(1) acknowledged that such disclosed information is confidential supervisory information under section 36.10 of the Banking Law; and

(2) agreed to abide by, the prohibition on the dissemination of confidential supervisory information contained in subdivision (a) of this section.

(1) immediately notify and inform the Office of the General Counsel of the Department of all relevant facts, including the specific documents and information requested, in a timely manner so that the Department will be able to intervene in the judicial, administrative, or other action if appropriate;

(2) inform the requester of the substance of this Part and the obligation to maintain the confidentiality of the confidential supervisory information described in subdivision (a) of section 7.2 hereof; and

(3) at the appropriate time, inform the court, the tribunal, or other issuing authority, of the substance of section 36.10 of the Banking Law and this Part.

A revised Regulatory Impact Statement, Regulatory Flexibility Analysis, Rural Area Flexibility Analysis and Job Impact Statement are not required for the adoption of Part 7 because the non-substantive revisions to the regulation do not require a change to the previously published Regulatory Impact Statement, Regulatory Flexibility Analysis, Rural Area Flexibility Analysis and Job Impact Statement.

As a rule that requires a RFA, RAFA or JIS, this rule will be initially reviewed in the calendar year 2024, which is no later than the 3rd year after the year in which this rule is being adopted.

The New York State Department of Financial Services (the “Department” or “DFS”) received 5 public comments on its revised proposal of rule 3 NYCRR 7 (“Part 7”) published in the State Register on September 9, 2020. Comments from organizations representing banks, auditors and attorneys generally asked the DFS to: (i) expand the scope and number of exemptions granted by Part 7, (ii) conform the regulation to correlative federal regulations governing confidential supervisory information (“CSI”), and (iii) clarify or remove various provisions the commenters considered ambiguous or cumbersome. These comments sometimes duplicated requests received in response to the original proposal published in the State Register on November 27, 2019. The commenters at times also responded to the first Assessment of Public Comments DFS filed with its revised proposal (“Original APC”). In response, the Department plans to adopt a modified version of Part 7 with incremental changes.

The comments generally praised the Department for its proposal to exempt outside counsel and external auditors from the waiver procedures it presently uses pursuant to New York Banking Law section 36.10 (“NYBL 36.10”) to permit disclosures of CSI by regulated entities. Generally, the commenters sought for Part 7 to have a broader scope of application. Most commenters addressed multiple provisions of the proposed rule and suggested numerous detailed changes. The Department has processed and carefully considered every comment. This summary is intended to provide an overview of the revisions and clarifications the Department has made in response to comments, and, where applicable, the reasons for not making additional revisions or clarifications.

Please note that the Department carefully reviewed regulations concerning CSI issued by the Office of the Comptroller of Currency (the “OCC”) and the Board of Governors of the Federal Reserve System (the “FRB”). The Department did review the FRB’s most recent amendment to its CSI regulation.

Scope of CSI

In the Original APC, the Department noted that all materials it gathers while conducting the supervisory activities are CSI and shall not be disclosed to the public or any other third party. However, documents created by the regulated entity for business purposes, which are in its possession, are not considered CSI. One commenter asked DFS to make these statements explicitly in the text of the regulation. The Department does not think it is necessary as the original clarification is sufficient.

Exemptions for Auditors and Attorneys

Multiple commenters raised objections to the documentation requirements for auditors and attorneys stated in Part 7.2(b). They objected to the requirement of specific language concerning section 36.10 of the Banking Law in a written contract or engagement letter. They also objected to the document destruction requirement upon completion of an engagement. In response, the Department has written a new version of Part 7.2(b) that eliminates these requirements and permits a more flexible approach to protect CSI. The Department believes its new approach is consistent with FRB and OCC standards.

In addition, the Department has written a new Part 7.2(c) to permit auditors to review CSI when they are contemplating new client engagements or the continuation of existing annual audit engagements. Auditors have a due diligence obligation when evaluating new engagements or the continuation of existing engagements, and we now believe a special exemption is appropriate for this purpose.

Service Providers of Outside Counsel and External Auditors

Multiple commenters requested an exemption for the third-party service providers of attorneys and auditors. The Department did not believe such an exemption was necessary.

Disclosure of CSI to Other Governments

Commenters also requested that Part 7 explicitly state that regulated entities are not required to act as intermediaries for the disclosure of CSI sought by other government agencies. Please note that the Department has never required its regulated entities to act as an intermediary with other government agencies. These government agencies may freely make their requests directly to the DFS, and we encourage them to do so. DFS has numerous information sharing agreements with United States and foreign government agencies. The Department does share information with other regulators pursuant to sharing agreements and memoranda of understanding that provide for reciprocal treatment by the other government agency.

Unfortunately, the Department cannot prevent other regulators and government agencies from sending requests directly to regulated entities. Regulated entities should forward these requests to the DFS for processing. Accordingly, DFS cannot insert the explicit statement requested into Part 7.

Two commenters requested that DFS permit the central point of contact (“CPC”) of a regulated entity to approve CSI requests. They assert that a CPC should be authorized to approve disclosure of CSI to other supervisory agencies without any additional DFS review or approval. The Department acknowledges that the new FRB regulation permits CPCs to approve CSI disclosures, but the Department believes relationships with other regulators should be monitored by more senior personnel. Part 7.2(g) makes this explicit.

Subpoenas

One commenter partly objects to the requirements of Part 7.2(e). Part 7.2(e) requires persons and entities to promptly notify the DFS when they are served with a subpoena that demands the production of CSI. The commenter claims that, in certain instances, persons or entities may be prohibited from disclosing the existence of the subpoena and that the regulation should be amended to provide for those instances. The Department will not adopt this request. Please note that the OCC regulation has the same requirement to inform the OCC regarding demands for CSI.

Mergers & Acquisitions

One commenter asked the Department to specify when regulated entities may disclose CSI to potential purchasers seeking to do a merger, acquisition or similar change of control transaction. The commenter opined that an exemption for such disclosures would facilitate due diligence and integration planning.

The Department believes this request is unwise and not consistent with the policy goals of NYBL 36.10. The Department’s position, explained in the Original APC, has not changed. The Department will not create a new exception to cover mergers & acquisitions. In addition, there are no authorizations of this type of disclosure in the CSI regulations of the OCC and the FRB.