[Federal Register Volume 78, Number 32 (Friday, February 15, 2013)]
[Rules and Regulations]
[Pages 11483-11520]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-01737]



[[Page 11483]]

Vol. 78

Friday,

No. 32

February 15, 2013

Part V





Bureau of Consumer Financial Protection





-----------------------------------------------------------------------





12 CFR Part 1070





Disclosure of Records and Information; Final Rule

Federal Register / Vol. 78 , No. 32 / Friday, February 15, 2013 / 
Rules and Regulations

[[Page 11484]]


-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1070

[Docket No. CFPB-2011-0003]
RIN 3170-AA01


Disclosure of Records and Information

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule establishes procedures for the public to 
obtain information from the Bureau of Consumer Financial Protection, 
under the Freedom of Information Act, the Privacy Act of 1974, and in 
legal proceedings. This final rule also establishes the Bureau's rule 
regarding the confidential treatment of information obtained from 
persons in connection with the exercise of its authorities under 
Federal consumer financial law.

DATES: This final rule is effective March 18, 2013.

FOR FURTHER INFORMATION CONTACT: Monica Jackson, Office of the 
Executive Secretary, Consumer Financial Protection Bureau, 1700 G 
Street NW., Washington, DC 20552, 202-435-7275.

SUPPLEMENTARY INFORMATION:

I. Background

    On July 21, 2010, the President signed into law the Dodd-Frank Wall 
Street Reform and Consumer Protection Act (Pub. L. 111-203, codified at 
12 U.S.C. 5301 et seq.) (the Dodd-Frank Act). Title X of the Dodd-Frank 
Act created the Bureau of Consumer Financial Protection (the Bureau or 
the CFPB). Pursuant to the provisions of the Dodd-Frank Act, the Bureau 
began to exercise its authority to regulate the offering and provision 
of consumer financial products and services under Federal consumer 
financial law on July 21, 2011.\1\
---------------------------------------------------------------------------

    \1\ Pursuant to section 1062 of the Dodd-Frank Act, 12 U.S.C. 
5582, the Secretary of the Treasury designated July 21, 2011 as the 
``transfer date'' on which various provisions of Title X of the 
Dodd-Frank Act became effective. 75 FR 57252.
---------------------------------------------------------------------------

    In order to establish procedures to facilitate public interaction 
with the Bureau, the Bureau published an interim final rule on July 28, 
2011, 76 FR 45371 (Jul. 28, 2011), and solicited public comment on that 
rule. The Bureau is issuing this final rule in response to these 
comments as well as to clarify and correct certain aspects of the 
interim final rule.

II. Summary of the Final Rule

    The final rule consists of five subparts.
    Subpart A of the final rule consists largely of definitions of 
terms that are used throughout the remainder of the part.
    Subpart B of the final rule implements the Freedom of Information 
Act, 5 U.S.C. 552 (the FOIA). The FOIA grants the public an enforceable 
right to obtain access to or copies of Federal agency records unless 
disclosure of those records, or information contained within them, is 
exempt from disclosure pursuant to one or more statutory exemptions and 
exclusions. The FOIA also requires Federal agencies to routinely 
publish in the Federal Register, or make available to the public, 
certain information concerning their organizational structures, 
policies and procedures, final opinions and orders, and records that 
have or are likely to become the objects of frequent FOIA requests. The 
regulations in this subpart implement the FOIA as required or 
authorized by various provisions of the statute.
    The Bureau modeled its FOIA rule upon regulations promulgated by 
the other Federal agencies, including the U.S. Department of the 
Treasury. In drafting the rule, the Bureau sought the input of the 
Department of Justice and the National Archives and Records 
Administration's Office of Government Information Services, which is 
responsible for promoting best practices among Federal agencies as to 
their FOIA regulations and practices.
    Subpart C of the final rule sets forth procedures for serving the 
Bureau and its employees with copies of documents in connection with 
legal proceedings, such as summonses, complaints, subpoenas, and other 
litigation-related requests or demands for the Bureau's records or 
official information. Subpart C also describes the Bureau's procedures 
for considering such requests or demands for official information. 
These regulations (which are sometimes referred to as Touhy 
regulations) are modeled after similar regulations of other Federal 
agencies.
    Subpart D of the rule pertains to the protection and disclosure of 
confidential information that the Bureau generates and receives during 
the course of its work. Various provisions of the Dodd-Frank Act 
require the Bureau to promulgate regulations providing for the 
confidentiality of certain types of information and protecting such 
information from public disclosure. Other provisions of the Dodd-Frank 
Act, however, require or authorize the Bureau to share information, 
under certain circumstances, with other Federal and State agencies to 
the extent that they share jurisdiction with the Bureau as to the 
supervision of financial institutions, the enforcement of consumer 
financial protection laws, or the investigation and resolution of 
consumer complaints regarding financial institutions or consumer 
financial products and services. In implementing these provisions, the 
Bureau has sought to provide the maximum protection for confidential 
information, while ensuring its ability to share or disclose 
information to the extent necessary to achieve its mission.
    The Bureau recognizes that much of the information that it will 
generate and obtain during the course of its activities will be 
commercially, competitively, and personally sensitive in nature, and 
generally warrants heightened protection. The need for greater 
protection for these categories of information is reflected in the 
substantive law of privilege and in various statutes, including the 
FOIA and the Privacy Act of 1974, 5 U.S.C. 552a (the Privacy Act), that 
provide for the protection of such information from disclosure.
    Notwithstanding these concerns, there are instances in which the 
disclosure of confidential information will be necessary or appropriate 
for the Bureau to accomplish its statutory mission, such as the 
investigation and resolution of consumer complaints or the enforcement 
of Federal consumer financial laws. Disclosures may also serve the 
public interest where Federal and State agencies share elements of the 
Bureau's mission and where, by sharing information, they can do their 
jobs more effectively.
    The regulations in subpart D balance these competing concerns by 
generally prohibiting the Bureau and its employees from disclosing 
confidential information to non-employees, and even in certain cases to 
its employees, except in limited circumstances. Even where the Bureau 
permits disclosures of confidential information, the Bureau imposes 
strict limits upon the further use and dissemination of disclosed 
information.
    Where appropriate, the Bureau has based the regulations in this 
subpart upon regulations of the other Federal financial regulatory 
agencies that provide for the confidentiality and disclosure of certain 
information generated or received in the course of supervising, 
investigating, or pursuing enforcement actions against financial 
institutions.

[[Page 11485]]

    Subpart E contains the Bureau's rule implementing the Privacy Act. 
The Privacy Act serves to balance the government's need to maintain 
information about individuals with the rights of individuals to be 
protected against unwarranted invasions of their privacy stemming from 
Federal agencies' collection, maintenance, use, and disclosure of 
personal information about them.
    The regulations in this subpart establish procedures by which 
members of the public may request access to information or records that 
the Bureau maintains about them, request amendment or correction of 
such information or records, and request an accounting of disclosures 
of their records by the Bureau. As with its FOIA regulations, the 
Bureau modeled its Privacy Act regulations upon regulations promulgated 
by the other Federal agencies, including the Treasury Department.

III. Overview of Comments Received

    In response to the interim final rule, the Bureau received thirteen 
comment letters. Seven of these comment letters were submitted on 
behalf of financial institution trade associations. Three letters were 
submitted on behalf of individual financial institutions and two 
letters were submitted on behalf of public interest groups. The Bureau 
also received one comment letter from an individual that did not 
pertain to the interim final rule.
    Public interest groups, along with some of the financial services 
trade associations, wrote comments regarding subpart B of the Bureau's 
interim final rule, which implements the FOIA. Public interest group 
commenters propose minor modifications to the rule to facilitate public 
access to Bureau records. Several trade association commenters ask the 
Bureau to impose limitations on a rule that permits the Bureau to 
exercise its discretion to disclose information and records that are 
otherwise subject to FOIA exemptions.
    Most of the comments that the Bureau received from both financial 
services trade associations and financial institutions concern subpart 
D of the interim final rule. Commenters express concerns as to whether 
and to what extent the Dodd-Frank Act authorizes the Bureau to 
promulgate regulations that permit it to disclose confidential 
information that it obtains from covered persons and service providers. 
They also argue that subpart D is too permissive in its criteria for 
disclosing such confidential information to other agencies, and in 
particular, to State attorneys general. The commenters propose that the 
Bureau adopt stricter criteria that certain other Federal financial 
regulatory agencies apply when determining whether to share 
confidential information.
    The Bureau received no comments regarding subpart E of the interim 
final rule.
    The Bureau also received one public comment that pertains to the 
Bureau's general authority to promulgate the interim final rule. Rather 
than address this comment in Section IV, it does so here.
    The commenter argues that section 1066 of the Dodd-Frank Act did 
not authorize the Bureau to promulgate this interim final rule prior to 
the appointment of a director, at a time when, pursuant to section 1066 
of the Dodd-Frank Act, the Treasury Secretary performed functions of 
the Bureau pending such an appointment.\2\ The commenter argues that 
even if the Treasury Secretary had general authority to do so, pursuant 
to 31 U.S.C. 321(b)(1), the Secretary was bound to promulgate a rule 
that was entirely consistent with corresponding rules of the other 
prudential regulators.
---------------------------------------------------------------------------

    \2\ 12 U.S.C. 5586.
---------------------------------------------------------------------------

    This comment is moot insofar as the President has appointed a 
director of the Bureau who has authority to issue the rule pursuant to 
the statutes listed in Sec.  1070.1 of this rule. Moreover, prior to 
this appointment, the Secretary of the Treasury had ample authority to 
issue the interim final rule under section 1066 of the Dodd-Frank Act 
as well as 31 U.S.C. 321. The Secretary was not obligated, when 
exercising such authority, to issue regulations related to confidential 
information that were identical to those issued by the prudential 
regulators.
    In section IV below, the Bureau provides a section-by-section 
summary of the other comments it received to the interim final rule and 
the Bureau's responses to these comments.

IV. Section-by-Section Analysis

Subpart A--General Provisions and Definitions

Section 1070.01 Authority, Purpose, and Scope
    Section 1070.1 of the interim final rule sets forth the Bureau's 
authorities for issuing the rule in this part, including provisions of 
the Dodd-Frank Act that require or authorize the Bureau to disclose, 
share, or maintain the confidentiality of certain information that the 
Bureau obtains from others or generates itself. Section 1070.1 also 
identifies the various purposes of the rule. The Bureau received no 
comments on the interim final rule. The Bureau adopts the interim final 
rule without modification.
Section 1070.2 General Definitions
    Section 1070.2 defines terms that are utilized elsewhere in part 
1070 of the rule. For example, Sec.  1070.2(e) of the interim final 
rule defines the term ``civil investigative demand material'' to 
encompass all types of materials provided to the Bureau in response to 
a civil investigative demand that the Bureau issues in accordance with 
section 1052 of the Dodd-Frank Act. The definition of this term also 
includes materials that a person provides to the Bureau voluntarily or 
in lieu of receiving a civil investigative demand.
    Section 1070.2(f) defines the term ``confidential information.'' 
Confidential information refers to three categories of non-public 
information--confidential consumer complaint information, confidential 
investigative information, and confidential supervisory information--
that the Bureau, in subpart D, protects from various types of 
disclosure in accordance with the Dodd-Frank Act and other laws. The 
term also includes other Bureau information that is exempt from 
disclosure pursuant to one or more of the statutory exemptions to the 
FOIA.
    Section 1070.2(g) defines ``confidential consumer complaint 
information'' to mean information that the Bureau receives from the 
public or from other agencies or organizations, or which the Bureau 
generates through its own efforts pursuant to sections 1013 and 1034 of 
the Dodd-Frank Act, that comprises or documents consumer complaints or 
inquiries concerning financial institutions or consumer financial 
products and services. The term includes information, such as 
personally identifiable information, that is protected from public 
disclosure under the FOIA.
    Section 1070.2(h) defines ``confidential investigative 
information'' to include all manner of materials received, generated, 
or compiled by the Bureau in the course of its investigative 
activities, including materials received through the issuance of civil 
investigative demands. It also includes confidential supervisory 
information and confidential consumer complaint information to the 
extent that such materials serve as a basis for or are utilized for 
purposes of an investigation. Lastly, the term includes materials that 
other Federal and State agencies provide to the Bureau or create for 
its use in

[[Page 11486]]

investigating a possible violation of Federal consumer financial law.
    Section 1070.2(i) defines ``confidential supervisory information'' 
to include various materials that the Bureau generates or receives that 
relate to the examination of financial institutions. These materials 
include, first, examination, inspection, visitation, operating, 
condition, and compliance reports, and any information contained in, 
relating to, or derived from such reports. Second, the term includes 
documentary materials, including reports of examination, which the 
Bureau prepares or that are prepared by others for use by the Bureau in 
exercising its supervisory authority over financial institutions, as 
well as information derived from such documentary materials. Third, the 
term includes the Bureau's communications with financial institutions 
and agencies to the extent that such communications relate to the 
exercise of the Bureau's supervisory authority over financial 
institutions. Fourth, confidential supervisory information includes 
information that financial institutions provide to the Bureau to help 
it to evaluate the risks associated with consumer financial products 
and services and whether institutions should be deemed ``covered 
persons,'' as that term is defined by section 1002(6) of the Dodd-Frank 
Act. Finally, the term includes other supervision-related information 
that is also exempt from public disclosure under the FOIA pursuant to 5 
U.S.C. 552(b)(8).
    The Bureau received no comments on the interim final rule. In the 
final rule, the Bureau adds a definition of the term ``State'' that 
incorporates the definition of that term set forth in section 1002(27) 
of the Dodd-Frank Act and which clarifies that the term also includes 
all political subdivisions of States. Furthermore, the Bureau modifies 
the definition of the term ``confidential supervisory information'' to 
clarify that it includes information provided to the CFPB by a 
financial institution to assess whether an institution is subject to 
the Bureau's supervisory authorities. The Bureau also modifies the 
definition of the term ``supervised financial institution'' to clarify 
that this term includes financial institutions that both are presently 
and may become subject to the Bureau's supervisory authority.
Section 1070.3 Custodian of Records; Certification; Alternative 
Authority
    Section 1070.3 of the interim final rule designates the Chief 
Operating Officer of the Bureau to be the custodians of all Bureau 
records. Acting in this capacity, the Chief Operating Officer may 
certify the authenticity of any Bureau record or any copy of such 
record. The Chief Operating Officer may delegate his or her 
responsibilities as record custodian to other Bureau employees. The 
Bureau received no comments on the interim final rule. The Bureau 
adopts the interim final rule without modification.
Section 1070.4 Records of the CFPB Not To Be Otherwise Disclosed
    Section 1070.4 of the interim final rule states that except as 
provided in this part, employees or former employees of the Bureau, or 
others in possession of a record of the Bureau that the Bureau has not 
already made public, are prohibited from disclosing such records, 
without authorization, to any person who is not an employee of the 
Bureau. The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification.

Subpart B--Freedom of Information Act

Section 1070.10 General
    Section 1070.10 introduces subpart B as consisting of regulations 
that implement the FOIA by setting forth procedures for requesting 
access to Bureau records. The rule also instructs the public to read 
subpart B together with the FOIA, the 1987 Office of Management and 
Budget Guidelines for FOIA Fees, the Bureau's Privacy Act regulations 
set forth in subpart E, and the FOIA page on the Bureau's Web site, 
http://www.consumerfinance.gov, because such materials offer important 
guidance on the topics that subpart B governs.
    A trade association commenter argues that the Bureau should amend 
Sec.  1070.10 to delete the phrase ``[t]hese regulations should be read 
together with,'' which immediately precedes ``the FOIA, the 1987 Office 
of Management and Budget Guidelines for FOIA Fees, the Bureau's Privacy 
Act regulations set forth in subpart * * *'' and the phrase ``which'' 
prior to ``provide additional information about this topic.'' The 
commenter argues that these phrases seemingly enable the Bureau to 
alter subpart B at will simply by specifying a contrary rule on its 
FOIA Web page. The commenter proposes that the rule simply state that 
the FOIA, the OMB Guidelines, the Privacy Act regulations, and the 
Bureau's FOIA Web page, provide additional information about this 
topic.
    The Bureau disagrees with the commenter that Sec.  1070.10 requires 
modification. As written, the rule makes clear that the public should 
consult the FOIA Web site, along with the other authorities cited, 
because they ``provide additional information on this topic.''
    The Bureau does not intend to utilize its FOIA Web page to effect 
substantive revisions to subpart B and it does not interpret Sec.  
1070.10 to be a source of authority to do so. The FOIA Web page exists 
to summarize and provide public guidance as to the FOIA and the 
procedures set forth in the Bureau's regulations that implement the 
FOIA. In certain cases, such guidance may indicate how the Bureau 
interprets its FOIA regulations, but it will not alter or supplant such 
regulations.
Section 1070.11 Information Made Available; Discretionary Disclosures
    Section 1070.11(a) of the interim final rule sets forth the three 
major categories of information that the FOIA requires the Bureau to 
publish or make accessible to the public. Paragraph (b) authorizes the 
Bureau, in response to a FOIA request, to make discretionary 
disclosures of information or records that are otherwise subject to 
non-mandatory FOIA exemptions. Paragraph (c) requires the Bureau to 
make publicly available all records that have become the subject of 
three or more requests or that are likely to become the subject of 
frequent requests because they are clearly of interest to the public at 
large.
    Several trade associations expressed concerns that Sec.  1070.11(b) 
does not specify who in the Bureau is responsible for making 
discretionary disclosures of Bureau records and what criteria this 
person will employ when doing so. One commenter argues that this 
provision should provide for notice and a means to contest a decision 
of the Bureau to make discretionary disclosures of information. Another 
commenter argues that this provision should clarify that the Bureau may 
not make discretionary disclosures of examination reports or 
confidential commercial information.
    Commenters differ in their reactions to Sec.  1071.11(c). Several 
commenters argue that the three-request publication threshold is too 
rigid and is easily manipulated to induce publication. One commenter 
argues that the Bureau should eliminate this provision in favor of a 
case-by-case approach to publishing frequently requested records. 
Another commenter suggests that the Bureau should publish records only 
when they are frequently and regularly requested by a broad range of 
requestors. Yet another commenter argues that the Bureau should revise 
the rule to allow for publication of frequently requested records 
regardless of whether they are ``clearly of interest to the public at 
large.''

[[Page 11487]]

    The Bureau adopts Sec.  1070.11(b) of the interim final rule 
without modification. This provision, which permits the Chief FOIA 
Officer to disclose FOIA exempt information ``if not precluded by 
law,'' \3\ is a common provision that exists in the FOIA regulations of 
many Federal agencies.\4\ This provision merely permits the Chief FOIA 
Officer to exercise the Bureau's discretion--to the extent that such 
discretion exists under law--to disclose information notwithstanding 
the fact that the Bureau could withhold such information pursuant to 
one or more of the FOIA exemptions. However, this provision does not 
grant the Chief FOIA Officer discretion to disregard Federal laws that 
require the Bureau to withhold information from public disclosure.
---------------------------------------------------------------------------

    \3\ Section 1070.15(b) of these rules authorizes the Bureau's 
Chief FOIA Officer to grant or deny all FOIA requests for Bureau 
records. This authority includes the power to make discretionary 
disclosures of information or records that are subject to FOIA 
requests, as set forth in section 1070.11(b). The Chief FOIA Officer 
exercises this authority with the input and advice of the program 
offices that maintain the requested information. To the extent that 
a business submits trade secrets or confidential commercial 
information to the Bureau that later becomes subject to a FOIA 
request, section 1070.20 of these rules requires the Chief FOIA 
Officer, in most cases, to obtain the input of that business before 
the Chief FOIA Officer decides whether to disclose the information.
    \4\ See, e.g., 12 CFR 261.14(c) (Federal Reserve Board 
regulation providing for discretionary release of exempt 
information); 12 CFR 4.12(c) (Office of Comptroller of Currency 
regulation providing for the same discretionary release of exempt 
information).
---------------------------------------------------------------------------

    For example, Sec.  1070.11(b) permits the Chief FOIA Officer to 
make public information that is subject only to FOIA Exemption 5, 5 
U.S.C. 552(b)(5), as long as no other Federal law prohibits the Bureau 
from disclosing such information. However, the Chief FOIA Officer lacks 
discretion to disclose a trade secret that is subject to FOIA Exemption 
4, 5 U.S.C. 552(b)(4), to the extent that the Trade Secrets Act, 18 
U.S.C. 1905, prohibits the Bureau from publicly disclosing the trade 
secret.\5\ In certain instances, the Privacy Act also precludes the 
Chief FOIA Officer from disclosing information about individuals that 
is subject to FOIA Exemptions 6 or 7(c), 5 U.S.C. 552(b)(6), (7)(C).
---------------------------------------------------------------------------

    \5\ The Trade Secrets Act prohibits agencies from disclosing 
trade secrets except where they are authorized by law to do so. See 
Chrysler Corp. v. Brown, 441 U.S. 281 (1979).
---------------------------------------------------------------------------

    To the extent that the Chief FOIA Officer has discretion to 
disclose confidential supervisory information that is otherwise subject 
to FOIA Exemption 8, 5 U.S.C. 552(b)(8), the Bureau's ``policy is to 
treat information obtained in the supervisory process as confidential 
and privileged'' and as ``exempt from disclosure under Exemption 8 of 
the Freedom of Information Act.'' CFPB Bulletin 12-01 (Jan. 4, 2012).
    The Bureau adopts Sec.  1070.11(c) of the interim final rule with 
minor modifications. Section 1070.11(c) implements the Electronic 
Freedom of Information Act amendments of 1996, codified at 5 U.S.C. 
552(a)(2)(D), which require each agency to make ``available for public 
inspection and copying * * * copies of all records, regardless of form 
or format, which have been released to any person * * * and which, 
because of the nature of their subject matter, the agency determines 
have become or are likely to become the subject of subsequent requests 
for substantially the same records.'' The Department of Justice, in 
guidance it issued to Federal agencies in 2003, interprets section 
(a)(2)(D) of the FOIA to mean that agencies must publish records that 
are already or are likely to become the subject of three or more FOIA 
requests. See Department of Justice, Office of Information & Privacy, 
FOIA Post: ``FOIA Counselor Q&A: `Frequently Requested' Records'' (Jul. 
25, 2003), at http://www.justice.gov/oip/foiapost/2003foiapost28.htm. 
Section 1070.11(c) is consistent with this guidance and with similar 
provisions in other agencies' FOIA regulations.\6\
---------------------------------------------------------------------------

    \6\ See, e.g., 12 CFR 261.11(4) (Federal Reserve Board rule 
providing for the publication of frequently requested records); 12 
CFR 309.4(D) (Federal Deposit Insurance Corporation rule providing 
for the publication of frequently requested records).
---------------------------------------------------------------------------

    Nevertheless, the Bureau agrees to remove from Sec.  1070.11(c) the 
qualifying language ``clearly of interest to the public at large.'' 
Such language is not part of the FOIA or the Department of Justice's 
FOIA guidance. The Bureau concludes that this language does not serve 
the Bureau's interest in promoting transparency.
Section 1070.12 Publication in the Federal Register
    Section 1070.12 implements section (a)(1) of the FOIA, 5 U.S.C. 
552(a)(1). It requires the Bureau to publish in the Federal Register 
certain details of its organization, policies, procedures, and rules, 
subject to the FOIA exemptions. The Bureau received no comments on the 
interim final rule. The Bureau adopts the interim final rule without 
modification.
Section 1070.13 Public Inspection and Copying
    Section 1070.12(a) implements section (a)(2) of the FOIA, 5 U.S.C. 
552(a)(2). Subject to the FOIA exemptions, it requires the Bureau to 
make available for public inspection and copying, including by posting 
on the Bureau's Web page, all of the Bureau's final opinions and 
orders, certain statements of its policies and administrative staff 
manuals, copies of all frequently requested records that it publishes 
pursuant to Sec.  1070.11(c), and an index of such records.
    Section 1070.12(b) requires the Bureau to establish an electronic 
FOIA reading room on its Web site to house the records that section 
1070.12(a) requires it to publish. Section 1070.12(c) requires the 
Bureau to also make such records available at its headquarters in a 
physical reading room that is accessible to the public upon request.
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification, except that 
it updates the address of the reading room to reflect the new address 
of the Bureau: 1700 G Street NW., Washington, DC 20552.
Section 1070.14 Requests for CFPB Records
    Section 1070.14 sets forth the basic procedural requirements for 
submitting a FOIA request to the Bureau.
    Paragraph (a) implements section (a)(3) of the FOIA, 5 U.S.C. 
552(a)(3), which establishes the basic public right to obtain access to 
Federal agency records, upon request, and subject to the FOIA 
exemptions and exclusions.
    Paragraph (b) sets forth the acceptable formats for a Bureau FOIA 
request. It states that a FOIA request must be made in writing, labeled 
as such, and submitted to the Chief FOIA Officer in either paper or 
electronic formats.
    Paragraph (c) describes the required content of a Bureau FOIA 
request. This content includes a reasonably specific description of the 
records requested, contact information for the requester, a statement 
of whether the requester wants to inspect or obtain a copy of the 
records requested, an assertion of the requester's applicable fee 
category, an indication of whether the requester seeks an upper limit 
to or a waiver or reduction of applicable fees, and an indication of 
whether the requester seeks expedited processing of the request.
    Paragraph (d) states that the Bureau need not accept or process a 
FOIA request, or be bound by deadlines for responding to such a 
request, that does not conform to the requirements of paragraphs (b) 
and (c). If a request is materially deficient, then the Bureau may 
return it to the requester and advise the requester as to how to 
address the deficiency. If the requester does not

