Confidentiality and Privilege Issues Facing Banks in Employment Cases

Counsel representing banks in employment litigation need to understand the special privileges and rules regarding access to bank records and disclosures to regulators.

By Philip M. Berkowitz | July 13, 2022

Employment counsel representing banks in whistleblower retaliation and discrimination cases need to be fully familiar with federal and state banking laws concerning confidentiality and privilege, and that may limit bank clients from sharing certain information with third parties-including their own external counsel. A lack of familiarity with and understanding of these issues, which are top-of-mind to internal counsel at financial institutions, may put your client at legal jeopardy.

Banks and their holding companies are subject to the close oversight of a broad array of federal and state regulators. These entities include the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Consumer Financial Protection Bureau (CFPB). Moreover, state regulators, such as (in New York) the Department of Financial Services (DFS), will have concurrent jurisdiction over banks and branches of foreign banks, as well as other entities such as credit unions, charitable foundations, insurance companies, reinsurers, and many more.

Confidential Supervisory Information

As counsel advising a bank client that is being sued in a discrimination or whistleblower case, you may well want and expect your client to provide you access to documents, perhaps created by the plaintiff, that went to a regulator, as an exemplar of problems with their job performance. Alternatively, the plaintiff may seek documents of this nature in discovery.

Many of these documents, though, may be shielded not only from discovery, but from disclosure even to the bank counsel, without the regulator's permission. The issue involves what is termed confidential supervisory information, or CSI. This generally refers to (as defined by DFS) "reports of examinations and investigations, correspondence and memoranda concerning or arising out of such examinations and investigations, including any duly authenticated copy or copies thereof ..." N.Y. Banking Law §36(10).

The banking law shields CSI from discovery, providing that CSI "shall not be subject to subpoena and shall not be made public unless, in the judgment of the superintendent [of banking], the ends of justice and the public advantage will be subserved by the publication thereof."

The Federal Reserve's definition of CSI, found at 12 CFR §261.2(1), is even more comprehensive than is DFS's definition. It provides that "any portion of a document in the possession of any person, entity, agency or authority, including a supervised financial institution, that contains or would reveal confidential supervisory information is confidential supervisory information."

The federal statutory authority for the confidential nature of CSI is found in the Administrative Procedure Act at 5 U.S.C. §552(b)(B), which states that information "contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions" is exempt from the statute's requirement that federal government agencies make available to the public certain of its internal, deliberative records.

Regulations issued by DFS in March 2021 provide that a regulated entity "shall not disclose any confidential supervisory information to any person without the prior written approval of the Department and subject to any terms and conditions that are imposed by the Department on any such disclosure." 3 N.Y.C.R.R. §7.2(a)

The regulation provides an exception for external counsel (and independent auditors), permitting a regulated entity to disclose lawfully obtained CSI without DFS's permission, but only if counsel has been "retained or engaged by such regulated entity pursuant to an engagement letter or written agreement ...."

Further, to lawfully receive CSI from a bank client, counsel (and auditors) must acknowledge in writing that the disclosed information constitutes CSI under the Banking Law, and must agree to abide by the prohibition on the dissemination of confidential supervisory information contained in the DFS regulation. Id. §7.2(b)

Alas, the view of the various regulators regarding this issue is far from uniform.

The Federal Reserve regulations permit banks, when purposes," to disclose CSI to their directors, officers, or employees, and to the directors, officers, or employees of their affiliates. 12 C.F.R. §261.21(b)(1).

These regulations also permit banks to disclose CSI to their legal counsel or auditors, but only "[w]hen necessary or appropriate in connection with the provision of legal or auditing services to the supervised financial institution ...." Id. §261.21(b)(3). Moreover, CSI may be disclosed to service providers (such as consultants, contractors, contingent workers, and technology providers) of its legal counsel or auditors, but only if the service provider is under a written agreement with the legal counsel or auditor in which the service provider agrees that (1) It will treat the confidential supervisory information in accordance with applicable regulations, and (2) It will not use the confidential supervisory information for any purpose other than as necessary to provide the services to the supervised financial institution. Id.

