SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background and Policy Objectives

II. Proposed Amendments to 12 CFR Part 309

A. Organization, Scope, and Purpose

B. Disclosure of Information Under the Freedom of Information Act

1. Overview

2. Definitions

3. Making a Records Request to the FDIC Under FOIA

4. FDIC Practices for Processing, Reviewing, and Responding to FOIA Requests

5. Fees for FOIA Requests

6. Dispute Resolution and Administrative Appeals

7. Supplemental Procedures for Confidential Commercial Information

C. Discretionary Disclosure of Confidential Information

1. Overview

2. Purpose, Scope, and General Requirements

3. Definitions

4. The “Good Cause” Standard

5. Procedure for Requesting Discretionary Disclosure

6. Disclosure by the FDIC

7. Disclosure of FDIC Confidential Information by Insured Depository Institutions and Their Parent Holding Companies

a. General Disclosure Authorizations

b. Disclosure of Historical Information

c. Disclosure of Confidential Information by Parent Holding Companies

d. Disclosure of Data for Aggregated Analyses

8. Disclosure of FDIC Confidential Information by Service Providers and Other Persons

D. Disclosure of Confidential Information in Legal Proceedings in Which the FDIC Is Not a Party

1. Overview and Scope

2. Definitions

3. Use and Request of FDIC Information in a Non-Party Legal Proceeding

4. Decisions on Requests

5. Waiver of Requirement for Requests

III. New Part 306 on Service of Process

A. Overview, Purpose, and Scope

B. Definitions

C. Service of Process Requirements and Processes

IV. Technical Amendments to Other Parts of the FDIC's Regulations

V. Expected Effects

A. Scope of Affected Entities

B. Expected Benefits

1. Discretionary Requests To Disclose Confidential Information

2. Other Changes

C. Expected Costs

D. Conclusion

VI. Matters of Regulatory Procedure

A. Regulatory Flexibility Act

B. Paperwork Reduction Act

C. Riegle Community Development and Regulatory Improvement Act

D. Executive Orders 12866 and 14192

I. Background and Policy Objectives

The FDIC's regulations set forth procedures, requirements, and restrictions for the disclosure of information by the FDIC and by other parties, including insured depository institutions, that may be in possession of the FDIC's confidential information. These include rules related to disclosure by the FDIC of information under the Freedom of Information Act (FOIA), disclosure by the FDIC and other parties of information that is confidential and exempt from disclosure under FOIA, and information related to legal proceedings (collectively, the information disclosure regulations). The FDIC has not significantly revised the information disclosure regulations in approximately 30 years. As a result, the FDIC's current information disclosure regulations (1) do not reflect or appropriately accommodate the business relationships and transactions that often give rise to a need by insured depository institutions to disclose the information subject to these provisions; (2) include administrative impediments to disclosing information that are ( printed page 39727) unnecessarily burdensome and may produce inconsistent results; (3) use terms that are outdated or vague; and (4) impose additional restrictions on the disclosure of confidential information by insured depository institutions that are not imposed under information disclosure regulations of the other federal banking agencies.

The proposal seeks to address these and other issues, including by providing flexibility to FDIC-supervised institutions to disclose information they commonly seek to share with certain third parties without prior approval of the FDIC and significantly reorganizing the FDIC's information disclosure regulations.

The FDIC invites comments on all aspects of the proposal, including ways the information disclosure regulations could be revised to further improve their clarity and reduce administrative burden.

II. Proposed Amendments to 12 CFR Part 309

A. Organization, Scope, and Purpose

Part 309 of the FDIC's regulations sets forth the FDIC's policies regarding the information it maintains and the procedures for obtaining access to such information. Part 309 addresses, among other information disclosures, both requests from the public for FDIC information subject to FOIA and requests from insured depository institutions and other parties to disclose FDIC confidential information to third parties or to receive such information from the FDIC. As noted in section I of this Supplemental Information, part 309 has not been significantly amended in approximately 30 years. In that time, through its processing of requests for information under FOIA and its interactions with insured depository institutions and other parties seeking to disclose or receive FDIC confidential information, the FDIC has observed that part 309, both in its structure and content, has led to confusion among stakeholders and does not appropriately balance the need to protect sensitive, confidential information with the benefits of allowing greater transparency and access to information in appropriate circumstances.

To address these concerns and improve the FDIC's information disclosure regulations, the proposal would reorganize part 309 into the following four subparts: (1) subpart A describes general aspects of the regulation, including the rule's scope and organization; (2) subpart B sets forth the FDIC's FOIA policies and procedures; (3) subpart C establishes the FDIC's policies and procedures regarding discretionary disclosures of confidential information exempt from FOIA, including circumstances when an insured depository institution may disclose FDIC confidential information in its possession without the FDIC's prior approval; and (4) subpart D describes the FDIC's policies and procedures regarding disclosure of confidential information in connection with legal proceedings. As discussed later in this Supplemental Information, the FDIC's service of process regulations that currently appear in part 309 would be relocated to proposed part 306.

The following table summarizes the proposal's changes to the content and organization of the FDIC's information disclosure regulations.

In addition, the proposal would make a number of revisions to part 309 that are generally intended to provide greater clarity, simplify administrative processes, and, where appropriate, remove or narrow restrictions on the ability of insured depository institutions to disclose FDIC confidential information to certain third parties. Importantly, while insured depository institutions are typically required to obtain prior approval from the FDIC before disclosing FDIC confidential information under the FDIC's current information disclosure regulations, the proposal would permit insured depository institutions to disclose such information to certain third parties without prior approval for a business purpose, subject to having in place a qualifying confidentiality agreement with each intended recipient. These third parties include, for example, an insured depository institution's legal counsel, majority shareholder, qualifying service providers, and certain potential merger counterparties. In addition, where prior approval from the FDIC would still be required, the proposal would clarify and simplify the standard under which the FDIC may authorize an insured depository institution or other party to disclose FDIC confidential information.

As described in section III of this Supplemental Information, the proposal also would remove the provisions currently in part 309 regarding service of process in a legal proceeding and relocate them to a separate part of the FDIC's regulations, proposed part 306. The FDIC has observed that the service of process provisions bear little relation to the other provisions of part 309 regarding information maintained by the FDIC and the policies and procedures for the disclosure of such information. Relocation of these service of process requirements to a separate part of the FDIC's regulations would improve the clarity of both the service of process requirements and the information disclosure requirements more generally.

Question 1: Does the proposed reorganization of part 309 achieve its intended objectives? If not, how can the structure and organization of part 309 ( printed page 39729) be further improved to enhance the FDIC's disclosure of information regulations? Are there additional structural and organizational changes to the proposal that would help reduce burden?

B. Disclosure of Information Under the Freedom of Information Act

1. Overview

Under the proposal, requirements for parties requesting information from the FDIC under FOIA and the FDIC's processes for reviewing and responding to such requests would be codified at a new subpart B of part 309. Based on the FDIC's experience in processing FOIA requests, the FDIC believes its current requirements for FOIA requests, which are codified at sections 309.3 through 309.5 of part 309, could be clarified to better explain the FDIC's existing processes and improve readability. The proposed rule would also amend certain aspects of the FDIC's FOIA requirements to align them more closely with the applicable statutory requirements.

2. Definitions

Proposed section 309.11 would introduce certain new defined terms that the FDIC believes will help clarify the FDIC's FOIA requirements and better align the terminology used in the regulation with applicable statutory definitions.

Confidential commercial information would mean trade secrets and commercial or financial information obtained by the FDIC from a submitter that may contain material exempt from disclosure under Exemption 4 of FOIA.

Defective request would mean a request that does not reasonably describe the information requested or that does not otherwise comply with the requirements of subpart B of part 309, including those related to fees.

FOIA public liaison would mean the FDIC official responsible for assisting requesters by explaining the FOIA process, providing information on the status of requests, and resolving any disputes.

Submitter would mean any person or entity that provides confidential commercial information to the FDIC. The term “submitter” includes, but is not limited to, corporations, state governments, and foreign governments.

Other terms defined in proposed section 309.11 would have the meaning currently given to them in section 309.5(a) or would include minor modifications to better align with applicable statutory definitions.

Question 2: Do the new defined terms help clarify the FDIC's requirements for FOIA requests? Should the definitions set forth in subpart B be further clarified or revised? If so, how? Should the proposal include any additional defined terms related to FOIA requests?

3. Making a Records Request to the FDIC Under FOIA

Proposed sections 309.12 and 309.13 would describe the requirements for requesting information from the FDIC under FOIA. These proposed sections would be generally consistent with the requirements currently codified at section 309.5 of part 309, with revisions to clarify existing processes, improve readability, and use more modern terminology.

The proposal would make certain changes related to how parties may request information from the FDIC under FOIA. First, section 309.13(c) would provide more explicit guidance on the contents of a records request, including by directing requesters to include details about the records sought so that the FDIC can locate them with a reasonable amount of effort, and stating that requests about very general topics, or those without limitations or dates, are more likely to be viewed as defective requests.