[[Page 11488]]

respond to notification of a material deficiency within thirty (30) 
days, then the Bureau will deem the deficient request to be withdrawn. 
A determination that a request is materially deficient does not 
constitute a denial of access and is not subject to appeal.
    Paragraphs (e) and (f) set forth the procedure by which a requester 
may obtain access to Bureau records about him or herself or about 
another individual when requesting records on behalf of that 
individual.
    One commenter believes that the Bureau should amend Sec.  
1070.14(c)(5), which requires FOIA requesters to seek fee waivers at 
the time when they file their FOIA requests, to allow requesters to 
seek fee waivers at any time while FOIA requests are open.
    Another commenter argues that the Bureau should eliminate the 
portion of Sec.  1070.14(c)(5) which states that by submitting a FOIA 
request, the requester agrees to pay any and all fees associated with 
processing the request up to $25. The commenter argues that this 
requirement may deter individuals from seeking information pursuant to 
the FOIA. Instead, the commenter argues that requesters should be able 
to specify that they do not want the Bureau to process the request if 
doing so will exceed the two free search hours and 100 free pages of 
duplication to which the FOIA entitles them.
    Finally, one commenter argues that the Bureau should revise Sec.  
1070.14(d) to state that the failure by a requester to adhere to all of 
these procedural requirements--including the requirements that requests 
must be labeled ``Freedom of Information Act Request'' and that 
requesters specify an applicable fee category--will not necessarily 
result in the Bureau rejecting a request. The commenter also argues 
that this provision should require the Bureau to inform requesters when 
they have deemed requests to be deficient.
    The Bureau modifies Sec.  1070.14(b) of the interim final rule to 
reflect the new mailing address of the Bureau: 1700 G Street NW., 
Washington, DC 20552. The Bureau also modifies Sec.  1070.14(c)(2) to 
require that a requester include his, her, or its name in addition to 
the other contact information that the Bureau requires a requester to 
provide. The Bureau imposes this change to ensure that it can make 
proper fee category determinations, impose fees upon the requester, and 
properly determine whether a request is a Privacy Act or a FOIA 
request.
    The Bureau adopts Sec.  1070.14(c)(5) without modification for the 
reasons that it discusses in the portion of the section-by-section 
analysis that pertains to Sec.  1070.22 of the rule.
    To address the commenter's concern that paragraph (d) authorizes 
the Bureau to reject requests on the basis of immaterial deficiencies, 
and does not require the Bureau to advise requesters as to how to 
correct deficiencies in their requests, the Bureau modifies Sec.  
1070.14(d) to state that it will deem itself to have received a request 
when it contains ``substantially'' all of the information that the 
Bureau requires and that it need not accept or process a request that 
fails to conform in any ``material'' respect to the requirements of 
Sec.  1070.14.
Section 1070.15 Responsibility For Responding to Requests for CFPB 
Records
    Section 1070.15(a) states that the Bureau will deem records to be 
responsive to a FOIA request only to the extent that it possesses them 
as of the date when the Bureau commences its records search.
    Paragraph (b) states that the Bureau's Chief FOIA Officer is 
authorized to make determinations on behalf of the Bureau as to whether 
and to what extent to grant FOIA requests.
    Paragraph (c) sets forth the Bureau's procedures for consulting 
with or referring to another agency a requested record that originated 
with or contains information that originated with that agency.
    Paragraph (d) states that the Bureau will notify a requester 
whenever it refers all or part of a request to another agency.
    One commenter urges the Bureau to amend Sec.  1070.15(c), which 
authorizes the Bureau to consult other agencies when responding to 
requests for Bureau records that comprise other agencies' information, 
to require the Bureau to obtain the affirmative consent of such 
agencies, rather than merely consulting them, prior to releasing the 
records.
    The Bureau adopts the interim final rule without modification. The 
interim final rule reflects the standard practice among Federal 
agencies for consultations. It represents sound practice in that it 
balances the interests of other agencies with the right of requesters 
to obtain requested records in a timely fashion.
Section 1070.16 Timing of Responses to Requests for CFPB Records
    Section 1070.16 sets forth the order and timing of the Bureau's 
responses to FOIA requests.
    Paragraph (a) states that, except as set forth in paragraphs (b) 
through (d) of this section and Sec.  1070.17 of this subpart, the 
Bureau will respond to FOIA requests in the order of their receipt.
    Paragraph (b) authorizes the Bureau to establish separate tracks to 
process simple and complex requests in the order of their respective 
receipt. This multi-track process allows the Bureau to respond to 
simple requests more quickly than it could otherwise if the Bureau 
processed such simple requests in a single queue behind complex 
requests.
    Paragraph (c) establishes a twenty (20) business day deadline for 
the Bureau to respond to a FOIA request. The Bureau may toll this 
deadline once while it awaits a requester's response to a reasonable 
demand for clarification of a request. It may also toll the deadline 
while it is engaged in a dispute with a requester regarding the 
assessment of fees.
    Paragraph (d) permits the Bureau to unilaterally extend in writing 
the twenty (20) business day response deadline for responding to a FOIA 
request or appeal by up to an additional ten (10) business days if the 
Bureau determines that unusual circumstances exist that preclude the 
Bureau from meeting the twenty (20) business day deadline. If the 
Bureau determines that it needs more than an additional ten (10) 
business days to respond, then it must notify the requester and provide 
the requester with an opportunity to either narrow the scope of the 
request or appeal in such a way that the Bureau can respond by the 
deadline or arrange for an alternative time frame beyond the deadline 
to respond to the request or appeal.
    One commenter argues that Sec.  1070.16(c) impermissibly authorizes 
the Bureau to toll the twenty (20) day deadline for responding to FOIA 
requests while the Bureau awaits clarification from a requester as to 
subject matter of a request or while the Bureau resolves any dispute 
with the requester regarding fees. The commenter argues that the FOIA 
states that the request response deadline commences once a request or 
appeal has been received.
    The Bureau adopts the interim final rule without modification. The 
interim final rule implements section (a)(6)(A) of the FOIA, 5 U.S.C. 
552(a)(6)(A), which provides that an agency may toll the response 
deadline once while awaiting the requester's response to a reasonable 
request of the agency for information about a FOIA request or as 
necessary while awaiting the requester's clarification of fee issues 
regarding the FOIA request.

[[Page 11489]]

Section 1070.17 Requests for Expedited Processing
    Section 1070.17 establishes a procedure by which FOIA requesters 
may seek and the criteria by which the Bureau will grant expedited 
processing of FOIA requests.
    Paragraph (a) states that the Bureau will grant expedited 
processing to requesters that demonstrate a ``compelling need'' for 
such processing in accordance with this section.
    Paragraph (b) sets forth the form and content of requests for 
expedited processing and defines the term ``compelling need'' generally 
and with respect to requests made by persons primarily engaged in 
disseminating information.
    Paragraph (c) requires the Bureau to respond to requests for 
expedited processing within ten (10) calendar dates of their receipt.
    Paragraph (d) states that if granted, expedited processing entitles 
requesters to priority over non-expedited requests and responses as 
soon as practicable. It further states that the Bureau may process 
expedited requests on a multi-track basis and within each track, in the 
order of their receipt.
    Paragraph (e) establishes the rights of requesters to appeal 
denials of requests for expedited processing in accordance with Sec.  
1070.21 of this subpart.
    One commenter suggests that the Bureau should amend Sec.  1070.17 
by expanding its criteria for granting expedited processing of FOIA 
requests to include, in addition to instances where the requester 
demonstrates a ``compelling need'' for expedited process, ``other cases 
determined by the agency,'' which section (a)(6)(E)(i)(II) of the FOIA, 
5 U.S.C. (a)(6)(E)(i)(II), authorizes. The commenter asks that these 
``other cases'' include instances in which expedited processing is 
necessary to avoid the loss of substantial due process rights or where 
there is widespread and exceptional media interest in information that 
raises concerns about the government's integrity.
    The Bureau agrees with the commenter that the FOIA grants agencies 
discretion to process requests on an expedited basis for reasons other 
than demonstration by a requester of a compelling need. The Bureau 
modifies the interim final rule by permitting the Bureau to process a 
request for expedited processing whenever a requester demonstrates a 
compelling need ``or in other cases that the CFPB deems appropriate.''
Section 1070.18 Responses to Requests for CFPB Records
    Section 1070.18 sets forth the process by which the Bureau will 
acknowledge receipt of FOIA requests and communicate its initial 
determinations as to whether and to what extent to grant such requests. 
The rule also delineates information that the Bureau must include in 
notifications to requesters that acknowledge receipt of or determine 
whether and to what extent to grant FOIA requests. The Bureau received 
no comments on the interim final rule. The Bureau adopts the interim 
final rule without modification.
Section 1070.19 Classified Information
    Section 1070.19 sets forth a procedure for referring requests for 
classified information to the agency that originated or classified it. 
The Bureau received no comments on the interim final rule. The Bureau 
adopts the interim final rule without modification.
Section 1070.20 Requests for Business Information Provided to the CFPB
    Section 1070.20 requires the Bureau, under certain circumstances, 
to notify persons or entities that submit business information to the 
Bureau of its receipt of a FOIA request or appeal for such information, 
and to provide submitters with an opportunity to object to the Bureau's 
disclosure of such information on the basis of FOIA Exemption 4, 5 
U.S.C. 552(b)(4). If the Bureau rejects such objections, then the rule 
requires the Bureau to wait a certain period of time before it 
discloses the information so as to afford submitters an opportunity to 
file suit in Federal district court to enjoin disclosure. The rule 
states that the Bureau will notify submitters of the receipt of FOIA 
requests or appeals for their information whenever the Bureau has 
reason to believe that the information may be subject to Exemption 4 or 
that submitters have marked the information as such in good faith. 
Notification is not required if the Bureau determines independently 
that the requested information is exempt from disclosure, that it is 
already in the public domain, that disclosure is required by statute or 
regulation, or the submitter's designation of the information as being 
subject to Exemption 4 is obviously frivolous.
    Several commenters argue that the Bureau should eliminate or amend 
Sec.  1070.20(c), which allows submitters of business information to 
designate such information as being subject to FOIA Exemption 4 for a 
period of ten years after the date of submission. Several commenters 
argue that the Bureau should double or otherwise increase the ten year 
time period applicable to designations of trade secrets and other 
confidential supervisory information.
    The Bureau adopts the interim final rule without modification. The 
ten-year length of the business information designation period is 
consistent with similar rules adopted by other Federal agencies. The 
Bureau notes that the rule grants it discretion, upon request and with 
sufficient justification, to extend the length of the designation 
period beyond ten years. As such, the Bureau sees no reason to 
eliminate or extend the default length of the designation period.
Section 1070.21 Administrative Appeals
    Section 1070.21 discusses administrative appeals of initial Bureau 
determinations regarding FOIA requests.
    Paragraph (a) enumerates Bureau determinations that are subject to 
administrative appeal. These determinations include denial of access to 
records in whole or in part, assignment to the requester of a 
particular fee category, denial of a request for a reduction or waiver 
of fees, a determination that no records exist that are responsive to a 
request, and denial of a request for expedited processing.
    Paragraph (b) establishes a forty-five (45) calendar day time frame 
from the date of initial determination to file administrative FOIA 
appeals (except for appeals of denials of expedited processing, which 
must be filed within ten (10) days).
    Paragraph (c) sets forth the required form and content of 
administrative appeals.
    Paragraph (d) sets forth a procedure for acknowledging the receipt 
of administrative appeals.
    Paragraph (e) authorizes the General Counsel of the Bureau to 
decide whether to affirm or overturn initial determinations of the 
Bureau which are subject to administrative appeals. The rule requires 
the General Counsel to respond to appeals within twenty (20) business 
days after their receipt, unless that time period is extended pursuant 
to Sec.  1070.16(d) of this subpart. It requires the General Counsel to 
notify requesters in writing of appellate determinations and, if the 
appeals are denied, to inform requesters of their rights to seek 
redress in Federal district court.
    Paragraph (g) notes that an appeal ordinarily will not be 
adjudicated if a FOIA request becomes a matter of FOIA litigation.

[[Page 11490]]

    One commenter suggests that the Bureau should amend Sec.  
1070.21(b), which sets forth a 45-day time limit to file a FOIA appeal 
that runs from the later of the date of the Bureau's decision to deny 
or grant the request or the date of the letter transmitting the last 
records released to the requester. The commenter argues that this 
provision should state instead that this 45-day time period should run 
from the later of the date of the Bureau's initial determination or the 
date that the last records are received by (rather than mailed to) the 
requester.
    The Bureau declines to adopt the commenter's suggestion regarding 
paragraph (b) because the Bureau would have no way to know, for 
purposes of determining whether a requester has met the appellate 
filing deadline, when a requester actually receives the records it 
transmits. The Bureau believes that a more reliable basis for computing 
the appellate deadline is the date of the Bureau's transmission of such 
records.
    The Bureau modifies Sec.  1070.21 to add a new paragraph (e)(3) 
that authorizes the General Counsel, in deciding FOIA appeals, to 
remand FOIA requests to the Chief FOIA Officer for such further action 
as the General Counsel directs, including but not limited to new or 
modified record searches. Actions of the Chief FOIA Officer on remand 
will be treated once again as initial determinations of the Bureau that 
are subject to the regular procedures set forth in this subpart for the 
Bureau to process, decide, and respond to FOIA requests. For example, 
the Chief FOIA Officer must respond to a remanded request in accordance 
with the deadlines set forth in Sec.  1070.16, which will run from the 
date of the Bureau's transmission of the remand notification. If a 
requester disagrees with the actions of the Chief FOIA Officer on 
remand, then the requester may file an administrative appeal of those 
actions in accordance with Sec.  1070.21.
Section 1070.22 Fees for Processing Requests for CFPB Records
    Section 1070.22 sets forth the criteria that the Bureau will use to 
determine whether and to what extent the Bureau may assess fees in 
connection with processing and responding to FOIA requests and appeals.
    Paragraph (a) generally describes the applicable procedure for 
determining whether and to what extent to assess fees to a FOIA 
request. It also identifies a schedule of fees assessable for time 
spent by Bureau employees searching for and reviewing requested records 
and for duplicating such records for production to a requester.
    Paragraph (b) describes the various categories that the Bureau will 
assign to each requester for the purpose of determining which types of 
fees apply to a request.
    Paragraph (c) describes the types of fees that apply to each of the 
categories of fee requesters set forth in paragraph (b).
    Paragraph (d) describes circumstances where the Bureau will not 
charge fees to requesters.
    Paragraph (e) sets forth the procedure by which FOIA requesters may 
seek, and the criteria that the Bureau will use to determine whether to 
grant requests for, waivers of or reductions in applicable fees.
    Paragraph (f) identifies circumstances in which the Bureau requires 
FOIA requesters to pre-pay fees associated with FOIA requests and in 
which the Bureau shall charge interest on and collect overdue fees.
    One comment argues that the Bureau's FOIA fee schedule, which the 
Bureau references in Sec.  1070.22(a)(1) and posts on its FOIA Web 
site, must go through the Administrative Procedure Act's notice and 
comment process.
    Another comment urges the Bureau to amend Sec.  1070.22(d)(3) to 
waive FOIA duplication fees for representatives of the news media in 
the event that the Bureau fails to comply with time limits applicable 
to FOIA requests.
    A commenter urges the Bureau to modify Sec.  1070.22(e) to permit 
requesters to seek waivers of or reductions in applicable fees at any 
time prior to the Bureau's response date.
    Finally, a comment suggests that the Bureau should limit the 
circumstances under which it requires prepayment of FOIA fees pursuant 
to Sec.  1070.22(f). This comment argues that requesters should not 
have to pay outstanding fees associated with their prior FOIA requests 
before the Bureau will process new requests that they submit because 
the FOIA entitles all requesters to a certain amount of free search 
time and duplication of records.
    The Bureau disagrees with the comment that the Bureau's schedule of 
FOIA fees, which the Bureau has published on its FOIA Web page since it 
promulgated the interim final rule, requires further notice and 
comment. This fee schedule, like the rest of the interim final rule, 
was subject to public comment, as the CPFB referenced the schedule in 
the rule. The Bureau received no public comments regarding this fee 
schedule.
    The Bureau modifies Sec.  1070.22(a) of the interim final rule so 
that it now states expressly--rather than merely referencing--the fee 
rates that the Bureau charges requesters to duplicate, search for, and 
review records. The Bureau also modifies this provision to clarify the 
circumstances under which the Bureau will charge fees when searching 
for electronic records.
    The Bureau modifies Sec.  1070.22(d)(3) of the interim final rule 
to provide, in accordance with section (a)(4)(a)(viii), that the Bureau 
shall not charge FOIA duplication fees for representatives of the news 
media in the event that the Bureau fails to comply with time limits 
applicable to FOIA requests.
    The Bureau declines to adopt the suggestion that it modify Sec.  
1070.22(e) so that requesters may seek waivers of or reductions in 
applicable fees at any time prior to the dates of the Bureau's 
responses to requests. By requiring requesters to state, at the time 
when they file their FOIA requests, whether they seek waivers of or 
reductions in fees, the Bureau seeks to address and resolve fee 
disputes at the outset of the request process and before the Bureau 
expends its time, resources, and funds to respond to requests. This 
procedure ensures that the Bureau does not perform work that the 
requester cannot, or does not wish to pay for, if the Bureau denies a 
fee waiver request.
    The Bureau also declines to modify Sec.  1070.22(f) of the interim 
final rule. This provision, which sets forth circumstances for 
requiring prepayment of fees, is consistent with guidance issued by the 
Office of Management and Budget for FOIA fees. See OMB Guidelines for 
FOIA Fees (1987), available at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/foia_fee_schedule_1987.pdf.
Section 1070.23 Authority and Responsibilities of the Chief FOIA 
Officer.
    Section 1070.23 sets forth the various authorities and 
responsibilities of the Chief FOIA Officer of the Bureau. One commenter 
argues that Sec.  1070.23 should include a provision that authorizes 
the Chief FOIA Officer to oversee the FOIA section of Bureau's Web 
site. The Bureau agrees with this comment and modifies the interim 
final rule to add a new paragraph (a)(7) that requires the Chief FOIA 
Officer to ``maintain and update, as necessary and in accordance with 
the requirements of this subpart, the CFPB's FOIA Web site, including 
its e-FOIA Library.''

[[Page 11491]]

Subpart C--Disclosure of CFPB Information in Connection With Legal 
Proceedings

Section 1070.30 Purpose and Scope; Definitions
    Section 1070.30(a) outlines subpart C, which sets forth procedures 
for serving the Bureau and its employees with documents in legal 
proceedings, such as summonses, complaints, subpoenas, and other 
litigation-related requests or demands for records and information, as 
well as procedures and criteria for the Bureau to follow when 
responding to such materials. These regulations (which are sometimes 
referred to as Touhy regulations) are modeled after similar regulations 
of other Federal agencies.
    Paragraph (b) clarifies that these procedures for serving legal 
documents on the Bureau do not apply to persons who seek to file FOIA 
requests or Privacy Act requests with the Bureau or those agencies that 
seek access to confidential information of the Bureau.
    Paragraph (c) further clarifies that the procedures of subpart C do 
not apply to requests for information made in the course of 
adjudicating certain administrative employment actions brought by 
Bureau employees or applicants for employment.
    Paragraph (d) notes that subpart C is not intended to, does not 
create, and may not be relied upon to create, any right or benefit, 
substantive or procedural, against the Bureau or the United States.
    Paragraph (e) defines the terms ``demand,'' ``legal proceeding,'' 
``official information,'' ``request,'' and ``testimony'' ``for purposes 
of this [subpart C] and except as the Bureau may otherwise determine in 
a particular case.''
    One commenter argues that Sec.  1070.30(e) is too malleable in that 
its definitions apply ``except as the Bureau may otherwise determine in 
a particular case.'' The commenter notes that this exception provides 
the Bureau with authority to redefine key terms as it sees fit to 
authorize disclosures of confidential information. The commenter 
suggests that the Bureau should eliminate this exception.
    To eliminate any ambiguity as to the meaning of the defined terms 
of Sec.  1070.30(e), the Bureau strikes the phrase ``except as the CFPB 
may otherwise determine in a particular case.'' The Final Rule also 
addresses several drafting errors and omissions.
Section 1070.31 Service of Summonses and Complaints
    Section 1070.31 of the interim final rule states that only the 
Bureau's General Counsel is authorized to receive and accept service of 
process of summonses and complaints in which the Bureau or its 
employees (in their official capacities) are sued.
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule with the following modification to 
reflect the new mailing address of the Bureau: 1700 G Street NW., 
Washington, DC 20552.
Section 1070.32 Service of Subpoenas, Court Orders, and Other Demands 
for CFPB Information or Action
    Section 1070.32 of the interim final rule states that, except where 
the Bureau is represented by legal counsel who have entered an 
appearance or otherwise given notice of their representation, only the 
Bureau's General Counsel is authorized to receive and accept service of 
subpoenas, court orders, and litigation demands and requests for the 
production of the Bureau's records and official information that are 
directed to the Bureau or its employees (in their official capacities).
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule with modifications that reflect 
the new mailing address of the Bureau: 1700 G Street NW., Washington, 
DC 20552. The final rule also clarifies certain service requirements. 
For example, paragraph (c) of the final rule eliminates the requirement 
that Bureau employees consult the General Counsel before declining to 
accept service of process on behalf of the Bureau. This modification 
simplifies the course of conduct for Bureau employees who are contacted 
by a process server and have no opportunity to consult with the General 
Counsel prior to deciding whether to decline to accept service. The 
final rule also corrects grammatical errors.
Section 1070.33 Testimony and Production of Documents Prohibited Unless 
Approved by the General Counsel
    Section 1070.33 provides that no current or former Bureau employee 
shall provide oral or written testimony concerning any official 
information of the Bureau or produce any document or material acquired 
as part of or by virtue of his or her employment at the Bureau unless 
the Bureau's General Counsel authorizes the employee or former employee 
to do so. The Bureau received no comments on the interim final rule. 
The Bureau adopts the interim final rule without modification.
Section 1070.34 Procedure When Testimony or Production of Documents Is 
Sought; General
    Section 1070.34 requires parties demanding the production of the 
Bureau's documents or testimony, in legal proceedings in which the 
United States or the Bureau are not parties, to provide the Bureau with 
certain information about the demand or request, including the name and 
forum of the proceeding, a detailed description of the nature of the 
information or testimony sought and its intended uses and relevance, a 
showing that the evidence sought through the production of the Bureau's 
records or testimony is not available from other sources, and, as the 
General Counsel deems appropriate, a statement of the party's plans to 
demand additional testimony or documents in the future. Unless and 
until a party provides this required information, the Bureau will not 
respond to a demand it receives. The Bureau received no comments on the 
interim final rule. The Bureau adopts the interim final rule without 
modification.
Section 1070.35 Procedure When Response To Demand Is Required Prior to 
Receiving Instructions
    Section 1070.35 states that, whenever a response to a demand for 
testimony or the production of documents or materials described in 
Sec.  1070.34 is due before the General Counsel renders a decision, 
then the Bureau will seek an extension of time to respond. If no 
extension is available or granted, then the Bureau will request that 
the court or other applicable authority stay the proceedings until such 
time as the General Counsel is able to respond. The Bureau received no 
comments on the interim final rule. The Bureau adopts the interim final 
rule without modification.
Section 1070.36 Procedure in the Event of an Adverse Ruling
    Section 1070.36 states that, whenever a court or other applicable 
authority declines to stay proceedings until the General Counsel is 
able to respond to a demand for testimony or the production of 
documents or materials described in Sec.  1070.34, or the court or 
other authority rules that the Bureau must comply with the demand 
irrespective of the General Counsel's instructions otherwise, then the 
employee upon whom the demand has been made shall respectfully decline

[[Page 11492]]

to comply with the demand citing this subpart and United States ex rel. 
Touhy v. Ragen, 340 U.S. 462 (1951). The Bureau received no comments on 
the interim final rule. The Bureau adopts the interim final rule 
without modification.
Section 1070.37 Considerations in Determining Whether the CFPB Will 
Comply With a Demand or Request
    Section 1070.37 sets forth various factors that the General Counsel 
shall consider in deciding whether to comply with a demand or request 
for the production of the Bureau's records or testimony. This section 
also lists factors that will normally cause the Bureau to refuse 
compliance with such a demand or request. These factors pertain to 
prudential considerations and discovery privileges established by 
Federal statutes, rules, and case law.
    Commenters argued generally that the provisions of subpart C do not 
do enough to protect confidential supervisory information from 
disclosure in a litigation context. Commenters note that the 
regulations of other Federal bank regulatory agencies contain 
provisions which state that normally, the agency will not release 
confidential supervisory information in response to a demand or request 
for such information.
    Section 1070.37 of the rule reflects the Bureau's intention to 
protect confidential supervisory information from disclosure in a 
litigation context. Paragraph (b) lists several factors that if found 
to exist would normally preclude the Bureau from granting a demand or 
request for confidential supervisory information. These factors 
include: (b)(4) ``[c]ompliance would reveal confidential or privileged 
commercial or financial information or trade secrets without the 
owner's consent''; (b)(6) ``[c]ompliance would not be appropriate or 
necessary under the relevant substantive law governing privilege''; and 
(b)(7) ``[c]ompliance would reveal confidential information.'' 
Paragraph (c) of this section also provides that the Bureau may 
condition disclosure of confidential supervisory information pursuant 
to a request or demand upon the entry of an appropriate protective 
order.
    Although the Bureau believes that these provisions adequately 
protect confidential supervisory information from disclosure, the 
Bureau nevertheless adds two new factors to paragraph (b) to bolster 
these protections further. The first new factor states that the Bureau 
will not normally grant a response to a request or demand for 
confidential supervisory information when doing so would compromise the 
Bureau's supervisory functions or programs or would undermine public 
confidence in supervised institutions. The second factor states that 
the Bureau will not normally grant a response when doing so would 
undermine the Bureau's ability to monitor for risks to consumers in the 
offering of consumer financial products or services.
Section 1070.38 Prohibition on Providing Expert or Opinion Testimony
    Section 1070.38 prohibits Bureau employees or former employees from 
providing opinion or expert testimony based upon information (other 
than general expertise) which they acquired in the scope and 
performance of their official Bureau duties, except to the extent that 
they provide such testimony on behalf of the United States or a party 
represented by the Bureau or the Department of Justice. The General 
Counsel has discretion to waive this prohibition if the requestor 
demonstrates an exceptional need or unique circumstances and that the 
anticipated testimony will neither be adverse to the United States nor 
require the United States to pay the employee's or former employee's 
travel or other expenses associated with providing the requested 
testimony.
    A commenter argues that the Bureau should eliminate Sec.  
1070.38(c), which permits Bureau employees to testify as expert 
witnesses under certain circumstances, because ``[g]iving free expert 
testimony is not among the permissible Bureau disclosures of 
information.''
    The Bureau adopts the interim final rule without modification. 
Paragraph (c) is consistent with the rules of other Federal agencies 
and with Federal ethics regulations regarding the provision of expert 
testimony by Federal employees.

