In coordinated actions, the New York State Department of Financial Services (NYDFS) and the Federal Reserve Board (FRB) fined the Industrial and Commercial Bank of China, Ltd. (ICBC) and its New York branch (Branch, a New York-based subsidiary) $30 million and approximately $2.4 million, respectively. The Branch, which operates under the jurisdiction of both examining authorities, was found to have improperly disclosed confidential supervisory information (CSI), backdated certain books and records, and failed to self-report the impropriety of its books and records when the issue came to light. These coordinated enforcement actions signal the regulators' interest and seriousness in protecting CSI and emphasize NYDFS' focus on self-reporting misconduct.

Key Takeaways:

  • NYDFS coordinates with federal prudential regulators for enforcement related to banking institutions.
  • Maintaining confidentiality of CSI is a significant interest of regulators and disclosure can only be made with approval of the relevant regulatory authority.
  • Financial institutions are expected to have policies and procedures in place to properly manage recordkeeping and disclosure of CSI.
  • Regulators, particularly NYDFS, have strong expectations for financial institutions to self-report certain conduct. Governance and Self-Reporting Expectations

Governance and Self-Reporting Expectations

NYDFS has heightened expectations for self-reporting misconduct, which is codified in its regulations. For example, § 300.1(a) of Title 3 of the New York Codes, Rules and Regulations requires immediate reporting (upon discovery) of misconduct relating to "embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense, in which any director, trustee, partner, officer, employee (excluding tellers), or agent of such organization is involved." In this ICBC Consent Order, NYDFS found that the Branch had violated § 300.1(a) because a bank employee backdated signatures on certain client certifications in connection with its Know Your Customer program. Despite the Branch and ICBC representing that the certifications did not become part of the bank client's files, NYDFS found the action a violation of New York Banking Law § 200-c for failing to maintain appropriate books and records. Furthermore, NYDFS faulted the bank for failing to immediately report this incident upon discovery, when originally flagged to ICBC by one of its employees in 2017. The issue was internally investigated by ICBC and the investigation concluded in April 2017 that the records were in fact backdated. The backdating of the records constitutes a false entry, which NYDFS declared should have been immediately reported. However, ICBC did not report the incident until January 2018. Despite ICBC taking the needed action to investigate the issue, NYDFS, in its Consent Order, emphasizes its expectations regarding immediate self-reporting.

Confidential Supervisory Information

CSI can be broadly defined and varies in its scope across different state and federal regulators. For example, NYDFS defines CSI as any "reports of examinations and investigations [of NYDFS-supervised institution and affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including duly authenticated copy or copies thereof," as well as any confidential materials shared by NYDFS with any governmental agency or unit. 3 NYCCR § 7.1(1); New York Banking Law § 36.10. Meanwhile, FRB defines CSI as "information that is or was created or obtained in furtherance of the [Federal Reserve's] supervisory, investigatory or enforcement activities," including reports of examination, inspection and visitation, confidential operating and condition reports, supervisory assessments, investigative requests for documents or other information, and supervisory correspondence or other supervisory communications. 12 C.F.R. §§ 261. Regardless of the definition, regulators are the ultimate owners of CSI, meaning a financial institution cannot disclose CSI, even to other government agencies, without the written approval of the governing regulator.

At issue in these consent orders are examination-related documents that generated CSI pursuant to New York Banking Law § 36.10. These CSI materials were not permitted to be disclosed without NYDFS and FRB's approval. 3 NYCCR § 7.2.; 12 C.F.R. §§ 261.4, 261.20. However, ICBC failed to comply with these requirements when transferring a Branch employee to an overseas affiliate in December 2021. During the transfer, the New York Branch provided CSI to an overseas affiliate, who disclosed the CSI to a foreign regulator while the Branch's request for authorization to release the CSI was pending or under review with NYDFS, FRB, and the Federal Reserve Bank of New York. The Branch learned of the CSI breach in December 2021, and did not report the breach to NYDFS and FRB until two weeks later. In the resulting Consent Order, FRB emphasized the Branch's lack of adequate controls related to the use and dissemination of CSI. The NYDFS Consent Order, and similarly the FRB Consent Order, signal the regulators' seriousness in managing CSI and the applicable expectations for immediate self-reporting of unauthorized disclosures.

In addition to the assessed total fines of $32.4 million, both consent orders require additional remediation efforts. For example, NYDFS and FRB have each imposed additional non-monetary penalties including providing periodic progress reports relating to AML/BSA and CSI compliance programs and establishing and reporting on controls and governance relating to both. The FRB is also requiring the designation of a CSI officer who must be a voting member of the Branch's risk management committee.

The Bottom Line

Financial institutions are expected to have policies and procedures, internal controls, and adequate governance surrounding the handling of and protection of CSI, even when dealing with affiliates. Additionally, in its consent order, NYDFS has made it very clear how seriously it takes self-reporting and that, in this instance, waiting two weeks post-discovery of a reportable incident did not meet its "immediate" reporting expectation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ms Laurel Loomis Rimon
Jenner & Block
1099 New York Avenue, NW
Suite 900
Washington, DC
Tel: 202639 6000
Fax: 202639 6066

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 -, source Business Briefing