Second, proposed section 309.13(d) would add a new provision to clarify the FDIC's existing practice that individuals requesting records pertaining to themselves must satisfy the identify verification requirements established under 12 CFR 310.4(c), which ensures the FDIC's compliance with the Privacy Act.^[1]

Third, proposed section 309.13(e) would describe requirements for requesting information about third parties ( i.e., about parties other than the requester). Specifically, this paragraph provides that a requester seeking records regarding third parties may receive greater access to requested records by submitting a written authorization by the individual who is the subject of the record. This paragraph also provides that, when requested records concern a deceased individual, a requester must submit proof that the individual is deceased and that the FDIC may require other verification documentation.

4. FDIC Practices for Processing FOIA Requests

Paragraph (d) of section 309.5 of the current rule establishes how the FDIC processes requests for information under FOIA. The proposal would include substantively consistent provisions, with modifications to clarify existing procedures and improve readability.

Proposed section 309.14 would generally replace paragraph 309.5(d) of the current rule and explain how the FDIC processes requests for information. Proposed section 309.14 would also include an updated and more detailed description of how the FDIC conducts multitrack processing and may aggregate certain requests. Proposed section 309.15 would establish how the FDIC conducts expedited processing for certain requests. This section is generally consistent with section 309.5(d)(3) of the current rule, with modifications to clarify existing practices and improve readability. Furthermore, proposed section 309.15 would establish that, in addition to the current rule's eligibility criteria, requests that involve the loss of substantial due process rights or possible questions of federal government integrity may be eligible for expedited processing. Any request for expedited processing would be required to be made concurrently with the initial record request and include a statement explaining the basis for expedited processing.^[2] In addition, proposed section 309.16 would replace paragraph 309.5(j) of the current rule and provide additional detail regarding the circumstances under which the FDIC may consult with, and refer requests to, another agency that may have an interest in a request received by the FDIC.

5. Fees for FOIA Requests

Proposed sections 309.17 through 309.21 would provide a general overview of the fees charged by the FDIC to requesters and how requesters may seek a waiver or reduction of fees. While substantively consistent with section 309.5(f) of the current rule, the proposal would make significant revisions to the fees-related provisions of part 309 to clarify existing procedures and improve readability.

Proposed sections 309.19 and 309.20 explain how the FDIC charges fees to requesters and requests payment, replacing and clarifying section 309.5(f)(1) of the current rule. In particular, proposed section 309.19 clarifies that, if the FDIC notifies a requester of the estimated fee for a request and does not receive a response or request for modification from the requester within thirty calendar days, the request will be closed. Additionally, proposed section 309.19 provides ( printed page 39730) details regarding when advanced payment of fees is required and explains the circumstances in which fees will not be charged, noting that absent unusual or exceptional circumstances, the FDIC will not charge certain fees if the FDIC fails to comply with the time limits in which to respond to a request.

Finally, to promote transparency and better align the information disclosure regulations with applicable statutory requirements, proposed section 309.21 would clarify the factors the FDIC considers when evaluating whether a waiver or reduction of fees may be appropriate on public interest grounds. Providing this information directly in part 309 would help inform requests for a waiver or reduction in fees.

6. Dispute Resolution and Administrative Appeals

Proposed sections 309.22 and 309.23 would describe the processes available to a requester for dispute resolution and administrative appeals of requests for information that have been subject to adverse determinations. These proposed sections are generally consistent with the provisions currently codified at paragraphs (h) and (i) of section 309.5 of part 309, with revisions to clarify existing processes and improve readability. For example, section 309.22 now clarifies that dispute resolution is a voluntary process, and section 309.23 details what constitutes adverse determinations by the FDIC, which may be appealed through the administrative process, and also provides more specific instructions on how and when an appeal must be submitted.

7. Supplemental Procedures for Confidential Commercial Information

Executive Order 12600 requires that agencies subject to FOIA “establish procedures to notify submitters of records containing confidential commercial information . . . when those records are requested” under FOIA, if the agency “determines that it may be required to disclose the records.” ^[3] Proposed section 309.24 would add new supplemental procedures regarding both the submission and disclosure of confidential commercial information to better align the FDIC's information disclosure regulations with this requirement.

First, proposed section 309.24 would clarify the requirements for a party that submits confidential commercial information to the FDIC (for example, confidential commercial information that an insured depository institution may submit in connection with an application to the FDIC) to designate, at the time of submission or thereafter, information the submitter claims could reasonably be expected to cause substantial competitive harm if disclosed. Second, proposed section 309.24 would establish the process by which the FDIC would provide notice to a submitter of confidential commercial information in the event that a FOIA request would seek the disclosure of such information, how a submitter may object to disclosure, and how the FDIC would respond to an objection. If the FDIC were to provide notice to a submitter of a request under FOIA for confidential commercial information, proposed section 309.24 would also require the FDIC to inform the requester that such notice has been made.

Question 3: Do the proposed amendments to subpart B of part 309 help clarify the FDIC's FOIA process?

Question 4: Are there additional revisions that can be made to subpart B of part 309 to clarify the FDIC's FOIA process or reduce administrative burden?

C. Discretionary Disclosure of Confidential Information

1. Overview

Under the proposal, subpart C of part 309 would establish the FDIC's policies and procedures regarding discretionary disclosures of confidential information that is exempt from disclosure under FOIA, replacing most of the provisions of section 309.6 of the current rule. Proposed subpart C would make a number of substantive changes to the current rule, including: (1) significantly expanding the categories of parties with which insured depository institutions and certain other entities can share confidential information without making a request to the FDIC, subject to certain conditions; (2) updating the process by which parties may request disclosure of confidential information to increase flexibility, including by allowing FDIC authorized directors to modify certain requirements and disclose confidential information on their own initiative; and (3) clarifying that the general standard for disclosure under this subpart is “good cause,” as determined by the appropriate authorized director.

These changes are being proposed to reduce or eliminate procedural barriers and inefficiencies that exist under the current rule. The FDIC intends for the proposed rule to streamline disclosures of confidential information, both by the FDIC and by insured depository institutions and other parties with confidential information in their possession, while providing safeguards to ensure that such information remains appropriately protected. Additionally, the proposal would make a number of non-substantive changes to improve the rule's clarity and readability.

2. Purpose, Scope, and General Requirements

Proposed section 309.30 would describe the purpose and scope of subpart C. Proposed sections 309.32 and 309.33 would establish the general prohibition on the disclosure of confidential information, except as permitted under subpart C. Proposed section 309.39 would establish the conditions and limitations that would apply to any disclosure of confidential information under subpart C. With the exception of the clarification of the “good cause” standard in section 309.30, as described in more detail in section II.C.4 of this Supplemental Information, these proposed provisions regarding the regulation's purpose, scope, and general requirements are not intended to substantively modify the FDIC's current information disclosure rules or practices.

The requirements, restrictions, and authorizations of subpart C would apply to all insured depository institutions (as well as other parties) in possession of FDIC confidential information in respect of such FDIC confidential information, regardless of whether the FDIC is the appropriate federal banking agency, as defined in section 3 of the Federal Deposit Insurance Act,^[4] in respect of an insured depository institution. For example, disclosure of FDIC confidential information by an insured depository institution for which the FDIC is not the appropriate federal banking agency must be authorized under subpart C. However, subpart C would neither restrict nor authorize the disclosure by an insured depository institution, including an insured depository institution for which the FDIC is the appropriate federal banking agency, or by any other party, of the confidential information of another federal banking agency or a state banking authority that an insured depository institution may possess. Additionally, the FDIC recognizes there are certain records or information that may be confidential information of both the FDIC and another supervisory agency. In such cases, insured depository institutions would still need to ensure their ongoing compliance with any information disclosure restrictions ( printed page 39731) and data privacy laws to which they may be subject.

Question 5: Should the FDIC provide additional clarity on disclosure of records or information that is confidential information of both the FDIC and another federal or state supervisory agency? If so, what additional clarity would be helpful?

3. Definitions

Proposed section 309.32 would introduce certain new defined terms that the FDIC believes will help clarify the FDIC's disclosure requirements regarding its confidential information.

Affiliate would mean any company that controls, is controlled by, or is under common control with another company as defined in 12 U.S.C. 1841(k).

Authorized director would mean any of the directors of FDIC divisions and offices, or their designees, who have primary responsibility for FDIC records or information; and deputies to the chairperson of the FDIC Board of Directors, to the extent such officials have primary responsibility for FDIC records or information.

Confidential information would mean any FDIC record or other FDIC information in any form that is exempt from disclosure under FOIA, and any information derived from or related to such FDIC record or information. This would include but is not limited to information about FDIC's supervision or resolution of depository institutions and financial companies; information about FDIC's enforcement of laws and regulations; and information about consumer complaints received by the FDIC. Confidential information would not include: (1) documents prepared by or for an insured depository institution, or any other party, for its own business purposes that are in its own possession, even though copies of such documents in the FDIC's possession otherwise would constitute confidential information; or (2) final orders, amendments, or modifications of final orders, or other actions or documents that are specifically required to be published or made available to the public pursuant to 12 U.S.C. 1818(u), the Community Reinvestment Act, or other applicable law.