Subpart D--Confidential Information

Section 1070.40 Purpose and Scope
    Section 1070.40 clarifies that subpart D does not apply to FOIA or 
Privacy Act requests or requests or demands for official information 
made within the context of litigation. The Bureau received no comments 
on the interim final rule. The Bureau adopts the interim final rule 
without modification.
Section 1070.41 Non-Disclosure of Confidential Information
    Section 1070.41(a) generally prohibits the disclosure of 
confidential information by the Bureau's employees, former employees, 
or other persons who possess the Bureau's confidential information, to 
non-employees of the Bureau or to Bureau employees for whom such 
information is not relevant to the performance of their assigned 
duties. This prohibition includes disclosures made by any means 
(including written or oral communications) or in any format (including 
paper and electronic formats).
    Excluded from this general prohibition are disclosures of 
confidential information to consultants and contractors of the Bureau 
who agree, in writing, to protect the confidentiality of the 
information in accordance with Federal law as well as any additional 
conditions or limitations that the Bureau may impose upon them.
    Section 1070.41(c) states that the Bureau is not precluded from 
disclosing materials that it derives from or creates using confidential 
information, provided that such materials do not identify, either 
directly or indirectly, any particular persons to whom the confidential 
information pertains. This paragraph clarifies that the Bureau may 
create and publish reports, analyses, and other materials derived from 
confidential information so long as the reports, analyses, or other 
materials do not identify the subject of such information or discuss 
the information in such a way that one could infer the identity of the 
person it concerns. For example, the Bureau is not precluded from 
publishing reports that contain aggregate data derived from 
confidential information, provided the report cannot be used in 
conjunction with other publicly available information to re-identify 
the source of the information.
    Section 1070.41(d) clarifies that nothing in subpart D requires or 
authorizes the Bureau to disclose confidential information that another 
agency has provided to the Bureau to the extent that such disclosure 
contravenes applicable law or the terms of any agreement that exists 
between the Bureau and the agency to govern the Bureau's treatment of 
information that the agency provides to the Bureau.
    The Bureau received several comments on Sec.  1070.41. One 
commenter argues that Sec.  1070.41(a)(2), which limits the internal 
dissemination of confidential information to Bureau employees with a 
bona fide need to know the information to perform assigned duties, is 
incongruous with Sec.  1070.41(b), which permits disclosures of 
confidential information to the Bureau's contractors without 
qualification. The commenter argues that the Bureau should either 
eliminate any restriction on the internal dissemination in paragraph 
(a) or apply

[[Page 11493]]

it equally to contractors in Sec.  1070.41(b). To the extent that the 
Bureau chooses to do the latter, another commenter argues that the 
Bureau should amend Sec.  1070.41(b) to state that disclosures to 
contractors or consultants may occur only as necessary to, and solely 
for purposes of, providing services for or rendering advice to the 
Bureau.
    One commenter argues that the Bureau should delete Sec.  
1070.41(c), which authorizes the Bureau to disclose materials derived 
from confidential information so long as such materials do not identify 
those to whom the confidential information pertains, because the Trade 
Secrets Act may prohibit certain of these disclosures. Another 
commenter also criticizes this provision because it fails to specify 
criteria for determining that materials derived from confidential 
information do not identify, either directly or indirectly, any 
particular person to whom the confidential information pertains.
    A commenter objects to Sec.  1070.41(d), which states that subpart 
D does not require or authorize the disclosure of confidential 
information otherwise prohibited by applicable law or by the terms of 
any agreements reached with other agencies. The commenter argues that 
the Bureau should delete the phrase ``or the terms of any agreement 
that exists between the CFPB and the agency to govern the CFPB's 
treatment of information that the agency provides to the CFPB'' 
because, according to the commenter, this provision allows the Bureau 
to withhold information, pursuant to agreement, that other laws, such 
as the Freedom of Information Act, require the Bureau to disclose.
    To address concerns that paragraphs (a) and (b) of Sec.  1070.41 
set forth inconsistent criteria for disclosing confidential information 
to Bureau employees on one hand and to Bureau contractors or 
consultants on the other hand, the Bureau modifies these paragraphs to 
provide for consistent treatment. In making these modifications, the 
Bureau deems it appropriate to retain restrictions in paragraph (a) on 
the internal dissemination of confidential information. By prohibiting 
the disclosure of confidential information to employees, contractors, 
and consultants who have no business reason to see it, the Bureau 
reduces the risk that such persons will misuse or inadvertently 
disclose the information. Such restrictions also are consistent with 
regulations established by other Federal agencies to protect 
confidential information.
    The Bureau adopts paragraph (c) of the interim final rule without 
modification. The Bureau declines to adopt more specific or stringent 
standards for determining that materials it derives from confidential 
information do not identify any particular person to whom the 
information pertains. The interim final rule allows the Bureau to 
report on and discuss its work involving confidential information while 
providing reasonable assurance that when it does so, it protects the 
persons to whom confidential information pertains.
    The interim final rule protects persons to whom confidential 
information pertains by allowing the Bureau to publish materials it 
derives from such confidential information only if the materials do not 
identify ``directly or indirectly'' the persons to whom it pertains. 
This provision precludes the Bureau from publishing materials that 
identify such persons expressly or that a reader could combine with 
materials readily available from other sources to deduce the identity 
of such persons.
    The Bureau believes that the interim final rule strikes an 
appropriate balance between the need to maintain the confidentiality of 
proprietary or other sensitive information and the Bureau's 
obligations, under provisions of the Dodd-Frank Act such as sections 
1021 and 1022, to inform the public about the functioning of the 
marketplace for consumer financial products and services.
    The Bureau also concludes that it is inappropriate to specify more 
detailed criteria for determining when materials derived from 
confidential information are sufficiently anonymized for disclosure. 
The applicable criteria will differ significantly depending upon the 
type of confidential information at issue and the context in which it 
exists. The interim final rule offers appropriate discretion to the 
Bureau to make determinations based upon the facts and circumstances of 
each set of materials it seeks to disclose.
    The Bureau adopts paragraph (d) of the interim final rule without 
modification. This paragraph does not authorize the Bureau, pursuant to 
the terms of its confidentiality agreements with other agencies, to 
withhold confidential information from disclosure when applicable laws, 
such as the FOIA, require its disclosure. Instead, this paragraph 
simply clarifies that subpart D does not permit or authorize the Bureau 
to voluntarily disclose confidential information that it obtains from 
other agencies, in violation of its confidentiality agreements with 
such agencies, where applicable law otherwise authorizes (but does not 
require) the Bureau to disclose the information. These agreements would 
not and could not preclude the disclosure of confidential information 
where applicable law requires the Bureau to disclose it. In this 
regard, the Bureau notes that Sec.  1070.41(a) of this subpart 
authorizes the Bureau to disclose confidential information ``as 
required by law'' and that Sec.  1070.40 states that the provisions of 
subpart D do not govern the Bureau's responses to FOIA requests. 
Finally, we note that none of the Bureau's confidentiality agreements 
purport to preclude the Bureau from disclosing confidential information 
where applicable law requires it do so.
Section 1070.42 Disclosure of Confidential Supervisory Information to 
and by Supervised Financial Institutions
    Section 1070.42(a) of the interim final rule provides that the 
Bureau may, in its discretion, disclose confidential supervisory 
information, such as reports of examination, to supervised financial 
institutions to which the reports pertain. To the extent that the 
Bureau chooses to do so, Sec.  1070.42(b) prohibits institutions from 
further disseminating the confidential information they receive except 
in limited circumstances. Supervised financial institutions may share 
confidential supervisory information with their directors, officers, 
and employees, and with those of their parent companies, to the extent 
that the disclosure of such confidential supervisory information is 
relevant to the performance of such individuals' assigned duties. 
Supervised financial institutions may also share confidential 
supervisory information with their (or their parent companies') outside 
legal counsel, certified public accountants, and consultants, provided 
that the supervised financial institutions take reasonable steps to 
ensure that such legal counsel, accountants, or consultants do not 
utilize, make or retain copies of, or further disclose confidential 
information except as is necessary to provide advice to the supervised 
financial institutions, their parent companies, or to their respective 
directors, officers, or employees. Furthermore, the institutions must 
keep written records of their disclosures of confidential information 
to their legal counsel, accountants, and consultants, along with the 
steps they have taken to ensure that these accountants, legal counsel, 
and consultants do not improperly utilize, make or retain copies of, or 
disclose such information. Supervised financial institutions shall

[[Page 11494]]

provide these written records to the Bureau, upon request or demand.
    One commenter criticizes Sec.  1070.42(b) of the interim final 
rule, which prohibits financial institutions in receipt of confidential 
information from further disclosing such information, except to its 
officers, directors, parents, and certain of its employees, and to its 
outside accountants, legal counsel, and consultants. The commenter 
argues that this provision is unreasonably restrictive in that 
financial institutions may have legitimate reasons to share 
confidential information with affiliates and with any manner of third-
party service providers acting on their behalf. Commenters also object 
to the requirement of Sec.  1070.42(b)(2)(ii) that financial 
institutions keep a written account of all of their disclosures of 
confidential information to third parties. The commenter argues that 
the Bureau has no authority to require such accounting to the extent 
that disclosures occur in a privileged context.
    The Bureau modifies paragraphs (a) and (b) of the interim final 
rule. The final rule permits the Bureau to disclose confidential 
supervisory information that concerns a supervised financial 
institution or its service providers (as section 1002(26) of the Dodd-
Frank Act defines that term) to that supervised financial institution, 
to its directors, officers, trustees, members, general partners, or 
employees, as well as to its ``affiliates'' (as section 1002(1) of the 
Dodd-Frank Act defines that term) and the directors, officers, 
trustees, members, general partners, or employees of such affiliates. 
The final rule also permits a supervised financial institution to 
further disclose confidential supervisory information that it lawfully 
receives from the Bureau to its directors, officers, trustees, members, 
general partners, and employees and to its affiliates and its 
affiliate's directors, officers, trustees, members, general partners, 
or employees, to the extent that such disclosures are relevant to the 
performance of these individuals' assigned duties.
    Furthermore, the final rule now permits a supervised financial 
institution or its affiliate to further disclose confidential 
supervisory information that it lawfully receives from the Bureau to 
its certified public accountants, outside legal counsel, contractors, 
consultants, and service providers as well as, with the prior written 
authorization of the Associate Director for Supervision, Enforcement, 
and Fair Lending or his or her delegee, to other persons, provided that 
the supervised financial institution or its affiliate shall take 
reasonable steps to ensure that such recipients do not, without the 
prior written approval of the Associate Director for Supervision, 
Enforcement, and Fair Lending or his or her delegee, utilize, make or 
retain copies of, or disclose confidential supervisory information for 
any purpose, except as is necessary to provide advice or services to 
the supervised financial institution or its affiliate.
    In response to the comments discussed above, the final rule deletes 
the disclosure accounting requirements of paragraph (b)(2)(ii) of this 
section. The Bureau agrees with commenters that this accounting 
requirement is burdensome and that the restrictions of Sec.  1070.47 of 
this subpart are sufficient to protect confidential supervisory 
information against further disclosures.
Section 1070.43 Disclosure of Confidential Information to Law 
Enforcement Agencies and Other Government Agencies
    Section 1070.43 sets forth circumstances under which the Bureau 
must or may disclose various categories of confidential information to 
other government agencies.
    Section 1070.43(a)(1) implements sections 1022(c)(6)(C)(i) and 
1025(e)(1)(C) of the Dodd-Frank Act, which require the Bureau to share 
with Federal and State agencies having jurisdiction over supervised 
financial institutions, the Bureau's reports of examination of those 
supervised financial institutions, including drafts thereof, final 
reports, and revisions to final reports, provided that the Bureau 
receives from the agencies reasonable assurances that they will 
maintain the confidentiality of the information provided.
    Section 1070.43(a)(2) implements section 1013(b)(3)(D) of the Dodd-
Frank Act, which requires the Bureau to share confidential consumer 
complaint information with Federal and State agencies, provided that 
the agencies first give written assurances to the Bureau that they will 
maintain such information in a manner that conforms to the standards 
that apply to Federal agencies for the protection of the 
confidentiality of personally identifiable information and for data 
security and integrity.
    Section 1070.43(b)(1) of the interim final rule authorizes the 
Bureau to make discretionary disclosures of confidential information to 
Federal and State agencies under certain circumstances. For example, 
this provision implements section 1022(c)(6)(C)(ii) of the Dodd-Frank 
Act, which authorizes the Bureau, upon request, to share examination 
reports as well as other reports and confidential supervisory 
information about supervised financial institutions with Federal and 
State agencies having jurisdiction over those institutions. Section 
1070.43(b)(1) also authorizes the Bureau, upon request, to share 
confidential investigatory information about supervised financial 
institutions with Federal and State agencies having jurisdiction over 
those institutions.
    Section 1070.43(b)(2) sets forth procedures for Federal and State 
agencies to follow when requesting access to the Bureau's confidential 
information as set forth in section 1070.43(b)(1). The Bureau's General 
Counsel is responsible for acting upon such requests in consultation 
with the Bureau's Associate Director for Supervision, Enforcement, and 
Fair Lending or with other appropriate Bureau personnel. Requests must 
be submitted in writing by authorized officers or employees of the 
requesting agencies. Requests should describe the nature of the 
confidential information and documents sought and the purposes for 
which it will be used. Requests should also identify the agency's legal 
authority for requesting the documents and any provisions that restrict 
the Bureau's authority to disclose the information. Finally, the 
requests should certify that the requesting agency will maintain the 
requested confidential information in accordance with this rule and in 
a manner that conforms to the standards that apply to Federal agencies 
for the protection of the confidentiality of personally identifiable 
information and for data security and integrity. Moreover, the requests 
should certify that the agencies will adhere to any additional 
conditions or limitations that the Bureau, in its discretion, decides 
to impose.
    Section 1070.43(c) clarifies that requests by State agencies for 
information or records of the Bureau that do not constitute 
confidential information must be made in accordance with the Bureau's 
FOIA regulations set forth in subpart B.
    Sections 1070.43(d) permits the Bureau to enter into agreements 
with Federal and State agencies that provide for standing access to 
confidential information.
    The majority of the comments that the Bureau received in response 
to the interim final rule pertain to Sec.  1070.43.
    Several commenters argue that the Bureau lacks authority under the 
Dodd-Frank Act to make disclosures of confidential information either 
at all or to the extent provided by Sec.  1070.43.

[[Page 11495]]

    One commenter asserts that the Dodd-Frank Act does not authorize 
the Bureau to disclose any confidential information to the State 
attorneys general or to private parties. This commenter argues that the 
Bureau promulgated Sec.  1070.43(b) of the interim final rule based 
upon a misinterpretation of section 1022(c)(6)(C)(ii) of the Dodd-Frank 
Act. Section 1022(c)(6)(C)(ii) of the Dodd-Frank Act provides that, 
``[i]n addition to the [examination] reports described in clause (i), 
the CFPB may, in its discretion, furnish to a prudential regulator or 
other agency having jurisdiction over a covered person or service 
provider any other report or other confidential supervisory information 
concerning such person examined by the CFPB under the authority of any 
other provision of Federal law.'' The commenter argues that this 
provision does not authorize the Bureau to disclose confidential 
supervisory information; rather, it authorizes the Bureau to withhold 
supervisory information. That is, the commenter believes that section 
1022(c)(6)(C)(ii) means that the Bureau may decline to disclose 
confidential supervisory information to other agencies when a provision 
of Federal law other than section 1022(c)(6)(C)(i) authorizes the 
disclosure. This commenter also asserts that section 1022(c)(6)(C)(ii) 
of the Dodd-Frank Act permits discretionary disclosures only to a 
``prudential regulatory or other agency'' and that these terms do not 
include State attorneys general or private parties.
    Other commenters argue that the Dodd-Frank Act does not authorize 
the Bureau to disclose confidential information to State attorneys 
general for purposes unrelated to the enforcement of consumer financial 
law or, as stated by one commenter, for purposes unrelated to the 
enforcement of Federal consumer financial law.
    Commenters furthermore argue that by authorizing the Bureau to 
share confidential information with State attorneys general in 
circumstances where they lack authority to enforce applicable law 
within the judicial process, Sec.  1070.43(b) expands State 
investigative powers beyond the limits set forth in section 1047 of the 
Dodd-Frank Act and the Supreme Court's decision in Cuomo v. 
Clearinghouse Ass'n, LLC, 557 U.S. 519 (2009). Section 1047 of the 
Dodd-Frank Act amends the National Bank Act (NBA) and the Home Owners 
Loan Act (HOLA) to confirm the Supreme Court's view in Cuomo that the 
NBA's references to visitorial authority of the Office of the 
Comptroller of the Currency do not limit or restrict the authority of 
State attorneys general to enforce applicable law against national 
banks or Federal savings associations or to seek relief as authorized 
by such law. According to the commenters, the Cuomo decision rejects a 
State attorney general's authority to obtain information directly from 
national banks when it does so outside of the context of a judicial 
proceeding where it is seeking to enforce applicable law. The 
commenters argue that in codifying the Cuomo decision in section 1047 
of the Dodd-Frank Act, Congress could not have intended for State 
attorneys general to be able to obtain from the Bureau confidential 
information relating to national banks that these attorneys general 
could not obtain directly from such banks. These commenters propose 
that the Bureau limit its disclosure of confidential information to 
State attorneys general to circumstances where the attorneys general 
exercise their authority to enforce applicable law within a judicial 
process and such disclosure relates to the exercise of that authority 
by the State attorneys general.
    Other commenters argue that the Bureau should either prohibit 
outright the disclosure of confidential information to other agencies, 
and to State attorneys general in particular, or restrict the 
circumstances under which the Bureau may do so. Commenters present 
varied proposals for applicable disclosure standards.
    One commenter proposes that the Bureau limit the disclosure of 
confidential information to State attorneys general to circumstances 
where the attorneys general demonstrate that they seek such information 
for purposes of enforcing consumer financial protection laws. Other 
commenters propose that disclosures of confidential supervisory 
information should be limited to agencies with financial institution 
supervisory authority.
    Some commenters suggest that, consistent with disclosure standards 
promulgated by some other Federal bank regulatory agencies, the Bureau 
should permit discretionary disclosures of confidential supervisory 
information only if requesters demonstrate a substantial need for the 
information that outweighs the need to maintain confidentiality and 
only when requestors have no other means of acquiring the information 
directly from the financial institutions to which it pertains or 
otherwise.
    Commenters also propose that the Bureau impose additional 
procedural requirements for the discretionary disclosure of 
confidential information. Several commenters propose that requests for 
confidential information should be granted only when made by senior 
officials of or the heads of requesting agencies. Others suggest that 
the Bureau should require requesters of confidential information to 
represent that they have implemented and maintain comprehensive 
information security programs to protect the confidentiality and 
security of the information requested. They maintain that the Bureau 
should take steps to confirm such representations and audit requesters' 
systems for maintaining the confidentiality and security of information 
disclosed.
    Commenters furthermore argue that the Bureau should provide 
financial institutions with notice of third party requests for 
confidential information as well as opportunities to object to such 
disclosures unless the Bureau determines, in its discretion, that doing 
so would advantage or prejudice any of the parties in the matter at 
issue. Similarly, one commenter suggests that the Bureau should refer 
requests for confidential information to prudential regulators so that 
they can prohibit disclosure if a rational basis exists to conclude 
that disclosure would threaten the safety and soundness of the 
institutions concerned.
    Finally, one commenter asks the Bureau to clarify that Sec.  
1070.43(a)(1), which requires the Bureau to disclose reports of 
examination to certain Federal and State agencies, pertains to 
examination reports of both depository and non-depository institutions.
    As a preliminary matter, the Bureau affirms its authority under the 
Dodd-Frank Act to promulgate a rule that provides for the disclosure of 
confidential information to Federal and State agencies, including State 
attorneys general.
    Section 1012 of the Dodd-Frank Act grants to the Director authority 
to establish rules for conducting the general business of the Bureau, 
to implement the Federal consumer financial laws through rules, and to 
perform such other functions as may be authorized or required by law. 
In addition, section 1022(b)(1) authorizes the Bureau to ``prescribe 
rules * * *, as may be necessary or appropriate to enable the Bureau to 
administer and carry out the purposes and objectives of the Federal 
consumer financial laws * * *.'' Finally, section 1022(c)(6)(A) of the 
Dodd-Frank Act authorizes the Bureau to ``prescribe rules regarding the 
confidential treatment of information obtained from persons in 
connection with the exercise of its authorities under Federal consumer 
financial law.'' These

[[Page 11496]]

and other provisions of the Dodd-Frank Act provide the Bureau with 
ample authority to prescribe rules that govern which of the information 
that it generates or obtains it will regard as ``confidential,'' what 
confidentiality means, and the terms and conditions under which the 
Bureau will share confidential information with other Federal or State 
agencies.
    Furthermore, Sec.  1070.43 implements several provisions of the 
Dodd-Frank Act that require or authorize the Bureau to share 
confidential information with Federal and State agencies.\7\
---------------------------------------------------------------------------

    \7\ Section 1070.43 of the rule comports with section 1022(c)(8) 
of the Dodd-Frank Act. Section 1022(c)(8) of the Dodd-Frank Act 
requires the Bureau to ``take steps to ensure that proprietary, 
personal, or confidential consumer information that is protected 
from public disclosure under section 552(b) or 552a of title 5, 
United States Code, or any other provision of law, is not made 
public under this title.'' The Bureau interprets this provision of 
the Dodd-Frank Act to require the Bureau to take steps to prevent 
``public'' disclosures of this information; section 1022(c)(8) does 
not preclude the Bureau from sharing this information with other 
agencies as long as the Bureau takes steps to ensure that these 
agencies will not make the information available to the public. If 
the Bureau takes such steps, then its sharing of confidential 
information with other agencies is not tantamount to a public 
disclosure.
    The rule includes appropriate measures to ensure that 
information that the Bureau shares with other agencies will remain 
confidential once shared. Section 1070.43(a) requires the Bureau to 
share certain confidential information with State agencies only to 
the extent that these agencies provide assurances to the Bureau that 
they will maintain the information in confidence. Section 1070.43(b) 
authorizes the General Counsel to grant agency requests for access 
to confidential information only to the extent that the requesting 
agencies first commit to maintain the information in confidence. 
Furthermore, section 1070.47(a) of the rule prohibits agencies in 
receipt of confidential information from further disclosing such 
information to third parties without the prior written permission of 
the Bureau. Lastly, section 1070.47(c) preserves any applicable 
legal privileges when the Bureau shares confidential information 
with other agencies.
---------------------------------------------------------------------------

    For example, section 1013 of the Dodd-Frank Act expressly requires 
the Bureau to route consumer complaints to Federal and State agencies 
as well as to share consumer complaint information with prudential 
regulators, the Federal Trade Commission, other Federal agencies, and 
State agencies, provided that such agencies protect the confidentiality 
of personally identifiable information associated with such complaints. 
Section 1070.43(a)(2) of the rule implements this provision of the 
Dodd-Frank Act.
    Section 1022(c)(6)(C)(i) of the Dodd-Frank Act requires the Bureau 
to share with prudential regulators, State regulators, or any other 
Federal agencies having jurisdiction over a covered person or service 
provider ``any report of examination made by the Bureau with respect to 
such person, and to all revisions made to such report,'' provided that 
such regulators or agencies give the Bureau reasonable assurances that 
they will maintain the confidentiality of the information shared. 
Section 1070.43(a)(1) of the rule implements this provision of the 
Dodd-Frank Act.
    In addition to requiring the Bureau to share examination reports 
with other regulators and Federal agencies, section 1022(c)(6)(C)(ii) 
of the Dodd-Frank Act permits the Bureau, ``in its discretion, [to] 
furnish to a prudential regulator or other agency having jurisdiction 
over a covered person or service provider any other report or other 
confidential supervisory information concerning such person examined by 
the Bureau under the authority of any other provision of Federal law.'' 
The Bureau interprets this provision as permitting it to share 
examination reports as well as other reports and confidential 
supervisory information with all prudential regulators and all 
agencies--including State attorneys general--that have jurisdiction 
over the covered persons or service providers to which the shared 
information pertains. Section 1070.43(b) of the rule implements this 
provision of the Dodd-Frank Act.
    The Bureau disagrees with the commenter who argues that section 
1022(c)(6)(C)(ii) of the Dodd-Frank Act should not be interpreted as a 
grant of discretionary authority to share confidential supervisory 
information with other agencies, and that it instead merely qualifies 
section 1022(c)(6)(C)(i) of the Dodd-Frank Act by authorizing the 
Bureau to withhold from other agencies reports or other confidential 
supervisory information that the Bureau generates or obtains pursuant 
to Federal laws other than the Dodd-Frank Act. The commenter's 
interpretation of section 1022(c)(6)(C)(ii) is contrary to what the 
Bureau concludes is the better meaning of the provision. Rather than 
use language which states or implies that section 1022(c)(6)(C)(ii) 
qualifies or limits the information sharing requirement of section 
1022(c)(6)(C)(i), Congress began section 1022(c)(6)(C)(ii) with the 
language ``[i]n addition to the reports described in clause (i), the 
Bureau may, in its discretion, furnish * * *.'' This language suggests 
that Congress intended for the information sharing authority it granted 
in clause (ii) to be a positive grant of authority that supplements the 
authority it granted in clause (i). Moreover, the last portion of 
section 1022(c)(6)(C)(ii)--``any other report or other confidential 
supervisory information concerning such person examined by the Bureau 
under the authority of any other provision of Federal law''--suggests 
that in addition to the examination reports that the Bureau must share 
with other agencies, the Bureau may also choose to share with other 
agencies other reports or confidential supervisory information that it 
creates or obtains through its exercise of examination powers other 
than those that Congress describes in section 1022(c)(6)(C) of the 
Dodd-Frank Act.
    The Bureau also disagrees with commenters that section 
1022(c)(6)(C) of the Dodd-Frank Act does not permit the Bureau to share 
examination reports or confidential supervisory information with State 
attorneys general. In delineating the Bureau's responsibilities and 
authorities to share confidential supervisory information, section 
1022(c)(6)(C) of the Dodd-Frank Act discusses sharing with a 
``regulator''--a term that, when applied to the States, may include a 
State attorney general in certain circumstances--and sharing with an 
``agency''--a broader term that, when applied to the States, 
encompasses State attorneys general in all circumstances. When section 
1022(c)(6)(C)(i) provides that the Bureau must share examination 
reports with a ``prudential regulator, a State regulator, or any other 
Federal agency having jurisdiction over a covered person or service 
provider,'' the Bureau interprets the provision to require it to share 
such reports with State attorneys general to the extent that they 
regulate the covered persons or service providers to which the reports 
pertain, but not to require the Bureau to share these reports with 
State attorneys general that do not regulate such entities. 
Nevertheless, when section 1022(c)(6)(C)(ii) provides that the Bureau 
may share examination reports, as well as other reports or confidential 
supervisory information, with ``a prudential regulator or other agency 
having jurisdiction over a covered person or service provider,'' it 
permits the Bureau to share examination reports as well as other 
reports and confidential supervisory information with all Federal and 
State agencies, including State attorneys general, that both do and do 
not regulate the covered persons or service providers to which the 
information pertains (to the extent that such agencies have 
jurisdiction over such covered persons or service providers).
    Although the Bureau has legal authority under the Dodd-Frank Act to 
promulgate Sec.  1070.43, and to share its confidential information 
with other agencies, including with State attorneys general, the Bureau 
has made clear that it intends to exercise its discretion

[[Page 11497]]

carefully. The Bureau recently articulated the following policy for 
sharing confidential supervisory information with law enforcement 
agencies:

    [T]he Bureau will not routinely share confidential supervisory 
information with agencies that are not engaged in supervision. 
Except where required by law, the Bureau's policy is to share 
confidential supervisory information with law enforcement agencies, 
including State Attorneys General, only in very limited 
circumstances and upon review of all of the relevant facts and 
considerations. The significance of the law enforcement interest at 
stake will be an important consideration in any such review. 
However, even the furtherance of a significant law enforcement 
interest will not always be sufficient, and the Bureau may still 
decline to share confidential supervisory information based upon 
other considerations, including the integrity of the supervisory 
process and the importance of preserving the confidentiality of the 
information. In these circumstances, the decision whether to provide 
confidential supervisory information to another agency will be made 
by the General Counsel, in consultation with appropriate Bureau 
personnel.

