Financial Services Industry Group Update: $30M Fine Issued to NY Bank for Misuse of Confidential Information: What Happened?

The New York Department of Financial Services imposed a $30 million penalty on the New York branch of a foreign bank. The fine had nothing to do with employment discrimination or wage-and-hour issues—but it was the outcome of an internal transfer of a single New York-based employee to an overseas affiliate, and is a lesson in how financial services clients are at risk of penalties going far beyond those that are normally imposed by employment law regulators.

By Philip M. Berkowitz | March 13, 2024

Employment lawyers know that juries can issue substantial awards in whistleblower, discrimination, harassment and other retaliation cases—particularly when these cases are brought under state or local statutes that, unlike Title VII or the ADEA, impose no caps on damages.

But juries and courts are not the only entities that can impose penalties on companies for inappropriate employment practices. Government entities that regulate the financial services industry have authority to issue substantial penalties, which may even include shutting down the company’s business, whether temporarily or otherwise.

On Jan. 19, 2024, the New York Department of Financial Services (DFS) imposed a $30 million penalty on the New York branch of a foreign bank. The fine had nothing to do with employment discrimination or wage-and-hour issues—but it was the outcome of an internal transfer of a single New York-based employee to an overseas affiliate, and is a lesson in how financial services clients are at risk of penalties going far beyond those that are normally imposed by employment law regulators such as the EEOC and NLRB.

What happened? The New York branch’s affiliate had requested that, before effectuating the transfer, the branch provide the affiliate with documentation regarding the employee’s involvement in any internal investigations of regulatory or disciplinary matters. The branch provided the documents and the affiliate, in turn, provided them to its own local regulator.

What could be wrong with an innocuous request like this, which likely was compelled by the overseas entity’s need to conduct due diligence of the transferring employee?

Confidential Supervisory Information

The answer is that, in the view of the DFS, providing this information violated the New York Banking Law, which prohibits a financial services institution from releasing to any third-party documents reflecting reports of examinations and investigations, and any related documents. This information is called Confidential Supervisory Information (CSI). And every general counsel of every financial services organization is aware that releasing this information—again, in some cases, even to their own external counsel—can result in significant regulatory scrutiny and penalties.

The New York law is not the only law recognizing the confidentiality of documents of this nature. The Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), as well as DFS, have similar rules on what constitutes CSI, but unfortunately inconsistent rules as to whether, and in what circumstances, a regulated entity may reveal CSI to their external counsel.

The Bank Examiner’s Privilege

CSI may also be protected by the common law bank examination privilege. “Stated broadly, the bank examination privilege is a qualified privilege that protects communications between banks and their examiners in order to preserve absolute candor essential to the effective supervision of banks.” The privilege “arises out of the practical need for openness and honesty between bank examiners and the banks they regulate, and is intended to protect the integrity of the regulatory process by privileging such communications” (Wultz v. Bank of China, 61 F.Supp.3d 272, 281-83 (S.D.N.Y.2013) (citations and quotations omitted).

The bank examination privilege belongs solely to the banking regulatory entities. If documents requested in civil litigation discovery fall within the privilege, a court can only override the privilege if the requesting party demonstrates “good cause”—i.e., that it is necessary to promote the paramount interest of the government in having justice done between litigants, or to shed light on alleged government malfeasance, or in other circumstances when the public’s interest in effective government would be furthered by disclosure.

Think of the implications of this rule. Entities subject to it cannot release these internal documents, in many cases, to anyone without the permission of the regulator. This includes responding to subpoenas or discovery requests, and in some cases, even providing documents to their attorneys to assist them in assessing liability in any given situation, or, in the case identified above, to their affiliated entity or another regulator.

So if you are defending a financial services company subject to this rule in a discrimination or whistleblower claim, and if the employee engaged in conduct that resulted in the employer being subject to an investigation or examination—and if the employer shared the information with the regulator, because it deemed the conduct to be so serious that it required disclosure—as counsel, your access to the documents provided to the regulator, and the regulator’s responses and investigation, could be off limits.

And if you receive a discovery request, and if CSI might be responsive to the request, you must not disclose it without seeking the affirmative request of the regulator.

Suspicious Activity Reports

Let us take this one step further. Let us suppose you are representing a financial services company in a whistleblower lawsuit. The employer fired the whistleblower because she engaged in inappropriate behavior. In fact, the employer found the conduct so troubling that it filed a report with the Financial Crimes Enforcement Network (FinCEN), a division of the U.S. Treasury.

Why file such a report? Because federal law requires it. When a financial services company learns of suspicious conduct that might signal criminal activity (e.g., money laundering, tax evasion), it must, within 30 days of detecting that conduct, file a suspicious activity report (SAR) with FinCEN.

Of course, in defending the whistleblower claim, you would love to site to the SAR to demonstrate the seriousness with which your client took the matter, and the seriously inappropriate nature of the plaintiff’s conduct. But if you did, you would be violating federal law, which prohibits disclosure of a SAR except in very limited circumstances. 12 CFR §21.11(k). Indeed, informing the subject of the SAR of the SAR and its filing is itself a violation of the law. 31 U.S.C. §5318(g)(2)(A).

The fine against the foreign bank that DFS sanctioned was also predicated on a senior employee’s backdating of certain internal control documents, which was revealed to DFS by an internal employee whistleblower. If the bank had filed a SAR when it discovered this conduct, the bank could not site to the SAR filing as a defense, although it could cite to the underlying conduct.

Conclusion

Lawyers who represent financial services companies need to understand the special rules that apply to their clients, and by extension to the lawyers who represent them. We must be aware that those clients expect us to safeguard their CSI, and to be familiar with the rules concerning information that is communicated between these clients and their regulators. Failing to have these rules in mind may not only cause damage to the client vis-à-vis its regulator—it may also cause embarrassment and worse to the lawyers to fail to take these into account in providing legal advice.

Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm’s U.S. international employment law and financial services practices.

Reprinted with permission from the March 13, 2024, edition of the New York Law Journal©  2024 ALM Global, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.