Parent holding company would mean a company that has control of an insured depository institution. Control for purposes of this subpart C is defined in 12 U.S.C. 1841(a)(2).

Person would mean an individual, or an entity in any form, including a government agency.

Qualifying confidentiality agreement would mean an agreement that: (1) is written; (2) is governed by the laws of the United States or a State of the United States; (3) prohibits the use of the information by the recipient for purposes other than that for which it is provided and provides that the recipient will not further disclose or make public in any manner the information; (4) limits access to the information at a recipient entity to those directors, officers, or employees who have a business need to know the information and are bound by the qualifying confidentiality agreement; and (5) expressly provides that the FDIC is an intended third-party beneficiary of the agreement and is permitted to enforce the terms of the agreement through a civil action filed in the U.S. District Court for the District of Columbia and any other court having jurisdiction and venue over disputes arising from the agreement.

Qualifying service provider would mean an entity that: (1) has a contractual relationship with a depository institution and (2) provides: (A) products or services to the institution that are used in connection with the provision of financial products or services to the depository institution's customers; (B) advisory or consulting services related to the management or operations of the depository institution; or (C) technological infrastructure to the depository institution. This definition would include third party “fintech” companies that provide services used in connection with the provision of financial products or services to customers. The definition is intended to strike a balance by capturing types of service providers with respect to which insured depository institutions have the greatest need to share confidential information, while excluding service providers that are less likely to need confidential information as part of the services provided.

Question 6: Are the proposed defined terms appropriate for the purpose and intent of proposed subpart B? Should the FDIC include any additional defined terms or modify any of the proposed defined terms?

Question 7: Is the proposed definition of confidential information appropriate? Should the definition be revised to broaden or narrow it to appropriately capture the types of FDIC information that should be treated as confidential by insured depository institutions?

Question 8: Is the proposed definition of qualifying confidentiality agreement appropriate? What, if any, additional terms or requirements should the FDIC consider to appropriately protect the integrity of confidential information? For example, should a qualifying confidentiality agreement be required to be governed by U.S. law or include provisions that impose restrictions on how the confidential information is used, require the eventual destruction or return of the confidential information by the recipient, or require the recipient to acknowledge and consent to be subject to the FDIC's regulatory, examination, and enforcement authorities?

Question 9: Is the proposed definition of qualifying service provider appropriate? Should the definition be revised to broaden or narrow it to capture the universe of third parties that insured depository institutions should be able to share information with without requiring FDIC approval?

Proposed section 309.31 would not incorporate any terms currently defined in section 309.2 of part 309.^[5]

4. The “Good Cause” Standard

The proposed rule would substantially clarify the standard under which the FDIC may approve the disclosure of confidential information. Specifically, proposed section 309.35 would establish “good cause” as the general standard for authorizing disclosure of confidential information and provide a non-exhaustive list of factors the authorized director may consider when making a good cause determination. This standard would apply to decisions by the FDIC to disclose confidential information under subpart C—either on its own initiative or in response to a request—and decisions by the FDIC to permit an insured depository institution to disclose to a third party confidential information in the insured depository institution's possession, in those circumstances where such approval would continue to be required.

The factors to be assessed under the good cause standard would include: (1) whether disclosure will serve a legitimate regulatory, supervisory, resolution, or law enforcement purpose; (2) whether there is another source for the confidential information; (3) whether disclosure of the confidential information is unduly burdensome or otherwise may adversely affect or prejudice the FDIC, its mission, or its operations; (4) the scope and nature of the confidential information; (5) the recipient's intended use of the confidential information; (6) whether disclosure is lawful; (7) whether the confidential information includes ( printed page 39732) privileged information, trade secrets, or confidential commercial or financial information; and (8) whether disclosure would present safety and soundness or financial stability risks.

While the good cause standard and associated factors have been established as a matter of internal FDIC practice, they are not currently provided for in the FDIC's information disclosure regulations. The FDIC believes that incorporating the standard and associated factors into part 309 will help promote transparency and consistency in assessing potential disclosures of confidential information, as well as providing prior notice regarding the types of requests for disclosure that may not be authorized.

Question 10: Would the proposal provide sufficient clarity regarding the good cause standard?

Question 11: Should the FDIC consider any other factors when assessing whether there is good cause for disclosure of confidential information? Are any of the proposed factors not appropriate to be considered as part of the good cause standard?

5. Procedure for Requesting Discretionary Disclosure

Proposed section 309.34 would describe the process for an insured depository institution or other party to request discretionary disclosure of confidential information in a manner that is generally consistent with the FDIC's current information disclosure regulations. Proposed section 309.34 would also introduce certain changes to the FDIC's information disclosure regulations that are intended to provide for additional flexibility and streamline the process for requesting discretionary disclosure, where appropriate. First, proposed section 309.34 would expressly permit an authorized director to waive one or more of the generally applicable requirements for requesting a discretionary disclosure. In addition, proposed section 309.34 would also explicitly allow an authorized director to self-initiate the disclosure of confidential information without a request from a third party, provided that, in the authorized director's discretion, the good cause standard in proposed section 309.35 is satisfied.

6. Disclosure by the FDIC

Proposed section 309.36 would provide for the disclosure of confidential information by the FDIC to certain categories of parties that commonly make requests for confidential information. These include: (1) insured depository institutions and their affiliates; (2) federal, state, and foreign financial regulatory and supervisory authorities; (3) civil investigative and criminal law enforcement agencies and authorities; and (4) certain supervised bank service providers, insured depository institutions that receive services from such service providers, and state and federal authorities that supervise financial institutions serviced by such serviced providers. Proposed section 309.36 would also provide for the disclosure of confidential information to any other party and clarify the authority of the FDIC chairperson to authorize the disclosure of confidential information, in both cases subject to the good cause standard.

While proposed section 309.36 is intended generally to conform to the authorizations and requirements currently codified at paragraphs (b)(1) through (b)(6) and (b)(9) of section 309.6 of the current rule, the proposal would make various modifications to improve consistency, eliminate unnecessary barriers to appropriate disclosures, provide transparency, and reflect current practices. In particular, while the FDIC's current information disclosure regulations sometimes apply different and unnecessarily complicated procedural requirements for authorizing the disclosure of confidential information to different categories of parties, the proposed rule would make all disclosures of confidential information made under proposed section 309.36 subject to the good cause standard established at proposed section 309.35. This is intended to promote consistency and transparency relative to the FDIC's current information disclosure regulations.

Other changes from the FDIC's current information disclosure regulations include proposed section 309.36(b), which expressly provides for disclosure by the FDIC to affiliates of insured depository institutions. Under the current rule, such disclosures would be considered disclosures to general third parties and subject to additional requirements that the FDIC does not believe are necessary for ensuring the confidentiality of information.

In addition, proposed section 309.36(c), would provide for disclosures of confidential information typically made by the FDIC to federal and state agencies, subject to the good cause standard. While the current rule provides a non-exhaustive list of specific federal government agencies with which the FDIC will share confidential information, the proposed rule is intended to better reflect the FDIC's general practice to disclose confidential information to any federal or state agency where the good cause standard is satisfied.

Question 12: Is proposed section 309.36(c) sufficiently clear or should the rule more explicitly define the term “federal and state agencies”?

Question 13: What, if any, other revisions should the FDIC consider to clarify the parties to, and circumstances in which, the FDIC could disclose confidential information?

7. Disclosure of FDIC Confidential Information by Insured Depository Institutions and Their Parent Holding Companies

It has long been the FDIC's position that depository institutions should be able to disclose confidential information concerning their institution to certain third parties, such as accountants, legal counsel, certain service providers, and business partners, to the extent there is a necessary or appropriate business purpose for disclosing such information and the confidentiality of the information is maintained. These disclosures—subject to appropriate safeguards—facilitate normal business operations, including regulatory compliance.

