March 6, 2001
Testimony of Julie L. Williams, First Senior Deputy Comptroller and Chief Counsel, before the U.S. House Subcommittees on Oversight and Investigations and on Financial Institutions and Consumer Credit, on information-sharing and issues of confidentiality
Statement required by 12 U.S.C. 250:
The views expressed herein are those of the Office of the Comptroller of the Currency and do not necessarily represent those of the President.
Madam Chair, Mr. Chairman, and members of the Subcommittees, thank you for inviting the Office of the Comptroller of the Currency (OCC) to participate in this hearing. Effective coordination and information sharing among the regulators of financial services providers — banks, securities firms, and insurance providers — are essential in order for the functional regulation framework established by the Gramm-Leach-Bliley Act (GLBA) to work as the Congress intended. In view of the integration of the financial services industries that the GLBA permits, and the possibilities that individuals will migrate between industries and entities will commence new activities, it is particularly important for a functional regulator to have a means to know whether individuals or entities have been subject to enforcement actions by another functional regulator. On behalf of the Comptroller, I would like to thank you for your efforts to further these objectives.
In my testimony today, I will first provide context for your current legislative work by highlighting the most important ways in which the OCC currently shares information with other Federal and with State regulators. I will then offer our perspectives on key confidentiality and liability issues that are raised by proposals to enhance information sharing among financial services regulators.
Coordination and Information Sharing: What the OCC Does Today
The OCC currently shares a variety of types of information with Federal and State regulators, including the other Federal banking agencies, the Securities and Exchange Commission (SEC), and State insurance regulators. I will first review our recent work with State insurance regulators, then turn to efforts involving the SEC and the other Federal banking agencies.
The OCC's Work with State Insurance Regulators
Last year, when I appeared before the Subcommittee on Finance and Hazardous Materials of the Commerce Committee, I described the progress the OCC and the National Association of Insurance Commissioners (NAIC) had made together in developing workable approaches to sharing information about consumer complaints. As I mentioned at that time, the OCC and the NAIC recognized several years ago that the sharing of certain types of information not only benefits consumers through more timely responses to inquiries and complaints, but also serves to identify common cross-industry trends or problems. As the first step in this process, the OCC and the NAIC jointly drafted a model agreement in 1998 to share consumer complaint information involving national bank insurance sales activities. This agreement requires the OCC to send to the appropriate State insurance regulator copies of all complaints that the OCC receives relating to insurance activities in that State by a national bank. Likewise, the State insurance regulator will send to the OCC copies of all complaints it receives involving a national bank insurance activity. To date, the OCC has entered into these agreements with 28 State insurance regulators.
Recently, the OCC and the NAIC have built upon their success with the complaint sharing process and jointly drafted a second, more encompassing model agreement that provides for the sharing of broader insurance-related supervisory and enforcement information, including, but not limited to the sharing of complaint information. Under the agreement, the OCC and State insurance regulators may request from each other, and provide to each other with or without a request, confidential information regarding: (1) material risks to the operations or financial condition of a regulated entity; (2) the insurance activities of a regulated entity; or (3) other confidential information necessary to disclose fully the relations between a regulated entity supervised by the OCC and a regulated entity supervised by the State insurance regulator. The information requested must be in furtherance of the agency's lawful examination or supervision of the regulated entity.
The NAIC adopted this model agreement in December of last year, and just recently transmitted the final version of the model agreement to its members. We expect to begin entering into these new agreements as early as this week.
The OCC also has taken other steps to promote the exchange of information that may be of use to other supervisory entities operating under the functional regulation regime established by GLBA. For example, shortly after GLBA was enacted, we amended our rules relating to national bank corporate activities to ensure that information the OCC receives in connection with bank applications to affiliate with entities engaged in insurance activities is shared with the appropriate State insurance department. Under the revised procedures, a national bank must describe in its notice or application to the OCC to establish a financial subsidiary or an operating subsidiary, or to make a non-controlling investment in an entity that will engage in insurance activities, the type of insurance activities that the bank is engaged in or will engage in and the lines of business for which the company holds or will hold an insurance license. This information is then forwarded to the appropriate State insurance regulator. To date, the OCC has forwarded information contained in almost 70 notices or applications that it has received.
