On January 17, 2024, the New York Department of Financial Services (NYDFS) entered into a consent order with Industrial and Commercial Bank of China Ltd. (ICBC or the Bank), resolving a matter in which ICBC’s New York branch disclosed confidential supervisory information (CSI) without authorization. The order includes a civil monetary penalty of $30 million. Two days later, the Board of Governors of the Federal Reserve System (Federal Reserve) entered into a consent cease-and-desist order with ICBC and its New York branch that includes a fine of approximately $2.4 million for the unauthorized disclosure of CSI. The Federal Reserve specifically noted that its action was taken in conjunction with the prior action of NYDFS.
The total monetary penalties of approximately $32.4 million are notably high for enforcement actions related to the mishandling of CSI, although the NYDFS order addressed additional conduct unrelated to CSI. These orders should serve as a stark reminder to financial institutions of the seriousness with which regulators take the appropriate handling of CSI and the importance of having in place policies and procedures, internal controls, and employee training on the proper handling of CSI.
CSI is a broad term that generally refers to information arising from the supervisory relationship between federal or state regulators and a regulated institution that is prohibited from disclosure without consent of the regulator. In the case of NYDFS, the CSI requirements apply to more than just banking organizations, extending to any entity or individual licensed, chartered, authorized, registered, or otherwise subject to supervision by NYDFS under the Banking Law.[1] These entities include credit unions, mortgage companies, money transmitters, licensed lenders, pharmacy benefit managers, and risk retention groups.
Although the terminology varies across agencies in its precise name and scope, CSI broadly encompasses communications and other information related to the regular course of supervision by regulatory agencies as well as to investigations and enforcement actions. Examples of CSI include examination reports, supervisory assessments and ratings, investigative requests for documents or other information, and certain supervisory correspondence or other supervisory communications. CSI is highly confidential and cannot be shared or disclosed without an applicable regulatory exemption or waiver. Importantly, the decision of whether CSI can be shared with or disclosed to any third party rests with the relevant regulator, not with the regulated institution. This is often the case even with respect to disclosures of CSI pursuant to judicial process or the regulatory or supervisory processes of other regulators of the institution. Unauthorized disclosures of CSI can give rise to civil or criminal penalties.
The NYDFS Order
The NYDFS order describes the conduct that it deemed a breach of the applicable CSI regulations. According to the order, the Bank had been asked by a foreign regulator, in connection with a request to approve the transfer of a New York–based employee to an overseas affiliate, whether the employee or the Bank’s New York branch was the subject of any regulatory or disciplinary investigations. Before responding to the foreign regulator, the Bank informed NYDFS and the Federal Reserve of the request and provided background information and proposed language for a response. The proposed response included CSI. Notwithstanding the notification and proposed response, the Bank did not wait for authorization from NYDFS and the Federal Reserve and sent the response and documents to the overseas affiliate. The overseas affiliate then sent the information on to the foreign regulator. NYDFS was informed of the breach in December 2021 when counsel to the Bank’s New York branch reported the disclosure to NYDFS.
NYDFS found that the Bank’s New York branch failed to comply with regulations on the sharing of CSI, in violation of New York Banking Law § 36(10) and 3 NYCRR § 7.2. 3 NYCRR § 7.2 requires that regulated entities, such as the New York branch, “shall not disclose any [CSI] to any person without the prior written approval of the department and subject to any terms and conditions that are imposed by the department on any such disclosure.” Other findings of violations of law and regulations included, but were not limited to, deficiencies in the Bank’s Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control compliance programs. As a result of these violations, the Bank agreed, among other things, to pay to NYDFS a civil monetary penalty of $30 million. NYDFS’s investigation and the subsequent consent order underscore the strict enforcement of regulations regarding the sharing of CSI and the importance of obtaining authorization — not just providing notice — in advance of any disclosure.