CFPB Bulletin 12-01 (Jan. 4, 2012) (footnote and citation omitted). The 
Bureau intends to employ this policy when it decides whether, and to 
what extent, to share confidential supervisory information with State 
attorneys general.
    The Bureau also declines to incorporate into Sec.  1070.43(b) 
additional procedural requirements for sharing confidential information 
with other agencies. Section 1070.43(b) already requires agencies that 
request confidential information to make formal written requests 
through authorized officers or employees. Such requests must describe 
the information requested, the purposes for which it will be used, the 
requesting agency's legal authority for requesting the information, and 
any applicable restrictions on its authority to protect the requested 
information. Furthermore, the requests must certify the requester's 
commitment to maintain the confidentiality, security, and integrity of 
the requested information. The General Counsel also may require the 
requester to certify adherence to such additional terms and conditions 
as she sees fit to impose. The Bureau believes that these procedures, 
which are largely consistent with those of other Federal bank 
regulatory agencies, adequately ensure that the General Counsel shares 
confidential information only with appropriate agencies, for 
appropriate purposes, and only to the extent that such agencies are 
willing and able to protect the confidentiality, security, and 
integrity of the information disclosed.
    The Bureau does not deem it necessary or appropriate to impose the 
more stringent procedural requirements that commenters propose.
    For example, the Bureau declines to seek approval of prudential 
regulators prior to granting requests to share its confidential 
information with other agencies. There is no basis in the Dodd-Frank 
Act for requiring such approval and in any event, there are inter-
agency agreements that govern the sharing of confidential information 
between Federal and State regulators.
    The Bureau also declines to require that only senior agency 
officials or agency heads may file requests for access to confidential 
information when it already requires that only authorized officials or 
employees may do so.
    Furthermore, the Bureau does not deem it necessary to undertake 
audits of the security systems of requesting agencies to determine 
whether these agencies are capable of adequately safeguarding 
confidential information. Prior to disclosing confidential information 
pursuant to Sec.  1070.43(b), the Bureau will take reasonable steps to 
ensure that requesting agencies are legally authorized to protect the 
confidentiality of the information and that they have systems in place 
to safeguard it from theft, loss, or unauthorized access or disclosure.
    The Bureau will not revise its rules to require it to notify 
financial institutions when it receives requests from other agencies 
for confidential information or to allow financial institutions to 
object to its determinations to grant such requests. The Bureau shares 
information with other agencies typically within the context of joint 
supervisory examinations and law enforcement investigations. Within 
this context, notification could reveal prematurely plans to 
investigate or examine financial institutions and might compromise 
these joint endeavors. Similarly, financial institutions could misuse a 
right to object to the Bureau's information sharing determinations to 
obstruct or stymie or joint investigations or examinations.
    Finally, the Bureau deems it unnecessary to modify Sec.  
1070.43(a)(1) to clarify that the Bureau must share with certain other 
agencies reports of examination of both depository and non-depository 
financial institutions. The definition of the phrase ``financial 
institution'' in Sec.  1070.2(l) of the rule is broad and includes all 
manner of covered persons and service providers, including non-
depository institutions.
    Although the Bureau declines to supplement the procedural 
requirements of Sec.  1070.43, the final rule modifies elements of that 
provision for purposes of clarification.
    First, the Bureau modifies Sec.  1070.43(a)(2) to clarify that the 
Bureau shall share confidential consumer complaint information with 
agencies to the extent that they provide written certifications to the 
Bureau that they will maintain the information in confidence, including 
by maintaining it in a manner that conforms to the standards that apply 
to Federal agencies for the protection of the confidentiality of 
personally identifiable information and for data security and 
integrity.
    Second, the Bureau modifies Sec.  1070.43(b)(2)(iv) of the interim 
final rule to clarify that the Bureau requires a requesting agency to 
identify its legal authority to protect the requested documents from 
public disclosure.
    Third, the Bureau modifies Sec.  1070.43(b)(2)(v) of the interim 
final rule to clarify that agencies seeking access to confidential 
information must certify that they will keep that information 
confidential in addition to safeguarding it ``in a manner that conforms 
to the standards that apply to Federal agencies for the protection of 
the confidentiality of personally identifiable information and for data 
security and integrity'' and complying with such additional conditions 
and limitations as the Bureau sees fit to impose. For purposes of both 
Sec. Sec.  1070.43(a)(2) and 1070.43(b)(2)(v), the Bureau interprets 
the phrase ``standards that apply to Federal agencies for the 
protection of the confidentiality of personally identifiable 
information and for data security and integrity'' to mean, at a 
minimum, that an agency shall store confidential information in a 
secure environment where access is limited only to those of its 
employees, contractors, and agents who have a bona fide need for the 
information to perform their official duties relating to the purpose 
for which the information was shared. Furthermore, the Bureau requires 
the agency to notify the Bureau immediately of any actual or suspected 
security breach involving confidential information, including any 
theft, loss, unauthorized disclosure, or misuse of any confidential 
information that consists of personally-identifiable information.
Section 1070.44 Disclosure of Confidential Consumer Complaint 
Information.
    Section 1070.44 states that nothing in this part limits the 
Bureau's discretion

[[Page 11498]]

to disclose confidential consumer complaint information, to the extent 
permitted by law, to the extent that such disclosure is necessary to 
investigate, resolve, or otherwise respond to consumer complaints or 
inquiries regarding financial institutions or consumer financial 
products and services.
    One commenter argues that the Bureau should specify, in Sec.  
1070.44, the circumstances in which it intends to disclose confidential 
consumer complaint information. The commenter suggests that the Bureau 
should keep consumer complaints confidential, especially to the extent 
that they are unsubstantiated, to avoid harming the reputations and 
financial performance of financial institutions. Even where 
substantiated, the commenter argues that the Bureau should address 
complaints privately or through enforcement actions, and not through 
public disclosure.
    The Bureau adopts the interim final rule without modification. On 
June 22, 2012, the Bureau published in the Federal Register its policy 
for publishing consumer complaints online. This policy addresses the 
commenter's concerns. See 77 FR 37558.
Section 1070.45 Affirmative Disclosure of Confidential Information
    Section 1070.45(a) of the interim final rule permits the Bureau to 
affirmatively disclose confidential investigative information, such as 
civil investigative demand material and other confidential information 
that becomes part of the Bureau's investigative files, to Bureau 
employees, to law enforcement and other governmental agencies, in 
investigational hearings and witness interviews, and to either House of 
or a committee or subcommittee of the Congress, upon request. The 
Bureau may also disclose confidential information in administrative or 
court proceedings to which the Bureau is a party. In the case of 
confidential investigatory material that contains any trade secret or 
privileged or confidential commercial or financial information, as 
claimed by designation by the submitter of such material, or 
confidential supervisory information, the submitter may seek an 
appropriate protective or in camera order prior to disclosure of such 
material in a proceeding.
    The Bureau received several comments regarding Sec.  1070.45. One 
commenter argues that the Bureau should implement section 1052(d)(2) of 
the Dodd-Frank Act by amending Sec.  1070.45(a)(2) of the interim final 
rule to state that the Bureau shall provide financial institutions with 
prior notice of its disclosures of confidential information to the 
Congress. Furthermore, the commenter suggests that the rule should 
state that the Bureau will provide information to the Congress only to 
the extent that it is stripped of identifying information. Finally, the 
commenter argues that the rule should state that the Bureau will 
eliminate its authorization to provide confidential information to 
subcommittees of Congress.
    One commenter also expresses concern that Sec.  1070.45(a)(4) of 
the interim final rule unfairly places the burden on financial 
institutions to seek a protective or in camera order whenever the 
Bureau seeks to disclose confidential investigatory material in the 
course of an administrative or court proceeding to which the Bureau is 
a party. The commenter argues that, in accordance with the practice of 
other Federal bank regulatory agencies, the Bureau should assert all 
applicable privileges and seek a protective order when using 
confidential information during the course of an administrative or 
court proceeding.
    Another commenter proposes that the Bureau delete Sec.  
1070.45(a)(5), which states that Bureau may affirmatively disclose 
confidential information ``[t]o law enforcement and other government 
agencies in accordance with this subpart.'' The commenter notes that 
this provision seems duplicative of Sec.  1070.43 of the interim final 
rule, and to the extent it is not so, it permits the disclosure of 
confidential supervisory information without restriction.
    The Bureau implements section 1052(d)(2) of the Dodd-Frank Act by 
modifying section 1070.45(a)(2) of the interim final rule to state that 
upon receiving a request from the Congress for confidential information 
that a financial institution has submitted to the Bureau, the Bureau 
shall provide written notice to the financial institution of its 
receipt of the request, along with a copy of the request.
    However, the Bureau declines to modify this paragraph to exclude 
disclosures to Congress of personally identifiable information insofar 
as section 1052(d)(2) of the Dodd-Frank Act expressly states that no 
rule of the Bureau shall prevent disclosures to the Congress of 
information obtained by the Bureau.
    The Bureau also disagrees with the commenter that this paragraph 
should exclude disclosures of confidential information to Congressional 
subcommittees.
    The Bureau declines to modify Sec.  1070.45(a)(4) of the interim 
final rule to require the Bureau to assert all available objections to 
the disclosure of confidential information and to seek an appropriate 
protective or in camera order prior to such disclosure.
    The Bureau revises Sec.  1070.45(a)(5) of the interim final rule to 
clarify its intended meaning. As revised, this provision allows the 
Bureau, on its own initiative, to alert other agencies of its discovery 
of evidence that may indicate violations of laws that are subject to 
these agencies' jurisdiction and, to the extent the Bureau deems it 
necessary to alert agencies of such evidence, to summarize evidence 
that constitutes confidential information.
    The Bureau intends for Sec.  1070.45(a)(5) to be a precursor to but 
not a substitute for the procedure set forth in Sec.  1070.43(b) of 
this subpart by which agencies submit to the General Counsel requests 
for access to full written copies of the Bureau's confidential 
information. For example, a Bureau employee may call a counterpart in 
another agency to advise the agency that, during the course of a Bureau 
investigation into violations of laws subject to the Bureau's 
jurisdiction, the Bureau uncovered evidence of conduct that may also 
constitute a violation of laws subject to the agency's jurisdiction. To 
the extent the Bureau employee deems it necessary to alert the agency 
of the relevant conduct, the employee may summarize to the agency 
counterpart the Bureau's evidence that constitutes confidential 
information. The Bureau employee may not, however, share with the 
agency counterpart a full written copy of such confidential 
information. To obtain a complete written copy of the confidential 
information, the agency must submit a request for it in accordance with 
section 1070.43(b) of the rule. In response to such a request, the 
Bureau's General Counsel will decide whether or not to grant access to 
the requested confidential information as set forth in Sec.  1070.43(b) 
and in accordance with relevant Bureau guidance, including CFPB 
Bulletin 12-01.
    The Bureau also notes that an agency that receives confidential 
information in summary form pursuant to Sec.  1070.45(a)(5) is subject 
to the same Bureau prohibition against further disclosing that 
information that applies when it receives a complete written copy of 
that confidential information. See 12 CFR 1070.47.
Section 1070.46 Other Disclosures of Confidential Information
    Section 1070.46 provides that notwithstanding the other provisions 
in subpart D that restrict the circumstances under which the CFPB may 
disclose

[[Page 11499]]

confidential information, the Director may authorize other disclosures 
of confidential information to the extent permitted by law.
    Section 1070.46(b) authorizes the CFPB to provide prior written 
notice to the person to whom the confidential information pertains--to 
the extent that the CFPB deems such notice to be appropriate under the 
circumstances--that the CFPB intends to disclose confidential 
information, in accordance with this section.
    Section 1070.46(c) clarifies that the authority to disclose 
confidential information pursuant to this section may be exercised only 
by the Director or by an individual acting in the capacity of the 
Director in the absence or unavailability of a Director, such as the 
Deputy Director (as set forth in section 1011(b)(5)(B) of the Dodd-
Frank Act).
    Several commenters also expressed concern that Sec.  1070.46 
renders meaningless the disclosure restrictions of subpart D by 
authorizing the Director to disclose confidential information without 
limitation. To address this concern, commenters propose either 
eliminating this provision entirely or imposing strict criteria on the 
Director's discretion. One commenter proposes permitting the Director 
to authorize discretionary disclosures only where such disclosures are 
expressly permitted under the Dodd-Frank Act and where there is an 
actual exigent need for such disclosure in order for the Bureau to 
perform a statutorily required duty under applicable law.
    The Bureau declines to eliminate or substantially modify Sec.  
1070.46. As the CPFB noted when it published the interim final rule, 
the Bureau does not intend to utilize this provision routinely, or as a 
matter of convenience, to circumvent applicable laws or provisions of 
the rule that exist elsewhere in subpart D to prohibit or restrict its 
disclosure of confidential information. Instead, the Bureau intends to 
use this provision in the same way that other Federal agencies utilize 
similar catch-all provisions--to account for rare situations in which 
an unforeseen and exigent need exists to disclose confidential 
information for purposes or in a manner not otherwise provided for in 
the rule. To help ensure that the CPFB utilizes Sec.  1070.46 as 
described, the rule states that the Director must personally authorize 
in writing disclosures of confidential information that occur pursuant 
to Sec.  1070.46 and that he or she may not delegate this 
responsibility to subordinates.
Section 1070.47 Other Rules Regarding the Disclosure of Confidential 
Information
    Section 1070.47(a) declares the Bureau's retained ownership of any 
confidential information it discloses to Federal or State agencies, to 
supervised financial institutions, or to other persons as provided in 
subpart D. It prohibits further disclosures of such information without 
the Bureau's prior written authorization. It directs recipients of 
confidential information who receive requests or demands for its 
further disclosure to refer such requests or demands to the Bureau, 
afford the Bureau an opportunity to respond or intervene, and to assert 
legal exemptions or privileges on the Bureau's behalf if so requested. 
To the extent that requests for confidential information are made 
pursuant to the FOIA, the Privacy Act, or State law equivalents of 
those statutes, Sec.  1070.47(a)(3) requires Federal or State agency 
recipients to refer such requests to the Bureau for its response. As 
provided by Sec.  1070.47(a)(4), nothing in this section precludes a 
recipient of confidential information under subpart D from disclosing 
such information pursuant to a valid Federal court order or a request 
or demand from a duly authorized committee of the United States 
Congress. In such cases where disclosure is compulsory, the disclosing 
party shall use its best efforts to secure a protective order or 
agreement that maintains the confidentiality of the confidential 
information disclosed.
    Section 1070.47(b) permits the Bureau to impose any additional 
conditions or limitations that it deems prudent upon the use or 
disclosure of confidential information by agencies or persons to whom 
such information has been disclosed pursuant to this subpart.
    After the publication of the interim final rule, the Bureau 
published a notice of proposed rulemaking that proposed an amendment to 
Sec.  1070.47(c). See 77 FR 15286 (Mar. 15, 2012). The amended version 
of this provision provides that the Bureau's provision of privileged 
information to another Federal or State agency does not waive any 
applicable privilege, whether the privilege belongs to the Bureau or 
any other person.
    The Bureau published its final rule on July 5, 2012. See 77 FR 
39617. In its final rule, the Bureau addressed public comments that it 
received in response to the notice of proposed rulemaking. Please see 
that final rule for further information.
    The Bureau received several comments about this provision. One 
commenter argues that the Bureau does not have authority to enforce 
this regulation to the extent that it applies to confidential 
information provided to other agencies. To incentivize agencies to 
abide by this restriction, the commenter suggests that the rule should 
state that if a party to whom the Bureau provides confidential 
information leaks it intentionally or otherwise, the Bureau will stop 
providing confidential information to that party.
    Another commenter argues that the Bureau should require third party 
recipients of confidential information to comply with all applicable 
laws, including State laws.
    To address concerns regarding the enforceability of the interim 
final rule with respect to State agencies, the Bureau makes several 
modifications in the final rule.
    First, the final rule now requires, in subparagraph (a)(3)(ii), 
that recipients of confidential information must re-direct all third 
party requests for that information to the Bureau and not simply those 
requests filed under the FOIA, the Privacy Act, or State analogues to 
such laws.
    Second, the Bureau modifies subparagraph (a)(3)(ii) to clarify that 
recipients of confidential information must provide the aforementioned 
instruction to third party requesters of that information only to the 
extent that applicable law permits them to do so.
    Third, the Bureau modifies subparagraph (a)(4) of the interim final 
rule to state that nothing in this section precludes compliance with a 
legally valid and enforceable order of a court of competent 
jurisdiction rather than, more narrowly, an order of a United States 
Federal court. The Bureau makes this modification principally to 
clarify that if a final and enforceable order of a State court requires 
a recipient of confidential information to disclose that information to 
a third party, the rule does not preclude the recipient from complying 
with the order.
    Fourth, the Bureau modifies subparagraphs (a)(2) and (a)(5) to make 
them consistent with Sec.  1070.42 of the rule. Section 1070.42 allows 
financial institutions that receive copies of confidential supervisory 
information to further disclose that information to certain other 
entities and persons. Subparagraph (a)(2) of the interim final rule 
seemingly precludes such disclosures altogether while subparagraph 
(a)(5) precludes such disclosures to the extent that they involve 
removing confidential supervisory information from the premises of 
financial institutions. The final rule eliminates this unintended 
result by stating that, except as

[[Page 11500]]

otherwise permitted by subpart D--rather than by Sec.  1070.47 only--
recipients of confidential information may not further disclose 
confidential information, including by making personal copies of such 
information and by removing it from the premises of financial 
institutions.
Section 1070.48 Privileges Not Affected by Disclosure to the CFPB
    After the publication of the interim final rule, the Bureau 
published a notice of proposed rulemaking that proposed to add to the 
interim final rule a new Sec.  1070.48. See 77 FR 15286, 15286 (Mar. 
15, 2012). This new section provides that the submission by any person 
of any information to the Bureau in the course of the Bureau's 
supervisory or regulatory processes will not waive or otherwise affect 
any privilege such person may claim with respect to such information 
under Federal or State law as to any other person or entity.
    The Bureau published its final rule on July 5, 2012. See 77 FR 
39617. In its final rule, the Bureau addressed public comments that it 
received in response to the notice of proposed rulemaking. Please see 
that final rule for further information.

Subpart E--The Privacy Act

Section 1070.50 Purpose and Scope; Definitions
    Section 1070.50 of the interim final rule sets forth the purpose of 
subpart E, which is to implement the requirements of the Privacy Act of 
1974, 5 U.S.C. 552a (the Privacy Act). Among other things, the Privacy 
Act requires Federal agencies to grant individuals access to records 
that agencies maintain about them in systems of records as well as the 
right to amend or correct such records. Section 1070.50 also defines 
certain terms that are used throughout subpart E. The Bureau received 
no comments on the interim final rule. The Bureau adopts the interim 
final rule without modification.
Section 1070.51 Authority and Responsibilities of the Chief Privacy 
Officer
    Section 1070.51 of the interim final rule authorizes the Chief 
Privacy Officer of the Bureau to respond to public requests made under 
the Privacy Act for access to, accounting of, or amendments to Bureau 
records contained in systems of records. It also authorizes the Chief 
Privacy Officer to approve the publication and amendment of systems of 
record notices. Finally, the interim final rule authorizes the Chief 
Privacy Officer to file any necessary reports required by the Privacy 
Act. The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification.
Section 1070.52 Fees
    Section 1070.52 of the interim final rule identifies the fees that 
are associated with processing Privacy Act requests for copies of 
records submitted pursuant to this subpart. This provision also sets 
for circumstances in which the Bureau will not charge fees to process 
Privacy Act requests. The Bureau received no comments on the interim 
final rule. The Bureau adopts the interim final rule without 
modification except to correct a typographical error.
Section 1070.53 Requests for Access to Records
    Section 1070.53(a) of the interim final rule describes how 
individuals may request access to Bureau records that pertain to them.
    Paragraph (a) states that requests that requests may be made 
electronically or in paper form and submitted to designated addresses.
    Paragraph (b) identifies the required content of Privacy Act 
requests. Such content must include, among other things, the name of 
the system of records that the requester believes contains the records 
requested, or a description of the records sought that is sufficiently 
specific to enable Bureau personnel to locate the applicable system of 
records with a reasonable amount of effort. Wherever possible, it 
should also contain a description of the record sought, including any 
information that might assist the Bureau in locating it.
    Paragraph (c) requires requesters to provide proof of their 
identity to obtain access to Privacy Act protected records. Such proof 
includes a photocopy of identification cards or forms that bear the 
requester's photograph and signature or a statement swearing or 
affirming the requester's identity. Additional proof may be required in 
certain circumstances. For example, if a requester seeks records 
pertaining to another individual in the requester's capacity as that 
individual's guardian, then the requester must provide proof of 
guardianship before the Bureau will process the request.
    Paragraph (d) states that an individual may request an accounting 
of previous disclosures of records pertaining to such individual.
    The Bureau received no comments on the interim final rule. The 
Bureau modifies the interim final rule to reflect the new mailing 
address of the Bureau: 1700 G Street NW., Washington, DC 20552.
Section 1070.54 CFPB Procedures for Responding to a Request for Access
    Section 1070.54 of the interim final rule sets forth procedures for 
the Bureau to follow in responding to a Privacy Act request for 
records.
    Paragraph (a) provides that the Bureau will acknowledge and seek to 
respond to each request within twenty (20) business days of its 
receipt.
    Paragraph (b) identifies procedures for making requested records 
available for inspection and copying in the Bureau reading room or 
mailing or emailing the records directly to the requester.
    Paragraph (c) requires the Bureau to inform requesters in writing 
of its denials of requests. Such notification must include the reasons 
for denial and procedures for appealing the determination.
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification.
Section 1070.55 Special Procedures for Medical Records
    Section 1070.55 of the interim final rule sets forth special 
procedures for the Bureau to apply when responding to Privacy Act 
requests for medical or psychological records. The Bureau received no 
comments on the interim final rule. The Bureau modifies the interim 
final rule to clarify that a physician or other appropriate 
representative whom a requester designates to receive the Bureau's 
medical or psychological records that pertain to the requester shall--
rather than may--disclose those records to the requester, but that 
physician or representative may disclose such records in a manner that 
he or she deems appropriate to prevent or mitigate adverse effects on 
the requester.
Section 1070.56 Request for Amendment of Records
    Section 1070.56(a) of the interim final rule comprises procedures 
for individuals to follow when making requests for the amendment of 
Bureau records that concern them. Individuals seeking amendment to a 
record must submit the request in writing, along with proof of identity 
(unless such proof was already provided in a related access or 
amendment request), and submit it, either in paper or electronic form, 
to the Chief Privacy Officer. The request must identify the relevant 
system of records and the portion of the record to be amended. The 
request also must

[[Page 11501]]

describe the nature and reasons for each requested amendment.
    Paragraph (b) states that the requester bears the burden of 
proving, through relevant and convincing evidence, that the record 
should be amended because it is not accurate, relevant, timely or 
complete.
    The Bureau received no comments on the interim final rule. The 
Bureau modifies section 1070.56(b) of the interim final rule to adopt 
the ``preponderance of the evidence'' standard of proof that the Office 
of Management and Budget prescribed in its guidance to agencies on the 
implementation of the Privacy Act. See Office of Management and Budget, 
Privacy Act Implementation: Guidelines and Responsibilities, 40FR 
28958-28959 (Jul. 9, 1975).
Section 1070.57 CFPB Review of a Request for Amendment of Records
    Section 1070.57 of the interim final rule sets forth procedures for 
the Bureau to follow in reviewing and responding to a request to amend 
records pertaining to an individual.
    Paragraph (a) requires the Bureau to acknowledge such a request 
within ten (10) business days after its receipt. The Bureau must make 
its determination as to whether to grant an amendment request promptly.
    Paragraph (b) requires the Bureau to respond to a request for 
amendment in writing by informing the requester of its determination, 
and if granted, the steps that it will take to amend the record. If 
denied, the Bureau must inform the requester of the reasons for denial 
and of the requester's appeal rights.
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification.
Section 1070.58 Appeal of Adverse Determination of Request for Access 
or Amendment
    Section 1070.58 of the interim final rule sets forth procedures for 
filing appeals of Bureau denials of Privacy Act requests for access to 
or amendment of records.
    Paragraph (a) establishes a requester's right to file appeals of 
denials of requests for record access or amendment within ten (10) 
business days after the Bureau notifies the requester that it has 
denied such requests.
    Paragraph (b) requires appellants to file appeals in writing and to 
submit them, in paper or electronic form, to the General Counsel of the 
Bureau. Appeals must specify the background of the initial request and 
explain why the denial of access or amendment was in error.
    Paragraph (c) designates the General Counsel of the Bureau to 
decide appeals. The General Counsel must make his or her determination 
within thirty (30) business days from the date of his or her receipt of 
the appeal, unless the General Counsel extends the time for good cause. 
If the General Counsel denies the appeal, the General Counsel must 
inform the requester in writing. The denial notification must include 
the General Counsel's reasons for denying the appeal and describe the 
requester's right to file a statement of disagreement and to have a 
court review the appellate determination.
    Paragraph (d) sets forth the appellant's right to file a concise 
statement of disagreement with the General Counsel's denial of an 
appeal. The Bureau must maintain this statement of disagreement with 
the record that the requester sought to amend and any disclosure of the 
record must include a copy of the statement of disagreement. The Bureau 
also must, where practical and appropriate, provide a copy of the 
statement of disagreement to prior recipients of the record.
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification.
Section 1070.59 Restrictions on Disclosure
    Section 1070.59 of the interim final rule states that the Bureau 
will not disclose any record about an individual contained in a system 
of records to any person or agency without the prior written consent of 
that individual unless the Privacy Act authorizes it to do so. 
Authorized disclosures include those that are compatible with so-called 
``routine uses'' that the Bureau publishes in the Federal Register as 
part of its System of Records Notices. Copies of the Bureau's System of 
Record Notices are available on the Bureau's Web site, at http://www.consumerfinance.gov. The Bureau received no comments on the interim 
final rule. The Bureau adopts the interim final rule without 
modification.
Section 1070.60 Exempt Records
    Section 1070.60 of the interim final rule lists certain Bureau 
systems of records that are exempt, pursuant to section (k)(2) of the 
Privacy Act, from the record access rights and certain other rights and 
obligations set forth in this subpart and in the Privacy Act itself. 
These systems of records are exempt insofar as they contain 
investigatory systems compiled for law enforcement purposes.
    After the publication of the interim final rule, the Bureau 
published a notice of proposed rulemaking that proposed to add to this 
section of the rule a new exempt system of records: CFPB .005--Consumer 
Response System. See 77 FR 64241 (Oct. 19, 2012).
    The Bureau received no comments on the interim final rule or on the 
notice of proposed rulemaking. The Bureau adopts the interim final rule 
and the proposed rule without modification except to correct a drafting 
error.
Section 1070.61 Training; Rules of Conduct; Penalties for Non-
Compliance
    Section 1070.61(a) of the interim final rule requires the Chief 
Privacy Officer to institute a training program to instruct Bureau 
employees and contractors as to their duties and responsibilities under 
the Privacy Act and the regulations of this subpart.
    Paragraph (b) sets forth standards of conduct applicable to Bureau 
employees and contractors regarding compliance with the Privacy Act and 
the regulations of this subpart.
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification except to 
correct drafting and typographical errors.
Section 1070.62 Preservation of Records
    Section 1070.62 of the interim final rule requires the Bureau to 
preserve all correspondence relating to requests received under this 
part, as well as records responsive to such requests, until Federal 
records laws or record retention schedules approved by the National 
Archives and Records Administration authorizes the disposition or 
destruction of such records. The interim final rule also instructs 
Bureau employees not to dispose of such records while they are the 
subject of a pending request, appeal, proceeding, or lawsuit.
    One commenter suggests that the Bureau should modify Sec.  1070.62 
of the interim final rule to provide that records will not be disposed 
of ``or destroyed'' while they are subject to a pending request, 
appeal, proceeding, or lawsuit.
    The Bureau agrees with the commenter that Bureau employees should 
be instructed to neither dispose of nor destroy correspondence that 
relates to or records that are responsive to requests that the Bureau 
receives under this subpart while they are subject to a pending 
request, appeal, proceeding, or lawsuit.

[[Page 11502]]

Section 1070.63 Use and Collection of Social Security Numbers
    Section 1070.63 of the interim final rule requires the Bureau to 
inform employees that in collecting information from individuals, 
employees may not deny such individuals any rights, benefits, or 
privileges arising from such individuals' refusals to disclose social 
security numbers to the Bureau unless the collection of such numbers is 
authorized by law.
    In requesting social security numbers from individuals, the Bureau 
must inform individuals whether the provision of such numbers is 
mandatory or voluntary, the legal authority that authorizes the 
collection of such numbers, and the uses that the Bureau will make of 
the numbers.
    The Bureau received no comments on the interim final rule. The 
Bureau adopts the interim final rule without modification.

