NAFCU comment letter to CFPB on proposed amendments relating to disclosure of records and information

WASHINGTON, DC (October 21, 2016) — October 21, 2016

Richard Cordray, Director
c/o Monica Jackson
Office of the Executive Secretary
Consumer Financial Protection Bureau
1700 G Street NW.,
Washington, DC, 20002

Re:      Amendments Relating to Disclosure of Records and Information
Docket No. CFPB-2016-0039
RIN 3170-AA63

Dear Director Cordray,

On behalf of the National Association of Federal Credit Unions (NAFCU), the only national trade association focusing exclusively on federal issues affecting the nation’s federally insured credit unions, I am writing to you regarding the request for comment on “Amendments Relating to Disclosure of Records and Information.” See 81 Fed. Reg. 58309 (Aug. 24, 2016). NAFCU and our members appreciate the Bureau’s efforts to streamline certain Freedom of Information Act procedures to make requesting records easier for the public. However, proposed enhancements to the Bureau’s discretionary power to share confidential information with newly defined agencies, including non-financial regulators, contradicts the clear intent of Congress.

The language in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) is unambiguous: “the Bureau may, in its discretion, furnish to a prudential regulator or other agency having jurisdiction over a covered person or service provider any other report or other confidential supervisory information concerning such person examined by the Bureau under the authority of any other provision of Federal law.” 12 U.S.C. 5512(c)(6)(C)(ii). However, proposed Section 1070.43 would essentially disregard statutory restraints designed to limit the Bureau’s ability to share confidential information with agencies lacking appropriate jurisdiction. Nothing in the legislative history of the Dodd-Frank Act suggests that 12 U.S.C. 5512(c)(6)(C)(ii) grants the Bureau total discretion to define how it exchanges confidential information with non-financial regulators, or “entities exercising governmental authority.”

Furthermore, the Bureau’s belief that Congress “did not include any restrictive language” cannot be reconciled with the statute’s plain delineation of agencies that the Bureau “may” share confidential information with. The fact that the statute does not go further by including the word “only” does not distract from what is unequivocally a limitation on the Bureau’s information sharing authority. Accordingly, NAFCU and our members believe that the Bureau’s should not attempt to expand its rulemaking authority under 12 U.S.C. 5512(c)(6)(A) to enable information sharing with agencies that lack jurisdiction over credit unions.

NAFCU asks that the Bureau clarify what type of cooperation it seeks to enable with its new rule that did not exist previously. For example, why is the Bureau’s current authority under Section 1070.43 inadequate to serve operational goals, and why is enhanced discretion to share this information with a broadly defined class of agencies necessary? The Bureau mentions impediments to cooperation with other agencies—yet offers no specific examples. NAFCU would like the Bureau to describe, in concrete terms, the type of enhanced cooperation it hopes to enable with its new amendments.

The rule also invites confusion with regard to how an entity like a state bar association would demonstrate that disclosure of confidential information is “relevant to the exercise of [its] statutory or regulatory authority.” Financial institutions are not law firms, and outside of the unauthorized practice of law context, it is difficult to envision how a state bar association would have authority over a credit union. Because potential collaboration between governmental entities and the CFPB would only arise in exceptional circumstances, NAFCU asks that the Bureau provide examples of how confidential information might be shared before proceeding with a final rule.

The proposal also explains that the proposed amendments would facilitate communication and “enable the Bureau to work together with other agencies having responsibilities related to consumer financial matters.” However, the Bureau’s definition of “agency” would encompass non-financial regulators, and other entities that have no responsibilities related to the enforcement of consumer financial protection laws or prudential regulation.

NAFCU does not think that the Bureau should collect confidential information, such as complaint data, from credit unions over which it has no jurisdiction, and share such information with any agency other than the National Credit Union Administration (NCUA). The language in 12 U.S.C. 5512(c)(6)(C)(ii) clearly supports this principle because complaint data concerning credit unions not supervised by the Bureau would not qualify as information concerning a “person examined by the Bureau.” NAFCU does not think that the CFPB should be able to independently determine how or under what circumstances misdirected complaint information is disseminated to entities claiming to exercise “relevant” statutory or regulatory authority. NAFCU asks that the CFPB respect the NCUA’s expertise and jurisdiction, and not attempt to redirect credit union complaint data to other regulators or entities.

NAFCU believes that sharing confidential information with entities that have no direct role in regulating credit unions would create unreasonable burdens if complaint data is taken out of context. These burdens include safety and soundness concerns if shared data is lost or stolen, and subsequently causes the public to draw unqualified conclusions about the health or integrity of their credit union. In some cases, inadvertent disclosure of complaint or supervisory data by a recipient agency could cause a run on the affected financial institution. NAFCU believes that the same policy concerns that underlie FOIA exemptions for confidential complaint information are generally applicable here; broad dissemination of sensitive, confidential material has the potential (even if indirect) to erode consumer confidence in the safety of financial institutions.

In circumstances where the CFPB lacks supervisory authority over the credit union, coordination of supervision and enforcement activities with other agencies should be the sole responsibility of the NCUA in order to minimize the potential for reputational harm. For credit unions supervised by the CFPB, allowing a liberally defined class of agencies to access confidential information could also create substantial reputational risks if the receiving entity lacks the proper controls to safeguard confidential supervisory information.

Proposed Section 1070.43(b)(2)(v) would require an agency requesting confidential information to certify that it will safeguard that information consistent with the standards that apply to Federal agencies. Yet such a certification is not a substitute for a careful evaluation of the recipient entity’s actual data security policies. Moreover, Section 1070.43(c) suggests that the Bureau may negotiate “terms governing the exchange of confidential information,” which could encompass data security issues. NAFCU believes that the Bureau should specify in any future rule that data security standards are non-negotiable. NAFCU and our members also believe that only the agencies described in 12 U.S.C. 5512(c)(6)(C)(ii) have the experience and capacity to handle confidential information. Accordingly, NAFCU asks that the Bureau refrain from sharing confidential information with additional agencies unnecessarily.

NAFCU appreciates this opportunity to share our thoughts on how the CFPB can calibrate its discretion to share confidential information with other agencies and improve the FOIA process for the public. As the Bureau continues to explore methods for enhancing cross-agency collaboration, NAFCU and our members hope to be a resource for CFPB staff to share our insights and experiences. Should you have any questions or concerns, or if you would like to discuss this issue further, please feel free to contact me at or (703) 842-2266.


Andrew Morris

Regulatory Affairs Counsel


The National Association of Federally-Insured Credit Unions is the only national trade association focusing exclusively on federal issues affecting the nation’s federally-insured credit unions. NAFCU membership is direct and provides credit unions with the best in federal advocacy, education and compliance assistance. For more information on NAFCU, go to or @NAFCU on Twitter.


Molly Safreed, (NAFCU)
Paula Morales, (CUNA)
Lewis Wood, (Virginia Credit Union League)

More News