For Meaningful Reform to Take Root, Regulators Must Exit the Shadows

Steve Gannon is a banking and securities lawyer who is a partner at Davis Wright Tremaine LLP. Steve has held general counsel positions at major banks and broker dealers and comments frequently on bank policy matters.

Graham Steele is an expert on financial regulation and financial institutions, with experience working at the highest levels of law and policy in Washington, D.C. He has served in senior roles at the U.S. Department of the Treasury, the United States Senate Committee on Banking, Housing & Urban Affairs, and in business and legal academia.

Meg Tahyar is head of Davis Polk’s Financial Institutions practice and a member of its Fintech team. She provides strategic bank and financial regulatory advice to many of the largest U.S. and non-U.S. financial institutions, regional banks, fintechs, cryptocurrency exchanges and other digital assets companies.

Transparency is the hallmark of democratic government. Justice Louis Brandeis expressed best the consensus American view: “Sunlight is said to be the best of disinfectants.”¹ But transparency is in tension with the culture of supervision within the banking agencies. The three authors, who usually do not find themselves in agreement and typically have very different policy perspectives, have found common ground in how the extremes of this culture of secrecy, which is not supported in the law, leads to concerns about accountability, capture, and complacency.

Information as Property

The core problem is that banking supervisors almost never have to show their work, because according to the accepted thinking, the analyses supporting their decisions are confidential supervisory information, known more popularly as “CSI.” Moreover, not only are staff at banking agencies allowed to keep CSI secret, if banks or others disclose it without permission they have, according to the agencies, committed felony property theft.²  

There are two problems with this long-standing point of view: It is both bad law and bad policy.

Like all myths, the origins of “CSI-disclosure-as-a-crime” must be viewed through the mists of time. There is a long history of bank regulators considering examination reports to be the property of the government.³ But the authority for such an assertion is far less clear.

During the 1960s, the culture of secrecy ran head-on into the Freedom of Information Act (FOIA). Because the public now had access to a broad swath of government records, banking regulators had to craft an exception to their new disclosure obligations to avoid producing confidential materials. Thus, Exemption 8 was added to FOIA, expanding protections for regulatory information far beyond traditional exam reports.⁴  

The initial FOIA regulations promulgated in 1967 by each of the three federal banking agencies, the Federal Reserve, the OCC and the FDIC, were passed with no preamble and no proposal. They appeared, like Athena from the head of Zeus, in final form.⁵ Each of them contained a bare and unexplained assertion that the examination report, made available by the agency to the bank, is the “property” of the agencies. The original rules did not expand the property assertion to all CSI and there was, at that time, no citation to any criminal statute.⁶ The first reference to a federal criminal law appeared in 1974, when the OCC declared, without explanation, that unauthorized disclosures of bank examination reports “may be subject to the penalties provided in 18 U.S.C. 641.”⁷ Moreover, the agencies have since expanded their self-declared property right in CSI to include everything under Exemption 8. As a result, by regulation, the banking agencies have created a felony by regulatory cross-reference covering an ever-expanding body of information.⁸  

Property No Longer

For decades, the banking regulators have been able to rely upon this regulatory sleight of hand to threaten banks and their employees with felony criminal sanctions if any part of the wide-ranging materials in Exemption 8 were, without permission, disclosed to the public, to Congress, to trade associations, to academics, or to any other person. The threat of criminal sanctions creates a level of uncertainty, and quite frankly fear, that stifles open debate. Putting aside for the moment whether it is appropriate for a regulator to create a felony by regulatory fiat,⁹ whether 18 U.S.C. § 641 provides support for the secrecy of the vast swath of materials in Exemption 8 hinges entirely on whether such information amounts to the “property” of the government. A recent line of cases makes it clear that it is not. 

In a unanimous opinion delivered by Justice Kagan, the U.S. Supreme Court in Kelly v. United States drew a sharp distinction between the government’s role as a regulator exercising “traditional police powers” and its role “as property holder” – concluding that only the latter is protected under federal fraud statutes.¹⁰ Further, the Court held that, if the object of a fraud was not traditional property, then any “incidental” effects on property are insufficient to support wire fraud liability. While not all of us agree with the outcome in Kelly, the law is now clear, and the banking agencies must change their treatment of CSI accordingly. 