The Federal Reserve's policy is consistent with that of the OCC, which permits a national bank, federal savings association, or holding company, or any director, officer, or employee thereof, "when necessary or appropriate for business purposes," to disclose CSI to certain categories of individuals, including outside counsel or independent auditors, without requiring prior written approval. 12 C.F.R.§4.37(b)(2)

The Consumer Financial Protection Bureau (CFPB) also permits disclosure of CSI to "certified public accountant[s], legal counsel, contractor[s], consultant[s] or service provider[s]," by excepting these individuals from the general prohibition on disclosure or CSI. 12 C.F.R. §1070.42(b)

The FDIC, on the other hand, has far more restrictive policies. That agency permits disclosure of CSI to directors, officers, employees, or agents of the regulated entity who have a need for such records in the performance of their official duties, but does not include attorneys in this category. 12 C.F.R.§309.6

The Bank Examination Privilege

These legislative and regulatory definitions of CSI and restrictions on their disclosure are essentially codifications of what is known, in common law, as the bank examination privilege, a qualified privilege belongs to the bank regulator, not the bank. The privilege arises out of the practical need for openness and honesty between bank examiners and the banks they regulate, and is intended to protect the integrity of the regulatory process by privileging such communications.

Thus, any reports issued by a regulator or any documentation arising out of regulators' reports of examinations and investigations are subject to the privilege, and if they are sought in discovery, even if they are in the physical possession of the bank, the financial institution must give the regulator the opportunity to assert and defend the privilege.

Suspicious Activity Reports (SARs)

The Bank Secrecy Act requires certain financial institutions to file a Suspicious Activity Report (SAR) when they detect a known or suspected violation of federal law or a suspicious transaction related to a money laundering activity or a violation of the Act. 31 U.S.C. 5218(g).

SARs are filed with the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury that collects and analyzes information about financial transactions to combat money laundering, terrorist financing, and other financial crimes.

The law prohibits entity filing SAR or its employees from informing the subject or the media of the SAR of its filing. Further, any national bank or person subpoenaed or otherwise requested to disclose a SAR or the information contained in it must decline to produce the SAR or to provide any information that would disclose that it has been prepared or filed, or both, and must notify the regulators. 12 C.F.R. §21.11(k).

The statute and the regulation thus "create an unqualified discovery and evidentiary privilege that cannot be waived." United States v. Holihan, 248 F. Supp. 2d 179, 187 (W.D.N.Y. 2003)

These restrictions are intended to encourage financial institutions to communicate openly with law enforcement to facilitate law enforcement's access to accurate and complete information, to keep confidential bank methods for identifying and preventing wrongdoing, to prevent tipping of wrongdoers, and to protect privacy of bank customers.

Waiver of Privilege By Production to Government

The doctrine of "selective waiver" permits the privilege holder, in certain circumstances, to produce privileged material to the government, while preserving the privilege claims as to third-party litigants. The Second Circuit has held that the applicability of this doctrine should be assessed on a case-by-case basis and may not be appropriate where there is an adversarial relationship between the disclosing party and the government agency. Moreover, selective waiver is disfavored by most federal circuit courts.

Enter the special privilege enjoyed by banks who make disclosure to regulators. Regulations governing depository institutions, at 12 U.S.C. §1828(x), holds that submitting information to the Bureau of Consumer Financial Protection, any federal banking agency, state bank supervisor, or foreign banking authority "for any purpose in the course of any supervisory or regulatory process of such Bureau, agency, supervisor, or authority shall not be construed as waiving, destroying, or otherwise affecting any privilege such person may claim with respect to such information under federal or state law as to any person or entity other than such Bureau, agency, supervisor, or authority."

It is unclear, however, whether this provision bars waiver claims as to information submitted to a bank authority in the context of the authority’s role, as opposed to supervisory or regulatory role.


Counsel representing banks in employment litigation need to understand the special privileges and rules regarding access to bank records and disclosures to regulators. Some of these issues, particularly those pertaining to CSI, must be addressed in writing, perhaps in an engagement letter or other formal documentation between the bank client and counsel.


Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm’s U.S. international employment law and financial services practices.

Read the full article here:

Reprinted with permission from the July 13, 2022 edition of the New York Law Journal© 2022 ALM Media Properties, LLC. All rights reserved.

Further duplication without permission is prohibited. – 877-257-3382 –