One of the Interim Final Rules released by the CFPB, Disclosure of Records and Information Rules, sets forth the CFPB’s position with regard to sharing information that it gathers and obtains though its activities.
The Rule begins by defining much of the information received or generated by the CFPB as “confidential” – including consumer complaint-related information, “investigative” information obtained through the Bureau’s investigative processes, and “supervisory” information generated by the CFPB’s (or any other entity’s) supervision of financial institutions.
First, the good news: the Rules suggest that the CFPB will be unwilling to equip private litigants with any of this information, even in response to a subpoena. Section 1070.37(b)(7) of the Rules states that the CFPB will not “ordinarily,” in response to a subpoena, provide “confidential information,” which includes consumer complaint information, investigative information and supervisory information. So, entities supervised or investigated by the CFPB seem to be safe from the threat of having information they share with the Bureau provided to private lawyers who might bring lawsuits against them.
Then there’s the “but.”
The Rules make it abundantly clear that the Bureau intends to share information openly not only between its various divisions, but also with the federal banking agencies, the FTC and state attorneys general and state banking regulators. This isn’t really a surprise, since the Dodd-Frank Act itself, in sections like § 1013(b)(3)(D), either mandates or permits the CFPB to do precisely that. Moreover, § 1070.47(a)(2) of the Interim Final Rule prohibits other agencies from further disclosing “confidential information” without the CFPB’s prior written consent. But the issuance of the new Disclosure Rules serves as a reminder to “covered persons” who interact with the CFPB that the information they provide may be disseminated far and wide among a host of regulators, both in Washington, D.C. and in state capitals throughout the country.