Newsroom icon Authored article
Summer 2020

Confidential Supervisory Information

By Jeffery E. Smith
(Published in the Summer 2020 issue of The Bankers' Statement)

A recent Cease and Desist consent order published by the Federal Reserve Board involving disclosure actions by a (now former) bank employee helps to illustrate the importance of understanding what constitutes “confidential supervisory information” (CSI), the importance of maintaining the confidentiality of CSI, and the importance of educating bank employees, directors and other institution-affiliated parties in that regard.

In this instance, based on the text of the C&D the bank employee, while employed by the bank, apparently disclosed a copy of a Report of Examination (ROE) to the press and other third parties, along with other CSI. While the C&D indicates that the disclosure constituted a violation of the prohibition on disclosure of CSI, it also found that the conduct constituted an “unsafe and unsound practice.”

The case illustrates the importance with which the agencies treat CSI, the need to protect CSI, and the need to educate employees and others on the subject. Not only does management of CSI come into play when it comes to ROE issues, but it is very often an issue in the M&A process as well as in capital raises, debt issues, insurance applications, shareholder disclosures, and a number of other activities.

With the recent published C&D, it is timely to revisit the concept of CSI and its impact on M&A as well as other matters.

What exactly is CSI?

Defining CSI begins with the premise that virtually all regulatory communications with a regulated financial institution or holding company, regulated person, or institution-affiliated party, from the “one way” communications contained in reports of examination (ROEs) to “matters requiring board attention” (MRBAs) in those ROEs, CAMELS ratings, agency correspondence, and “informal” regulatory enforcement actions such as memoranda of understanding (MOUs), constitutes CSI unless it is specifically required by law to be disclosed publicly. This includes most everything having to do with the agency relationship and the examination process such as emails, letters, discussion in board minutes and anything constituting or reflecting a communication with the agencies. “Formal” agency actions such as consent agreements, enforcement orders and penalties are typically disclosed publicly by the agencies. When in doubt, it is best to contact the agency for a determination.

Agencies typically take the broadest possible view with regard to what constitutes CSI, and while they may grant waivers for disclosure those waivers are very few, very limited and very specific. Reviewing the preamble or cover letter to ROEs can be educational in revealing the seriousness with which the agencies treat CSI, and the fact that the ROE itself (and CSI) is treated as property of the agency. Both civil and criminal penalties can apply for violating the confidentiality of CSI, and unfortunately confidentiality agreements with third parties (such as those typically included in the M&A process) do not provide a “safe harbor.”

As an aside, agencies have specific agreements and protocols in place for purposes of sharing institutions’ CSI among the agencies. Those arrangements are strictly for agency use and do not provide access for private parties.

Addressing the issue

Information contained in CSI is critical to both value determinations and safety and soundness concerns, pro forma and otherwise, in the M&A process and other strategic actions. Given the lack of access to CSI and the enhanced use of “invisible” regulatory measures, which are protected from disclosure as CSI, more and more initial indications of interest and definitive agreements in M&A transactions require representations and warranties regarding regulatory contact by the parties and the lack of knowledge of any regulatory issues that could delay or impede a proposed transaction. While this method of “disclosure” itself may generate CSI concerns if used improperly, it not only provides some level of assurance from a due diligence perspective but also should result in the proposed parties to a transaction making direct contact with their respective regulators to discuss whether they should in fact have any concerns regarding their ability to participate. It may well be that a party is unaware that a recent examination has triggered a regulatory concern, or the agencies may be able to “signal” that engaging in a transaction at the present time will not be well-received. Regardless, it is further evidence of the advisability of involving regulators early and often if an institution plans to be active in the M&A market as either a seller or a buyer or involved in capital raising issues.


This treatment of CSI poses a unique dilemma for parties considering a strategic transaction, whether a strategic combination, capital issue, debt issue, or other corporate actions. In M&A, it denies access to critical information to both parties in the initial discussion phase, and can serve to mask “invisible” problems that could have a material adverse impact on the ability of an unaware party to receive regulatory approvals for a proposed transaction. Likewise, CSI may be material to an investor consideration in equity and debt transactions and regulatory restrictions and actions can inadvertently be inherited by a buyer. Regardless, CSI cannot be disclosed by law without relevant agency consent.

Outstanding CRA and consumer issues as well as UDAP concerns – which can be years in the making – can result in a hidden obstacle that can hinder, slow or even disqualify parties from conducting a transaction. These issues can exist prior to negotiations, or can arise during the pendency of a transaction. They are especially problematic when parties have already announced a deal, and they often cannot be disclosed by the target to the other party even though the transaction is already in process.

Institutions considering strategic transactions are well-advised to have discussions early and often with their respective regulators to ascertain whether there are any known reasons why they should not proceed. Hidden issues that are unable to be disclosed because they constitute CSI can delay or derail a transaction entirely, and it is always better to know of these issues before proceeding. And of course the party with the problems cannot disclose the reason for not proceeding if it is based on CSI. This is a real conundrum that can be embarrassing and can lead to unfortunate (and often inaccurate) assumptions and innuendo for the other party. Again, it is better to know up front than have to publicly backtrack on an announced transaction.

Other implications

Depending on the nature of the CSI, it may reflect an issue that is material to the business and prospects of the subject institution, resulting in a number of shareholder and market disclosure issues. The regulatory agencies understand these concerns and can be very helpful in discussing how best to address disclosure issues that can arise from otherwise undisclosed regulatory concerns, but care must be taken to avoid doing something that will exacerbate the situation with the agencies. Securities laws and the nature of CSI are inherently inconsistent, and can present significant challenges.

Likewise, the possession of CSI can place insiders on notice of issues and trigger the need to close “trading windows” and otherwise restrict or prohibit trading in shares of impacted institutions. Confidentiality remains critical, and a conservative approach here is always the best approach. Trades that take place while insiders are in possession of CSI that is or may be material to the business of the institution are always reviewed with 20-20 hindsight, and can themselves generate serious liability issues.

Litigation is another area impacted by CSI. Short of receiving prior regulatory approval for disclosure, which again is unusual and typically very limited if received, responding to discovery requests and/or court orders involving CSI can present challenges. Even providing minutes of board meetings to requesting shareholders can involve a risk of inadvertently disclosing CSI discussions in those minutes. If materials containing CSI are requested in litigation or by a shareholder, or are the subject of a court or administrative order, and attempts to limit the request, order or demand are contested, the target institution may wish to invoke the assistance of the regulatory agency in responding and even becoming a party to the matter.

No safe harbor

The seriousness with which banking agencies treat CSI, and the breadth of what constitutes CSI, is often a surprise to bankers. Education regarding the importance of the confidentiality of CSI should be part of training and education for all bank directors, officers, employees and other institution-affiliated parties. Chatting at the country club about the outcome of a recent examination, informal agency actions, exam ratings, and a plethora of other matters concerning the interaction of the bank with regulators can constitute a violation for which substantial civil money penalties and removal actions may result.

Unfortunately, despite decades of dealing with CSI in a variety of areas, there remains no “safe harbor” for disclosure. And no really comfortably clear definition of what in fact constitutes CSI.

Hopefully one day a protocol will be devised to enable institutions to share what presently constitutes CSI, or parts of CSI, in a careful and limited fashion and in specifically and narrowly defined circumstances, with appropriate oversight. However, attempts to define types of CSI that may be eligible for disclosure, and limit its post-disclosure distribution, is a significant challenge.

As a result, institutions are well advised to assume that agencies will continue to define CSI in the broadest possible terms for the foreseeable future, and act accordingly.

Related Industries

Jump to Page