Guidelines Regarding the Copying and Removal of Confidential Financial Institution Information
Directors and officers of financial institutions must adhere to the high standards required of fiduciaries. In fulfilling their fiduciary responsibilities to insured depository institutions, directors and officers must at all times act in the best interests of the institution. Effective management and strategic direction of insured depository institutions require that directors and officers be thoroughly informed about the relevant operations of the institution. In performing their official duties, it is essential that directors and officers have access to the institution’s records. At the same time, it is clear that access to the institution’s records is not appropriate in pursuit of the personal interests of those directors and officers. The vast majority of directors and officers of insured depository institutions recognize the important fiduciary responsibilities they hold and adhere to this vital separation between their official duties and personal interests. Further, legal counsel who represent an insured depository institution are reminded that their fiduciary duty legally and ethically obligates them to advance only the interests of the institution.
The Federal Deposit Insurance Corporation (FDIC) has observed that in a limited number of instances directors and officers of troubled or failing financial institutions have made copies of financial institution and supervisory records and removed those copies from the institution’s premises in anticipation of litigation or enforcement activity against them personally. The records have included confidential material such as loan files and other records containing bank customer personally identifiable information, reports of examination and supervisory correspondence, employee records, and suspicious activity reports (SARs). In some instances, the directors or officers were acting on their own volition, and in others, on the advice of counsel. Such material, often stored on unencrypted media, has been placed in unsecured locations such as the homes of directors and officers, public office areas, and offices of counsel.
Directors and officers of troubled or failing financial institutions who remove originals or copies of financial institution records under such circumstances breach their fiduciary duty to the institution. These actions also may violate laws and regulations, constitute an unsafe or unsound banking practice, and violate the financial institution’s information security program. In addition, counsel representing the financial institution who advise the removal of records under such circumstances likewise violate their fiduciary duty to the financial institution. Directors and officers of, and counsel to, federally insured financial institutions are reminded that the FDIC takes seriously the confidentiality of banking, supervisory, and customer information. The FDIC will investigate any activity that appears to violate confidentiality or cause a significant risk of disclosure, and will pursue enforcement actions as appropriate.
Duties of Directors and Officers
As fiduciaries, financial institution directors and officers are obliged to act in the best interests of the institution, free of self-dealing or conflicts of interest. Financial institution directors and officers must not use corporate property or assets for their personal pursuits or advantage. Removing confidential material belonging to the financial institution for personal purposes breaches directors’ and officers’ fiduciary duties.
In addition, various federal laws and regulations govern the treatment of information that financial institutions accumulate during the normal course of business and through interaction with regulators. For example:
FDIC regulations expressly prohibit the disclosure of examination reports and other supervisory correspondence. FDIC reports of examination and other supervisory documentation do not belong to the financial institution, but remain the property of the FDIC. This prohibition protects the confidentiality of the examination process and ensures confidence in the banking system. See 12 C.F.R. § 350.9.
The FDIC and other federal agencies prohibit the disclosure of SARs because they contain information that could be prejudicial or damaging to law enforcement efforts as well as to individuals if made public. See 31 C.F.R. § 1020.320(e) and 12 C.F.R. § 353.3(g).
Federal statutes, including Title V of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, as well as numerous FDIC regulations, require financial institutions to properly safeguard confidential consumer information and to refrain from disclosing personally identifiable information found in many financial institution records unless particular consumer opt-in requirements are met. To that end, financial institutions must implement and strictly follow a comprehensive information security program. The purposes of such a program include ensuring the security and confidentiality of customer information, protecting against any anticipated threats or hazards to the security or integrity of such information, protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer, and ensuring the proper disposal of confidential information. See 12 U.S.C. § 1831p-1; 15 U.S.C. §§ 6801 and 6805(b); and 12 C.F.R. Part 364, App. B.
Federal laws and regulations also establish strict requirements for the exchange of confidential consumer information among affiliated and nonaffiliated entities. See 15 U.S.C. § 6801, et seq.; 15 U.S.C. §1681 et seq.; 12 C.F.R. Parts 332 and 334.
Financial institution records belong exclusively to the financial institution. When the FDIC is appointed receiver following a financial institution’s failure, the receiver as successor to the institution becomes the exclusive owner of the books and records. See 12 U.S.C. § 1821(d)(2). The FDIC as receiver has the unrestricted and sole right to possess and use the books, records, and assets of the failed institution. Personal possession of bank and supervisory materials by a former director or officer, under the circumstances described here, is inconsistent with this unrestricted right.
Removing financial institution and supervisory records (originals or copies, in any media format) for personal use, and transporting or storing the records outside the institution’s secure storage system, creates significant risks of disclosure that could have severe consequences for the financial institution, its directors and officers, and its customers. Such actions can violate the Gramm-Leach-Bliley and Federal Deposit Insurance Acts, among other laws and regulations, and constitute a breach of fiduciary duty and unsafe and unsound banking practices. Directors or officers who undertake such actions subject themselves to potential enforcement action by the FDIC pursuant to Section 8 of the Federal Deposit Insurance Act.
Duties of Counsel
Attorneys who represent an insured depository institution have a fiduciary duty that legally and ethically obligates them to advance the interests of the institution and the institution alone. This has been the subject of prior FDIC guidance. See, Guidelines for Legal Advice to Financial Institution Directors, FIL-15-98 (Reissued), March 17, 1998. “[T]he law firm and its attorneys owe… the duty to exercise the utmost loyalty and fidelity to the bank’s interests.” Id. Further, the “duties owed by lawyers in their representation of insured depository institutions run to the institution, not to the individuals who comprise management of the institution.” Id. Attorneys who represent financial institutions cannot advise directors and officers to take actions that are adverse to the interests of the financial institution or its successor. An attorney who represents the financial institution will be in breach of the attorney’s fiduciary duty to the financial institution if he or she counsels its directors or officers to copy and remove records in order to serve their personal interest. Further, federal law establishes that parties who cause others to violate banking laws and regulations are themselves guilty of those same violations. Thus, financial institution counsel who advise copying and removal of records contrary to the interests of the financial institution may be engaging in violations of law, codes of professional conduct, as well as breaches of fiduciary duty.
The Federal Deposit Insurance Act gives the FDIC the authority to pursue enforcement actions against institution-affiliated parties who participate in conducting the affairs of an insured depository institution and knowingly or recklessly engage in violations of law or breaches of fiduciary duty. The foregoing conduct by counsel for the institution may be sufficient to establish jurisdiction for enforcement actions against them as institution-affiliated parties including civil money penalties, consent orders, or removal and prohibition from the banking industry.
Further, attorneys representing directors or officers must not counsel those directors and officers to copy or remove confidential information or documents in violation of the law or otherwise in breach the directors’ or officers’ fiduciary duties to the institution as described in these Guidelines.
As noted, the FDIC acknowledges that directors and officers need access to financial institution records to carry out their official duties and operate the financial institution as a going concern. However, this need permits access only as necessary for such official purposes while the financial institution remains open. Directors and officers do not have the right to collect financial institution records for their own personal use in anticipation of or following the failure of a financial institution. Former directors and officers may have a legitimate need to access certain limited confidential financial institution records in order to prepare for, or defend against, litigation that may arise following the placement of a financial institution into receivership. The FDIC is willing to address this need, but any such access must be arranged formally, after the financial institution is taken into receivership, and subject to a suitable confidentiality agreement with the FDIC as receiver, or other acceptable assurance of confidentiality such as a protective order.