Over four years ago, the Consumer Financial Protection Bureau (CFPB or Bureau) proposed amending its rules to prohibit recipients of civil investigative demands (CIDs) from disclosing that they had received a CID except under limited circumstances. (You can read about that proposal here.) The Bureau’s proposal prompted an outcry from groups as varied as the American Civil Liberties Union (ACLU) and the US Chamber of Commerce, who objected to the proposed prohibition on various grounds, including that it would infringe on recipients’ First Amendment rights. At the same time, the proposed rule would have allowed the CFPB to share confidential supervisory information with a broader set of government agencies. On October 29, 2020, the CFPB finally took action on the proposed rule changes—and declined to implement them. Moreover, the CFPB took the opportunity to clarify its previously ambiguous regulation and make clear that there is no prohibition on CID recipients from disclosing the existence of a CFPB enforcement investigation.

The CFPB’s regulations on the Disclosure of Records and Information define certain categories of “confidential information” and govern that information’s dissemination. See 12 C.F.R. Part 1070. From the agency’s inception, the confidentiality rules have differentiated between two categories of “confidential information”: “confidential supervisory information,” which includes information prepared in the course of the Bureau’s exercise of its supervisory authority, such as reports of examination, and “confidential investigative information,” which includes information prepared in the course of the Bureau’s exercise of its investigatory authority. The rules were intended to apply differently to the two categories of information, recognizing the heightened protections typically afforded to supervisory information by the prudential regulators.

CID Confidentiality

As drafted, the rules contained an ambiguity. They defined “investigative information” broadly—to include any material “prepared by” the CFPB in the conduct of an investigation and “any information derived from such documents”—and then provided that “no … person in possession of confidential information” could disclose it by any means. On their face, therefore, the rules seemed to preclude the recipient of a CID from disclosing receipt of the CID—to their counsel, insurers, contractual counterparties or even to government officials. There was good reason to believe that the intent of that provision was to prevent the CFPB and its employees/agents from disclosing the existence of an investigation, in order to protect the target from being tarred by the mere existence of an investigation. And, indeed, the CFPB’s general practice is to not disclose the existence of pending investigations. But the plain language of the regulation suggested it applied more broadly, causing numerous CID recipients to seek the CFPB’s permission to disclose the existence of CIDs in various circumstances (e.g., to an insurance carrier or contractual counter-party).

In the proposed rules, the CFPB sought to clarify this ambiguity. But rather than make clear that the prohibition only applies to disclosure by the CFPB, the proposed rule sought to explicitly prohibit investigation targets from disclosing CIDs and other investigative information except under specific enumerated circumstances (which is how the rule applies to confidential supervisory information). The Bureau, however, provided no substantive justification for this proposed change and did not address either the relative merits of such a non-disclosure regime or its constitutional implications. As a result, it received multiple comment letters opposing the proposed change. Seven comment letters argued that the proposal would infringe on First Amendment rights, and several argued that the Bureau had provided an insufficient rationale for its proposal, which differed from how other law enforcement agencies like the US Securities and Exchange Commission and Federal Trade Commission treat this issue. One comment urged the Bureau to clarify its regulation but in the opposite direction—to make clear that the recipient of confidential investigative information (including a CID) in the course of an enforcement investigation was not prohibited from disclosure.

The Bureau apparently listened. In the final rule, the Bureau indeed clarified the issue, but not in the way it originally proposed. Instead, it added a subsection that clearly provides that “[n]othing in [the confidentiality rules] shall prohibit any person lawfully in possession of confidential investigative information of the CFPB pursuant to paragraph (a) of this section [which authorizes the CFPB to disclosure such information to an investigation target] from further disclosing that confidential investigative information.” With that amendment, CID recipients no longer have to worry whether notification of insurance companies, contractual counterparties, investors or even the press or Congress is a violation of CFPB rules. They are free to disclose—or not disclose—as they see fit.

Sharing CSI

As noted above, the proposed rule would also have amended the confidentiality rules to allow the CFPB to share confidential supervisory information (CSI) with a broader set of government agencies. The Dodd-Frank Act expressly authorizes the CFPB to disclose CSI to a prudential regulator or other government agency “having jurisdiction over” a CFPB-supervised entity. 12 U.S.C. § 5512(c)(6)(C)(ii). In its original confidentiality rules, the CFPB interpreted this statutory grant of authority as reflecting the limits on the agency’s authority to disclose CSI to other agencies, and the rules therefore only authorized the CFPB to disclose CSI to other agencies that “have jurisdiction over” the party to whom the information relates. In the proposed rule, the CFPB sought to reinterpret this statutory provision to be merely permissive (i.e., it authorizes such disclosure but does not limit disclosure to only such agencies) and to authorize disclosure of CSI to another agency “to the extent that the disclosure of the information is relevant to the exercise of the agency’s statutory or regulatory authority” (emphasis added).

As with the CID confidentiality provisions, the CFPB provided little by way of explanation for this proposed change. And as with the CID confidentiality provisions, the comments the CFPB received were, in the Bureau’s own words, “largely critical of the proposal.” The comments expressed concern over the potential breadth of the proposed revision and its impact on the supervisory process, and argued that the CFPB had provided insufficient rationale for the proposed change, which would result in a practice different from that of other prudential regulators. Once again, the Bureau listened—and decided to not make the proposed change. (Relatedly, the CFPB also decided not to make a proposed change to add a definition of “agency” to the rules, which would have included not only government agencies but also “an entity exercising governmental authority.” The term “agency” appears in the provisions governing to whom the CFPB can disclose confidential investigative and supervisory information, and the proposed definition would have further expanded the pool of recipients.)


The purpose of notice-and-comment rulemaking is to ensure that agency decision-making is informed by the views, experiences and perspectives of those to whom proposed regulations will apply. In this case, the process clearly worked. The CFPB’s proposals elicited a flurry of critical comments that identified a variety of presumably unintended consequences to the proposals. The agency responded by abandoning its proposed approach and took the further step of clarifying that the prohibition on the disclosure of confidential investigative information does not apply to those who are subject to a CFPB investigation. While cynical observers might say that what was at play was a change of administration, that does not appear to be the case. The CID proposal in particular elicited a negative response from a broad spectrum of commentators, and neither issue lends itself to easy political classification. At bottom, this was about the nitty-gritty operations of government. Let’s hope that it is a model for future rulemakings to come (without the four-year wait).