantageous for counsel representing bank directors or officers. No federal regulator provides for disclosure of CSI to counsel for directors or officers without the regulator’s prior approval. To request authorization to disclose CSI to counsel for directors and officers, a written request to the appropriate federal banking regulator is thus required. This framework puts client and counsel at the whim of federal banking regulators, who may delay in ruling on requests for CSI authorization for strategic advantage and, when they do rule on such requests, may choose to authorize the disclosure of only limited types of CSI.

The Impact of Regulatory Intransigence on the Attorney-Client Relationship. There are a variety of ways in which regulatory requirements to request authorization to receive CSI in a client’s lawful possession drives a wedge between counsel and client. Often this gives regulators an inappropriate tactical advantage and unfairly prejudices the client.

For example, in the case of a bank that receives an unfavorable report of examination, the bank must decide whether to appeal the report of examination within a short timeframe. The advice of outside counsel who are experienced in challenging regulators in such matters can provide enormous benefits to the bank in deciding whether to appeal. Regulatory delay in granting authorization to disclose CSI may prevent the bank from obtaining legal advice sufficiently in advance of the relevant deadline to prepare an effective and timely appeal.

Similarly, in the case of counsel for a current bank director or officer, the report of examination—which is outside the reach of individual counsel absent regulatory authorization—may condemn the client’s alleged actions as unlawful. By prohibiting the automatic disclosure of the report of examination to counsel, regulators effectively take the position that after learning of these allegations, the client cannot discuss them with counsel and seek advice concerning how to prepare for a potential enforcement action based on the alleged misconduct until after the regulator consents to this disclosure. Meanwhile, the regulator is free to build its case against the client by issuing subpoenas to the bank, its employees and even the client for documents and information. In such circumstances, counsel for the director or officer desperately needs the report of examination to advise the client regarding a potential enforcement or even criminal action and how to respond to any subpoenas or other requests received from the regulator. Of course, this ability to prevent investigative targets from consulting with counsel gives regulators a significant and wholly unfair advantage over their targets.

Strategies for Dealing with Regulatory Intransigence Concerning Authorization to Receive CSI. Counsel for a bank or bank director or officer who require access to CSI to effectively represent his or her client should keep five points in mind.

First, counsel should ensure that a prompt request is made for authorization to share CSI with counsel, and that expedited consideration of the request is sought, as necessary. The request should include appropriate representations that counsel will maintain the confidentiality of the CSI.

Second, counsel should promptly request an extension from the regulator of any deadlines, such as deadlines for the filing of an intra-agency appeal of a report of examination or the time to respond to a subpoena, until after authorization to receive the required CSI is received.

Third, in the face of regulatory delay in ruling on a request for authorization to receive CSI, counsel should take care to create a written record documenting that the delay is interfering with the representation of the client and with the attorney-client relationship.

Fourth, if a regulator denies a request for CSI, counsel should consider whether to submit further written or oral appeals to the regulator concerning the denial, as well as whether to litigate the issue, for example under the Administrative Procedures Act, 5 U.S.C. §702.

Fifth, counsel should carefully consider whether documents necessary for the representation are not CSI under the relevant regulatory provisions, for example because they are not truly “related” to a report of examination.

These strategies will not level the playing field that has become improperly tilted against clients seeking legal advice, but they will limit the ability of banking regulators to use this unfairness to their tactical advantage.


1. See 12 C.F.R. §§4.31 et seq. (Office of the Comptroller of the Currency); 12 C.F.R. §§261.1 et seq. (Federal Reserve Board); 12 C.F.R. §§309.1 et seq. (Federal Deposit Insurance Corporation); 12 C.F.R. §§1070.1 et seq. (Consumer Financial Protection Bureau). State regulators also have CSI regulations, and, in our experience, often take even more aggressive positions with respect to CSI than federal regulators.