V. Section 1022(b)(2)(A) of the Dodd-Frank Act

    In developing the final rule, the Bureau has considered potential 
benefits, costs, and impacts, and has consulted or offered to consult 
with the prudential regulators, including with regard to consistency 
with any prudential, market, or systemic objectives administered by 
such agencies.\8\
---------------------------------------------------------------------------

    \8\ Section 1022(b)(2)(A) of the Dodd-Frank Act addresses the 
consideration of the potential benefits and costs of regulation to 
consumers and covered persons, including the potential reduction of 
access by consumers to consumer financial products or services; the 
impact on depository institutions and credit unions with $10 billion 
or less in total assets as described in section 1026 of the Dodd-
Frank Act; and the impact on consumers in rural areas. Section 
1022(b)(2)(B) directs the Bureau to consult, before and during the 
rulemaking, with appropriate prudential regulators or other Federal 
agencies, regarding consistency with objectives those agencies 
administer. The manner and extent to which these provisions apply to 
a rulemaking of this kind that does not establish standards of 
conduct, and to regulatory provisions that are compelled by 
statutory changes, is unclear. Nevertheless, to inform this 
rulemaking more fully, the Bureau performed the described analyses 
and consultations.
---------------------------------------------------------------------------

    The analysis considers the benefits, costs, and impacts of the key 
provisions of the rule against a pre-statutory baseline; that is, the 
analysis evaluates the benefits, costs, and impacts of the relevant 
statutory provisions and the regulations combined.\9\
---------------------------------------------------------------------------

    \9\ The Bureau has discretion in any rulemaking to choose an 
appropriate scope of analysis with respect to potential benefits and 
costs and an appropriate baseline. The Bureau, as a matter of 
discretion, has chosen to describe a broader range of potential 
effects to more fully inform the rulemaking.
---------------------------------------------------------------------------

    Subpart C of the final rule sets forth procedures by which the 
public, including consumers and covered persons, may serve summons, 
complaints, subpoenas, and other legal process, demands, and requests 
upon the Bureau. The rule imposes special procedural requirements for 
those who seek to serve third party subpoenas upon the Bureau in 
accordance with United States ex rel. Touhy v. Ragen, 340 U.S. 462 
(1951). These requirements may increase the time and burden associated 
with obtaining records of the Bureau in response to such subpoenas.
    Subpart D of the final rule, which restricts the circumstances 
under which the Bureau may disclose to the public or share with other 
agencies certain categories of confidential information, benefits 
consumers and covered persons to the extent that the confidential 
information that the rule protects is derived from or pertains to 
consumers or covered persons. For example, the rule protects consumers' 
privacy by restricting the Bureau's authority to disclose publicly 
personally-identifiable complaint information that consumers submit to 
the Bureau. The rule also protects the financial and reputational 
interests of covered persons by limiting the extent to which the Bureau 
may publicly disclose supervisory and law enforcement information about 
them.
    To the extent that the rule requires or authorizes the Bureau to 
share confidential information, the rule also has benefits for 
consumers and covered persons. Consumers may benefit when the Bureau 
shares complaint information to facilitate resolution of consumer 
complaints. They may also benefit when the Bureau shares supervisory 
information with other financial regulatory agencies to promote 
compliance by covered persons with consumer financial laws. Similarly, 
consumers may benefit when the Bureau shares its investigatory 
information with other law enforcement agencies to aid efforts to 
prevent and remedy harms to consumers caused by conduct that violates 
consumer financial law.
    There is a benefit to covered persons when the Bureau shares 
supervisory information with other regulatory agencies. Information 
exchange among regulatory agencies permits the Bureau and these 
agencies to conduct joint supervisory examinations of covered persons 
rather than separate examinations, thereby reducing regulatory burdens 
to covered persons.
    This rule may entail certain costs to covered persons. As one 
commenter to the interim final rule argues, the information sharing 
provisions of subpart D of the rule may increase the volume and costs 
of litigation for covered persons whose information the Bureau will 
share with other agencies and which such agencies may use as bases for 
administrative or judicial actions against covered persons. To the 
extent that such costs occur, the Bureau believes that in most cases, 
these costs would be associated with concomitant benefits to consumers 
from the prevention or remedy of harms associated with violations of 
law by covered persons.\10\
---------------------------------------------------------------------------

    \10\ The Bureau notes that it has taken steps since it issued 
the interim final rule to limit the circumstances in which it shares 
supervisory information with agencies that are not engaged in 
supervisory activities, including State attorneys general. In 
January 2012, the Bureau issued Bulletin 12-01, which states that 
the Bureau will not share confidential supervisory information 
routinely with such agencies and will only share such information 
after scrutinizing factors that include the significance of the law 
enforcement interest at stake and the impact on the integrity of the 
supervisory process. This Bulletin should limit litigation costs to 
covered persons that might otherwise arise from the final rule.
---------------------------------------------------------------------------

    One commenter also contends that the information sharing practices 
that the rule prescribes will result in a waiver of legal privileges 
that otherwise protect this information from disclosure to third 
parties, thereby rendering such information vulnerable to subpoenas and 
discovery requests. Although the Bureau believes that this concern is 
unwarranted, the Bureau has taken action since it issued the interim 
final rule to mitigate this potential cost. On July 5, 2012, the Bureau 
modified Sec.  1070.47(c) of the interim final rule and added a new 
Sec.  1070.48 to clarify that the provision by a covered person of 
confidential information to the Bureau and the Bureau's disclosure of 
such information to another agency does not waive legal privileges that 
otherwise protect such information from disclosure. See 77 FR 39617.
    One commenter suggests that Sec.  1070.46 of the rule imposes costs 
upon covered persons to the extent that it authorizes the Director of 
the Bureau to disclose their confidential information to the public 
notwithstanding other disclosure restrictions set forth in subpart D. 
To the extent that the Director exercises his authority under Sec.  
1070.46 to disclose confidential information, costs may indeed ensue to 
affected covered persons. However, at most only very few covered 
persons might actually face such a cost, because the circumstances are 
limited in which the Director can and will exercise this authority. To 
ensure that the Bureau will resort to Sec.  1070.46 only in limited 
circumstances, the provision's disclosure authority is exercisable only 
by the Director himself. The Director does not intend to exercise his 
authority

[[Page 11503]]

under Sec.  1070.46 except in unforeseen and exigent circumstances. 
Moreover, Sec.  1070.46 states that the Bureau may notify covered 
persons of the Director's intentions to disclose confidential 
information pursuant to 1070.46; such notice would enable covered 
persons to seek appropriate relief if they believe that the Director's 
disclosure of confidential information would be contrary to law.
    The CFPB does not expect that the final rule will have an 
appreciable impact on consumers' access to consumer financial products 
or services. The final rule does not have a unique impact on rural 
consumers. The final rule also has no unique impact on insured 
depository institutions or insured credit unions with less than $10 
billion in assets as described in section 1026(a) of the Dodd-Frank 
Act.

VI. Procedural Requirements

    The Regulatory Flexibility Act, 5 U.S.C. 601 et seq., as amended by 
the Small Business Regulatory Enforcement Fairness Act of 1996 (the 
RFA), requires each agency to consider the potential impact of its 
regulations on small entities, including small businesses, small 
governmental units, and small not-for-profit organizations, unless the 
head of the agency certifies that the rule will not have a significant 
economic impact on a substantial number of small entities. The 
undersigned so certifies. The rule does not impose any obligations or 
standards of conduct for purposes of analysis under the RFA, and it 
therefore does not give rise to a regulatory compliance burden for 
small entities.
    Finally, the Bureau has determined that this final rule does not 
impose any new recordkeeping, reporting, or disclosure requirements on 
members of the public that would be collections of information 
requiring approval under the Paperwork Reduction Act, 44 U.S.C. 3501, 
et seq.

List of Subjects in 12 CFR Part 1070

    Confidential business information, Consumer protection, Freedom of 
information, Privacy.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau revises part 
1070 to read as follows:

PART 1070--DISCLOSURE OF RECORDS AND INFORMATION

Subpart A--General Provisions and Definitions
Sec.
1070.1 Authority, purpose and scope.
1070.2 General definitions.
1070.3 Custodian of records; certification; alternative authority.
1070.4 Records of the CFPB not to be otherwise disclosed.
Subpart B--Freedom of Information Act
Sec.
1070.10 General.
1070.11 Information made available; discretionary disclosures.
1070.12 Publication in the Federal Register.
1070.13 Public inspection and copying.
1070.14 Requests for CFPB records.
1070.15 Responsibility for responding to requests for CFPB records.
1070.16 Timing of responses to requests for CFPB records.
1070.17 Requests for expedited processing.
1070.18 Responses to requests for CFPB records.
1070.19 Classified information.
1070.20 Requests for business information provided to the CFPB.
1070.21 Administrative appeals.
1070.22 Fees for processing requests for CFPB records.
1070.23 Authority and responsibilities of the Chief FOIA Officer.
Subpart C--Disclosure of CFPB Information in Connection With Legal 
Proceedings
Sec.
1070.30 Purpose and scope; definitions.
1070.31 Service of summonses and complaints.
1070.32 Service of subpoenas, court orders, and other demands for 
CFPB information or action.
1070.33 Testimony and production of documents prohibited unless 
approved by the General Counsel.
1070.34 Procedure when testimony or production of documents is 
sought; general.
1070.35 Procedure when response to demand is required prior to 
receiving instructions.
1070.36 Procedure in the event of an adverse ruling.
1070.37 Considerations in determining whether the CFPB will comply 
with a demand or request.
1070.38 Prohibition on providing expert or opinion testimony.
Subpart D--Confidential Information
Sec.
1070.40 Purpose and scope.
1070.41 Non-disclosure of confidential information.
1070.42 Disclosure of confidential supervisory information to and by 
supervised financial institutions.
1070.43 Disclosure of confidential information to law enforcement 
agencies and other government agencies.
1070.44 Disclosure of confidential consumer complaint information.
1070.45 Affirmative disclosure of confidential information.
1070.46 Other disclosures of confidential information.
1070.47 Other rules regarding the disclosure of confidential 
information.
1070.48 Privileges not affected by disclosure to the CFPB.
Subpart E--Privacy Act
Sec.
1070.50 Purpose and scope; definitions.
1070.51 Authority and responsibilities of the Chief Privacy Officer.
1070.52 Fees.
1070.53 Request for access to records.
1070.54 CFPB procedures for responding to a request for access.
1070.55 Special procedures for medical records.
1070.56 Request for amendment of records.
1070.57 CFPB review of a request for amendment of records.
1070.58 Appeal of adverse determination of request for access or 
amendment.
1070.59 Restrictions on disclosure.
1070.60 Exempt records.
1070.61 Training; rules of conduct; penalties for non-compliance.
1070.62 Preservation of records.
1070.63 Use and collection of social security numbers.

    Authority: 12 U.S.C. 5481 et seq.; 5 U.S.C. 552; 5 U.S.C. 552a; 
18 U.S.C. 1905; 18 U.S.C. 641; 44 U.S.C. ch. 30; 5 U.S.C. 301.

Subpart A--General Provisions and Definitions


Sec.  1070.1  Authority, purpose, and scope.

    (a) Authority. (1) This part is issued by the Bureau of Consumer 
Financial Protection, an independent Bureau within the Federal Reserve 
System, pursuant to the Consumer Financial Protection Act of 2010, 12 
U.S.C. 5481 et seq.; the Freedom of Information Act, 5 U.S.C. 552; the 
Privacy Act of 1974, 5 U.S.C. 552a; the Federal Records Act, 44 U.S.C. 
3101; the Paperwork Reduction Act, 44 U.S.C. 3501 et seq. the Right to 
Financial Privacy Act of 1978, 12 U.S.C. 3401; the Trade Secrets Act, 
18 U.S.C. 1905; 18 U.S.C. 641; and any other applicable law that 
establishes a basis for the exercise of governmental authority by the 
CFPB.
    (2) This part establishes mechanisms for carrying out the CFPB's 
statutory responsibilities under the statutes in paragraph (a)(1) of 
this section to the extent those responsibilities require the 
disclosure, production, or withholding of information. In this regard, 
the CFPB has determined that the CFPB, and its delegates, may disclose 
information of the CFPB, in accordance with the procedures set forth in 
this part, whenever it is necessary or appropriate to do so in the 
exercise of any of the CFPB's authority. The CFPB has determined that 
all such disclosures, made in accordance with the rules and procedures 
specified in this part, are authorized by law.
    (b) Purpose and scope. This part contains the CFPB's rules relating 
to the disclosure of records and information generated by and obtained 
by the CFPB.

[[Page 11504]]

    (1) Subpart A contains general provisions and definitions used in 
this part.
    (2) Subpart B implements the Freedom of Information Act, 5 U.S.C. 
552.
    (3) Subpart C sets forth the procedures with respect to subpoenas, 
orders, or other requests for CFPB information in connection with legal 
proceedings.
    (4) Subpart D provides for the protection of confidential 
information and procedures for sharing confidential information with 
supervised institutions, government agencies, and others in certain 
circumstances.
    (5) Subpart E implements the Privacy Act of 1974, 5 U.S.C. 552a.


Sec.  1070.2  General definitions.

    For purposes of this part:
    (a) Business day means any day except Saturday, Sunday or a legal 
Federal holiday.
    (b) CFPB means the Bureau of Consumer Financial Protection.
    (c) Chief FOIA Officer means the Chief Operating Officer of the 
CFPB, or any CFPB employee to whom the Chief Operating Officer has 
delegated authority to act under this part.
    (d) Chief Operating Officer means the Chief Operating Officer of 
the CFPB, or any CFPB employee to whom the Chief Operating Officer has 
delegated authority to act under this part.
    (e) Civil investigative demand material means any documentary 
material, written report, or answers to questions, tangible thing, or 
transcript of oral testimony received by the CFPB in any form or format 
pursuant to a civil investigative demand, as those terms are set forth 
in 12 U.S.C. 5562, or received by the CFPB voluntarily in lieu of a 
civil investigative demand.
    (f) Confidential information means confidential consumer complaint 
information, confidential investigative information, and confidential 
supervisory information, as well as any other CFPB information that may 
be exempt from disclosure under the Freedom of Information Act pursuant 
to 5 U.S.C. 552(b). Confidential information does not include 
information contained in records that have been made publicly available 
by the CFPB or information that has otherwise been publicly disclosed 
by an employee with the authority to do so.
    (g) Confidential consumer complaint information means information 
received or generated by the CFPB, pursuant to 12 U.S.C. 5493 and 5534, 
that comprises or documents consumer complaints or inquiries concerning 
financial institutions or consumer financial products and services and 
responses thereto, to the extent that such information is exempt from 
disclosure pursuant to 5 U.S.C. 552(b).
    (h) Confidential investigative information means:
    (1) Civil investigative demand material; and
    (2) Any documentary material prepared by, on behalf of, received 
by, or for the use by the CFPB or any other Federal or State agency in 
the conduct of an investigation of or enforcement action against a 
person, and any information derived from such documents.
    (i)(1) Confidential supervisory information means:
    (i) Reports of examination, inspection and visitation, non-public 
operating, condition, and compliance reports, and any information 
contained in, derived from, or related to such reports;
    (ii) Any documents, including reports of examination, prepared by, 
or on behalf of, or for the use of the CFPB or any other Federal, 
State, or foreign government agency in the exercise of supervisory 
authority over a financial institution, and any information derived 
from such documents;
    (iii) Any communications between the CFPB and a supervised 
financial institution or a Federal, State, or foreign government agency 
related to the CFPB's supervision of the institution;
    (iv) any information provided to the CFPB by a financial 
institution to enable the CFPB to monitor for risks to consumers in the 
offering or provision of consumer financial products or services, or to 
assess whether an institution should be considered a covered person, as 
that term is defined by 12 U.S.C. 5481, or is subject to the CFPB's 
supervisory authority; and/or
    (v) Information that is exempt from disclosure pursuant to 5 U.S.C. 
552(b)(8).
    (2) Confidential supervisory information does not include documents 
prepared by a financial institution for its own business purposes and 
that the CFPB does not possess.
    (j) Director means the Director of the CFPB or his or her designee, 
or a person authorized to perform the functions of the Director in 
accordance with law.
    (k) Employee means all current employees or officials of the CFPB, 
including employees of contractors and any other individuals who have 
been appointed by, or are subject to the supervision, jurisdiction, or 
control of the Director, as well as the Director. The procedures 
established within this part also apply to former employees where 
specifically noted.
    (l) Financial institution means any person involved in the offering 
or provision of a ``financial product or service,'' including a 
``covered person'' or ``service provider,'' as those terms are defined 
by 12 U.S.C. 5481.
    (m) General Counsel means the General Counsel of the CFPB or any 
CFPB employee to whom the General Counsel has delegated authority to 
act under this part.
    (n) Person means an individual, partnership, company, corporation, 
association (incorporated or unincorporated), trust, estate, 
cooperative organization, or other entity.
    (o) Report of examination means the report prepared by the CFPB 
concerning the examination or inspection of a supervised financial 
institution.
    (p) State means any State, territory, or possession of the United 
States, the District of Columbia, the Commonwealth of Puerto Rico, the 
Commonwealth of the Northern Mariana Islands, Guam, American Samoa, or 
the United States Virgin Islands or any Federally recognized Indian 
tribe, as defined by the Secretary of the Interior under section 104(a) 
of the Federally Recognized Indian Tribe List Act of 1994 (25 U.S.C. 
479a-1(a)), and includes any political subdivision thereof.
    (q) Supervised financial institution means a financial institution 
that is or that may become subject to the CFPB's supervisory authority.


Sec.  1070.3  Custodian of records; certification; alternative 
authority.

    (a) Custodian of records. The Chief Operating Officer is the 
official custodian of all records of the CFPB, including records that 
are in the possession or control of the CFPB or any CFPB employee.
    (b) Certification of record. The Chief Operating Officer may 
certify the authenticity of any CFPB record or any copy of such record, 
for any purpose, and for or before any duly constituted Federal or 
State court, tribunal, or agency.
    (c) Alternative authority. Any action or determination required or 
permitted to be done by the Chief Operating Officer may be done by any 
employee who has been duly designated for this purpose by the Chief 
Operating Officer.


Sec.  1070.4  Records of the CFPB not to be otherwise disclosed.

    Except as provided by this part, employees or former employees of 
the CFPB, or others in possession of a record of the CFPB that the CFPB 
has not already made public, are prohibited from disclosing such 
records, without

[[Page 11505]]

authorization, to any person who is not an employee of the CFPB.

Subpart B--Freedom of Information Act


Sec.  1070.10  General.

    This subpart contains the regulations of the CFPB implementing the 
Freedom of Information Act (the FOIA), 5 U.S.C. 552, as amended. These 
regulations set forth procedures for requesting access to records 
maintained by the CFPB. These regulations should be read together with 
the FOIA, the 1987 Office of Management and Budget Guidelines for FOIA 
Fees, the CFPB's Privacy Act regulations set forth in subpart E, and 
the FOIA Web page on the CFPB's Web site, http://www.consumerfinance.gov, which provide additional information about 
this topic.


Sec.  1070.11  Information made available; discretionary disclosures.

    (a) In general. The FOIA provides for public access to information 
and records developed or maintained by Federal agencies. Generally, the 
FOIA divides agency information into three major categories and 
provides methods by which each category of information is to be made 
available to the public. The three major categories of information are 
as follows:
    (1) Information required to be published in the Federal Register 
(see Sec.  1070.12 of this subpart);
    (2) Information required to be made available for public inspection 
and copying or, in the alternative, to be published and offered for 
sale (see Sec.  1070.13 of this subpart); and
    (3) Information required to be made available to any member of the 
public upon specific request (see Sec. Sec.  1070.14 through 1070.22 of 
this subpart).
    (b) Discretionary disclosures. Even though a FOIA exemption may 
apply to the information or records requested, the CFPB may, if not 
precluded by law, elect under the circumstances not to apply the 
exemption. The fact that the exemption is not applied by the CFPB in 
response to a particular request shall have no precedential 
significance in processing other requests, but is merely an indication 
that, in the processing of the particular request, the CFPB finds no 
necessity for applying the exemption.
    (c) Disclosures of records frequently requested. Subject to the 
application of the FOIA exemptions and exclusions (5 U.S.C. 552(b) and 
(c)), the CFPB shall make publicly available, as provided by Sec.  
1070.13 of this subpart, all records regardless of form or format, 
which have been released previously to any person under 5 U.S.C. 
552(a)(3) and Sec. Sec.  1070.14 through 1070.22 of this subpart, and 
which the CFPB determines have become or are likely to become the 
subject of subsequent requests for substantially the same records. When 
the CFPB receives three (3) or more requests for substantially the same 
records, then the CFPB shall also make the released records publicly 
available.


Sec.  1070.12  Publication in the Federal Register.

    (a) Requirement. The CFPB shall separately state, publish and 
maintain current in the Federal Register for the guidance of the public 
the following information:
    (1) Descriptions of its central and field organization and the 
established place at which, the persons from whom, and the methods 
whereby, the public may obtain information, make submissions or 
requests, or obtain decisions;
    (2) Statements of the general course and method by which its 
functions are channeled and determined, including the nature and 
requirements of all formal and informal procedures available;
    (3) Rules of procedure, descriptions of forms available or the 
places at which forms may be obtained, and instructions as to the scope 
and contents of all papers, reports, or examinations;
    (4) Substantive rules of general applicability adopted as 
authorized by law, and statements of general policy or interpretations 
of general applicability formulated and adopted by the CFPB; and
    (5) Each amendment, revision, or repeal of matters referred to in 
paragraphs (a)(1) through (4) of this section.
    (b) Exceptions. Publication of the information under clause (a) of 
this subpart shall be subject to the application of the FOIA exemptions 
and exclusions (5 U.S.C. 552(b) and (c)) and the limitations provided 
in 5 U.S.C. 552(a)(1).


Sec.  1070.13  Public inspection and copying.

    (a) In general. Subject to the application of the FOIA exemptions 
and exclusions (5 U.S.C. 552(b) and (c)), the CFPB shall, in 
conformance with 5 U.S.C. 552(a)(2), make available for public 
inspection and copying, including by posting on the CFPB's Web site, 
http://www.consumerfinance.gov, or, in the alternative, promptly 
publish and offer for sale the following information:
    (1) Final opinions, including concurring and dissenting opinions, 
and orders made in the adjudication of cases;
    (2) Those statements of policy and interpretations which have been 
adopted by the CFPB but are not published in the Federal Register;
    (3) Its administrative staff manuals and instructions to staff that 
affect a member of the public;
    (4) Copies of all records made publicly available pursuant to Sec.  
1070.11 of this subpart; and
    (5) A general index of the records referred to in paragraph (a)(4) 
of this section.
    (b) Information made available online. For records required to be 
made available for public inspection and copying pursuant to 5 U.S.C. 
552(a)(2) (paragraphs (a)(1) through (4) of this section), as soon as 
practicable, the CFPB shall make such records available on its e-FOIA 
Library, located at http://www.consumerfinance.gov.
    (c) Record availability at the on-site e-FOIA Library. Any member 
of the public may, upon request, access the CFPB's e-FOIA Library via a 
computer terminal at 1700 G Street NW., Washington, DC 20552. Such a 
request may be made by electronic means as set forth on the CFPB's Web 
site, http://www.consumerfinance.gov, or in writing, to the Chief FOIA 
Officer, Consumer Financial Protection Bureau, 1700 G Street NW., 
Washington, DC 20552. The request must indicate a preferred date and 
time for the requested access. The CFPB reserves the right to arrange a 
different date and time with the requester, if necessary.
    (d) Redaction of identifying details. To prevent a clearly 
unwarranted invasion of personal privacy, the CFPB may redact 
identifying details contained in any matter described in paragraphs 
(a)(1) through (4) of this section before making such matters available 
for inspection or publication. The justification for the redaction 
shall be explained fully in writing, and the extent of such redaction 
shall be indicated on the portion of the record which is made available 
or published, unless including that indication would harm an interest 
protected by the exemption in 5 U.S.C. 552(b) under which the redaction 
is made. If technically feasible, the extent of the redaction shall be 
indicated at the place in the record where the redaction is made.


Sec.  1070.14  Requests for CFPB records.

    (a) In general. Subject to the application of the FOIA exemptions 
and exclusions (5 U.S.C. 552(b) and (c)), the CFPB shall promptly make 
its records available to any person pursuant to a request that conforms 
to the rules and procedures of this section.

[[Page 11506]]

    (b) Form of request. A request for records of the CFPB shall be 
made in writing or by electronic means.
    (1) If a request is made in writing, it shall be addressed to the 
Chief FOIA Officer, Consumer Financial Protection Bureau, 1700 G Street 
NW., Washington, DC 20552. The request shall be labeled ``Freedom of 
Information Act Request.''
    (2) If a request is made by electronic means, it shall be submitted 
as set forth on the CFPB's Web site, http://www.consumerfinance.gov. 
The request shall be labeled ``Freedom of Information Act Request.''
    (c) Content of request. (1) In order to ensure the CFPB's ability 
to respond in a timely manner, a FOIA request should describe the 
records that the requester seeks in sufficient detail to enable CFPB 
personnel to locate them with a reasonable amount of effort. Whenever 
possible, the request should include specific information about each 
record sought, such as the date, title or name, author, recipient, and 
subject matter of the record. If known, the requester should include 
any file designations or descriptions for the records requested. As a 
general rule, the more specific the requester is about the records or 
type of records requested, the more likely the CFPB will be able to 
locate those records in response to the request;
    (2) In order to ensure the CFPB's ability to communicate 
effectively with the requester, a request should include contact 
information for the requester, including the name of the requester and, 
to the extent available, a mailing address, telephone number, and email 
address at which the CFPB may contact the requester regarding the 
request;
    (3) The request should state whether the requester wishes to 
inspect the records or desires to receive an electronic copy or have a 
copy made and furnished without first inspecting the records;
    (4) For the purpose of determining any fees that may apply to 
processing a request, a requester should indicate in the request 
whether the requester is a commercial user, an educational institution, 
non-commercial scientific institution, representative of the news 
media, governmental entity, or ``other'' requester, as those terms are 
defined in Sec.  1070.22(b) of this subpart, and the basis for claiming 
that fee category. Requesters may seek assistance in determining the 
appropriate fee category by contacting the CFPB's FOIA Public Liaison 
at the telephone number listed on the CFPB's Web site, http://www.consumerfinance.gov. The CFPB will use any information provided to 
the FOIA Public Liaison solely for the purpose of determining the 
appropriate fee category that applies to the requester;
    (5) If a requester seeks a waiver or reduction of fees associated 
with processing a request, then the request shall include a statement 
to that effect as is required by Sec.  1070.22(e) of this subpart. Any 
request that does not seek a waiver or reduction of fees constitutes an 
agreement of the requester to pay any and all fees (of up to $25) that 
may apply to the request, as otherwise set forth in Sec.  1070.22 of 
this subpart, except that the requester may specify in the request an 
upper limit (of not less than $25) that the requester is willing to pay 
to process the request; and
    (6) If a requester seeks expedited processing of a request, then 
the request must include a statement to that effect as is required by 
Sec.  1070.17 of this subpart.
    (d) Perfected requests; effect of request deficiencies. For 
purposes of computing its deadline to respond to a request, the CFPB 
will deem itself to have received a request only if, and on the date 
that, it receives a request that contains substantially all of the 
information required by and that otherwise conforms with paragraphs (b) 
and (c) of this section. The CFPB need not accept a request, process a 
request, or be bound by any deadlines in this subpart for processing a 
request that fails to conform, in any material respect, to the 
requirements of paragraphs (b) and (c) of this section. If a request is 
deficient in any material respect, then the CFPB may return it to the 
requester and if it does so, it shall advise the requester in what 
respect the request is deficient, and what additional information is 
needed to respond to the request. The requester may then amend or 
resubmit the request. A determination by the CFPB that a request is 
deficient in any respect is not a denial of a request for records and 
such determinations are not subject to appeal. If a requester fails to 
respond to a CFPB notification that a request is deficient within 
thirty (30) days of the CFPB's notification, the CFPB will deem the 
request withdrawn.
    (e) Requests by an individual for CFPB records pertaining to that 
individual. An individual who wishes to inspect or obtain copies of 
records of the Bureau that pertain to that individual shall file a 
request in accordance with subpart E of these rules.
    (f) Requests for CFPB records pertaining to another individual. 
Where a request for records pertains to a third party, a requester may 
receive greater access by submitting either a notarized authorization 
signed by that individual or a declaration by that individual made in 
compliance with the requirements set forth in 28 U.S.C. 1746 
authorizing disclosure of the records to the requester, or submits 
proof that the individual is deceased (e.g., a copy of a death 
certificate or an obituary). The CFPB may require a requester to supply 
additional information if necessary in order to verify that a 
particular individual has consented to disclosure.