The proposed rule would make significant changes to the requirements and restrictions regarding the disclosure of confidential information by insured depository institutions and certain other entities that may be in possession of confidential information. The requirements and restrictions that are presently applicable to the disclosure of confidential information by insured depository institutions are provided for at section 309.6(b)(7). Under section 309.6(b)(7), with the limited exception of the disclosure of certain examination materials to a parent holding company, any disclosure by an insured depository institution of confidential information in its possession requires the prior approval of the appropriate FDIC director. The FDIC's experience in implementing section 309.6(b)(7) has been that many types of requests from insured depository institutions are routinely approved. Requiring the FDIC's prior approval in these cases is time consuming, imposes unnecessary administrative burdens on insured depository institutions, and appears to serve no significant policy or other objectives. The FDIC is also aware that the broad restrictions on disclosure of confidential information under section 309.6(b)(7) may impose particular burdens for insured depository institutions in the context of their relationships with certain third-party service providers and other business partners. Furthermore, the FDIC's ( printed page 39733) broadly expansive requirement for prior approval for the disclosure of confidential information by insured depository institutions is not consistent with the information disclosure rules of other federal bank regulators, which allow for disclosure without prior approval in some instances.^[6]

a. General Disclosure Authorizations

Consequently, while the current rule requires that insured depository institutions make a request and obtain FDIC authorization prior to disclosing confidential information to other parties in almost all circumstances, the proposed rule would enable insured depository institutions and certain other entities to disclose confidential information without prior approval from the FDIC in certain circumstances, subject to certain conditions. Disclosure of such confidential information without a request to the FDIC would not compromise safety and soundness and will, among other things, reduce burden, facilitate regulatory compliance, and improve efficiencies—including between an institution and third parties that have business relationships with the institution. The proposed rule would establish safeguards to help ensure the confidential information is adequately protected (and not used for impermissible purposes) by the recipient(s) of such information. In some circumstances, these safeguards include requiring recipients to have agreed to a qualifying confidentiality agreement. In addition, insured depository institutions may only share confidential information without FDIC approval if sharing is “necessary or appropriate for business purposes,” meaning it must be in furtherance of specific objectives related to the insured depository institution's business.

In other circumstances, such as disclosure of certain confidential information by an insured depository institution to its affiliates and to directors, officers, and employees of its affiliates, no qualifying confidentiality agreement would typically be required. These changes are intended to reduce the burdens and detailed processes in the current rule to permit a more streamlined flow of confidential information between insured depository institutions and other parties when necessary or appropriate for business purposes. The proposed rule would also retain the authority of the FDIC to authorize disclosure of confidential information in other circumstances, subject to the good cause standard.

In general, proposed section 309.37(a) would allow insured depository institutions to disclose confidential information to certain persons where necessary or appropriate for business purposes without making a request to the FDIC. In circumstances where disclosure of confidential information to a party would be neither necessary nor appropriate for a business purpose, such disclosure would not be authorized under proposed section 309.37(a).

Proposed paragraphs (a)(1)(i) and (ii) of section 309.37 would allow insured depository institutions to disclose, without prior approval of the FDIC, confidential information to (1) the insured depository institution's own directors, officers, or employees (as permitted under the current rule); and (2) the insured depository institution's affiliates and the directors, officers, or employees of the insured depository institution's affiliates. The FDIC has observed that requests for disclosing confidential information to affiliates are typically necessary or appropriate for business purposes. Furthermore, the FDIC routinely approves requests to disclose confidential information to affiliates under the current rule and has not observed that such disclosures present risks to the integrity of its confidential information. Accordingly, the FDIC believes that permitting such disclosures to take place without the FDIC's prior approval will reduce administrative burden for insured depository institutions and permit a more efficient sharing of information between insured depository institutions and affiliates when necessary or appropriate for business purposes.

Subject to entering into a qualifying confidentiality agreement with the intended recipient of the confidential information, proposed paragraphs (a)(1)(iii) through (vi) of section 309.37 would allow insured depository institutions to disclose confidential information, without the prior approval of the FDIC, to: (1) their external legal counsel, accountant, or auditor; (2) a shareholder of the insured depository institution that owns over 50 percent of the voting stock of the insured depository institution; (3) qualifying service providers, as defined in section II.C.3. of this Supplemental Information; and (4) individuals to whom an offer of employment has been made to serve as a senior executive officer, as defined in 12 CFR 303.101, of the insured depository institution. As with the disclosures that would be permitted under paragraphs (a)(1)(i) and (ii), the disclosures that would be permitted under paragraphs (a)(1)(iii) through (vi) are intended to reduce administrative burdens on insured depository institutions in connection with disclosure of confidential information to those parties where circumstances giving rise to a necessary or appropriate business purpose for such disclosure would be expected to regularly arise.

In addition, proposed section 309.37(a)(1)(vii) would allow insured depository institutions to disclose confidential information to directors, officers, employees, affiliates, auditors, and legal counsel of an insured depository institution that is a potential merger counterparty. Such authorization would be limited to three potential counterparties over a five-year period and subject to certain other conditions. These restrictions, however, would not apply where there is a written agreement to enter into a merger or similar transaction in place between the insured depository institution and any counterparty.

The FDIC regularly receives requests from insured depository institutions to disclose confidential information in the context of a merger transaction and recognizes that such information can be highly relevant for potential merger counterparties. The FDIC believes that, subject to certain conditions, permitting insured depository institutions to disclose confidential information to potential merger counterparties that are themselves insured depository institutions should help facilitate these transactions without presenting undue risk of inappropriate disclosure of confidential information. The FDIC notes, however, that access to the confidential information contemplated to be disclosed under section 309.37(a)(1)(vii) is not intended to replace a potential counterparty's due diligence for such transactions.

Under the proposal, confidential information that is shared under paragraphs (a)(1)(iii) through (vii) of section 309.37 would be subject to the requirement that, prior to or concurrently with any such disclosure, the insured depository institution must enter into a qualifying confidentiality agreement with the intended recipient of the information. The requirements for a qualifying confidentiality agreement are described in section II.C.3 of this Supplemental Information.

Question 14: Does the proposal appropriately identify the types of parties to, and circumstances in which, ( printed page 39734) an insured depository institution should be permitted to share confidential information without the prior approval of the FDIC? Are there additional parties or circumstances in respect of which an insured depository institution should be permitted to share confidential information without the prior approval of the FDIC? If so, please explain why the benefits of permitting greater information sharing with such parties and in those circumstances would outweigh the costs associated with the risk of inappropriate disclosure of confidential information. Are there any parties listed in section 309.37(a) of the proposal that should be removed or narrowed?

Question 15: Would the safeguards to be introduced under the proposal sufficiently mitigate the risk of inappropriate disclosure of confidential information? Should the FDIC consider any additional safeguards? For example, should insured depository institutions be required to maintain a written record of disclosures of confidential information and the legal basis for such disclosures? If so, should this requirement be applicable to any disclosure or only in respect of disclosures to certain recipients (e.g., disclosures to qualifying service providers)?

Question 16: Should different types of confidential information be subject to more stringent safeguards than those contemplated under the proposal?

b. Disclosure of Historical Information

Proposed section 309.37(b) would allow insured depository institutions to disclose confidential information if at least twenty-five years have elapsed since that confidential information was created, unless otherwise notified by the FDIC, and any such disclosure maintains compliance with privacy and trade secret laws. The FDIC believes that the justifications for maintaining the confidentiality of information would generally be diminished after twenty-five years. Such information may still be of value, however, for research, analytical, and other purposes. Accordingly, the FDIC believes it is appropriate to allow for the disclosure of such information without the prior approval of the FDIC.

Question 17: Would this proposed authorization to disclose historical information be of value?

Question 18: Is twenty-five years the appropriate amount of time required to have passed to permit the disclosure of historical confidential information? If not, what other time period would be more appropriate?

Question 19: What, if any, safeguards, should the FDIC require in respect of the disclosure of historical confidential information? Are there any types of historical confidential information in respect of which FDIC approval is required prior to disclosure?

c. Disclosure of Confidential Information by Parent Holding Companies

The proposed rule would permit a parent holding company of an insured depository institution that is lawfully in possession of the FDIC's confidential information to disclose such confidential information, without the prior approval of the FDIC, to the same extent and subject to the same conditions, and to the same categories of recipients, as an insured depository institution could disclose confidential information under sections 309.37(a) or 309.37(b). This would allow the parent holding company to, for example, disclose FDIC confidential information to its affiliates, lawyers, auditors, accountants, and qualifying service providers of the parent holding company, when necessary or appropriate for business purposes, without a request to the FDIC. This provision is intended to maintain consistency with the proposed insured depository institution sharing provisions and would similarly reduce unnecessary procedural hurdles for the disclosure of this information by parent holding companies in these circumstances.

d. Disclosure of Data for Aggregated Analyses

The FDIC recognizes there may be value in third party entities being able to receive certain FDIC confidential information on an aggregated basis from multiple insured depository institutions in order to provide transparency with respect to, and facilitate analysis of, the supervisory process, without requiring preapproval from the FDIC. Such third parties could include, for example, law firms or nonpartisan nonprofit banking trade associations. The FDIC seeks comments on the extent to which this is an appropriate purpose to permit disclosure of confidential information and how the FDIC might implement such an approach.

Question 20: To what extent should the FDIC permit sharing confidential information with additional third parties for purposes of aggregating information across insured depository institutions? To what type(s) of entities should the FDIC consider allowing access to such information? What safeguards, if any, should the FDIC consider to help ensure such information sharing would not raise antitrust or other concerns?

Question 21: If the FDIC were to permit FDIC-supervised institutions to share confidential information with organizations for these purposes, should the FDIC place limits on the types and nature of information that may be shared? Should the FDIC consider different types of limits or requirements depending on the type of entity receiving the information?