Our information sharing is part of a comprehensive effort to further develop close working relationships with State insurance regulators. With respect to insurance matters, these efforts began in 1996 when the OCC invited State insurance commissioners to the OCC to discuss ways to better coordinate our respective regulatory responsibilities. Since then, the OCC and State insurance regulators have met, separately or through the auspices of the NAIC, on numerous occasions. Our most recent meeting, in fact, was yesterday. To date, regional representatives of the OCC have met individually with insurance regulators in all 50 states and the District of Columbia to learn more about how we each implement our regulatory responsibilities as well as to discuss ways we can assist each other in these responsibilities. Moreover, senior OCC representatives attend NAIC quarterly national meetings on a regular basis to exchange information about their respective regulatory priorities and supervisory approaches and to discuss ongoing regulatory or supervisory projects.
Most importantly, the OCC and the State insurance supervisors are no longer merely observers of each other's regulatory and supervisory activities. We each now actively seek the participation of the other in matters of common supervisory concern, and we recognize that the other offers unique and relevant perspectives to the responsibilities of each respective regulator. Two recent examples illustrate the point.
First, the OCC and other Federal banking regulators consulted with State insurance regulators, through the auspices of the NAIC, during the development of the insurance consumer protection regulations required by section 305 of GLBA. Section 305 required the OCC, the Federal Reserve Board (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly to issue regulations that apply to retail sales practices, solicitations, advertising, or offers of any insurance product by a bank (or other depository institution) or by any person engaged in such activities at an office of the institution or on behalf of the institution. The regulation includes, among other things, specific disclosure requirements that must be made to the consumer before completion of the insurance sale or in connection with an extension of credit. The insurance regulators and the NAIC proved to be a valuable resource providing timely and helpful insights from the experience of State insurance departments.
Second, the Consumer Protection Working Group of the NAIC, chaired by Nat Shapo, Director of the Illinois Department of Insurance, recently invited the OCC and the other Federal banking agencies to comment on proposed revisions to the NAIC's Model Unfair Trade Practices Act, a model statute that each State could use to establish standards for bank and thrift sales of insurance in that State. The revised Model Law is being specifically designed to take account of the preemption standards and safe harbors for State insurance laws contained in section 104 of GLBA, as well as the Federal consumer protection provisions set forth in section 305 and the implementing regulations of the Federal banking agencies. The OCC and the other Federal banking agencies participated in several meetings discussing relevant provisions of the Model Act. We offered suggestions based on our experiences in supervising national banks and found the process initiated by Director Shapo to be open, collegial, and very constructive. As a result, we believe that the draft Model Act will reflect an important and precedential consensus between the State insurance regulators and Federal bank regulators regarding the implementation of GLBA and the protection of consumers.
The OCC's Work with the SEC
The OCC also has developed a number of information sharing arrangements with the Securities and Exchange Commission (SEC). For example, we make referrals to the SEC when the OCC discovers potential violations of the Federal securities laws.1 We share relevant information on the alleged violation with the SEC, and coordinate with the SEC's investigation and enforcement proceedings. The OCC's participation includes1 The OCC has similar agreements to refer potential violations of law with the Department of Labor for potential violations of ERISA, and the Federal Elections Commission for potential violations of Federal elections law making available to the SEC our bank examination reports and other confidential examination information. We also provide bank examiners to assist the SEC in reviewing OCC materials, and to testify for the SEC in its enforcement proceedings.
We make access requests to the SEC for its investigatory and examination information when this information is relevant to the OCC's bank supervision responsibilities. We also request information from the SEC that may be relevant to pending licensing applications under consideration by the OCC, including new bank charter applications and notices of change in bank control.
We have shared information with the SEC on customer complaints received by the OCC when the complaints involve matters that may be subject to the SEC's authority. We have also received information on customer complaints from the SEC related to national banks. For example, we have shared customer complaint information with the SEC in cases involving investment product sales to bank customers, and in cases related to sales of brokered certificates of deposit.