Sec.  1070.15  Responsibility for responding to requests for CFPB 
records.

    (a) In general. In determining which records are responsive to a 
request, the CFPB ordinarily will include only records in its 
possession as of the date the CFPB begins its search for them. If any 
other date is used, the CFPB shall inform the requester of that date.
    (b) Authority to grant or deny requests. The Chief FOIA Officer 
shall be authorized to grant or deny any request for a record of the 
CFPB.
    (c) Consultations and referrals. (1) When a requested record has 
been created by an agency other than the CFPB, the CFPB shall refer the 
record to the originating agency for a direct response to the 
requester.
    (2) When a FOIA request is received for a record created by the 
CFPB that includes information originated by another agency, the CFPB 
shall consult the originating agency for review and recommendation on 
disclosure. The CFPB shall not release any such records without prior 
consultation with the originating agency.
    (d) Notice of referral. Whenever the CFPB refers all or any part of 
the responsibility for responding to a request to another agency, it 
will notify the requester of the referral and inform the requester of 
the name of each agency to which the request has been referred, in 
whole or in part.


Sec.  1070.16  Timing of responses to requests for CFPB records.

    (a) In general. Except as set forth in paragraphs (b) through (d) 
of this section, and Sec.  1070.17 of this subpart, the CFPB shall 
respond to requests according to their order of receipt.
    (b) Multitrack processing. (1) The CFPB may establish separate 
tracks to process simple and complex requests. The CFPB may assign a 
request to the simple or complex track(s) based on the amount of work 
and/or time needed to process the request. The CFPB shall process 
requests in each track based on the date the request was perfected in 
accordance with Sec.  1070.14(d).
    (2) The CFPB may provide a requester in its complex track with an 
opportunity to limit the scope of the request to

[[Page 11507]]

qualify for faster processing within the specified limits of the simple 
track(s).
    (c) Time period for responding to requests for records. Ordinarily, 
the CFPB shall have twenty (20) business days from when a request is 
received by the CFPB to determine whether to grant or deny a request 
for records. The twenty (20) business day time period set forth in this 
paragraph shall not be tolled by the CFPB except that the CFPB may:
    (1) Make one reasonable demand to the requester for clarifying 
information about the request and toll the twenty (20) business day 
time period while it awaits the clarifying information; or
    (2) Toll the twenty (20) business day time period while it awaits 
clarification from or addresses any dispute with the requester 
regarding the assessment of fees.
    (d) Unusual circumstances. (1) Where the CFPB determines that due 
to unusual circumstances it cannot respond either to a request within 
the time period set forth in paragraph (c) of this section or to an 
appeal within the time period set forth in Sec.  1070.21 of this 
subpart, the CFPB may extend the applicable time periods by informing 
the requester in writing of the unusual circumstances and of the date 
by which the CFPB expects to complete its processing of the request or 
appeal. Any extension or extensions of time with respect to a request 
or an appeal shall not cumulatively total more than ten (10) business 
days. However, if the CFPB determines that it needs additional time 
beyond a ten (10) business day extension to process the request or 
appeal, then the CFPB shall notify the requester and provide the 
requester with an opportunity to limit the scope of the request or 
appeal or to arrange for an alternative time frame for processing the 
request or appeal or a modified request or appeal. The requester shall 
retain the right to define the desired scope of the request or appeal, 
as long as it meets the requirements contained in this subpart.
    (2) As used in this paragraph, ``unusual circumstances'' means:
    (i) The need to search for and collect the requested records from 
field facilities or other establishments that are separate from the 
office processing the request;
    (ii) The need to search for, collect, and appropriately examine a 
voluminous amount of separate and distinct records which are demanded 
in a single request; or
    (iii) The need for consultation, which shall be conducted with all 
practicable speed, with another agency having a substantial interest in 
the determination of the request, or among two or more CFPB offices 
having substantial subject matter interest therein.


Sec.  1070.17  Requests for expedited processing.

    (a) In general. The CFPB shall process a request on an expedited 
basis whenever a requester demonstrates a compelling need for expedited 
processing in accordance with the requirements of this paragraph or in 
other cases that the CFPB deems appropriate.
    (b) Form and content of a request for expedited processing. A 
request for expedited processing shall be made as follows:
    (1) A request for expedited processing shall be made in writing or 
by electronic means and submitted as part of a request for records in 
accordance with section 1070.14(b). When a request for records includes 
a request for expedited processing, the request shall be labeled 
``Expedited Processing Requested.''
    (2) A request for expedited processing shall contain a statement 
that demonstrates a compelling need for the requester to obtain 
expedited processing of the requested records. A ``compelling need'' is 
defined as follows:
    (i) Failure to obtain the requested records on an expedited basis 
could reasonably be expected to pose an imminent threat to the life or 
physical safety of an individual. The requester shall fully explain the 
circumstances warranting such an expected threat so that the CFPB may 
make a reasoned determination that a delay in obtaining the requested 
records could pose such a threat; or
    (ii) With respect to a request made by a person primarily engaged 
in disseminating information, urgency to inform the public concerning 
actual or alleged Federal government activity. A person ``primarily 
engaged in disseminating information'' does not include individuals who 
are engaged only incidentally in the dissemination of information. The 
standard of ``urgency to inform'' requires that the records requested 
pertain to a matter of current exigency to the American public and that 
delaying a response to a request for records would compromise a 
significant recognized interest to and throughout the American general 
public. The requester must adequately explain the matter or activity 
and why the records sought are necessary to be provided on an expedited 
basis.
    (3) The requester shall certify the written statement that purports 
to demonstrate a compelling need for expedited processing to be true 
and correct to the best of the requester's knowledge and belief. The 
certification must be in the form prescribed by 28 U.S.C. 1746: ``I 
declare under penalty of perjury that the foregoing is true and correct 
to the best of my knowledge and belief. Executed on [date].'' The 
requester shall mail or submit electronically a copy of such written 
certification to the Chief FOIA Officer as set forth in Sec.  
1070.14(b) of this subpart. The CFPB may waive this certification 
requirement in appropriate circumstances.
    (c) Determinations of requests for expedited processing. Within ten 
(10) calendar days of its receipt of a request for expedited 
processing, the CFPB shall decide whether to grant it and shall notify 
the requester of the determination in writing.
    (d) Effect of granting requests for expedited processing. If the 
CFPB grants a request for expedited processing, then the CFPB shall 
give the expedited request priority over non-expedited requests and 
shall process the expedited request as soon as practicable. The CFPB 
may assign expedited requests to their own simple and complex 
processing tracks based upon the amount of work and/or time needed to 
process them. Within each such track, an expedited request shall be 
processed in the order of its receipt.
    (e) Appeals of denials of requests for expedited processing. If the 
CFPB denies a request for expedited processing, then the requester 
shall have the right to submit an appeal of the denial determination in 
accordance with Sec.  1070.21 of this subpart. The CFPB shall 
communicate this appeal right as part of its written notification to 
the requester denying expedited processing. The requester shall label 
its appeal request ``Appeal for Expedited Processing.'' The CFPB shall 
act expeditiously upon an appeal of a denial of a request for expedited 
processing.


Sec.  1070.18  Responses to requests for CFPB records.

    (a) Acknowledgements of requests. Upon receipt of a perfected 
request, the CFPB will assign to the request a unique tracking number. 
The CFPB will send an acknowledgement letter to the requester by mail 
or email within ten (10) calendar days of receipt of the request. The 
acknowledgment letter will contain the following information:
    (1) The applicable request tracking number;
    (2) The date of receipt of the request, as determined in accordance 
with section 1070.14(d) of this subpart, as well as the date when the 
requester may expect a response;

[[Page 11508]]

    (3) A brief statement identifying the subject matter of the 
request; and
    (4) A confirmation, with respect to any fees that may apply to the 
request pursuant to Sec.  1070.22 of this subpart, that the requester 
has sought a waiver or reduction in such fees, has agreed to pay any 
and all applicable fees, or has specified an upper limit (of not less 
than $25) that the requester is willing to pay in fees to process the 
request.
    (b) Initial determination to grant or deny a request. (1) The 
officer designated in Sec.  1070.15(b) to this subpart, or his or her 
delegate, shall make initial determinations either to grant or to deny 
in whole or in part requests for records.
    (2) If the request is granted in full or in part, and if the 
requester requests a copy of the records requested, then a copy of the 
records shall be mailed or emailed to the requester in the requested 
format, to the extent the records are readily producible in the 
requested format. The CFPB shall also send the requester a statement of 
the applicable fees, either at the time of the determination or shortly 
thereafter.
    (3) In the case of a request for inspection, the requester shall be 
notified in writing of the determination, when and where the requested 
records may be inspected, and of the fees incurred in complying with 
the request. The CFPB shall then promptly make the records available 
for inspection at the time and place stated, in a manner that will not 
interfere with CFPB's operations and will not exclude other persons 
from making inspections. The requester shall not be permitted to remove 
the records from the room where inspection is made. If, after making 
inspection, the requester desires copies of all or a portion of the 
requested records, copies shall be furnished upon payment of the 
established fees prescribed by Sec.  1070.22 of this subpart. Fees may 
be charged for search and review time as stated in Sec.  1070.22 of 
this subpart.
    (4) If it is determined that the request for records should be 
denied in whole or in part, the requester shall be notified by mail or 
by email. The letter of notification shall:
    (i) State the exemptions relied upon in denying the request;
    (ii) If technically feasible, indicate the amount of information 
deleted and the exemptions under which the deletion is made at the 
place in the record where such deletion is made (unless providing such 
indication would harm an interest protected by the exemption relied 
upon to deny such material);
    (iii) Set forth the name and title or position of the responsible 
official;
    (iv) Advise the requester of the right to administrative appeal in 
accordance with Sec.  1070.21 of this subpart; and
    (v) Specify the official or office to which such appeal shall be 
submitted.
    (5) If it is determined, after a reasonable search for records, 
that no responsive records have been found to exist, the requester 
shall be notified in writing or by email. The notification shall also 
advise the requester of the right to administratively appeal the CFPB's 
determination that no responsive records exist (i.e., to challenge the 
adequacy of the CFPB's search for responsive records) in accordance 
with Sec.  1070.21 of this subpart. The response shall specify the 
official or office to which the appeal shall be submitted for review.


Sec.  1070.19  Classified information.

    Whenever a request is made for a record containing information that 
another agency has classified, or which may be appropriate for 
classification by another agency under Executive Order 13526 or any 
other executive order concerning the classification of information, the 
CFPB shall refer the responsibility for responding to the request to 
the classifying or originating agency, as appropriate.


Sec.  1070.20  Requests for business information provided to the CFPB.

    (a) In general. Business information provided to the CFPB by a 
business submitter shall not be disclosed pursuant to a FOIA request 
except in accordance with this section.
    (b) Definitions. For purposes of this section:
    (1) Business information means commercial or financial information 
obtained by the CFPB from a submitter that may be protected from 
disclosure under Exemption 4 of the FOIA, 5 U.S.C. 552(b)(4).
    (2) Submitter means any person from whom the CFPB obtains business 
information, directly or indirectly. The term includes, without 
limitation, corporations, State, local, and tribal governments, and 
foreign governments.
    (c) Designation of business information. A submitter of business 
information will use good-faith efforts to designate, by appropriate 
markings, either at the time of submission or at a reasonable time 
thereafter, any portions of its submission that it considers to be 
protected from disclosure under Exemption 4 of the FOIA. These 
designations will expire ten (10) years after the date of the 
submission unless the submitter requests otherwise and provides 
justification for, a longer designation period.
    (d) Notice to submitters. The CFPB shall provide a submitter with 
prompt written notice of receipt of a request or appeal encompassing 
its business information whenever required in accordance with paragraph 
(e) of this section. Such written notice shall either describe the 
exact nature of the business information requested or provide copies of 
the records or portions of records containing the business information. 
When notification of a voluminous number of submitters is required, 
notification may be made by posting or publishing the notice in a place 
reasonably likely to accomplish it.
    (e) When notice is required. (1) The CFPB shall provide a submitter 
with notice of receipt of a request or appeal whenever:
    (i) The information has been designated in good faith by the 
submitter as information considered protected from disclosure under 
Exemption 4; or
    (ii) The CFPB has reason to believe that the information may be 
protected from disclosure under Exemption 4.
    (2) The notice requirements of this paragraph shall not apply if:
    (i) The CFPB determines that the information is exempt under the 
FOIA;
    (ii) The information lawfully has been published or otherwise made 
available to the public;
    (iii) Disclosure of the information is required by statute (other 
than the FOIA) or by a regulation issued in accordance with the 
requirements of Executive Order 12600 (3 CFR, 1988 Comp., p. 235); or
    (iv) The designation made by the submitter under paragraph 
(e)(1)(i) of this section appears obviously frivolous, except that, in 
such a case, the CFPB shall, within a reasonable time prior to a 
specified disclosure date, give the submitter written notice of any 
final decision to disclose the information.
    (f) Opportunity to object to disclosure. (1) Through the notice 
described in paragraph (d) of this section, the CFPB shall afford a 
submitter ten (10) business days from the date of the notice to provide 
the CFPB with a detailed statement of any objection to disclosure. Such 
statement shall specify all grounds for withholding any of the 
information under any exemption of the FOIA and, in the case of 
Exemption 4, shall demonstrate why the information is considered to be 
a trade secret or commercial or financial information that is 
privileged or confidential. In the event that a submitter fails to 
respond to the notice within the time specified in it, the submitter 
shall be considered to have no objection to disclosure of the 
information. Information provided by a

[[Page 11509]]

submitter pursuant to this paragraph may itself be subject to 
disclosure under the FOIA.
    (2) When notice is given to a submitter under this section, the 
requester shall be advised that such notice has been given to the 
submitter. The requester shall be further advised that a delay in 
responding to the request may be considered a denial of access to 
records and that the requester may proceed with an administrative 
appeal or seek judicial review, if appropriate. However, the requester 
will be invited to agree to a voluntary extension of time so that the 
CFPB may review the submitter's objection to disclose, if any.
    (g) Notice of intent to disclose. The CFPB shall consider carefully 
a submitter's objections and specific grounds for nondisclosure prior 
to determining whether to disclose business information. Whenever the 
CFPB decides to disclose business information over the objection of a 
submitter, the CFPB shall forward to the submitter a written notice 
which shall include:
    (1) A statement of the reasons for which the submitter's disclosure 
objections were not sustained;
    (2) A description of the business information to be disclosed; and
    (3) A specified disclosure date which is not less than ten (10) 
business days after the notice of the final decision to release the 
requested information has been mailed to the submitter. Except as 
otherwise prohibited by law, a copy of the disclosure notice shall be 
forwarded to the requester at the same time.
    (h) Notice to submitter of FOIA lawsuit. Whenever a requester 
brings suit seeking to compel disclosure of business information, the 
CFPB shall promptly notify the submitter of that business information 
of the existence of the suit.
    (i) Notice to requester of business information. The CFPB shall 
notify a requester whenever it provides the submitter with notice and 
an opportunity to object to disclosure; whenever it notifies the 
submitter of its intent to disclose the requested information; and 
whenever a submitter files a lawsuit to prevent the disclosure of the 
information.


Sec.  1070.21  Administrative appeals.

    (a) Grounds for administrative appeals. A requester may appeal an 
initial determination of the CFPB, including for the following reasons:
    (1) To deny access to records in whole or in part (as provided in 
Sec.  1070.18(b) of this subpart);
    (2) To assign a particular fee category to the requestor (as 
provided in Sec.  1070.22(b) of this subpart);
    (3) To deny a request for a reduction or waiver of fees (as 
provided in Sec.  1070.22(e) of this subpart);
    (4) That no records exist that are responsive to the request (as 
provided in Sec.  1070.18(b) of this subpart); or
    (5) To deny a request for expedited processing (as provided in 
Sec.  1070.17(e) of this subpart).
    (b) Time limits for filing administrative appeals. An appeal, other 
than an appeal of a denial of expedited processing, must be postmarked 
or submitted electronically on a date that is within forty-five (45) 
calendar days of the date of the initial determination or the date of 
the letter transmitting the last records released, whichever is later. 
An appeal of a denial of expedited processing must be made within ten 
(10) days of the date of the initial determination letter to deny 
expedited processing (see Sec.  1070.17 of this subpart).
    (c) Form and content of administrative appeals. In order to ensure 
a timely response to an appeal, the appeal shall be made in writing or 
by electronic means as follows:
    (1) If appeal is made in writing, it shall be addressed to and 
submitted to the officer specified in paragraph (e) of this section at 
the address set forth in Sec.  1070.14(b) of this subpart. The appeal 
shall be labeled ``Freedom of Information Act Appeal.''
    (2) If an appeal is made by electronic means, it shall be addressed 
to the officer specified in paragraph (e) of this section and submitted 
as set forth on the CFPB's Web site, http://www.consumerfinance.gov. 
The appeal shall be labeled ``Freedom of Information Act Appeal.''
    (3) The appeal shall set forth contact information for the 
requester, including, to the extent available, a mailing address, 
telephone number, or email address at which the CFPB may contact the 
requester regarding the appeal; and
    (4) The appeal shall specify the applicable request tracking 
number, the date of the initial request, and the date of the letter of 
initial determination, and, where possible, enclose a copy of the 
initial request and the initial determination being appealed.
    (d) Processing of administrative appeals. Appeals will be stamped 
with the date of their receipt by the FOIA response office, and will be 
processed in the order of their receipt. The receipt of the appeal will 
be acknowledged by the CFPB and the requester will be advised of the 
date the appeal was received, the appeal tracking number, and the 
expected date of response.
    (e) Determinations to grant or deny administrative appeals. The 
General Counsel is authorized to and shall decide whether to affirm the 
initial determination (in whole or in part) or to reverse the initial 
determination (in whole or in part) and shall notify the requester of 
this decision in writing within twenty (20) business days after the 
date of receipt of the appeal, unless extended pursuant to Sec.  
1070.16(d) of this subpart.
    (1) If it is decided that the appeal is to be denied (in whole or 
in part) the requester shall be:
    (i) Notified in writing of the denial;
    (ii) Notified of the reasons for the denial, including which of the 
FOIA exemptions were relied upon;
    (iii) Notified of the name and title or position of the official 
responsible for the determination on appeal;
    (iv) Provided with a statement that judicial review of the denial 
is available in the United States District Court for the judicial 
district in which the requester resides or has a principal place of 
business, the judicial district in which the requested records are 
located, or the District of Columbia in accordance with 5 U.S.C. 
552(a)(4)(B); and
    (v) Provided with notification that mediation services are 
available to the requester as a non-exclusive alternative to litigation 
through the Office of Government Information Services in accordance 
with 5 U.S.C. 552(h)(3).
    (2) If the initial determination is reversed on appeal, the 
requester shall be so notified and the request shall be processed 
promptly in accordance with the decision on appeal.
    (3) If the initial determination is remanded on appeal to the Chief 
FOIA Officer for further action, the requester shall be so notified and 
the request shall be processed in accordance with the decision on 
appeal. The remanded request shall be treated as a new request received 
by the CFPB as of the date when the General Counsel transmits the 
remand notification to the requester. The procedures and deadlines set 
forth in this subpart for processing, deciding, responding to, and 
filing administrative appeals of new FOIA requests shall apply to the 
remanded request.
    (f) Adjudication of administrative appeals of requests in 
litigation. An appeal ordinarily will not be adjudicated if the request 
becomes a matter of FOIA litigation.

[[Page 11510]]

Sec.  1070.22  Fees for processing requests for CFPB records.

    (a) In general. The CFPB shall determine whether and to what extent 
to charge a requester fees for processing a FOIA request, for the 
services and in the amounts set forth in this paragraph, by determining 
an appropriate fee category for the requester (as set forth in 
paragraph (b) of this section) and then by charging the requester those 
fees applicable to the assigned category (as set forth in paragraph (c) 
of this section), unless circumstances exist (as described in paragraph 
(d) of this section) that render fees inapplicable or inadvisable or 
unless the requester has requested and the CFPB has granted a reduction 
in or waiver of fees (as set forth in paragraph (e) of this section).
    (1) The CFPB shall charge a requester fees for the cost of copying 
or printing records at the rate of $0.10 per page.
    (2) The CFPB shall charge a requester for all time spent by its 
employees searching for records that are responsive to a request. The 
CFPB shall charge the requester fees for search time as follows:
    (i) The CFPB shall charge for search time at the salary rate(s) 
(basic pay plus sixteen (16) percent) of the employee(s) who conduct 
the search. However, the CFPB shall charge search fees at the rate of 
$9.00 per fifteen (15) minutes of search time whenever only 
administrative/clerical employees conduct a search and at the rate of 
$23.00 per fifteen (15) minutes of search time whenever only 
professional/executive employees conduct a search. Search charges shall 
also include transportation of employees and records necessary to the 
search at actual cost. Fees may be charged for search time even if the 
search does not yield any responsive records, or if records are exempt 
from disclosure.
    (ii) The CFPB shall charge the requester for the actual direct 
costs of conducting an electronic records search, including computer 
search time, runs, and output. The CFPB shall also charge for time 
spent by computer operators or programmers (at the rates set forth in 
paragraph (a)(2)(i) of this section) who conduct or assist in the 
conduct of an electronic records search.
    (3) The CFPB shall charge a requester for time spent by its 
employees examining responsive records to determine whether any 
portions of such record are exempt from disclosure, pursuant to the 
FOIA exemptions of 5 U.S.C. 552(b). The CFPB shall also charge a 
requester for time spent by its employees redacting any such exempt 
information from a record and preparing a record for release to the 
requester. The CFPB shall charge a requester for time spent reviewing 
records at the salary rate(s) (i.e., basic pay plus sixteen (16) 
percent) of the employees who conduct the review. However, the CFPB 
shall charge review fees at the rate of $9.00 per fifteen (15) minutes 
of search time whenever only administrative/clerical employees review 
records and at the rate of $23.00 per fifteen (15) minutes of search 
time whenever only professional/executive employees review records. 
Fees shall be charged for review time even if records ultimately are 
not disclosed.
    (4) Fees for all services provided shall be charged whether or not 
copies are made available to the requester for inspection. However, no 
fee shall be charged for monitoring a requester's inspection of 
records.
    (5) Other services and materials requested which are not covered by 
this part nor required by the FOIA are chargeable at the actual cost to 
the CFPB. This includes, but is not limited to:
    (i) Certifying that records are true copies; or
    (ii) Sending records by special methods such as express mail, etc.
    (b) Categories of requesters. (1) For purposes of assessing fees as 
set forth in this section, each requester shall be assigned to one of 
the following categories:
    (i) Commercial user refers to one who seeks information for a use 
or purpose that furthers the commercial, trade, or profit interests of 
the requester or the person on whose behalf the request is made, which 
can include furthering those interests through litigation. The CFPB may 
determine from the use specified in the request that the requester is a 
commercial user.
    (ii) Educational institution refers to a preschool, a public or 
private elementary or secondary school, an institution of graduate 
higher education, an institution of undergraduate higher education, an 
institution of professional education, and an institution of vocational 
education, which operates a program or programs of scholarly research.
    (iii) Non-commercial scientific institution refers to an 
institution that is not operated on a ``commercial user'' basis as that 
term is defined in paragraph (b)(2)(i) of this section, and which is 
operated solely for the purpose of conducting scientific research, the 
results of which are not intended to promote any particular product or 
industry.
    (iv) Representative of the news media refers to any person or 
entity that gathers information of potential interest to a segment of 
the public, uses its editorial skills to turn the raw materials into a 
distinct work, and distributes that work to an audience. In this 
paragraph, the term `news' means information that is about current 
events or that would be of current interest to the public. Examples of 
news-media entities are television or radio stations broadcasting to 
the public at large and publishers of periodicals (but only if such 
entities qualify as disseminators of `news') who make their products 
available for purchase by or subscription by or free distribution to 
the general public. Other examples of news media entities include 
online publications and Web sites that regularly deliver news content 
to the public. These examples are not all-inclusive. Moreover, as 
methods of news delivery evolve (for example, the adoption of the 
electronic dissemination of newspapers through telecommunications 
services), such alternative media shall be considered to be news-media 
entities. A freelance journalist shall be regarded as working for a 
news-media entity if the journalist can demonstrate a solid basis for 
expecting publication through that entity, whether or not the 
journalist is actually employed by the entity. A publication contract 
would present a solid basis for such an expectation; the CFPB may also 
consider the past publication record of the requester in making such a 
determination.
    (v) ``Other'' requester refers to a requester who does not fall 
within any of the previously described categories.
    (2) Within twenty (20) calendar days of its receipt of a request, 
the CFPB shall make a determination as to the proper fee category to 
apply to a requester. The CFPB shall inform the requester of the 
determination in the request acknowledgment letter, or if no such 
letter is required, in writing. The CFPB shall base its determination 
upon a review of the requester's submission and the CFPB's own records. 
Where the CFPB has reasonable cause to doubt the use to which a 
requester will put the records sought, or where that use is not clear 
from the request itself, the CFPB should seek additional clarification 
before assigning the request to a specific category.
    (3) If the CFPB assigns to a requester a fee category, then the 
requester shall have the right to submit an appeal of the CFPB's 
determination in accordance with Sec.  1070.21 of this subpart. The 
CFPB shall communicate this appeal right as part of its written 
notification to the requester of an adverse fee category determination. 
The requester shall label its appeal request ``Appeal of Fee Category 
Determination.''