Q uestion 22: Should the FDIC take any steps to mitigate the risk that the identity of a specific institution that is the subject of the information can be reverse engineered, and if so how?

Question 23: To what extent should such organizations be able to make public disclosures on the basis of aggregated information that has been derived from FDIC confidential information? What, if any, risks may be posed by inaccuracies in such public disclosures, and what, if any, requirements should the FDIC consider to mitigate such risks?

8. Disclosure of FDIC Confidential Information by Service Providers and Other Persons

The FDIC has observed that third-party service providers that are subject to examination by the FDIC (FDIC-examined service providers) may be in possession of confidential information that could be relevant to their insured depository institution partners. Accordingly, proposed section 309.37(e) would allow FDIC-examined service providers in possession of confidential information to share such confidential information with insured depository institutions to which they are providing services without the prior approval of the FDIC, subject to certain limitations. As with other disclosures of confidential information that would be permitted without the prior approval of the FDIC, the disclosure of confidential information by these service providers to their insured depository institution partners would only be permitted when necessary or appropriate for a business purpose. Such service providers would also need to have in place a qualifying confidentiality agreement with the intended recipient of the information.

The FDIC is not, at present, proposing to permit an FDIC-examined service provider to disclose confidential information without the prior approval of the FDIC to parties other than an insured depository institution that is an existing partner. The FDIC recognizes, however, that there may be benefits to facilitating greater disclosure of confidential information by FDIC- ( printed page 39735) examined service providers to other parties—for example, insured depository institutions that are evaluating whether to enter into a business partnership with such a service provider and seeks comment on whether expanding this provision would be appropriate.

Question 24: Should an FDIC-examined service provider be permitted to share confidential information with insured depository institutions that are potential partners? If so, what conditions or safeguards should apply to such arrangements? Should an FDIC-examined service provider be permitted to share confidential information with any other type of parties?

Finally, proposed section 309.38 would provide for disclosures by other parties that may have confidential information in their possession. Consistent with section 309.6(b)(7)(ii) of the current rule, such disclosures would be subject to the prior approval of the FDIC. The proposed rule, however, would simplify the requirements for such disclosures, including by eliminating the requirement that such approval be preceded by a written request for disclosure. Under certain exigent circumstances, such as a significant financial crisis, a written request may neither be timely nor necessary.

Question 25: Would the proposed amendments clarify and streamline the process for requesting discretionary disclosure of FDIC confidential information?

Question 26: What are the advantages and disadvantages of permitting FDIC-supervised institutions to disclose confidential information to the categories of third parties identified in the proposed rule? Should these provisions apply to other categories of third parties and, if so, why? If the FDIC were to extend the applicability of these provisions to other third parties, are there additional requirements that should apply and, if so, to what type of information sharing arrangements?

D. Disclosure of Confidential Information in Legal Proceedings in Which the FDIC Is Not a Party

1. Overview and Scope

Parties in litigation not involving the FDIC may at times believe the FDIC is in possession of information that is relevant to their litigation. Requirements and restrictions applicable to the disclosure of FDIC information in legal proceedings in which the FDIC is not a party ( i.e., legal proceedings that do not involve the FDIC or any of its directors, officers, or employees as a party) are currently provided for at section 309.6(b)(8) of part 309. The proposal would reorganize these provisions into a new subpart D of part 309. The procedure for requests, as provided in subpart D, is intended to promote cooperation between the FDIC and parties or other persons seeking FDIC information for use in a non-party legal proceeding; allow the FDIC to responsibly manage the burden on its staff and resources in searching for, reviewing, and producing FDIC information; and avoid expensive and time-consuming disputes over FDIC information. While the FDIC intends for subpart D generally to be consistent the requirements and restrictions of current section 309.6(b)(8), the proposed rule would introduce revisions to provide greater transparency and clarity, as well as certain substantive changes described below in sections II.D.2 through II.D.5 of this Supplemental Information.

Question 27: Does proposed subpart D provide sufficient clarity with respect to the requirements and restrictions applicable to the disclosure of FDIC information in legal proceedings in which the FDIC is not a party? What, if any, changes should the FDIC consider in respect of proposed subpart D?

2. Definitions

Proposed section 309.51 would introduce certain new defined terms that the FDIC believes will help clarify the FDIC's requirements and restrictions regarding disclosure of its information in legal proceedings in which the FDIC is not a party.

Access to FDIC documents or property would mean to produce, provide, or allow examination of FDIC documents or property.

Discovery demand would mean a subpoena, court order, request for production of documents, interrogatories, notice of deposition, motion to compel, or other notice or order in a legal proceeding requiring the FDIC or any other person in possession, custody, or control of FDIC information to provide FDIC information for use or possible use in the legal proceeding.

FDIC documents or property would mean documents, electronically stored information, tangible things, and premises that are owned by or were created by the FDIC except documents or property of a depository institution or financial company in FDIC receivership or conservatorship that the FDIC has transferred to the custody of a contractor, servicer, acquiring institution, bridge bank or other successor institution, or other third party in the course of the FDIC's depository institution or financial company resolution activities.

FDIC information would mean any FDIC documents, property, or FDIC testimony.

FDIC testimony would mean testimony by a current or former director, officer, employee, agent, or contractor of the FDIC concerning: (1) FDIC documents or property; or (2) knowledge or experience acquired, or communications or activities engaged in, as part of their official duties or otherwise related thereto or because of their official status while such individuals were employed by or acted as agent, contractor, or otherwise on behalf of the FDIC.

Legal proceeding would mean a judicial or administrative adjudication, action, case, matter, hearing, trial, arbitration, formal inquiry, formal investigation, or similar proceeding initiated before or subject to a court, agency or agency members, commission, board, grand jury, arbitrator, administrative law judge, hearing officer, or other authorized official or body, whether criminal, civil, or administrative in nature, under federal, state, local, or foreign law.

Non-party legal proceeding would mean a legal proceeding in which neither the FDIC (in the capacity to which the process is directed) nor an FDIC director, officer, or employee (in the capacity to which the process is directed) is a party.

Party would mean a person that is asserting claims or defending against claims in a legal proceeding. This would not include a person who intervenes, joins, or appears in a legal proceeding for a limited or special purpose, such as to contest a subpoena or seek a protective order in non-party discovery.

Person would mean an individual or an entity in any form, including a governmental organization.

Request would mean a written statement in which a party or other person involved in a legal proceeding asks the FDIC to provide or authorize access to FDIC documents or property or authorize FDIC testimony for use in a legal proceeding.

Testimony would mean a sworn or unsworn statement made by an individual for use or possible use by a party in a legal proceeding. Testimony may include, but is not limited to, live statements at a deposition, hearing, trial, or interview in person or by audio or visual communication; written or recorded responses to questions; or an affidavit, declaration, sworn statement, certification, or attestation.

Use, with respect to FDIC information provided in accordance with subpart D, ( printed page 39736) would mean that, subject to conditions and limitations required by the FDIC general counsel or designee, authorized parties or other persons involved in a legal proceeding may disclose FDIC information in the legal proceeding in the same manner and with the same protections as information obtained in discovery in the legal proceeding.

Proposed section 309.51 would not incorporate any terms currently defined in section 309.2 of part 309.

3. Use and Request of FDIC Information in a Non-Party Legal Proceeding

Proposed sections 309.52 and 309.53 would provide for the general prohibition on the use of FDIC information in non-party legal proceedings without express authorization by the FDIC general counsel or designee and describe when and how to submit a request for FDIC information in a non-party legal proceeding, including the content that should be included in a request. Consistent with the current rule, a party would be required to make such a request prior to seeking FDIC information by means of a subpoena or other discovery demand. While the FDIC believes proposed sections 309.52 and 309.53 to be significantly simplified and clarified relative to the current rule, these proposed sections are not intended to introduce any substantive changes to current regulatory requirements or practices.

4. Decisions on Requests

Proposed section 309.54 would establish the process by which the FDIC general counsel or designee would consider and reach a determination on requests for FDIC information submitted under subpart D. While generally consistent with the current rule and existing FDIC practice, proposed section 309.54 would provide for greater transparency by identifying the factors that the FDIC general counsel or designee would consider when evaluating requests. These include (1) the contents of the request; (2) whether confidential, personal, commercial, or supervisory information is being requested and, if so, the risk that such information could be publicly disclosed; (3) whether fulfilling all or part of the request will materially interfere with the FDIC's operations; and (4) the public interest. Providing for these considerations directly in section 309.54 would help to inform the content of such requests.

Proposed section 309.54 would also provide requesters an avenue to seek reconsideration of the FDIC general counsel's decision within ten business days after the date of the written decision. After receipt of a request for reconsideration, the FDIC general counsel would have ten business days to review and decide on the request. A denial of such a request would be considered a final decision and would exhaust the requesting party's administrative remedies with respect to the request for FDIC information, thereby permitting such party to seek judicial review of such a final decision under the Administrative Procedure Act.^[7]

5. Waiver of Requirement for Requests

Proposed section 309.55 would introduce the authority of the FDIC general counsel or designee to waive the request process otherwise provided for in subpart D. The FDIC believes that the introduction of such waiver authority will provide flexibility to both the FDIC general counsel and prospective requesters in circumstances where the request process is unviable, unnecessary, or otherwise unduly burdensome.