When requested by the SEC, we advise the SEC of the existence of OCC enforcement actions on national bank affiliates of publicly traded bank holding companies, in connection with the SEC's review of securities disclosures made by the holding companies. Staff of the SEC's Division of Corporation Finance have made arrangements to routinely request information on OCC enforcement actions in connection with the SEC staff's review of securities disclosure filings made by publicly traded bank holding companies. The SEC staff uses this information to verify the accuracy and completeness of public disclosures made by these bank holding companies. For example, in the past the SEC staff formed a task force to focus on the accuracy of bank holding company securities disclosure filings related to loan losses, and the SEC staff made requests to the OCC for information on hundreds of national banks as part of this initiative.
Finally, we have been working with the SEC to implement GLBA's new functional regulation provisions as they pertain to national banks' securities activities. We have had several meetings with the SEC's senior staff responsible for examinations of broker-dealers and investment companies to discuss each agency's views of GLBA's functional regulation provisions. Our discussions have covered a review of the scope of examinations conducted by the agencies. We are also in the process of identifying the types of information sharing between the agencies that would serve to facilitate functional regulation.
We also coordinate with the SEC in connection with the OCC's authority over national banks acting as transfer agents, municipal securities brokers and dealers, and government securities brokers and dealers. We routinely share examination information with the SEC on national banks that are registered transfer agents. We also have coordinated enforcement actions in the past related to transfer agents and government securities dealers. We have shared information on municipal securities dealers, including in cases involving compliance with the rules on political contributions by municipal securities professionals.
Finally, we have entered into an "Agreement in Principle" with the National Association of Securities Dealers covering information sharing on broker-dealers that are involved in selling investment products through banks.
The OCC's Work with the Federal Banking Agencies
We work in close coordination and cooperation with the other three Federal banking agencies — the Federal Reserve, FDIC and OTS — in virtually every significant aspect of our regulation and supervision of national banks. Coordination among the agencies has increased in recent years. Over the last 10 years, Congress has increasingly directed the agencies to work together to write implementing regulations for new legislation. Moreover, industry consolidation has resulted, in many instances, in banking organizations containing multiple charters that are supervised by different agencies. Few major supervisory or policy initiatives are today taken by one of the banking agencies without consultation with the others. In many cases, these initiatives are undertaken jointly by the four agencies even when there is no express statutory requirement to do so.
For this reason, it is difficult to catalog all of the ways in which the agencies coordinate and share information. I will, however, highlight a few of the more important areas where we work cooperatively with the other banking agencies on law enforcement matters. As you will note in the description that follows, the methods that the banking agencies use to share information differ depending on the level of sensitivity of the information.
The most widely available type of information is information pertaining to final enforcement actions, that is, actions initiated by one of the banking agencies pursuant to its enforcement authority2 that result either in an order issued by the head of an agency after the matter has been litigated or in a consent order or agreement entered into by the parties.
Copies of final formal enforcement actions are required by statute to be made public.3 The banking agencies separately share copies with one another. Moreover, the four banking agencies each maintain a searchable database, available on each agency's Internet website, that enables anyone to enter an individual's or bank's name and obtain information indicating whether that person has been the subject of a final enforcement action. Each banking agency's website is linked to the websites of other financial institutions' regulators, where similar information is available about actions taken by those agencies. For example, by logging on to the OCC's website,4 the Internet user can search the OCC's database of formal enforcement actions by party name or by bank name to find out if we have taken final action against a particular individual or bank. An electronic link is also provided to the sites of the Federal Reserve, the FDIC, the OTS, the National Credit Union Administration (NCUA) and the SEC to enable the user to search for similar enforcement information on each of those sites.
The four banking agencies also share information with each other when formal enforcement actions are initiated, including when an agency issues a notice of charges based on its statutory enforcement authority. Information about the initiation of informal enforcement actions also is shared among the agencies if, for example, the bank that is the subject of the enforcement action is affiliated with an institution directly regulated by one of these agencies. Finally, when appropriate on a case-by-case basis, the OCC provides supervisory and enforcement information to staff at the Federal Reserve, the OTS and the FDIC. This information about the initiation of enforcement proceedings is not publicly available.