The Bank also agreed in the consent order to submit status reports to NYDFS with updates on various compliance and governance frameworks, including any enhancements to the handling of CSI. At a minimum, the Bank’s CSI status reports must address or consider the following with regard to CSI: (a) actions the board of directors has taken and will continue to take to maintain effective control over, and oversight of, New York branch management’s compliance with state and federal laws and regulations concerning CSI; (b) a system of internal controls reasonably designed to ensure compliance with state and federal laws and regulations concerning CSI; (c) effective training for all appropriate New York branch personnel and appropriate Bank personnel in state and federal laws and regulations and internal policies and procedures regarding CSI; and (d) the designation of a subject matter expert to handle employee inquiries and requests regarding the handling and disclosure of CSI.
The Federal Reserve Order
The consent cease-and-desist order entered by the Federal Reserve does not contain much detail regarding the underlying conduct, but the enforcement action resolved by the order was focused solely on the unauthorized disclosure of CSI and related governance failures. The Federal Reserve order specifically states that the Bank and its New York branch caused the unauthorized disclosure of CSI after receiving confirmation from the Federal Reserve that a proposed disclosure to a third party would constitute an unauthorized disclosure of CSI. While the details of the underlying conduct are not available, this statement implies that the Federal Reserve ultimately may not have approved the Bank’s request for authorization to disclose CSI, though the Bank made that disclosure nonetheless. The order also noted that “the Bank lacked any formal policies, procedures, training, and other internal controls designed to instruct employees regarding how to properly handle CSI or how to prevent the unauthorized dissemination and use of CSI” but further noted that the Bank has since begun enhancing those controls.
In addition to the Federal Reserve’s $2.4 million fine, the Federal Reserve order also requires certain remedial measures focused on improving governance around the handling of CSI. Within 90 days of the Federal Reserve’s order, the Bank is required to submit a written plan to enhance the effectiveness of the New York branch’s internal controls and compliance functions regarding the identification, monitoring, and control of CSI. The plan must include specific items to ensure that proper policies, procedures, internal controls, and personnel (including designation of a CSI officer) are in place to promote continued compliance.
The enforcement orders of NYDFS and the Federal Reserve stand as forceful reminders of the importance of having controls in place to ensure the proper handling of CSI and the need to understand, and adhere carefully to, the particular regulations that apply. The occasion of these orders provides a valuable opportunity for regulated institutions to evaluate their internal controls related to CSI, which should include, at a minimum, the following:
- Instituting Policies and Procedures and Internal Controls. Regulated institutions should ensure that they have clear policies and procedures regarding the identification, maintenance, and disclosure of CSI. Once policies and procedures are established, appropriate personnel across institutions should receive training and education regarding both CSI policies and legal requirements as well as technical controls (including education regarding proper data categorization). Additional internal controls are often appropriate as well. CSI may be implicated in a variety of contexts and will require coordination with in-house counsel, outside counsel, information technology personnel, and business personnel across institutions.
- Obtaining Authorization for Any Disclosure of CSI When Appropriate. Regulations require authorization from the appropriate regulator in advance of disclosing CSI unless another exemption from CSI disclosure clearly applies. The NYDFS order states that the New York branch’s counsel contacted regulators in advance of disclosing CSI in late 2021 and provided proposed language to send to an overseas affiliate’s regulator in response to that regulator’s request. However, apparently without the proper authorization from NYDFS or the Federal Reserve, the New York branch sent the proposed language and additional documents containing CSI to the overseas affiliate for further transmission to the foreign regulator. Communication with regulators is not merely a formality in advance of a disclosure. Clear authorization, not just notice, must be obtained when required under applicable CSI regulations.
- Coordinating Across Regulatory Communications. A government agency’s requests for documents and information, audits, or subpoenas may be broad enough to include CSI. CSI is generally the property of its respective agency and may not be shared with other regulators absent the requisite prior authorization. To properly limit what information is disclosed in the regular course of business, ensure that in-house counsel is knowledgeable, and consult with experienced outside counsel, regarding the institution’s obligations to comply with applicable state and federal banking laws even when responding to requests from other regulators, government agencies (including but not limited to Attorneys General), and courts.
[1] 3 NYCRR § 7.1(d).
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.