III. New Part 306 on Service of Process

A. Overview, Purpose, and Scope

The FDIC's service of process provisions are currently codified at 12 CFR 309.7. The FDIC has observed that such provisions could benefit from further clarity through various revisions and the use of defined terms. The FDIC also believes that the current placement of its service of process provisions in part 309 may be potentially confusing to stakeholders, because the service of process provisions bear little relation to the processes and requirements for seeking disclosure of confidential information pursuant to part 309.

To address these concerns, the proposal would recodify the FDIC's legal service provisions as a separate part of the FDIC's regulations, 12 CFR part 306. The proposal also would introduce new provisions and defined terms to clarify ambiguities observed in the FDIC's current service of process provisions.

Specifically, the proposal would clarify that part 306 applies to services of process directed to any of the following parties, whether or not as a party to a legal proceeding: (1) the FDIC; (2) any FDIC director, officer, or employee in an official capacity; (3) any FDIC director, officer, or employee in an individual capacity for an act or omission occurring in connection with one's duties performed on behalf of the FDIC (regardless of whether the individual also is served process in an official capacity); and (4) the FDIC and any FDIC director, officer, or employee in connection with process in a non-party proceeding requiring, generally, testimony related to FDIC duties or knowledge acquired while performing such duties or production of documents or information in the possession of the FDIC.

Question 28: Does the proposal help to clarify the scope of application of the FDIC's legal service provisions? Are there any revisions that could be made to improve the clarity of proposed scope?

B. Definitions

Section 306.2 of the proposed rule would introduce defined terms specifically related to service of process intended to help address areas of potential ambiguity in the current regulation. Proposed section 306.2 would include the following defined terms:

FDIC's agent for service of process would mean a person authorized by the FDIC to accept delivery of process on behalf of the FDIC in any capacity or on behalf of an FDIC director, officer, or employee in their official capacity and includes:

• The FDIC's executive secretary or designee at FDIC, 550 17th Street, NW, Washington, DC 20429; and
• The FDIC's agent for of process at the appropriate geographic area, as listed on the FDIC's website.

Legal proceeding would mean a judicial or administrative adjudication, action, case, matter, hearing, trial, arbitration, formal inquiry, formal investigation, or similar proceeding initiated before or subject to a court, agency or agency members, commission, board, grand jury, arbitrator, administrative law judge, hearing officer, or other authorized official or body, whether criminal, civil, or administrative in nature, under federal, state, local, or foreign law.

Party would mean a person that is asserting claims or defending against claims in a legal proceeding. Party would not include a person who intervenes, joins, or appears in a legal proceeding for a limited or special purpose, such as to contest a subpoena or seek a protective order in non-party discovery.

Person would mean an individual or an entity in any form, including a governmental organization.

Process would mean a summons, complaint, pleading, motion, subpoena, writ, discovery demand, or other notice or order issued in a legal proceeding and required to be served upon a ( printed page 39737) person. Process includes both physical documents and electronic documents to the extent authorized by the law applicable to the legal proceeding.

Serve or service would mean delivery of process in accordance with the rules applicable to the particular jurisdiction, type of legal proceeding, stage of the legal proceeding, and type of process. The applicable rules may specify methods for delivery of process; persons or representatives authorized to accept delivery; delivery to multiple recipients; time limitations for effecting service; and other requirements.

Question 29: Would the definitions provided under proposed section 306.2 help to address areas of ambiguity in the FDIC's current service of process provisions? Are there additional defined terms that should be included? If so, what are they, and how would they help to address an ambiguity under the current service of process provisions?

C. Service of Process Requirements and Processes

Proposed section 306.3 would describe the procedures to serve process on the FDIC, an FDIC director, officer, or employee in an official capacity, and the procedures to service process on an FDIC director, officer, or employee in an individual capacity. Relative to the current service of process provisions in 12 CFR 309.7, proposed section 306.3 would clarify the service procedures by providing, in a more organized and streamlined format, details on how and whom to serve at the FDIC, as well as a listing of the FDIC's agents for service of process, by geographic area. When serving a director, officer, or employee in an individual capacity, section 306.3(b) would provide that service of process must be made to the United States as well as the officer or employee, and requires a copy of such service of process to be sent to an FDIC agent for service of process. This provision would help to ensure the FDIC remains apprised of process served on its directors, officers, or employees that may require disclosure of the FDIC's confidential information.

Question 30: Would proposed section 306.3 improve the clarity of the FDIC's current service of process provisions under section 309.7? Are there additional revisions that could be made to address areas of ambiguity in the current rule?

IV. Technical Amendments to Other Parts of the FDIC's Regulations

Certain sections of parts 303, 327, and 337 of the FDIC's regulations include cross-references to various provisions of part 309. If part 309 is amended as proposed, these references would refer to sections of part 309 that either no longer exist or have been recodified at a different section of part 309. The proposal would, therefore, amend those sections of parts 303, 327, and 337 to incorporate references to the appropriate sections of part 309, as would be amended under the proposal.

V. Expected Effects

The proposed rule would revise the FDIC's regulations related to the processing of FDIC records under FOIA, as well as the FDIC's restrictions on the disclosure of confidential information not subject to release under FOIA (confidential information). Specifically, the proposed rule would authorize insured depository institutions, their bank holding companies, and certain other entities to share confidential information with certain parties enumerated in the rule for business purposes without the prior approval of the FDIC. The proposed rule would also relocate the FDIC's procedures on the service of process to a new part 306.

This section summarizes the analysis performed by the FDIC to estimate the economic impact of the proposed rule. For this purpose, the FDIC compares estimated economic outcomes under the proposed rule to outcomes under a baseline that resembles a world in which the proposed rule is not promulgated.

A. Scope of Affected Entities

The proposed rule would generally apply to any person that possesses or comes to possess confidential information; however, the FDIC expects that the typical holder of such information would be an insured depository institution or an insured depository institution holding company. As of the quarter ending December 31, 2025, the FDIC insured 4,345 depository institutions ^[8] and there were 3,600 active holding companies according to FR Y-9C and FR Y-9SP filings.^[9] The proposed rule would also impact FDIC-examined service providers, of which there are 108 as of May 2026.

Certain provisions of the proposed rule would apply to any person that files a FOIA request with the FDIC or serves legal process on the FDIC. The FDIC received 1,536 FOIA requests in the fiscal year ending September 30, 2025.^[10] The FDIC is unable to estimate the number of persons that may be involved in litigation that requires service of process on the FDIC.^[11]

Finally, the proposed rule would apply to any insured depository institution that would seek to disclose certain confidential information to certain categories of third-party recipients without prior authorization from the FDIC. To estimate this population, the FDIC reviewed requests to disclose confidential information that it received pursuant to part 309 over approximately the past ten years. Based on a review of internal FDIC data, the FDIC received approximately 2,900 requests between the second quarter of 2016 and the second quarter of 2026, for an average of approximately 300 requests per year. Under a conservative assumption that each request is made by a unique institution, this provision of the proposed rule would affect nearly 300 insured depository institutions each year.

B. Expected Benefits

If finalized, the proposed rule would update and clarify the FDIC's regulations regarding the process for submitting FOIA requests, the service of process on the FDIC, as well as the disclosure of FDIC records and other confidential information. The FDIC expects considerable benefits would relate to the proposed changes to part 309 that would allow insured depository institutions to disclose confidential information to certain third parties in certain circumstances without seeking prior FDIC approval. The proposed rule's other changes to the FDIC's regulations would also produce benefits, such as improved ease of use and enhanced understanding by the public.

1. Discretionary Requests To Disclose Confidential Information

Certain benefits of the proposed rule would accrue to insured depository institutions seeking to share confidential information with third parties for business purposes. Presently and under the baseline, for an insured depository institution to disclose confidential information to a prospective recipient who is not a director, officer, or employee of the insured depository institution, the insured depository institution must seek the prior approval of the FDIC. Thus, ( printed page 39738) whenever an insured depository institution wishes to share confidential information with a prospective recipient such as an accountant, auditor, consultant, or other service provider, it must first submit a written request to the FDIC that describes the information to be shared, the prospective recipient's interest in the information, and the prospective recipient's relationship to the insured depository institution that is requesting to disclose the information.^[12] Preparing such a request entails a meaningful degree of time and effort by an insured depository institution's directors, officers, and/or employees. Beyond this direct burden—estimated below in section V.C of this Supplemental Information—the insured depository institution must then wait for a decision on its request, which impedes the institution's ability to promptly communicate necessary information to third parties.