Certain information that is not public may, however, be made available to Federal agencies other than the Federal banking agencies and to State agencies under certain circumstances. For example, OCC regulations authorize the sharing of non-public supervisory information to other Federal and State agencies when not otherwise prohibited by law, and the information sought is in furtherance of the performance of the requesting agency's official duties.5 Utilizing this regulatory mechanism, the OCC regularly provides access to certain confidential supervisory information to other Federal and State law enforcement and regulatory agencies.6 In addition, under the new model information available to relevant State supervisory authorities. In 1986, the OCC authorized each of the OCC's district offices to execute separate sharing agreements with State supervisory authorities seeking access to non-public supervisory information. See OCC Policies and Procedures Manual, PPM-6100-3 (rev.), January 22, 1986. The Federal banking agencies' most recent interagency sharing arrangement, in 1997, addressed the notification of enforcement actions among the Federal banking agencies. See Revised Policy Statement on "Interagency Coordination of Formal Corrective Action by the Federal Bank Regulatory Agencies," 62 Fed. Reg. 7782 (February 20, 1997).
In addition, under the new model information is available to relevant State supervisory authorities. In 1986, the OCC authorized each of the OCC's district offices to execute separate sharing agreements with State supervisory authorities seeking access to non-public supervisory information. See OCC Policies and Procedures Manual, PPM-6100-3 (rev.), January 22, 1986. The Federal banking agencies' most recent interagency sharing arrangement, in 1997, addressed the notification of enforcement actions among the Federal banking agencies. See Revised Policy Statement on "Interagency Coordination of Formal Corrective Action by the Federal Bank Regulatory Agencies," 62 Fed. Reg. 7782 (February 20, 1997).
Key Issues in Developing New Legislation
Based on our experience working and sharing information with Federal and State regulators, I would like to highlight two areas which, in our view, present critical issues regarding the design of any new system for enhanced enforcement-related information-sharing among functional regulators. The first is the need to ensure that disclosure is not prohibited or restricted by Federal law and, if authorized, that agency and bank (and other regulated entities') privileges are properly preserved. The second is to recognize that expanded information sharing can raise very sensitive issues regarding the nature and reliability of the information collected and how that information is used, which need to be very carefully considered in the design of an expanded information-sharing system.
Authorized Disclosure and Preservation of Privileges
The ability of the OCC and the other Federal banking agencies to disseminate non-public information to other Federal and State agencies currently is limited by the restrictions contained in certain Federal statutes, and also by the necessity of preserving privileges recognized under Federal statutes and State common law. This non-public information falls into two general categories: privileged and confidential information obtained in the furtherance of the OCC's supervisory and examination authority from organizations that the OCC supervises; and privileged and confidential information internally prepared or generated by the OCC.
Among the Federal statutes that prohibit or restrict the OCC from transferring non-public information are the Trade Secrets Act, the Right to Financial Privacy Act, and the Privacy Act of 1974.8 In the absence of an express statutory exception, these laws prohibit or restrict certain types of non-public information from being shared with other Federal and State agencies. Moreover, even if a statutory exception applies, a number of statutory and common law privileges recognized by the courts and available to the OCC may be waived or destroyed by the unprotected disclosure of privileged information. These include the bank examination privilege,9 the deliberative process privilege, the self-evaluative privilege, and the attorney-client and work product privileges.
Any statutory authorization to share confidential or privileged information with State agencies or other entities needs to appropriately address the foregoing statutory prohibitions as well as ensure protection of all available privileges. Currently, a provision in the Federal Deposit Insurance Act expressly protects transfers of privileged information from, among others, the Federal banking agencies to other Federal government agencies.10 The provision does not address the sharing of privileged materials with State agencies, such as State banking authorities, however. Although GLBA separately provides that information exchanged pursuant to its section 307(c)11 by a Federal banking regulator or a State insurance regulator will not constitute a waiver, or otherwise affect, any privilege to which the information is subject, section 307 pertains only to information regarding transactions or relationships between an insured institution and an affiliated company that is engaged in insurance activities and to certain other information that a banking agency believes is necessary or appropriate for a State insurance regulator to administer State insurance laws. It also does not cover information sharing with the NAIC. Thus, under current law, sharing of confidential or privileged information with State agencies and the NAIC runs the risk of resulting in a loss of protected status to the privileged materials.
