• On September 9, 2020, the New York Department of Financial Services (“NYDFS”) published a notice of proposed rulemaking inviting public comment on changes to the regulatory framework governing the use and disclosure of confidential supervisory information (“CSI”) by supervised financial institutions (the “Proposed Rule”).
• The agency’s action came less than 10 months after it proposed an earlier package of CSI revisions and reflects comments received from the financial industry and attorneys in the interim.
• Under the current regime, regulated entities must receive prior written approval from NYDFS each time they want to share CSI with affiliates and third parties. The Proposed Rule would, among other changes, provide exceptions to this general rule, including by allowing regulated institutions to disclose CSI to their affiliates, legal counsel and independent auditors without prior approval.
• Although the Proposed Rule stops short of fully harmonizing NYDFS’s CSI regime with those of the federal banking agencies, it takes steps in that direction and, more generally, updates and modernizes the CSI framework in ways that are aimed at streamlining processes for supervised financial institutions.

On September 9, 2020, the New York Department of Financial Services (“NYDFS”) published a notice of proposed rulemaking inviting public comment on changes to the regulatory framework governing the use and disclosure of confidential supervisory information (“CSI”) by supervised financial institutions (the “Proposed Rule”). The agency’s action came less than 10 months after it proposed an earlier package of CSI revisions (the “2019 Proposal”) and reflects comments received from the financial industry and attorneys in the interim. The timing follows the Federal Reserve Board’s (the “FRB”) finalization of significant changes to its CSI framework in late July. Comments on the Proposed Rule are due November 8, 2020.

Under the current regime, regulated entities must receive prior written approval from NYDFS each time they want to share CSI with affiliates and third parties. The Proposed Rule would, among other changes, provide exceptions to this general rule, including by allowing regulated institutions to disclose CSI to their affiliates, legal counsel and independent auditors without prior approval.

Although the Proposed Rule stops short of fully harmonizing NYDFS’s CSI regime with those of the federal banking agencies, it takes steps in that direction and, more generally, updates and modernizes the CSI framework in ways that are aimed at streamlining processes for supervised financial institutions. Below we highlight several of its more salient features.

KEY FEATURES

Scope of CSI

The Proposed Rule defines CSI as “any information that is covered by Section 36.10 of the [New York] Banking Law.” Section 36.10, in turn, refers to “reports of examinations and investigations [of any NYDFS-supervised institution and its affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including any duly authenticated copy or copies thereof.”

In the NYS Register Notice announcing the proposed changes—although not in the proposed rule text itself—NYDFS helpfully clarified that documents created by a regulated entity for routine business purposes, and which are in its possession, are not considered CSI. This mirrors changes the FRB made to its definition of CSI.

Exception for Legal Counsel and Independent Auditors

Currently, supervised financial institutions must receive prior written approval to share CSI with their legal counsel and independent auditors. In this respect, NYDFS departs from the federal banking agencies, which, with certain restrictions, have generally permitted CSI disclosures to legal counsel and independent auditors without prior approval.

The Proposed Rule would harmonize the New York and federal CSI regimes. It would permit a regulated entity to disclose CSI to legal counsel and independent auditors without prior written approval, provided they have been retained or engaged pursuant to a written agreement in which the legal counsel or independent auditor has:

• stated its awareness of, and agreement to abide by, the prohibition on the dissemination of CSI;
• agreed to use any disclosed CSI only for the purpose of providing legal representation or auditing services, as applicable, under such agreement; and
• agreed not to disclose CSI to its employees, officers or directors, except to the extent necessary and appropriate for business purposes and on the condition that such persons maintain the confidentiality of such information; and
• agreed to return or certify the destruction of the CSI or, in the case of electronic files, render the files effectively inaccessible through access control measures or other means, at the conclusion of the engagement.

By better aligning the NYDFS CSI regime with those of the federal banking agencies, the Proposed Rule should make the process more efficient for regulated institutions seeking to share CSI with their legal counsel and independent auditors. Unlike the FRB in its recent CSI amendments, however, NYDFS declined to extend this authority to disclosures to other service providers. Thus, a supervised financial institution seeking to disclose CSI to consultants or vendors that are not legal counsel or independent auditors remains obligated to secure NYDFS’s prior approval.

Disclosure to Affiliates

The Proposed Rule provides an exception for disclosure of CSI to affiliates and their directors, officers and employees when “necessary and appropriate for business purposes”—a standard similar to the OCC’s and FRB’s under the FRB’s revised rules. NYDFS explained that it adopted this helpful change in response to industry feedback.

Disclosure to Regulators

The Proposed Rule would not change current law in respect of CSI disclosures to other federal or state financial institution supervisory agencies. In these cases, prior written approval is required from both the Senior Deputy Superintendent for Banking and the General Counsel of NYDFS or their respective delegates.

Duty to Notify

Persons in possession of CSI are prohibited from complying with requests, subpoenas or orders to provide CSI unless they obtain NYDFS’s prior approval. The Proposed Rule would require any regulated institution, affiliate, legal counsel, independent auditor or any other person that is served with a request, subpoena or order to provide CSI within its possession to immediately notify the Office of the General Counsel of the request so that NYDFS can intervene in the action as appropriate. CSI recipients also would be required to inform the requester and the relevant tribunal of the obligation to maintain the confidentiality of the CSI.