Under the proposed rule, insured depository institutions would be authorized to disclose confidential information without prior FDIC approval to certain categories of third-party recipients—such as affiliates; external legal counsel, accountants, and auditors; shareholders holding more than 50 percent of the institution's voting stock; service providers; and potential senior executive officers to whom an offer of employment has been made—where necessary or appropriate to meet a business purpose and if they comply with certain confidentiality safeguards (as applicable). Insured depository institutions would also be authorized to disclose confidential information to directors, officers, employees, affiliates, auditors, and legal counsel of a potential counterparty with which the institution is contemplating a merger or other transaction,^[13] subject to certain limitations. Finally, insured depository institutions generally would be authorized to disclose confidential information after twenty-five years has elapsed since its creation.

The proposed rule would also provide parent holding companies of insured depository institutions with similar authority to disclose confidential information. This authority would be available for the same categories of recipient for the holding company as provided in section 309.37(a) for insured depository institutions. In addition, the proposed rule would provide service providers subject to FDIC examination with a limited authority to disclose confidential information to their insured depository institution partners.

Of the approximately 2,900 requests to disclose confidential information received by the FDIC between the second quarter of 2016 and the second quarter of 2026, the FDIC estimates 655 would no longer be needed under the proposed rule.^[14] However, the number of requests not needed under the proposed rule may be greater than 665, because the FDIC's review may not have identified every request that would no longer be required.

The reduced volume of disclosure requests, representing approximately 69 fewer requests per year, would result in cost savings for insured depository institutions and their parent holding companies. The FDIC estimates that this reduction equates to an annual savings of at least $19,807, or about $290 per request.^[15] In addition, there may be instances in which insured depository institutions have a need to share confidential information with certain third parties but choose not to due to the process for obtaining FDIC prior approval, but would share such information under the proposed rule. For this reason and others, the amount of savings may be greater than estimated given that the number of requests no longer needed under the proposed rule may be greater than estimated.

The figures above do not reflect the indirect benefits that may be realized from the proposed rule, namely that insured depository institutions would no longer be required to await the FDIC's approval before disclosing confidential information to certain entities, a process that can take up to two weeks on average. During this time, institutions currently are unable to promptly share confidential information that may be needed to inform critical, time-sensitive business decisions. Under the proposed rule, the delay associated with the current part 309 process would be eliminated for an estimated 23 percent of disclosure requests that would no longer require prior FDIC approval.^[16] The FDIC does not have the data necessary to quantify the benefits of this aspect of the proposed rule, however, they could be substantial depending on the business purpose for the disclosure.^[17]

Additionally, the ability to share confidential information with certain potential senior executive officers to whom an offer of employment has been made could benefit both an insured depository institution and prospective officer by improving the ability of each party to make a more fully informed employment decision. Separately, the ability to share confidential information with a potential counterparty to a merger or other transaction would facilitate more robust due diligence.

In aggregate, the changes under the proposed rule could produce considerable efficiencies for insured depository institutions and related entities. Although the FDIC does not have the necessary data to quantify ( printed page 39739) these benefits, the FDIC believes these efficiencies would be meaningful.

2. Other Changes

The proposed rule also updates and clarifies the FDIC's regulations governing its handling of requests under FOIA. Under the proposed rule, several provisions would be revised to more clearly describe the documents the FDIC makes available to the public and the process for submitting FOIA requests. The proposed rule also would add provisions describing the FDIC's administrative appeals process under FOIA and supplemental procedures for the submission and disclosure of confidential commercial information. In particular, the latter provision would require entities submitting confidential commercial information to the FDIC to designate the portions of its submissions that it considers to be protected from disclosure under Exemption 4 of FOIA, and provides that such protection would ordinarily expire 10 years from the date of submission unless the submitter requests and provides justification for a longer designation period. This provision would also provide submitters of confidential commercial information with notice and an opportunity to object when the FDIC determines that it may need to disclose that information.

To the extent the improved clarity of the FDIC's FOIA regulations facilitates the submission of complete and compliant FOIA requests, it may expedite the FDIC's processing of such requests, resulting in more prompt disclosure of responsive information. The proposed changes may also reduce the costs of preparing and submitting FOIA requests, thereby reducing an impediment to submitting a request. These benefits, in turn, may support a more informed public as well as improved accountability and transparency with respect to the FDIC's operations. Each of these outcomes would advance the public policy of openness that underlies the FOIA.

Additionally, the proposed rule would relocate the FDIC's service of process provisions from part 309 to a new part 306, because the service of process provisions are generally unrelated to those regarding the disclosure of information. The proposed rule would clarify the procedures to serve process on the FDIC in any capacity or an FDIC director, officer, or employee in their official capacity or otherwise in connection with acts or omissions occurring in connection with their FDIC duties. For example, the proposed rule would identify the FDIC's executive secretary or designee as agents for service and would emphasize that service of process must be effected in accordance with the rules of the applicable jurisdiction in which the legal proceeding is taking place. The FDIC does not have the necessary information to quantify the effects of this aspect of the proposed rule on insured depository institutions, but expects the changes would improve the clarity and efficiency of the FDIC's service of process procedures.

In general, the proposed rule, if finalized, would clarify aspects of the FDIC's information disclosure regulations that are ambiguous, codify current practices to improve the public's understanding of the FDIC's information sharing processes, and harmonize the FDIC's regulations with those of the other federal banking agencies to the extent appropriate. In doing so, the proposed rule, if finalized, would enhance the public's understanding of the FDIC's information disclosure processes and improve the public's ability to engage and interface with those processes.

C. Expected Costs

The proposed rule would provide insured depository institutions with additional latitude to disclose confidential information when doing so is necessary and appropriate for a business purpose, and would require insured depository institutions disclosing confidential information to certain recipients to enter into a qualifying confidentiality agreement with the prospective recipient prior to or concurrent with the disclosure of such information. For purposes of the proposed rule, a “qualifying confidentiality agreement” is one that includes the provisions set forth in the proposed definition for this term. In addition, for an insured depository institution to disclose confidential information to a potential counterparty in a merger transaction,^[18] the proposed rule would require a written waiver from the counterparty of any claims against the FDIC arising from the confidential information. Finally, a party that wishes to use confidential information in a legal proceeding to which the FDIC is not a party must submit a request to the FDIC general counsel or designee.

The FDIC expects that any costs associated with the proposal would be small. First, while part 309 currently does not require an insured depository institution to enter into a confidentiality agreement to obtain authorization to disclose confidential information, as a matter of practice the FDIC routinely imposes such a requirement as a condition of its authorization. Accordingly, the requirement to enter into a confidentiality agreement typically would not represent a new cost for insured depository institutions relative to the baseline.^[19]

Second, the FDIC expects that there would be only minimal costs associated with requiring merger counterparties receiving confidential information to submit a written waiver of any claims against the FDIC that may otherwise arise from receipt of confidential information. There were 110 voluntary mergers per year on average between insured depository institutions over the three-year period ending December 31, 2025.^[20] If each merger involved three potential counterparties ^[21] for whom a written waiver was submitted, then 330 waivers per year would have been submitted if the proposed rule had been in place, at an estimated cost of only about $180 per waiver submission.^[22] The proposed rule also could increase the risk that confidential information may be disclosed to unintended recipients not authorized to receive such information. However, the FDIC does not expect this risk to increase materially as a result of the proposal. The FDIC's longstanding practice has been to routinely approve the types of disclosures that would no longer require prior FDIC authorization under the proposed rule. Moreover, while the proposed rule would facilitate more ( printed page 39740) timely disclosure of confidential information, the persons authorized to receive such information under the proposed rule typically have significant connections to the insured depository institution making the disclosure and an interest in protecting confidential information regarding the institution. To share confidential information with persons who typically have less of an interest in or incentive to protect confidential information regarding an insured depository institution, the proposal would continue to require the FDIC's prior approval.

Finally, the proposal would generally remove restrictions on the disclosure of confidential information more than 25 years after its creation or last modification. This provision could help mitigate other costs associated with the proposal. This proposed change would recognize that the passage of time tends to diminish the need to maintain the confidentiality of sensitive information, under most circumstances.

D. Conclusion

Given the economic effects discussed in section V.A through V.C of this Supplemental Information, the FDIC expects that the benefits of the proposed rule would justify its costs.

The FDIC invites comments on all aspects of the supporting information provided in the Expected Effects section. The FDIC is particularly interested in comments on any material economic effects that the agency has not identified.

VI. Matters of Regulatory Procedure

A. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA) generally requires an agency, in connection with a proposed rule, to prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities.^[23] However, an initial regulatory flexibility analysis is not required if the agency certifies that the proposed rule would not, if promulgated, have a significant economic impact on a substantial number of small entities. The Small Business Administration (SBA) has defined “small entities” to include banking organizations with total assets of less than or equal to $850 million.^[24] As detailed in the following statement of factual basis, the FDIC certifies that the proposed rule would not, if promulgated, have a significant economic impact on a substantial number of small entities.