It is also essential to protect the privileges that banks may assert over their own information that is in the possession of the Federal banking agencies. Since banks have no discretion as to the information they must disclose to supervising agencies,12 the authority for bank examiners to enter upon bank premises and review all of a bank's books and records is plenary. Thus, self-evaluative, attorney-client and work product communications maintained anywhere in a bank's books and records fall properly within the scope of the banking agencies' examination authority and may be shared with the examining agency by the supervised institution. Such information in the hands of the Federal banking agencies remains privileged because it was obtained through statutory compulsion. Similarly, the sharing of such privileged information among the Federal banking agencies remains protected under 12 U.S.C. Section 1821(t). However, the subsequent sharing of this privileged information with State agencies, without Federal statutory protection, could result in the waiver of a financial institution's privileges. This, in turn, could compromise an institution's legal position and potentially adversely impact its safety and soundness.
- Protect Privacy and Confidentiality by Limiting the Types of Information that Can Be Widely Shared
Information systems obviously create different concerns depending on the level of sensitivity and reliability of the information they contain. In our view, it would be very beneficial to establish a system for sharing and electronic access to information concerning enforcement actions taken by the banking agencies, and comparable enforcement actions taken by other functional regulators. Such a system would enable regulators to identify individuals and entities with records that are relevant when those individuals or entities seek to affiliate with new entities or conduct new types of businesses. In the case of depository institutions, information on final enforcement actions is available to the public pursuant to 12 U.S.C. Section 1818(u), and therefore would not raise confidentiality or privacy concerns.
Sharing non-public information about banks and individuals does raise confidentiality and privacy concerns that are particularly serious, since the information could vary considerably, and may be preliminary or unsubstantiated. All of the Federal banking agencies from time to time receive preliminary information that raises suspicions of illegal activity. Disclosure to other regulators of preliminary suspicions, the reliability of which could vary widely, would raise significant privacy issues, including the dissemination of potentially inaccurate accusations against individuals or institutions that could cause unwarranted harm to the reputation of the individual or the bank. Disclosure of preliminary information also could hamper ongoing investigations by law enforcement agencies or Federal banking agencies and might even expose agencies to potential liability for falsely accusing individuals or institutions.
For example, the SAR system I have described, by definition, contains information about "known or suspected" violations of Federal law and about "suspicious transactions" related to money laundering or violations of the Bank Secrecy Act. By its nature, information reported on a SAR is preliminary or unsubstantiated. We need to be very careful that any new system of information sharing does not taint individuals or entities based upon mere suspicion or allegation.
On the other hand, sharing non-public information after an agency has formally determined to initiate an action, has gathered its supporting documentation, and has issued a Notice of Charges, reduces the risks to confidentiality and privacy. If such non-public information were shared only with other Federal and State agencies, this information would remain outside of the public arena. At the same time, since Notices of Charges are fully developed and based on an agency's extensive investigation, they can safely be viewed as relevant by other agencies with a supervisory or law enforcement interest in the individual or institution.
For these reasons, we respectfully urge that legislation focus on enhancing the availability to relevant Federal and State agencies (and the NAIC on behalf of State insurance supervisors) of information regarding final enforcement and disciplinary actions. If information availability were to be expanded beyond those actions, we would urge that it focus on formally commenced enforcement actions by the participating Federal and State agencies. Such a system would be very useful to functional regulators and would not present the information reliability and privacy issues that would arise if broader categories of unsubstantiated information were included.