[[Page 11511]]

    (c) Fees applicable to each category of requester. The following 
fee schedule applies uniformly throughout the CFPB to requests 
processed under the FOIA. Specific levels of fees are prescribed for 
each category of requester defined in paragraph (b) of this section.
    (1) Commercial users shall be charged the full direct costs of 
searching for, reviewing, and duplicating the records they request. 
Moreover, when a request is received for disclosure that is primarily 
in the commercial interest of the requester, the CFPB is not required 
to consider a request for a waiver or reduction of fees based upon the 
assertion that disclosure would be in the public interest. The CFPB may 
recover the cost of searching for and reviewing records even if there 
is ultimately no disclosure of records or no records are located.
    (2) Educational and non-commercial scientific institution 
requesters shall be charged only for the cost of duplicating the 
records they request, except that the CFPB shall provide the first one 
hundred (100) pages of duplication free of charge. To be eligible, 
requesters must show that the request is made under the auspices of a 
qualifying institution and that the records are not sought for a 
commercial use, but are sought in furtherance of scholarly (if the 
request is from an educational institution) or scientific (if the 
request is from a non-commercial scientific institution) research. 
These categories do not include requesters who want records for use in 
meeting individual academic research or study requirements.
    (3) Representatives of the news media shall be charged only for the 
cost of duplicating the records they request, except that the CFPB 
shall provide them with the first one hundred (100) pages of 
duplication free of charge.
    (4) Other requesters who do not fit any of the categories described 
above shall be charged the full direct cost of searching for and 
duplicating records that are responsive to the request, except that the 
CFPB shall provide the first one hundred (100) pages of duplication and 
the first two hours of search time free of charge. The CFPB may recover 
the cost of searching for records even if there is ultimately no 
disclosure of records, or no records are located. Requests from persons 
for records about themselves filed in the CFPB's systems of records 
shall continue to be treated under the fee provisions of the Privacy 
Act of 1974, 5 U.S.C. 552a, which permit fees only for duplication, 
after the first one hundred (100) pages are furnished free of charge.
    (d) Other circumstances when fees are not charged. Notwithstanding 
paragraphs (b) and (c) of this section, the CFPB may not charge a 
requester a fee for processing a FOIA request if any of the following 
applies:
    (1) The cost of collecting a fee would be equal to or greater than 
the fee itself;
    (2) The fees were waived or reduced in accordance with paragraph 
(e) of this section;
    (3) If the CFPB fails to comply with any time limit under 
Sec. Sec.  1070.15 or 1070.21 of this subpart, and no unusual 
circumstances (as that term is defined in Sec.  1070.16(d)) or 
exceptional circumstances apply to the processing of the request, then 
the CFPB shall not assess search fees, or if the requester is a 
representative of the news media or an educational or noncommercial 
scientific institution, then the CFPB shall not assess duplication 
fees. The term ``exceptional circumstances'' does not include a delay 
that results from a predictable CFPB workload of requests, unless the 
CFPB demonstrates reasonable progress in reducing its backlog of 
pending requests; or
    (4) If the CFPB determines, as a matter of administrative 
discretion, that waiving or reducing the fees would serve the interest 
of the United States Government.
    (e) Waiver or reduction of fees. (1) A requester shall be entitled 
to receive from the CFPB a waiver or reduction in the fees otherwise 
applicable to a FOIA request whenever the requester:
    (i) Requests such waiver or reduction of fees in writing or by 
electronic means as part of the FOIA request;
    (ii) Labels the request for waiver or reduction of fees ``Fee 
Waiver or Reduction Requested'' on the FOIA request; and
    (iii) Demonstrates that the fee reduction or waiver request that a 
waiver or reduction of the fees is in the public interest because:
    (A) Furnishing the information is likely to contribute 
significantly to public understanding of the operations or activities 
of the government; and
    (B) Furnishing the information is not primarily in the commercial 
interest of the requester.
    (2) To determine whether the requester has satisfied the 
requirements of paragraph (e)(1)(ii)(A), the CFPB shall consider the 
following factors:
    (i) The subject of the requested records must concern identifiable 
operations or activities of the Federal government, with a connection 
that is direct and clear, and not remote or attenuated.
    (ii) The disclosable portions of the requested records must be 
meaningfully informative about government operations or activities in 
order to be ``likely to contribute'' to an increased public 
understanding of those operations or activities. The disclosure of 
information that already is in the public domain, in either a 
duplicative or a substantially similar form, is not as likely to 
contribute to the public's understanding.
    (iii) The disclosure must contribute to the understanding of a 
reasonably broad audience of persons interested in the subject, as 
opposed to the individual understanding of the requester. A requester's 
expertise in the subject area and ability and intention to effectively 
convey information to the public shall be considered. It shall be 
presumed that a representative of the news media will satisfy this 
consideration.
    (iv) The public's understanding of the subject in question, as 
compared to the level of public understanding existing prior to the 
disclosure, must be enhanced by the disclosure to a significant extent.
    (3) To determine whether the requester has satisfied the 
requirements of paragraph (e)(1)(ii)(B), the CFPB shall consider the 
following factors:
    (i) The CFPB shall consider any commercial interest of the 
requester (with reference to the definition of ``commercial user'' in 
(b)(1)(i) of this section), or of any person on whose behalf the 
requester may be acting, that would be furthered by the requested 
disclosure. Requesters shall be given an opportunity in the 
administrative process to provide explanatory information regarding 
this consideration.
    (ii) A fee waiver or reduction is justified where the public 
interest standard is satisfied and that public interest is greater in 
magnitude than that of any identified commercial interest in 
disclosure. The CFPB ordinarily shall presume that where a news media 
requester has satisfied the public interest standard, the public 
interest will be the interest primarily served by disclosure to that 
requester. Disclosure to data brokers or others who merely compile and 
market government information for direct economic return shall not be 
presumed to primarily serve the public interest.
    (4) Where only some of the records to be released satisfy the 
requirements for a waiver of fees, a waiver shall be granted for those 
records.
    (5) The CFPB shall decide whether to grant or deny a request to 
reduce or waive fees prior to processing a request. The CFPB shall 
notify the requester of the determination in writing.

[[Page 11512]]

    (6) If the CFPB denies a request to reduce or waive fees, then the 
CFPB shall advise the requester, in the denial notification letter, 
that the requester may incur fees if the CFPB proceeds to process the 
request. The notification letter shall also advise the requester that 
the CFPB will not proceed to process the request further unless the 
requester, in writing, directs the CFPB to do so and either agrees to 
pay any fees that may apply to processing the request or specifies an 
upper limit (of not less than $25) that the requester is willing to pay 
to process the request. If the CFPB does not receive this written 
direction and agreement/specification within thirty (30) calendar days 
of the date of the denial notification letter, then the CFPB shall deem 
the request to be withdrawn.
    (7) If the CFPB denies a request to reduce or waive fees, then the 
requester shall have the right to submit an appeal of the denial 
determination in accordance with section 1070.21 of this subpart. The 
CFPB shall communicate this appeal right as part of its written 
notification to the requester denying the fee reduction or waiver 
request. The requester should label its appeal request ``Appeal for Fee 
Reduction/Waiver.''
    (f) Advance notice and prepayment of fees. (1) When the CFPB 
estimates the fees for processing a request to exceed the limit set by 
the requester, and that amount is less than $250, or the requester did 
not specify a limit and the amount is less than $250, the requester 
shall be notified of the estimated fees, and provided a breakdown of 
the fees attributable to search, review, and duplication, respectively. 
The requester must provide an agreement to pay the estimated fees; 
however, the requester shall also be given an opportunity to 
reformulate the request in an attempt to reduce fees.
    (2) If the requester has failed to state a limit and the fees are 
estimated to exceed $250, the requester shall be notified of the 
estimated fees and provided a breakdown of the fees attributable to 
search, review, and duplication, respectively. The requester must pre-
pay such amount prior to the processing of the request, or provide 
satisfactory assurance of full payment if the requester has a history 
of prompt payment of FOIA fees. The requester shall also be given an 
opportunity to reformulate the request in such a way as to lower the 
applicable fees.
    (3) The CFPB reserves the right to request prepayment after a 
request is processed and before documents are released.
    (4) If a requester has previously failed to pay a fee within thirty 
(30) calendar days of the date of the billing, the requester shall be 
required to pay the full amount owed plus any applicable interest and 
to make an advance payment of the full amount of the estimated fee 
before the CFPB begins to process a new request or the pending request.
    (5) When the CFPB acts under paragraphs (f)(1) through (4) of this 
section, the statutory time limits of twenty (20) days (excluding 
Saturdays, Sundays, and legal public holidays) from receipt of initial 
requests or appeals, plus extensions of these time limits, shall begin 
only after fees have been paid, a written agreement to pay fees has 
been provided, or a request has been reformulated.
    (g) Form of payment. Payment may be tendered as set forth on the 
CFPB's Web site, http://www.consumerfinance.gov.
    (h) Charging interest. The CFPB may charge interest on any unpaid 
bill starting on the 31st day following the date of billing the 
requester. Interest charges will be assessed at the rate provided in 31 
U.S.C. 3717 and will accrue from the date of the billing until payment 
is received by the CFPB. The CFPB will follow the provisions of the 
Debt Collection Act of 1982 (Pub. L. 97-365, 96 Stat. 1749), as 
amended, and its administrative procedures, including the use of 
consumer reporting agencies, collection agencies, and offset.
    (i) Aggregating requests. Where the CFPB reasonably believes that a 
requester or a group of requesters acting together is attempting to 
divide a request into a series of requests for the purpose of avoiding 
fees, the CFPB may aggregate those requests and charge accordingly. The 
CFPB may presume that multiple requests of this type made within a 
thirty (30) day period have been made in order to avoid fees. Where 
requests are separated by a longer period, the CFPB will aggregate them 
only where there exists a solid basis for determining that aggregation 
is warranted under all the circumstances involved. Multiple requests 
involving unrelated matters will not be aggregated.


Sec.  1070.23  Authority and responsibilities of the Chief FOIA 
Officer.

    (a) Chief FOIA Officer. The Director authorizes the Chief FOIA 
Officer to act upon all requests for agency records, with the exception 
of determining appeals from the initial determinations of the Chief 
FOIA Officer, which will be decided by the General Counsel. The Chief 
FOIA officer shall, subject to the authority of the Director:
    (1) Have CFPB-wide responsibility for efficient and appropriate 
compliance with the FOIA;
    (2) Monitor implementation of the FOIA throughout the CFPB and keep 
the Director, the General Counsel, and the Attorney General 
appropriately informed of the CFPB's performance in implementing the 
FOIA;
    (3) Recommend to the Director such adjustments to agency practices, 
policies, personnel and funding as may be necessary to improve the 
Chief FOIA Officer's implementation of the FOIA;
    (4) Review and report to the Attorney General, through the 
Director, at such times and in such formats as the Attorney General may 
direct, on the CFPB's performance in implementing the FOIA;
    (5) Facilitate public understanding of the purposes of the 
statutory exemptions of the FOIA by including concise descriptions of 
the exemptions in both the CFPB's handbook and the CFPB's annual report 
on the FOIA, and by providing an overview, where appropriate, of 
certain general categories of CFPB records to which those exemptions 
apply;
    (6) Designate one or more FOIA Public Liaisons; and
    (7) Maintain and update, as necessary and in accordance with the 
requirements of this subpart, the CFPB's FOIA Web site, including its 
e-FOIA Library.
    (b) FOIA Public Liaisons. FOIA Public Liaisons shall report to the 
Chief FOIA Officer and shall serve as supervisory officials to whom a 
requester can raise concerns about the service the requester has 
received from the CFPB's FOIA office, following an initial response 
from the FOIA office staff. FOIA Public Liaisons shall be responsible 
for assisting in reducing delays, increasing transparency and 
understanding of the status of requests, and assisting in the 
resolution of disputes.

Subpart C--Disclosure of CFPB Information in Connection With Legal 
Proceedings


Sec.  1070.30  Purpose and scope; definitions.

    (a) This subpart sets forth the procedures to be followed with 
respect to:
    (1) Service of summonses and complaints directed to the CFPB, the 
Director, or to any CFPB employee in connection with Federal or State 
litigation arising out of or involving the performance of official 
activities of the CFPB; and
    (2) Subpoenas, court orders, or other requests or demands for any 
CFPB information, whether contained in the files of the CFPB or 
acquired by a CFPB employee as part of the performance of

[[Page 11513]]

that employee's duties or by virtue of employee's official status.
    (b) This subpart does not apply to requests for official 
information made pursuant to subparts B, D, and E of this part.
    (c) This subpart does not apply to requests for information made in 
the course of adjudicating claims against the CFPB by CFPB employees 
(present or former) or applicants for CFPB employment for which 
jurisdiction resides with the U.S. Equal Employment Opportunity 
Commission, the U.S. Merit Systems Protection Board, the Office of 
Special Counsel, the Federal Labor Relations Authority, or their 
successor agencies, or a labor arbitrator operating under a collective 
bargaining agreement between the CFPB and a labor organization 
representing CFPB employees.
    (d) This subpart is intended only to inform the public about CFPB 
procedures concerning the service of process and responses to 
subpoenas, summons, or other demands or requests for official 
information or action and is not intended to and does not create, and 
may not be relied upon to create any right or benefit, substantive or 
procedural, enforceable at law by a party against the CFPB or the 
United States.
    (e) For purposes of this subpart:
    (1) Demand means a subpoena or order for official information, 
whether contained in CFPB records or through testimony, related to or 
for possible use in a legal proceeding.
    (2) Legal proceeding encompasses all pre-trial, trial, and post-
trial stages of all judicial or administrative actions, hearings, 
investigations, or similar proceedings before courts, commissions, 
boards, grand juries, arbitrators, or other judicial or quasi-judicial 
bodies or tribunals, whether criminal, civil, or administrative in 
nature, and whether foreign or domestic. This phrase includes all 
stages of discovery as well as formal or informal requests by attorneys 
or others involved in legal proceedings.
    (3) Official Information means all information of any kind, however 
stored, that is in the custody and control of the CFPB or was acquired 
by CFPB employees, or former employees as part of their official duties 
or because of their official status while such individuals were 
employed by or served on behalf of the CFPB. Official information also 
includes any information acquired by CFPB employees or former employees 
while such individuals were engaged in matters related to consumer 
financial protection functions prior to the employees' transfer to the 
CFPB pursuant to Subtitle F of the Consumer Financial Protection Act of 
2010.
    (4) Request means any request for official information in the form 
of testimony, affidavits, declarations, admissions, responses to 
interrogatories, document production, inspections, or formal or 
informal interviews, during the course of a legal proceeding, including 
pursuant to the Federal Rules of Civil Procedure, the Federal Rules of 
Criminal Procedure, or other applicable rules of procedure.
    (5) Testimony means a statement in any form, including personal 
appearances before a court or other legal tribunal, interviews, 
depositions, telephonic, televised, or videographed statements or any 
responses given during discovery or similar proceeding in the course of 
litigation.


Sec.  1070.31  Service of summonses and complaints.

    (a) Only the General Counsel is authorized to receive and accept 
summonses or complaints sought to be served upon the CFPB or CFPB 
employees sued in their official capacity. Such documents should be 
served upon the General Counsel, Consumer Financial Protection Bureau, 
1700 G Street NW., Washington, DC 20552. This authorization for receipt 
shall in no way affect the requirements of service elsewhere provided 
in applicable rules and regulations.
    (b) If, notwithstanding paragraph (a) of this section, any summons 
or complaint described in that paragraph is delivered to an employee of 
the CFPB, the employee shall decline to accept the proffered service 
and may notify the person attempting to make service of the regulations 
set forth herein. If, notwithstanding this instruction, an employee 
accepts service of a document described in paragraph (a) of this 
section, the employee shall immediately notify and deliver a copy of 
the summons and complaint to the General Counsel.
    (c) When a CFPB employee is sued in an individual capacity for an 
act or omission occurring in connection with duties performed on behalf 
of the CFPB (whether or not the officer or employee is also sued in an 
official capacity), the employee by law is to be served personally with 
process. See Fed. R. Civ. P. 4(i)(3). An employee sued in an individual 
capacity for an act or omission occurring in connection with duties 
performed on behalf of the CFPB shall immediately notify, and deliver a 
copy of the summons and complaint to, the General Counsel.
    (d) The CFPB will only accept service of process for an employee 
sued in his or her official capacity. Documents for which the General 
Counsel accepts service in official capacity shall be stamped ``Service 
Accepted in Official Capacity Only.'' Acceptance of service shall not 
constitute an admission or waiver with respect to jurisdiction, 
propriety of service, improper venue, or any other defense in law or 
equity available under applicable laws or rules.


Sec.  1070.32  Service of subpoenas, court orders, and other demands 
for CFPB information or action.

    (a) Except in cases in which the CFPB is represented by legal 
counsel who have entered an appearance or otherwise given notice of 
their representation, only the General Counsel is authorized to receive 
and accept subpoenas or other demands or requests directed to the CFPB 
or its employees, whether civil or criminal in nature, for:
    (1) Records of the CFPB;
    (2) Official information including, but not limited to, testimony, 
affidavits, declarations, admissions, responses to interrogatories, or 
informal statements, relating to material contained in the files of the 
CFPB or which any CFPB employee acquired in the course and scope of the 
performance of his or her official duties;
    (3) Garnishment or attachment of compensation of current or former 
employees; or
    (4) The performance or non-performance of any official CFPB duty.
    (b) Documents described in paragraph (a) of this section should be 
served upon the General Counsel, Consumer Financial Protection Bureau, 
1700 G Street NW., Washington, DC 20552. Service must be effected as 
provided in applicable rules and regulations governing service in 
Federal judicial and administrative proceedings. Acceptance of such 
documents by the General Counsel does not constitute a waiver of any 
defense that might otherwise exist with respect to service under the 
Federal Rules of Civil or Criminal Procedure or other applicable laws 
or regulations.
    (c) In the event that any demand or request described in paragraph 
(a) of this section is sought to be delivered to a CFPB employee other 
than in the manner prescribed in paragraph (b) of this section, such 
employee shall decline service and direct the server of process to 
these regulations. If the demand or request is nonetheless delivered to 
the employee, the employee shall immediately notify, and deliver a copy 
of that document to, the General Counsel.

[[Page 11514]]

    (d) Except as otherwise provided in this subpart, the CFPB is not 
an agent for service for, or otherwise authorized to accept on behalf 
of its employees, any subpoenas, orders, or other demands or requests, 
which are not related to the employees' official duties except upon the 
express, written authorization of the individual CFPB employee to whom 
such demand or request is directed.
    (e) Copies of any subpoenas, orders, or other demands or requests 
that are directed to former employees of the CFPB in connection with 
the performance of official CFPB duties shall also be served upon the 
General Counsel. The CFPB shall not, however, serve as an agent for 
service for the former employee, nor is the CFPB otherwise authorized 
to accept service on behalf of its former employees. If the demand 
involves their official duties as CFPB employees, former employees who 
receive subpoenas, orders, or similar compulsory process should also 
notify, and deliver a copy of the document to, the General Counsel.


Sec.  1070.33  Testimony and production of documents prohibited unless 
approved by the General Counsel.

    (a) Unless authorized by the General Counsel, no employee or former 
employee of the CFPB shall, in response to a demand or a request 
provide oral or written testimony by deposition, declaration, 
affidavit, or otherwise concerning any official information.
    (b) Unless authorized by the General Counsel, no employee or former 
employee shall, in response to a demand or request, produce any 
document or any material acquired as part of the performance of that 
employee's duties or by virtue of that employee's official status.


Sec.  1070.34  Procedure when testimony or production of documents is 
sought; general.

    (a) If, as part of a proceeding in which the United States or the 
CFPB is not a party, official information is sought through a demand 
for testimony, CFPB records, or other material, the party seeking such 
information must (except as otherwise required by Federal law or 
authorized by the General Counsel) set forth in writing:
    (1) The title and forum of the proceeding, if applicable;
    (2) A detailed description of the nature and relevance of the 
official information sought;
    (3) A showing that other evidence reasonably suited to the 
requester's needs is not available from any other source; and
    (4) If testimony is requested, the intended use of the testimony, a 
general summary of the desired testimony, and a showing that no 
document could be provided and used in lieu of testimony.
    (b) To the extent he or she deems necessary or appropriate, the 
General Counsel may also require from the party seeking such 
information a plan of all reasonably foreseeable demands, including but 
not limited to the names of all employees and former employees from 
whom discovery will be sought, areas of inquiry, expected duration of 
proceedings requiring oral testimony, identification of potentially 
relevant documents, or any other information deemed necessary to make a 
determination. The purpose of this requirement is to assist the General 
Counsel in making an informed decision regarding whether testimony or 
the production of documents or material should be authorized.
    (c) The General Counsel may consult or negotiate with an attorney 
for a party, or the party if not represented by an attorney, to refine 
or limit a request or demand so that compliance is less burdensome.
    (d) The General Counsel will notify the CFPB employee and such 
other persons as circumstances may warrant of his or her decision 
regarding compliance with the request or demand.


Sec.  1070.35  Procedure when response to demand is required prior to 
receiving instructions.

    (a) If a response to a demand described in section 1070.34 of this 
subpart is required before the General Counsel renders a decision, the 
CFPB will request that the appropriate CFPB attorney or an attorney of 
the Department of Justice, as appropriate, take steps to stay, 
postpone, or obtain relief from the demand pending decision. If 
necessary, the attorney will:
    (1) Appear with the employee upon whom the demand has been made;
    (2) Furnish the court or other authority with a copy of the 
regulations contained in this subpart;
    (3) Inform the court or other authority that the demand has been, 
or is being, as the case may be, referred for the prompt consideration 
of the appropriate CFPB official; and
    (4) Respectfully request the court or authority to stay the demand 
pending receipt of the requested instructions.
    (b) In the event that an immediate demand for production or 
disclosure is made in circumstances which would preclude the proper 
designation or appearance of an attorney of the CFPB or the Department 
of Justice on the employee's behalf, the employee, if necessary, shall 
respectfully request from the demanding court or authority a reasonable 
stay of proceedings for the purpose of obtaining instructions from the 
General Counsel.


Sec.  1070.36  Procedure in the event of an adverse ruling.

    If a stay or, or other relief from, the effect of a demand made 
pursuant to sections 1070.34 and 1070.35 of this subpart is declined or 
not obtained, or if the court or other judicial or quasi-judicial 
authority declines to stay the effect of the demand made pursuant to 
sections 1070.34 and 1070.35 of this subpart, or if the court or other 
authority rules that the demand must be complied with irrespective of 
the General Counsel's instructions not to produce the material or 
disclose the information sought, the employee upon whom the demand has 
been made shall respectfully decline to comply with the demand citing 
this subpart and United States ex rel. Touhy v. Ragen, 340 U.S. 462 
(1951).


Sec.  1070.37  Considerations in determining whether the CFPB will 
comply with a demand or request.

    (a) In deciding whether to comply with a demand or request, CFPB 
officials and attorneys shall consider, among other pertinent 
considerations:
    (1) Whether such compliance would be unduly burdensome or otherwise 
inappropriate under the applicable rules of discovery or the rules of 
procedure governing the case or matter in which the demand arose;
    (2) Whether the number of similar requests would have a cumulative 
effect on the expenditure of CFPB resources;
    (3) Whether compliance is appropriate under the relevant 
substantive law concerning privilege or disclosure of information;
    (4) The public interest;
    (5) The need to conserve the time of CFPB employees for the conduct 
of official business;
    (6) The need to avoid spending time and money of the United States 
for private purposes;
    (7) The need to maintain impartiality between private litigants in 
cases where a substantial government interest is not implicated;
    (8) Whether compliance would have an adverse effect on performance 
by the CFPB of its mission and duties;
    (9) The need to avoid involving the CFPB in controversial issues 
not related to its mission;
    (10) Compliance would interfere with supervisory examinations, 
compromise the CFPB's supervisory functions or programs, or undermine 
public confidence in supervised financial institutions; and

[[Page 11515]]

    (11) Compliance would interfere with the CFPB's ability to monitor 
for risks to consumers in the offering or provision of consumer 
financial products and services.
    (b) Among those demands and requests in response to which 
compliance will not ordinarily be authorized are those with respect to 
which any of the following factors, inter alia, exist:
    (1) Compliance would violate a statute or applicable rule of 
procedure;
    (2) Compliance would violate a specific regulation or Executive 
order;
    (3) Compliance would reveal information properly classified in the 
interest of national security;
    (4) Compliance would reveal confidential or privileged commercial 
or financial information or trade secrets without the owner's consent;
    (5) Compliance would compromise the integrity of the deliberative 
processes of the CFPB;
    (6) Compliance would not be appropriate or necessary under the 
relevant substantive law governing privilege;
    (7) Compliance would reveal confidential information; or
    (8) Compliance would interfere with ongoing investigations or 
enforcement proceedings, compromise constitutional rights, or reveal 
the identity of a confidential informant.
    (c) The CFPB may condition disclosure of official information 
pursuant to a request or demand on the entry of an appropriate 
protective order.


Sec.  1070.38  Prohibition on providing expert or opinion testimony.

    (a) Except as provided in this section, and subject to 5 CFR 
2635.805, CFPB employees or former employees shall not provide opinion 
or expert testimony based upon information which they acquired in the 
scope and performance of their official CFPB duties, except on behalf 
of the CFPB or the United States or a party represented by the CFPB, or 
the Department of Justice, as appropriate.
    (b) Any expert or opinion testimony by a former employee of the 
CFPB shall be excepted from paragraph (a) of this section where the 
testimony involves only general expertise gained while employed at the 
CFPB.
    (c) Upon a showing by the requestor of exceptional need or unique 
circumstances and that the anticipated testimony will not be adverse to 
the interests of the United States, the General Counsel may, consistent 
with 5 CFR 2635.805, exercise his or her discretion to grant special, 
written authorization for CFPB employees, or former employees, to 
appear and testify as expert witnesses at no expense to the United 
States.
    (d) If, despite the final determination of the General Counsel, a 
court of competent jurisdiction or other appropriate authority orders 
the appearance and expert or opinion testimony of a current or former 
CFPB employee, that person shall immediately inform the General Counsel 
of such order. If the General Counsel determines that no further legal 
review of or challenge to the court's order will be made, the CFPB 
employee, or former employee, shall comply with the order. If so 
directed by the General Counsel, however, the employee, or former 
employee, shall respectfully decline to testify.

Subpart D--Confidential Information


Sec.  1070.40  Purpose and scope.

    This subpart does not apply to requests for official information 
made pursuant to subparts B, C, or E of this part.


Sec.  1070.41  Non-disclosure of confidential information.

    (a) Non-disclosure. Except as required by law or as provided in 
this part, no current or former employee or contractor or consultant of 
the CFPB, or any other person in possession of confidential 
information, shall disclose such confidential information by any means 
(including written or oral communications) or in any format (including 
paper and electronic formats), to:
    (1) Any person who is not an employee, contractor, or consultant of 
the CFPB; or
    (2) Any CFPB employee, contractor, or consultant when the 
disclosure of such confidential information to that employee, 
contractor, or consultant is not relevant to the performance of the 
employee's, contractor's, or consultant's assigned duties.
    (b) Disclosures to contractors and consultants. CFPB contractors or 
consultants may receive confidential information only if such 
contractors or consultants certify in writing to treat such 
confidential information in accordance with these rules, Federal laws 
and regulations that apply to Federal agencies for the protection of 
the confidentiality of personally identifiable information and for data 
security and integrity, as well as any additional conditions or 
limitations that the CFPB may impose.
    (c) Disclosure of materials derived from confidential information. 
Nothing in this subpart shall limit the discretion of the CFPB to 
disclose materials that it derives from or creates using confidential 
information to the extent that such materials do not identify, either 
directly or indirectly, any particular person to whom the confidential 
information pertains.
    (d) Disclosability of confidential information provided to the CFPB 
by other agencies. Nothing in this subpart requires or authorizes the 
CFPB to disclose confidential information that another agency has 
provided to the CFPB to the extent that such disclosure contravenes 
applicable law or the terms of any agreement that exists between the 
CFPB and the agency to govern the CFPB's treatment of information that 
the agency provides to the CFPB.


Sec.  1070.42  Disclosure of confidential supervisory information to 
supervised financial institutions and their affiliates and by 
supervised financial institutions and their affiliates to others.

