New York Department of Financial Services Finalizes Confidential Supervisory Information Regulation

April 21, 2021

Click for PDF

On April 7, 2021, the new regulation of the New York Department of Financial Services (NYDFS) governing confidential supervisory information (CSI) became effective in final form.  NYDFS has thus joined the Board of Governors of the Federal Reserve System (Federal Reserve) in making recent amendments to its approach to CSI.[1]  The final regulation (Final Rule) makes certain improvements over the rule proposal most recently put out by NYDFS in September 2020.  New York now has, for the first time, a CSI regulation in addition to the pre-existing statutory provision, Section 36.10 of the Banking Law.

A. Scope of CSI

The Final Rule defines CSI as “any information that is covered by Section 36.10 of the [New York] Banking Law.”[2]  Section 36.10, in turn, refers to “reports of examinations and investigations [of any NYDFS-supervised institution and affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including any duly authenticated copy or copies thereof,” and includes any confidential materials shared by NYDFS with any governmental agency or unit.[3]

B. Disclosure to Affiliates

Under Section 36.10 and the Final Rule, the default standard for disclosure of any CSI is the prior written approval of NYDFS.[4]  The Final Rule contains an exception to the prior written approval requirement for disclosure by a NYDFS-regulated entity of CSI to the regulated entity’s affiliates and their directors, officers and employees when “necessary and appropriate for business purposes” and “on the condition that such persons maintain the confidentiality of such information.”[5]

C. Disclosure to Legal Counsel and Independent Auditors

The Final Rule eases current restrictions on NYDFS-regulated entities’ disclosure of CSI to certain advisors.  It provides a “limited exception” for disclosure by such entities to “legal counsel or an independent auditor that has been retained or engaged by such regulated entity pursuant to an engagement letter or written agreement.”[6]

In an improvement from the September 2020 proposal, there is no requirement that the applicable engagement letter or written agreement contain burdensome acknowledgements by the legal counsel or independent auditor, including that the information will be used solely to provide “legal representation or auditing services,” that the information will be disclosed to legal counsel’s or the auditor’s employees, directors, or officers only “to the extent necessary and appropriate for business purposes,” and that legal counsel or the auditor agree “to return or certify the destruction of the confidential supervisory information or, in the case of electronic files, render the files effectively inaccessible through access control measures or other means, at the conclusion of the engagement.”[7]

Rather, all that the Final Rule requires is that legal counsel or independent auditor acknowledge, “in writing,” that any disclosed information is CSI under Section 36.10 of the Banking Law, and agree, “in writing,” to abide by the prohibition on the dissemination of CSI contained in the Final Rule.[8]

Unlike the September 2020 proposal, there is also an exception for “Client Acceptance of New or Continuing Engagement of Independent Auditors.”  Under this exception, a NYDFS-regulated entity may disclose CSI to independent auditors “as part of the independent auditor’s acceptance of a new client engagement or the continuation of an existing annual audit engagement.”  The condition to this exception is that the regulated entity receive the written acknowledgement and agreement from the independent auditor described above.[9]

Unlike the Federal Reserve’s regulation, the Final Rule does not contain an exception for third-party vendors to legal counsel and external auditors, which NYDFS had previously characterized as “broad” and not contained in the OCC’s regulation.[10]

D. Disclosure to Other Regulators

With respect to the disclosure by NYDFS-regulated entities of CSI to other state and federal regulators “having direct supervisory authority over” such regulated entities, the Final Rule requires the prior written approval of both the Senior Deputy Superintendent of NYDFS for Banking and the NYDFS General Counsel, or their respective delegates, prior to disclosure.[11]

E. Duty to Notify NYDFS of Requests for CSI

The Final Rule requires each NYDFS-regulated entity, affiliate of a NYDFS-regulated entity, legal counsel, and independent auditor that is served with a request, subpoena, motion to compel or other judicial or administrative process to provide CSI to notify the NYDFS Office of the General Counsel of the request immediately so that NYDFS will be able to intervene in the action as appropriate.[12]  In addition, the Final Rule mandates that a CSI holder both inform the requester of the substance of the New York regulation and the holder’s obligation to maintain the confidentiality of the CSI, and, “at the appropriate time,” inform the relevant tribunal of the substance of Section 36.10 of the New York Banking Law and the New York regulation.[13]


The Final Rule is a welcome development.  It largely harmonizes the New York CSI rules with federal analogues and should reduce the inefficiencies created by Section 36.10 of the New York Banking Law, particularly for legal counsel and independent auditors.  Outside of the Final Rule’s exceptions, however, the overriding traditional principle of CSI law and regulation – that the regulators consider CSI their property, to be disclosed only upon their specific consent – remains a key feature of the NYDFS regime, and one that can result in severe sanctions if it is ignored.


   [1]   See

   [2]   3 N.Y.C.R.R. § 7.1(a).

   [3]   New York Banking Law, Section 36.10.

   [4]   Id.; 3 N.Y.C.R.R. § 7.2(a).

   [5]   3 N.Y.C.R.R. § 7.2(d).

   [6]   Id. § 7.2(b).

   [7]   3 N.Y.C.R.R. § 7.2(b) (proposed 2020).

   [8]   3 N.Y.C.R.R. § 7.2(b).

   [9]   Id. § 7.2(c).

  [10]   NYS Register, page 12 (Sept. 9, 2020), available at

  [11]   3 N.Y.C.R.R. § 7.2(g).

  [12]   Id. § 7.2(e).

  [13]   Id.

The following Gibson Dunn lawyers assisted in preparing this client update: Arthur Long and Matthew Biben.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Financial Institutions practice group:

Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, [email protected])
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, [email protected])
M. Kendall Day – Washington, D.C. (+1 202-955-8220, [email protected])
Mylan L. Denerstein – New York (+1 212-351- 3850, [email protected])
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, [email protected])
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Matthew Nunan – London (+44 (0) 20 7071 4201, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, [email protected])

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.