This approach also would make it unnecessary to create any new governmental entity to manage information sharing among functional regulators. A meaningful level of information exchange already exists among Federal financial institutions regulators and State regulators, though the information is not as complete or as readily accessible as is desirable. In our view, the current systems represent a good starting point, and Congress could direct the relevant agencies to build on what currently exists, to create a linked system containing public information on enforcement actions taken, with the limited addition of non-public information concerning the issuance of Notices of Charges (or comparable actions), as I have described, and with provision for the role of the NAIC on behalf of the State insurance supervisors in that process. That directive, coupled with the necessary protections to preserve privileges and ensure that confidentiality and privacy are protected, would be a significant aid to cooperative law enforcement among Federal and State regulators of financial services providers, and would not require the creation of any new bureaucracy to oversee this activity. This would be more effective, in our view, than creating a new organization, such as a new body within of the Federal Financial Institutions Examination Council, to assume and manage this function.
Madam Chair, Mr. Chairman, and members of the Subcommittees, let me state again the appreciation of the OCC that the Subcommittees are addressing these issues. You have identified an important area, where enhanced information sharing between functional regulators can enhance the integrity of the industries that we regulate. Many of the issues in this area can be quite complex, and we would be happy to work with the Subcommittees and their staff to provide technical assistance as you prepare specific legislative proposals.
I would be happy to answer your questions.
1 The OCC has similar agreements to refer potential violations of law with the Department of Labor for potential violations of ERISA, and the Federal Elections Commission for potential violations of Federal elections law.
6 Consistent with OCC regulations on the sharing of non-public supervisory information, the OCC has entered into a number of information sharing agreements with other Federal and State agencies. In 1984, the Federal banking agencies entered into a Joint Statement of Policy on the Interagency Exchange of Supervisory Information to share certain confidential or privileged supervisory information, and to make this agreement to share information with State insurance regulators that I have previously described, the OCC will notify the State insurance regulator of any enforcement action it takes against a national bank that has a resident insurance license in that state if the action relates to activities the insurance regulator supervises or has the authority to examine, or if the activity at issue poses a material risk to the operations or financial condition of a regulated entity that the insurance regulator supervises. Likewise, the State insurance regulator will notify the OCC of any enforcement action it takes, or that it knows has been taken by another State insurance regulator, against a regulated entity that the OCC supervises or that poses a material risk to the operations or financial condition of a regulated entity that the OCC has the authority to examine.
In addition, information reported on the Suspicious Activity Reports (SARs) electronic database is available to Federal law enforcement agencies, the Federal banking agencies, and to State law enforcement and bank supervisory authorities. A SAR is a standardized form for reporting certain illegal or suspicious activities. Depository institutions, including national banks, State-chartered banks, Federal and State-chartered thrifts, and Federal credit unions, are required to file SARs when they detect a known or suspected violation of Federal law, a suspicious transaction related to a money laundering activity, or a violation of the Bank Secrecy Act.7 Thus, the principal purpose of the SARs database is to catalog for criminal law enforcement authorities any suspicious activity and possible illegal conduct being perpetrated against, or utilizing, financial institutions. SARs are filed with the Financial Crimes Enforcement Network of the Department of the Treasury (FinCEN) and maintained in an electronic database. FinCEN is a co-owner of the database with the Federal banking agencies, and maintains and manages the SAR database pursuant to an agreement with the OCC, the Federal Reserve, the FDIC, the OTS, and the NCUA. That agreement permits FinCEN to share access to the database with other Federal and State law enforcement agencies and regulators upon securing a written commitment to maintain confidentiality of the information and to safeguard its use. In general, the SAR system is used to provide leads for law enforcement agencies and for banking agencies to identify situations that may warrant initiation of formal enforcement actions to remove and prohibit individual from banking.
7 See, e.g., 12 C.F.R. 21.11 (OCC regulation prescribing SAR filing requirements). The Bank Secrecy Act authorizes the Secretary of the Treasury to require "any financial institution, and any director, officer, employee, or agent of a financial institution, to report any suspicious transaction relevant to a possible violation of law or regulation." 31 U.S.C. 5318(g). The term "financial institution" is broadly defined in that law to include a wide variety of persons and entities whose business involves monetary transactions. See 31 U.S.C. 5312(a) (definition of "financial institution").
10 12 U.S.C. 1821(t). The agencies covered by this protection are the OCC, the Federal Reserve, the FDIC, the OTS, the Farm Credit Administration, the Farm Credit System Insurance Corporation, the NCUA, and the General Accounting Office.