Dealing with Confidential Supervisory Information in a Bank Merger or Acquisition
A serious regulatory issue can derail a bank merger or acquisition. Sometimes a bank will begin a transaction with a known, pre-existing regulatory issue, and other times an unanticipated regulatory issue develops during the course of a transaction. Both scenarios present challenges. In either case, the bank must treat the issue with a high degree of sensitivity and avoid any missteps that could cause the transaction to implode, tarnish the bank’s reputation, or expose the bank and its officers and directors to liability or criticism from its regulators.
A bank’s “regulatory issue” and any documents describing it, including the bank’s internal assessments of the issue, may comprise or contain “confidential supervisory information” (“CSI”) and therefore be subject to strict regulatory limitations on disclosure. There is a tension between these limitations and the terms of a typical merger or acquisition agreement: the bank would usually have an obligation under the agreement to fully disclose the issue to the other party to the transaction, but is generally prohibited from doing so under the law. Thus, the bank may find itself in an impossible position - breach the agreement and subject itself to liability and reputational harm or disclose the issue and violate the law.
Banks’ obligations regarding CSI are defined by the regulations of the various federal bank regulatory agencies.  There are subtle but important differences between these agencies’ respective regulations, including in the definition of CSI and to whom and under what circumstances CSI may be disclosed. In general, though, CSI includes reports, records, and other documents prepared by, on behalf of, or for the use of an agency with regulatory or supervisory responsibility over the bank (e.g., the Federal Deposit Insurance Corporation (the “FDIC”), the Board of Governors of the Federal Reserve System or a Federal Reserve Bank (collectively, the “Federal Reserve”), or the Office of the Comptroller of the Currency (the “OCC”)). Examples of CSI include supervisory communications between a bank and its regulator, examination reports, supervisory ratings, non-public enforcement actions, and internal bank documents discussing any of these matters.
Part 309 of the FDIC’s Rules and Regulations (“Part 309”), for example, generally prohibits a state nonmember bank from disclosing CSI other than to its officers, directors, employees, or agents who have a need for the CSI in the performance of their duties.  (The federal bank regulatory agencies take the position that CSI is the exclusive property of the regulator, and therefore, absent an applicable exemption, CSI may not be disclosed without the regulator’s express authorization.) Unauthorized or improper disclosure of CSI could subject the bank and any of its officers, directors, employees, or agents who are involved in the disclosure to adverse supervisory action, including the imposition of civil money penalties, and even criminal penalties. 
Suppose a bank that is negotiating a merger is subject to a memorandum of understanding with its primary federal regulator regarding its compliance with certain consumer laws. The typical merger agreement contains pages of representations and warranties, some of which would require the bank to disclose this information to its prospective merger partner. For example, the agreement may contain representations that the bank is, and has been for a specified period of time, in compliance with all applicable laws, is not subject to any governmental or regulatory proceeding or investigation, and is not subject to any order or agreement that restricts the bank’s business. Any inaccuracy in, or breach of, any representation or warranty could give the other party to the transaction the right to terminate the agreement and subject the bank to liability. A prospective merger partner with experienced advisors will not allow the bank to simply negotiate these representations and warranties out of the agreement. So how should the bank proceed?
First, the agreement should contain a qualification that none of the bank’s representations or warranties will be deemed to be breached, inadequate, or incomplete because of the nondisclosure of CSI. This qualification will help protect the bank from liability for not disclosing its regulatory issue under the agreement. Of course, including this kind of qualification may prompt questions from the other party about the bank’s regulatory status. The bank will not be able to address these questions directly, because of the regulatory limitations on disclosure of CSI, but it might be able to refer the other party to publicly available information that could shed light on the issue. For example, the bank’s quarterly Call Reports filed with its primary federal regulator and its periodic filings with the Securities and Exchange Commission (the “SEC”) (if the bank is an SEC reporting company), as well as any public enforcement actions involving the bank, might all contain relevant information.  But public information will only reveal so much about the regulatory issue at hand. If the other party decides to move forward with the transaction despite the specter of a regulatory issue, it may seek to include various contractual protections in the agreement, in case the issue delays the closing of the transaction or results in a serious problem after the transaction closes. Such protections may include special rights to terminate the agreement, special indemnities and separate escrow funds to support such indemnities, and “break-up fees”.
Additionally, the bank should be sure that the other party’s information rights under the agreement are appropriately limited, so as to avoid any contractual obligation to disclose CSI to the other party during the pendency of the transaction. For example, sometimes a merger or acquisition agreement will permit the other party (for example, where the other party is the acquiror) to have one or more observers present during any of the bank’s board or committee meetings that take place between the time the agreement is signed and the closing of the transaction. It might also require the bank to provide the other party with the same written “board package” that the bank’s directors or committee members receive in connection with any such meeting. In these cases, the agreement should preclude the other party’s observers from attending any portion of any board or committee meeting where CSI is discussed, and should provide that any CSI will be redacted from any written board or committee materials that are provided to the other party’s observers. The bank’s directors, and in particular its chairperson, should be informed of these limitations in advance, so that CSI is not inadvertently disclosed to the other party’s observers at a board or committee meeting.