    (a) Discretionary disclosure of confidential supervisory 
information to supervised financial institutions and their affiliates. 
The CFPB may, in its discretion, and to the extent consistent with 
applicable law, disclose confidential supervisory information 
concerning a supervised financial institution or its service providers 
to that supervised financial institution or to its affiliates.
    (b) Disclosure of confidential supervisory information by a 
supervised financial institution or its affiliates. Unless directed 
otherwise by the Associate Director for Supervision, Enforcement, and 
Fair Lending or by his or her delegee:
    (1) Any supervised financial institution lawfully in possession of 
confidential supervisory information of the CFPB pursuant to this 
section may disclose such information, or portions thereof, to its 
affiliates and to the following individuals to the extent that the 
disclosure of such confidential supervisory information is relevant to 
the performance of such individuals' assigned duties:
    (i) The directors, officers, trustees, members, general partners, 
or employees of the supervised financial institution; and
    (ii) The directors, officers, trustees, members, general partners, 
or employees of the affiliates of the supervised financial institution.
    (2) Any supervised financial institution or affiliate thereof that 
is lawfully in possession of confidential supervisory information of 
the CFPB pursuant to this section may disclose such information, or 
portions thereof, to:

[[Page 11516]]

    (i) Its certified public accountant, legal counsel, contractor, 
consultant, or service provider; or
    (ii) Another person, with the prior written approval of the 
Associate Director for Supervision, Enforcement, and Fair Lending or 
his or her delegee.
    (3) Where a supervised financial institution or its affiliate 
discloses confidential supervisory information pursuant to this 
paragraph (b) of this section:
    (i) The recipient of such confidential supervisory information 
shall not, without the prior written approval of the Associate Director 
for Supervision, Enforcement, and Fair Lending or his or her delegee, 
utilize, make, or retain copies of, or disclose confidential 
supervisory information for any purpose, except as is necessary to 
provide advice or services to the supervised financial institution or 
its affiliate; and
    (ii) The supervised financial institution or affiliate disclosing 
the confidential supervisory information shall take reasonable steps to 
ensure that the recipient complies with paragraph (b)(3)(i) of this 
section.


Sec.  1070.43  Disclosure of confidential information to law 
enforcement agencies and other government agencies.

    (a) Required disclosure of confidential information to government 
agencies. The CFPB shall:
    (1) Disclose a draft of a report of examination of a supervised 
financial institution prior to its finalization, in accordance with 12 
U.S.C. 5515(e)(1)(C), and disclose a final report of examination, 
including any and all revisions made to such a report, to a Federal or 
State agency with jurisdiction over that supervised financial 
institution, provided that the CFPB receives from the agency reasonable 
assurances as to the confidentiality of the information disclosed; and
    (2) Disclose confidential consumer complaint information to a 
Federal or State agency to facilitate preparation of reports to 
Congress required by 12 U.S.C. 5493(b)(3)(C) and to facilitate the 
CFPB's supervision and enforcement activities and its monitoring of the 
market for consumer financial products and services, provided that the 
agency shall first give written assurance to the CFPB that it will 
maintain such information in confidence, including in a manner that 
conforms to the standards that apply to Federal agencies for the 
protection of the confidentiality of personally identifiable 
information and for data security and integrity.
    (b) Discretionary disclosure of confidential information to 
government agencies.
    (1) Upon receipt of a written request that contains the information 
required by paragraph (b)(2) of this section, the CFPB may, in its sole 
discretion, disclose confidential information to a Federal or State 
agency to the extent that the disclosure of the information is relevant 
to the exercise of the agency's statutory or regulatory authority or, 
with respect to the disclosure of confidential supervisory information, 
to a Federal or State agency having jurisdiction over a supervised 
financial institution.
    (2) To obtain access to confidential information pursuant to 
paragraph (b)(1) of this section, an authorized officer or employee of 
the agency shall submit a written request to the General Counsel, who 
shall act upon the request in consultation with the CFPB's Associate 
Director for Supervision, Enforcement, and Fair Lending or other 
appropriate CFPB personnel. The request shall include the following:
    (i) A description of the particular information, kinds of 
information, and where possible, the particular documents to which 
access is sought;
    (ii) A statement of the purpose for which the information will be 
used;
    (iii) A statement certifying and identifying the agency's legal 
authority for requesting the documents;
    (iv) A statement certifying and identifying the agency's legal 
authority for protecting the requested information from public 
disclosure; and
    (v) A certification that the agency will maintain the requested 
confidential information in confidence, including in a manner that 
conforms to the standards that apply to Federal agencies for the 
protection of the confidentiality of personally identifiable 
information and for data security and integrity, as well as any 
additional conditions or limitations that the CFPB may impose.
    (c) State requests for information other than confidential 
information. A request or demand by a State agency for information or 
records of the CFPB other than confidential information shall be made 
and considered in accordance with the rules set forth elsewhere in this 
part.
    (d) Negotiation of standing requests. The CFPB may negotiate terms 
governing the exchange of confidential information with Federal or 
State agencies on a standing basis, as appropriate.


Sec.  1070.44  Disclosure of confidential consumer complaint 
information.

    Nothing in this part shall limit the discretion of the CFPB, to the 
extent permitted by law, to disclose confidential consumer complaint 
information as it deems necessary to investigate, resolve, or otherwise 
respond to consumer complaints or inquiries concerning financial 
institutions or consumer financial products and services.


Sec.  1070.45  Affirmative disclosure of confidential information.

    (a) The CFPB may disclose confidential investigative information 
and other confidential information, in accordance with applicable law, 
as follows:
    (1) To a CFPB employee, as that term is defined in Sec.  1070.2 of 
this part and in accordance with Sec.  1070.41 of this subpart;
    (2) To either House of the Congress or to an appropriate committee 
or subcommittee of the Congress, as set forth in 12 U.S.C. 5562(d)(2), 
provided that, upon the receipt by the CFPB of a request from the 
Congress for confidential information that a financial institution 
submitted to the CFPB along with a claim that such information consists 
of a trade secret or privileged or confidential commercial or financial 
information, or confidential supervisory information, the CFPB shall 
notify the financial institution in writing of its receipt of the 
request and provide the institution with a copy of the request;
    (3) In investigational hearings and witness interviews, as is 
reasonably necessary, at the discretion of the CFPB;
    (4) In an administrative or court proceeding to which the CFPB is a 
party. In the case of confidential investigatory material that contains 
any trade secret or privileged or confidential commercial or financial 
information, as claimed by designation by the submitter of such 
material, or confidential supervisory information, the submitter may 
seek an appropriate protective or in camera order prior to disclosure 
of such material in a proceeding;
    (5) To law enforcement agencies and other government agencies in 
summary form to the extent necessary to notify such agencies of 
potential violations of laws subject to their jurisdiction; or
    (6) As required under any other applicable law.


Sec.  1070.46  Other disclosures of confidential information.

    (a) To the extent permitted by law and as authorized by the 
Director in writing, the CFPB may disclose confidential information 
other than as set forth in this subpart.
    (b) Prior to disclosing confidential information pursuant to 
paragraph (a) of this section, the CFPB may, as it deems

[[Page 11517]]

appropriate under the circumstances, provide written notice to the 
person to whom the confidential information pertains that the CFPB 
intends to disclose its confidential information in accordance with 
this section.
    (c) The authority of the Director to disclose confidential 
information pursuant to paragraph (a) shall not be delegated. However, 
a person authorized to perform the functions of the Director in 
accordance with law may exercise the authority of the Director as set 
forth in this section.


Sec.  1070.47  Other rules regarding the disclosure of confidential 
information.

    (a) Further disclosure prohibited. (1) All confidential information 
made available under this subpart shall remain the property of the 
CFPB, unless the General Counsel provides otherwise in writing.
    (2) Except as set forth in this subpart, no supervised financial 
institution, Federal or State agency, any officer, director, employee 
or agent thereof, or any other person to whom the confidential 
information is made available under this subpart, may further disclose 
such confidential information without the prior written permission of 
the General Counsel.
    (3) A supervised financial institution, Federal or State agency, 
any officer, director, employee or agent thereof, or any other person 
to whom the CFPB's confidential information is made available under 
this subpart, that receives from a third party a legally enforceable 
demand or request for such confidential information (including but not 
limited to, a subpoena or discovery request or a request made pursuant 
to the Freedom of Information Act, 5 U.S.C. 552, the Privacy Act of 
1974, 5 U.S.C. 552a, or any State analogue to such statutes) should:
    (i) Inform the General Counsel of such request or demand in writing 
and provide the General Counsel with a copy of such request or demand 
as soon as practicable after receiving it;
    (ii) To the extent permitted by applicable law, advise the 
requester that:
    (A) The confidential information sought may not be disclosed 
insofar as it is the property of the CFPB; and
    (B) Any request for the disclosure of such confidential information 
is properly directed to the CFPB pursuant to its regulations set forth 
in this part.
    (iii) Consult with the General Counsel before complying with the 
request or demand, and to the extent applicable:
    (A) Give the CFPB a reasonable opportunity to respond to the demand 
or request;
    (B) Assert all reasonable and appropriate legal exemptions or 
privileges that the CFPB may request be asserted on its behalf; and
    (C) Consent to a motion by the CFPB to intervene in any action for 
the purpose of asserting and preserving any claims of confidentiality 
with respect to any confidential information.
    (4) Nothing in this section shall prevent a supervised financial 
institution, Federal or State agency, any officer, director, employee 
or agent thereof, or any other person to whom the information is made 
available under this subpart from complying with a legally valid and 
enforceable order of a court of competent jurisdiction compelling 
production of the CFPB's confidential information, or, if compliance is 
deemed compulsory, with a request or demand from either House of the 
Congress or a duly authorized committee of the Congress. To the extent 
that compulsory disclosure of confidential information occurs as set 
forth in this paragraph, the producing party shall use its best efforts 
to ensure that the requestor secures an appropriate protective order 
or, if the requestor is a legislative body, use its best efforts to 
obtain the commitment or agreement of the legislative body that it will 
maintain the confidentiality of the confidential information.
    (5) No person obtaining access to confidential information pursuant 
to this subpart may make a personal copy of any such information, and 
no person may remove confidential information from the premises of the 
institution or agency in possession of such information except as 
permitted under this subpart or by the CFPB.
    (b) Additional conditions and limitations. The CFPB may impose any 
additional conditions or limitations on disclosure or use under this 
subpart that it determines are necessary.
    (c) Non-waiver. (1) In General. The CFPB shall not be deemed to 
have waived any privilege applicable to any information by transferring 
that information to, or permitting that information to be used by, any 
Federal or State agency.
    (2) Rule of Construction. Paragraph (c)(1) of this section shall 
not be construed as implying that any person waives any privilege 
applicable to any information because paragraph (c)(1) of this section 
does not apply to the transfer or use of that information.


Sec.  1070.48  Privileges not affected by disclosure to the CFPB.

    (a) In General. The submission by any person of any information to 
the CFPB for any purpose in the course of any supervisory or regulatory 
process of the CFPB shall not be construed as waiving, destroying, or 
otherwise affecting any privilege such person may claim with respect to 
such information under Federal or State law as to any person or entity 
other than the CFPB.
    (b) Rule of Construction. Paragraph (a) of this section shall not 
be construed as implying or establishing that--
    (1) Any person waives any privilege applicable to information that 
is submitted or transferred under circumstances to which paragraph (a) 
of this section does not apply; or
    (2) Any person would waive any privilege applicable to any 
information by submitting the information to the CFPB but for this 
section.

Subpart E--The Privacy Act


Sec.  1070.50  Purpose and scope; definitions.

    (a) This subpart implements the provisions of the Privacy Act of 
1974, 5 U.S.C. 552a (the Privacy Act). The regulations apply to all 
records maintained by the CFPB and which are retrieved by an 
individual's name or personal identifier. The regulations set forth the 
procedures for requests for access to, or amendment of, records 
concerning individuals that are contained in systems of records 
maintained by the CFPB. These regulations should be read in conjunction 
with the Privacy Act, which provides additional information about this 
topic.
    (b) For purposes of this subpart, the following definitions apply:
    (1) The term Chief Privacy Officer means the Chief Information 
Officer of the CFPB or any CFPB employee to whom the Chief Information 
Officer has delegated authority to act under this part;
    (2) The term guardian means the parent of a minor, or the legal 
guardian of any individual who has been declared to be incompetent due 
to physical or mental incapacity or age by a court of competent 
jurisdiction;
    (3) Individual means a citizen of the United States or an alien 
lawfully admitted for permanent residence;
    (4) Maintain includes maintain, collect, use, or disseminate;
    (5) Record means any item, collection, or grouping of information 
about an individual that is maintained by an agency, including, but not 
limited to, his education, financial transactions, medical history, and 
criminal or employment history and that contains his name or the 
identifying number, symbol, or other identifying particular assigned to 
the individual, such as a finger or voiceprint or a photograph;

[[Page 11518]]

    (6) Routine use means the disclosure of a record that is compatible 
with the purpose for which it was collected;
    (7) System of records means a group of any records under the 
control of an agency from which information is retrieved by the name of 
the individual or by some identifying number, symbol, or other 
identifying particular assigned to the individual; and
    (8) Statistical record means a record in a system of records 
maintained for statistical research or reporting purposes only and not 
used in whole or in part in making any determination about an 
identifiable individual, except as provided by 13 U.S.C. 8.


Sec.  1070.51  Authority and responsibilities of the Chief Privacy 
Officer.

    The Chief Privacy Officer is authorized to:
    (a) Respond to requests for access to, accounting of, or amendment 
of records contained in a system of records maintained by the CFPB;
    (b) Approve the publication of new systems of records and amend 
existing systems of record; and
    (c) File any necessary reports related to the Privacy Act.


Sec.  1070.52  Fees.

    (a) Copies of records. The CFPB shall provide the requester with 
copies of records requested pursuant to Sec.  1070.53 of this subpart 
at the same cost charged for duplication of records under Sec.  1070.22 
of this part.
    (b) No fee. The CFPB will not charge a fee if:
    (1) Total charges associated with a request are less than $5, or
    (2) The requester is a CFPB employee or former employee, or an 
applicant for employment with the CFPB, and the request pertains to 
that employee, former employee, or applicant.


Sec.  1070.53  Request for access to records.

    (a) Procedures for making a request for access to records. An 
individual's requests for access to records that pertain to that 
individual (or to the individual for whom the requester serves as 
guardian) may be submitted to the CFPB in writing or by electronic 
means.
    (1) If submitted in writing, the request shall be labeled ``Privacy 
Act Request'' and shall be addressed to the Chief Privacy Officer, 
Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC 
20552.
    (2) If submitted by electronic means, the request shall be labeled 
``Privacy Act Request'' and the request shall be submitted as set forth 
at the CFPB's Web site, http://www.consumerfinance.gov.
    (b) Content of a request for access to records. A request for 
access to records shall include:
    (1) A statement that the request is made pursuant to the Privacy 
Act;
    (2) The name of the system of records that the requester believes 
contains the record requested, or a description of the nature of the 
record sought in detail sufficient to enable CFPB personnel to locate 
the system of records containing the record with a reasonable amount of 
effort;
    (3) Whenever possible, a description of the nature of the record 
sought, the date of the record or the period in which the requester 
believes that the record was created, and any other information that 
might assist the CFPB in identifying the record sought (e.g., maiden 
name, dates of employment, account information, etc.).
    (4) Information necessary to verify the requester's identity 
pursuant to paragraph (c) of this section;
    (5) The mailing or email address where the CFPB's response or 
further correspondence should be sent.
    (c) Verification of identity. To obtain access to the CFPB's 
records pertaining to a requester, the requester shall provide proof to 
the CFPB of the requester's identity as provided below.
    (1) In general, the following will be considered adequate proof of 
a requester's identity:
    (i) A photocopy of two forms of identification, including one form 
of identification that bears the requester's photograph, and one form 
of identification that bears the requester's signature;
    (ii) A photocopy of a single form of identification that bears both 
the requester's photograph and signature; or
    (iii) A statement swearing or affirming the requester's identity 
and to the fact that the requester understands the penalties provided 
in 5 U.S.C. 552a(i)(3).
    (2) Notwithstanding paragraph (c)(1) of this section, a designated 
official may require additional proof of the requester's identity 
before action will be taken on any request, if such official determines 
that it is necessary to protect against unauthorized disclosure of 
information in a particular case. In addition, if a requester seeks 
records pertaining to an individual in the requester's capacity as that 
individual's guardian, the requester shall be required to provide 
adequate proof of the requester's legal relationship before action will 
be taken on any request.
    (d) Request for accounting of previous disclosures. An individual 
may request an accounting of previous disclosures of records pertaining 
to that individual in a system of records as provided in 5 U.S.C. 
552a(c). Such requests should conform to the procedures and form for 
requests for access to records set forth in paragraphs (a) and (b) of 
this section.


Sec.  1070.54  CFPB procedures for responding to a request for access.

    (a) Acknowledgment and response. The CFPB will provide written 
acknowledgement of the receipt of a request within twenty (20) business 
days from the receipt of the request and will, where practicable, 
respond to each request within that twenty (20) day period. When a full 
response is not practicable within the twenty (20) day period, the CFPB 
will respond as promptly as possible.
    (b) Disclosure. (1) When the CFPB discloses information in response 
to a request, the CFPB will make the information available for 
inspection and copying during regular business hours as provided in 
Sec.  1070.13 of this part, or the CFPB will mail it or email it the 
requester, if feasible, upon request.
    (2) The requester may bring with him or her anyone whom the 
requester chooses to see the requested material. All visitors to the 
CFPB's buildings must comply with the applicable security procedures.
    (c) Denial of a request. If the CFPB denies a request made pursuant 
to Sec.  1070.53 of this subpart, it will inform the requester in 
writing of the reason(s) for denial and the procedures for appealing 
the denial.


Sec.  1070.55  Special procedures for medical records.

    If an individual requests medical or psychological records pursuant 
to Sec.  1070.53 of this subpart, the CFPB will disclose them directly 
to the requester unless the CFPB determines that such disclosure could 
have an adverse effect on the requester. If the CFPB makes that 
determination, the CFPB shall provide the information to a licensed 
physician or other appropriate representative that the requester 
designates, who shall disclose those records to the requester in a 
manner he or she deems appropriate.


Sec.  1070.56  Request for amendment of records.

    (a) Procedures for making request. (1) If an individual wishes to 
amend a record that pertains to that individual in a system of records, 
that individual may submit a request in writing or by electronic means 
to the Chief Privacy Officer, as set forth in Sec.   1070.53(a). The 
request shall be labeled ``Privacy Act Amendment Request.''
    (2) A request for amendment of a record must:

[[Page 11519]]

    (i) Identify the system of records containing the record for which 
amendment is requested;
    (ii) Specify the portion of that record requested to be amended; 
and
    (iii) Describe the nature and reasons for each requested amendment.
    (3) When making a request for amendment of a record, the CFPB will 
require a requester to verify his or her identity under the procedures 
set forth in Sec.  1070.53(c) of this subpart, unless the requester has 
already done so in a related request for access or amendment.
    (b) Burden of proof. In a request for amendment of a record, the 
requester bears the burden of proving by a preponderance of the 
evidence that the record is not accurate, relevant, timely, or 
complete.


Sec.  1070.57  CFPB review of a request for amendment of records.

    (a) Time limits. The CFPB will acknowledge a request for amendment 
of records within ten (10) business days after it receives the request. 
In the acknowledgment, the CFPB may request additional information 
necessary for a determination on the request for amendment. The CFPB 
will make a determination on a request to amend a record promptly.
    (b) Contents of response to a request for amendment. When the CFPB 
responds to a request for amendment, the CFPB will inform the requester 
in writing whether the request is granted or denied, in whole or in 
part. If the CFPB grants the request, it will take the necessary steps 
to amend the record and, when appropriate and possible, notify prior 
recipients of the record of its action. If the CFPB denies the request, 
in whole or in part, it will inform the requester in writing:
    (1) Why the request (or portion of the request) was denied;
    (2) That the requester has a right to appeal; and
    (3) How to file an appeal.


Sec.  1070.58  Appeal of adverse determination of request for access or 
amendment.

    (a) Appeal. A requester may appeal a denial of a request made 
pursuant to Sec. Sec.  1070.53 or 1070.56 of this subpart within ten 
(10) business days after the CFPB notifies the requester that it has 
denied the request.
    (b) Content of Appeal. A requester may submit an appeal in writing 
or by electronic means as set forth in Sec.   1070.53(a). The appeal 
shall be addressed to the General Counsel and labeled ``Privacy Act 
Appeal.'' The appeal must also:
    (1) Specify the background of the request; and
    (2) Provide reasons why the requester believes the denial is in 
error.
    (c) Determination. The General Counsel will make a determination as 
to whether to grant or deny an appeal within thirty (30) business days 
from the date it is received, unless the General Counsel extends the 
time for good cause.
    (1) If the General Counsel grants an appeal regarding a request for 
amendment, he or she will take the necessary steps to amend the record 
and, when appropriate and possible, notify prior recipients of the 
record of its action.
    (2) If the General Counsel denies an appeal, he or she will inform 
the requester of such determination in writing, including the reasons 
for the denial, and the requester's right to file a statement of 
disagreement and to have a court review its decision.
    (d) Statement of disagreement. (1) If the General Counsel denies an 
appeal regarding a request for amendment, a requester may file a 
concise statement of disagreement with the denial. The CFPB will 
maintain the requester's statement with the record that the requester 
sought to amend and any disclosure of the record will include a copy of 
the requester's statement of disagreement.
    (2) When practicable and appropriate, the CFPB will provide a copy 
of the statement of disagreement to any prior recipients of the record.


Sec.  1070.59  Restrictions on disclosure.

    The CFPB will not disclose any record about an individual contained 
in a system of records to any person or agency without the prior 
written consent of that individual unless the disclosure is authorized 
by 5 U.S.C. 552a(b). Disclosures authorized by 5 U.S.C. 552a(b) include 
disclosures that are compatible with one or more routine uses that are 
contained within the CFPB's Systems of Records Notices, which are 
available on the CFPB's Web site, at http://www.consumerfinance.gov.


Sec.  1070.60  Exempt records.

    (a) Exempt systems of records. Pursuant to 5 U.S.C. 552a(k)(2), the 
CFPB exempts the systems of records listed below from 5 U.S.C. 
552a(c)(3), (d), (e)(1), (e)(4)(G)-(H), and (f), and Sec. Sec.  1070.53 
through 1070.59 of this subpart, to the extent that such systems of 
records contain investigatory materials compiled for law enforcement 
purposes, provided, however, that if any individual is denied any 
right, privilege, or benefit to which he or she would otherwise be 
entitled under Federal law, or for which he or she would otherwise be 
eligible as a result of the maintenance of such material, such material 
shall be disclosed to such individual, except to the extent that the 
disclosure of such material would reveal the identity of a source who 
furnished information to the CFPB under an express promise that the 
identity of the source would be held in confidence:
    (1) CFPB.002 Depository Institution Supervision Database
    (2) CFPB.003 Non-Depository Institution Supervision Database
    (3) CFPB.004 Enforcement Database
    (4) CFPB.005 Consumer Response System
    (b) Information compiled for civil actions or proceedings. This 
subpart does not permit an individual to have access to any information 
compiled in reasonable anticipation of a civil action or proceeding.


Sec.  1070.61  Training; rules of conduct; penalties for non-
compliance.

    (a) Training. The Chief Privacy Officer shall institute a training 
program to instruct CFPB employees and employees of Government 
contractors covered by 5 U.S.C. 552a(m), who are involved in the 
design, development, operation, or maintenance of any CFPB system of 
records, on a continuing basis with respect to the duties and 
responsibilities imposed on them and the rights conferred on 
individuals by the Privacy Act, the regulations in this subpart, and 
any other related regulations. Such training shall provide suitable 
emphasis on the civil and criminal penalties imposed on the CFPB and 
the individual employees by the Privacy Act for non-compliance with 
specified requirements of the Act as implemented by the regulations in 
this subpart.
    (b) Rules of conduct. The following rules of conduct are applicable 
to employees of the CFPB (including, to the extent required by the 
contract or 5 U.S.C. 552a(m), Government contractors and employees of 
such contractors), who are involved in the design, development, 
operation or maintenance of any system of records, or in maintain any 
records, for or on behalf of the CFPB.
    (1) The head of each office of the CFPB shall be responsible for 
assuring that employees subject to such official's supervision are 
advised of the provisions of the Privacy Act, including the criminal 
penalties and civil liabilities provided therein, and the regulations 
in this subpart, and that such employees are made aware of their 
individual and collective responsibilities to protect the security of 
personal information, to assure its

[[Page 11520]]

accuracy, relevance, timeliness and completeness, to avoid unauthorized 
disclosure either orally or in writing, and to insure that no system of 
records is maintained without public notice.
    (2) Employees of the CFPB involved in the design, development, 
operation, or maintenance of any system of records, or in maintaining 
any record shall:
    (i) Collect no information of a personal nature from individuals 
unless authorized to collect it to achieve a function or carry out a 
responsibility of the CFPB;
    (ii) Collect information, to the extent practicable, directly from 
the individual to whom it relates;
    (iii) Inform each individual asked to supply information, on the 
form used to collect the information or on a separate form that can be 
retained by the individual of--
    (A) The authority (whether granted by statute, or by executive 
order of the President) which authorizes the solicitation of the 
information and whether disclosure of such information is mandatory or 
voluntary;
    (B) The principal purpose or purposes for which the information is 
intended to be used;
    (C) The routine uses which may be made of the information, as 
published pursuant to 5 U.S.C. 552a(e)(4)(D); and
    (D) The effects on the individual, if any, of not providing all or 
any part of the requested information.
    (iv) Not collect, maintain, use or disseminate information 
concerning an individual's religious or political beliefs or activities 
or membership in associations or organizations, unless expressly 
authorized by statute or by the individual about whom the record is 
maintained or unless pertinent to and within the scope of an authorized 
law enforcement activity;
    (v) Advise their supervisors of the existence or contemplated 
development of any record system which is capable of retrieving 
information about individuals by individual identifier;
    (vi) Assure that no records maintained in a CFPB system of records 
are disseminated without the permission of the individual about whom 
the record pertains, except when authorized by 5 U.S.C. 552a(b);
    (vii) Maintain and process information concerning individuals with 
care in order to insure that no inadvertent disclosure of the 
information is made either within or without the CFPB;
    (viii) Prior to disseminating any record about an individual to any 
person other than an agency, unless the dissemination is made pursuant 
to 5 U.S.C. 552a(b)(2) of this section, make reasonable efforts to 
assure that such records are accurate, complete, timely, and relevant 
for agency purposes; and
    (ix) Assure that an accounting is kept in the prescribed form, of 
all dissemination of personal information outside the CFPB, whether 
made orally or in writing, unless disclosed under 5 U.S.C. 552 or 
subpart B of this part.
    (3) The head of each office of the CFPB shall, at least annually, 
review the record systems subject to their supervision to insure 
compliance with the provisions of the Privacy Act of 1974 and the 
regulations in this subpart.


Sec.  1070.62  Preservation of records.

    The CFPB will preserve all correspondence pertaining to the 
requests that it receives under this part, as well as copies of all 
requested records, until disposition or destruction is authorized by 
title 44 of the United States Code or the National Archives and Records 
Administration's General Records Schedule 14. Records will not be 
disposed of or destroyed while they are the subject of a pending 
request, appeal, proceeding, or lawsuit.


Sec.  1070.63  Use and collection of social security numbers.

    The CFPB will ensure that employees authorized to collect 
information are aware:
    (a) That individuals may not be denied any right, benefit, or 
privilege as a result of refusing to provide their social security 
numbers, unless the collection is authorized either by a statute or by 
a regulation issued prior to 1975; and
    (b) That individuals requested to provide their social security 
numbers must be informed of:
    (1) Whether providing social security numbers is mandatory or 
voluntary;
    (2) Any statutory or regulatory authority that authorizes the 
collection of social security numbers; and
    (3) The uses that will be made of the numbers.

    Dated: January 15, 2013.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2013-01737 Filed 2-14-13; 8:45 am]
BILLING CODE 4810-AM-P