Generally, the FDIC considers a significant economic impact to be a quantified effect in excess of 5 percent of total annual salaries and benefits or 2.5 percent of total noninterest expenses. To estimate the economic impact of the proposed rule on each small entity, the FDIC compares expected outcomes under the proposed rule to expected outcomes under a baseline absent the proposed rule.

The proposed rule would apply to all FDIC-insured institutions, parent holding companies of insured depository institutions, persons and entities requesting information from the FDIC under FOIA, persons and entities requesting information from the FDIC in connection with legal proceedings, and persons and entities serving legal process on the FDIC. As of the quarter ending December 31, 2025, the FDIC insures 4,345 depository institutions, of which 2,996 are small.^[25] In addition, 3,600 holding companies were active as of December 31, 2025 and filed a Y-9C or Y-9SP.^[26] Of these, 2,253 are small entities for purposes of RFA.^[27] The FDIC does not possess the data to estimate the population of the persons and entities other than insured depository institutions that are potentially affected by the proposed rule. However, the FDIC reviewed a random sample of 50 discretionary disclosure requests (requests) received over the last ten years from a full population of 1,262 DDRs. Of these requests, 19 were made by banks, 17 by government entities, and two by law and accounting firms, neither of which was a small entity. For 12 requests, it was not possible based on the data drawn to identify who made the request.

For the 31 requests that were potentially made by small entities (19 banks and 12 unknown), 12 were identified as being made by large banks, leaving an upper bound of 19 possible requests by small entities in the sample of 50, a proportion of 38 percent. Extrapolating this to the full population of 1262 requests over ten years gives an upper-bound estimate of 48 for the annual number of requests from small entities.^[28]

The largest effect of this rule on small entities is likely to be a reduction in the number of requests made by small insured depository institutions due to the change in regulation. Of the 19 requests submitted by potential small entities that were reviewed for this analysis, the FDIC estimates that eight would be rendered unnecessary by the proposed rule, a proportion of 42.1 percent. Applying this to the upper bound estimate (48 annual requests) yields an upper bound reduction of approximately 20 requests from small entities, so that at most 20 small entities will be affected each year. The FDIC does not consider 20 to be a substantial number of small entities, even under the extremely conservative assumption that making a single request in a year constitutes a significant economic impact.

The other effects of the rule which could impact small entities that are not contingent on filing a request are: (1) the benefit from reduced uncertainty about the FDIC's regulations governing disclosure of information; and (2) the potential risk of increased unauthorized sharing of confidential information. As discussed above, neither of these effects are material, particularly for small entities.

Based on the preceding statement of factual basis, the FDIC certifies that the proposed rule will not, if promulgated, have a significant economic impact on a substantial number of small entities. Accordingly, an initial regulatory flexibility analysis is not required.^[29]

The FDIC invites comments on all aspects of the supporting information provided in this RFA section. The FDIC is particularly interested in comments on any significant effects on small entities that the agency has not identified.

B. Paperwork Reduction Act

This notice of proposed rulemaking has been reviewed for compliance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). In accordance with the PRA, the FDIC may not conduct or sponsor, and an organization is not required to respond to, an information collection unless the information collection displays a currently valid Office of Management and Budget (OMB) control number. The ( printed page 39741) FDIC has reviewed the notice of proposed rulemaking and determined that it would introduce new information collection requirements pursuant to the PRA. The FDIC is seeking a new control number for these information collection requirements and will submit them to OMB for review and approval.

Proposed Information Collection:

Title: Disclosure of Information.

OMB Control No.: 3064-NEW.

Type of Review: Regular.

Affected Public: Businesses or other for-profit.

Description: The proposed rule would update, clarify, and supplement the FDIC's regulations regarding the disclosure of confidential information by the FDIC and other parties. The information collection requirements in the proposed rule are as follows:

Section 309.34 would require requests for discretionary disclosure of confidential information to be submitted to the FDIC.

Section 309.37(a)(1)(vii)(C) would require potential counterparties to submit a written waiver to the FDIC.

Section 309.52(b) and (c) and section 309.53 would require a party in a legal proceeding, or any person substantially involved in the legal proceeding, to submit a request to the FDIC general counsel or designee.

Comments are invited on:

(a) Whether the collection of information is necessary for the proper performance of the FDIC's functions, including whether the information has practical utility;

(b) The accuracy of the estimate of the burden of the information collection, including the validity of the methodology and assumptions used;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected; and

(d) Ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology.

All comments will become a matter of public record. Comments on aspects of this proposed rule that may affect reporting, recordkeeping, or disclosure requirements and burden estimates should be sent to the address listed in the ADDRESSES section. Written comments and recommendations for this information collection also should be sent within 60 days of publication of this document to www.reginfo.gov/​public/​do/​PRAMain. Find this particular information collection by selecting “Currently under 60-day Review—Open for Public Comments” or by using the search function.

C. Riegle Community Development and Regulatory Improvement Act

Pursuant to section 302(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 (RCDRIA),^[30] in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on insured depository institutions, each Federal banking agency must consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on affected depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations. In addition, section 302(b) of the RCDRIA requires new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on insured depository institutions generally to take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form. The FDIC invites comments that further will inform its consideration of the RCDRIA.^[31]

D. Plain Language

Section 722 of the Gramm-Leach-Bliley Act ^[32] requires the Federal banking agencies to use plain language in all proposed and final rulemakings published in the Federal Register after January 1, 2000. The FDIC sought to present the proposed rule in a simple and straightforward manner. The FDIC invites your comments on how to make this proposal easier to understand. For example:

• Has the FDIC organized the material to suit your needs? If not, how could the material be better organized?
• Are the requirements in the proposed rule clearly stated? If not, how could the proposed rule be stated more clearly?
• Does the proposed rule contain language or jargon that is unclear? If so, which language requires clarification?
• Would a different format (grouping and order of sections, use of headings, paragraphing) make the rule easier to understand?
• What else could the FDIC do to make the proposed rule easier to understand?

E. Executive Orders 12866 and 14192

Executive Order 12866, as amended, directs agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is ( printed page 39742) necessary, to select regulatory approaches that maximize net benefits. This proposed rule was drafted and reviewed in accordance with Executive Order 12866. Within OMB, the Office of Information and Regulatory Affairs (OIRA) has determined that this rulemaking is not a “significant regulatory action” for the purposes of Executive Order 12866.

Executive Order 14192, titled “Unleashing Prosperity Through Deregulation,” was issued on January 31, 2025. Section 3(a) of Executive Order 14192 requires an agency, unless prohibited by law, to identify at least ten existing regulations to be repealed when the agency publicly proposes for notice and comment or otherwise promulgates a new regulation. In furtherance of this standard, section 3(c) of Executive Order 14192 requires that the new incremental costs associated with new regulations shall, to the extent permitted by law, be offset by the elimination of existing costs associated with at least ten prior regulations. This proposed rule, if finalized as proposed, is expected to be a deregulatory action under Executive Order 14192.

Authority and Issuance

For the reasons set forth in the preamble, the Federal Deposit Insurance Corporation proposes to amend 12 CFR chapter III as follows:

1. The authority citation for part 303 continues to read as follows:

Authority: 12 U.S.C. 378, 1464, 1813, 1815, 1817, 1818, 1819(a) (Seventh and Tenth), 1820, 1823, 1828, 1829, 1831a, 1831e, 1831 o, 1831p-1, 1831w, 1835a, 1843(l), 3104, 3105, 3108, 3207, 5414, 5415, and 15 U.S.C. 1601-1607.

2. Amend § 303.8(a) by, in the last sentence, removing “in accordance with § 309.5(f) of this chapter” and adding “in accordance with § 309.18(c) of this chapter” in its place.

3. Amend § 303.41(b) by, in the last sentence, removing “; see § 309.4(a) and (b) of this chapter for availability”.

4. Amend § 303.60 by removing “; see § 309.4(a) and (b) of this chapter for availability”.

5. Amend § 303.62(b)(3) by, in the last sentence, removing “; see § 309.4(a) and (b) of this chapter for availability”.

6. Add part 306 to read as follows:

7. Revise part 309 to read as follows:

8. The authority citation for part 327 continues to read as follows:

Authority: 12 U.S.C. 1813, 1815, 1817-19, 1821, 1823.

9. Amend § 327.4(d) by removing “exempt information within the scope of § 309.5(g)(8) of this chapter” and adding “confidential information as defined at § 309.31 of this chapter” and by removing “the disclosure restrictions set out at § 309.6 of this chapter” and adding “the disclosure restrictions set out at § 309.32 of this chapter”.

10. The authority citation for part 337 continues to read as follows:

Authority: 12 U.S.C. 375a(4), 375b, 1463, 1464, 1468, 1816, 1818(a), 1818(b), 1819, 1820(d), 1821(f), 1828(j)(2), 1831, 1831f, 1831g, 5412.

11. Amend § 337.12(b)(3)(ii) by removing “(copies of which are available at the addresses specified in § 309.4 of this chapter)”.

[FR Doc. 2026-13123 Filed 6-29-26; 8:45 am]

BILLING CODE 6714-01-P