A regulatory issue that develops during the regulatory approval process for a transaction presents even thornier concerns. A typical merger or acquisition agreement contains various pre-closing covenants - commitments of each party to do or refrain from doing certain things during the pendency of the transaction. Among these covenants is usually an undertaking to inform the other party of significant matters that arise between the time when the agreement is signed and the closing of the transaction. In addition, as part of and as a condition to closing the transaction, the parties typically certify to each other in writing that their respective representations and warranties in the agreement are true and correct as of the time of closing. A bank with a regulatory issue may not be able to satisfy these covenants or give this certification due to the regulatory limitations on disclosure of CSI, and therefore may find itself in breach of covenant under the agreement or unable to satisfy all of the conditions in the agreement to closing the transaction. In the context of a stock transaction, particularly one involving a publicly traded bank, the possibility of stockholder litigation in the event that the transaction falls through can make the situation especially worrisome for the parties’ respective boards and management.
Further, a serious regulatory issue that develops between the signing of the agreement and the closing of the transaction is likely to at least delay receipt of the necessary regulatory approvals for the transaction, sometimes indefinitely. Bank regulators generally will not approve a merger or acquisition where a party to the transaction has a significant, unresolved regulatory issue. Where multiple regulatory approvals are required, often the other regulatory agencies involved will wait for the surviving institution’s primary federal regulator to issue its approval of the transaction before issuing their approvals, which can also extend the timeline for the transaction. These delays can jeopardize the transaction. In particular, a typical merger or acquisition agreement will fix an outside date - often 12 months or so after the date when the agreement is signed - after which either party can terminate the agreement without penalty if the transaction has not closed.
A bank that develops a regulatory issue after signing a merger or acquisition agreement but before the transaction closes may wish to petition its regulator to allow the bank to provide some information about the issue to the other party to the transaction, in order to preserve the relationship and keep the transaction moving forward. Under Part 309, for example, such a request must be made in writing and specify, with reasonable particularity, the CSI that the bank wishes to disclose and the bank’s interest in disclosing the CSI.  The bank’s request may be granted, in the FDIC’s discretion, for “good cause”.  Regulators do not routinely accommodate these requests.  Any such request should be specific and narrowly tailored to the circumstances to maximize the bank’s chances of the request being granted. Without permission from its regulator to disclose the issue, the bank and its counsel will be in the awkward position of having to deflect questions from the other party about why regulatory approvals have not been granted within the expected timeline.
A regulatory issue can be a major impediment to completing a successful bank merger or acquisition. It can significantly delay (and even prevent) receipt of necessary regulatory approvals for the transaction, lead to contractual liabilities and reputational harm, and strain the parties’ relationship. At a minimum, it puts the affected bank and its management in a difficult and uncomfortable position. To avoid a potentially damaging outcome, banks should conduct comprehensive due diligence on their potential merger or acquisition targets, as well as self-assessments of their own regulatory status, before beginning a transaction. The parties should also approach their regulators on an informal basis to “vet” the transaction in advance. If possible, it may also be helpful to begin the transaction process just after one or more of the parties complete a successful examination cycle, so that party has relative confidence that its regulatory status will not be an impediment to closing the transaction. Once the agreement is signed, regulatory applications are filed, and the pending transaction is made public, the parties’ options for effectively dealing with a regulatory issue become more limited.
 See 12 C.F.R. § 309.1 et seq. (the FDIC’s CSI regulations); 12 C.F.R. § 261.1 et seq. (the Board of Governors of the Federal Reserve System’s CSI regulations); and 12 C.F.R. 4.31 et seq. (the OCC’s CSI regulations). In the case of a state bank, there may also be state statutes and regulations applicable to treatment of the bank’s CSI. Under Massachusetts law, for example, all records of investigations and reports of examinations by the Massachusetts Commissioner of Banks (the “Commissioner”), including workpapers, information derived from such reports or responses to such reports, and any copies of such records in the possession of any bank under the supervision of the Commissioner, are considered confidential and privileged communications. See M.G.L. ch. 167 § 2. The Massachusetts Division of Banks (the “Division”) takes the position that any bank supervised by the Commissioner must notify the Division’s Legal Unit immediately if the bank receives any requests for any such materials. See Massachusetts Division of Banks Regulatory Bulletin 1.1-105, Confidentiality of Reports of Examination and Related Materials.
 See 12 C.F.R. § 309.6(a) and (b).
The federal bank regulatory agencies have indicated that any person who discloses or uses CSI except as expressly permitted by the appropriate federal bank regulatory agency or as provided in such agency’s regulations may be subject to the criminal penalties provided under 18 U.S.C. § 641, which criminalizes theft of records belonging to any agency of the United States. See FDIC FIL-13-2005, Interagency Advisory on the Confidentiality of the Supervisory Rating and Other Nonpublic Supervisory Information.
 In 2005, the federal bank regulatory agencies jointly issued guidance that emphasizes banks’ obligation to keep CSI confidential and directs banks that receive requests for CSI from third parties to refer the requester to publicly available information in lieu of disclosing any CSI, including Call Reports, SEC filings, and any publicly available enforcement proceedings against the bank. See FDIC FIL-13-2005, supra note 4.
 See 12 C.F.R. 309.6(b)(7).
 See Id.
 See, e.g., FedLinks, Confidential Supervisory Information (Aug. 2016), available at https://www.kansascityfed.org/~/media/files/publicat/banking/guidance/fedlinks_bulletin_confidential_supervisory_information.pdf (stating that “[i]nstitutions may not share CSI with acquirers or targets in merger or acquisition transactions without prior approval of the Board’s general counsel, and it is the Board’s policy that disclosure requests in these contexts are denied absent very unusual circumstances.”) (emphasis added).
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.