Indeed, subsequent to Kelly the government changed its position as to what constitutes “property.”¹¹ In the year before Kelly was decided, the Second Circuit had held that certain confidential regulatory information was government property under federal fraud and conversion statutes.¹² However, as a result of Kelly the Solicitor General told the Second Circuit that the confidential information did not constitute “property” or a “thing of value” under federal law. The Second Circuit agreed with that confession of error, holding that, in light of Kelly, the prosecution was invalid.¹³  

In a similar, and particularly relevant case, the government acknowledged that one type of bank CSI (a living will) was not a “thing of value” under 18 U.S.C. § 641.¹⁴ The district court in that case concluded that an FDIC employee who stole copies of bank resolution plans had not deprived the agency of “anything other than the thumb drives on which they were stored” – meaning the plans themselves were not government property with independent value.¹⁵ After the Supreme Court’s decision in Kelly, the prosecution reached the same conclusion and moved to dismiss the case.¹⁶

The Case for Change

For decades, bank regulators were able to impose strict requirements around the disclosure of examination related materials so that only they could decide when and how they could be disclosed. Banks could not even use them in the most logical places, such as in connection with the due diligence of a bank in an M&A context, replying to another regulator’s inquiry or – most importantly – defending themselves against charges of regulatory non-compliance.¹⁷ Not even the Treasury Secretary has access to these materials unless the privilege is waived or a special arrangement is put in place.

This secrecy has created a fundamental, and still unresolved, problem. How can Congress and the public know whether supervision has succeeded, or failed, or more likely what its strengths and weaknesses are if the materials remain secret? 

Of course, confidentiality has an important role to play. No responsible banking organization would object to the maintenance of confidentiality for purposes of maintaining trade secrets, for national security reasons or that which is not required to be disclosed under the securities laws. However, CSI was and is used regularly as a shield to protect not the regulated party, but the supervisory staff. Is the supervisory staff cognitively captured, as some have asserted, or do they use the shield of confidentiality to pursue their own political and social goals as others have asserted? Behind the CSI curtain, regulatory mistakes and successes, correct and incorrect analysis, or even heroism and misconduct stay unknown, thus damaging supervisory accountability. 

In short, the actual consequence of the overuse of CSI has been “[i]gnorance. The financial system bellows out extraordinary amounts of information, but some of the most important types of information are obscured from any kind of public consumption.”¹⁸ CSI, as it is practiced, has become the antithesis of American transparency, accountability, and fairness. The 2023 bank failures brought these issues into stark relief, with many legitimate questions being raised about the focus and rigor of bank supervision. It does not have to be this way. Having more open and honest dialogue will push supervisors to show their work, and to shake off decades of seeming complacency. That is, ending the culture of silence will be good for the public, the financial sector, and the agencies alike. 

Conclusion

CSI practices can be reformed to ensure that appropriate confidences are maintained. Among many changes that should occur in CSI reform, we believe that one can happen immediately – all three federal banking regulators should announce that in light of Kelly,¹⁹ which is binding law, they will no longer consider CSI to be their property and will no longer pursue criminal cases against banks and bankers for disclosing it.²⁰ We hope that this recommendation, which can be immediately implemented, might be the start of a broader conversation about the role of transparency in the bank supervisory process more generally. Of course, we three authors might find ourselves with opposite policy views at that time.

The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.

^[1] L. Brandeis, “What Publicity Can Do”, Harper’s Weekly (Dec. 20, 1913).

^[2] The authors wish to thank law clerk Tyler Corkedale for his assistance.

 See, e.g., 12 C.F.R. § 4.37(b)(1)(ii). This has led to both a power imbalance and a culture of fear, especially around those agencies that claim that the sharing of CSI, even within a bank, is limited by the concept of “business necessity.”

^[3] The authors have traced the assertion that bank examination reports are the property of the regulators to at least 1943, though they suspect it goes back further than that. See, e.g., 8 Fed. Reg. 6015 (May 11, 1943). As noted by Peter Conti-Brown and Sean Vanetta in their tour de force history of banking supervision, “Private Finance, Public Power: A History of Bank Supervision in America,” bank examination reports were not even shared with banks until 1916, and even then only in summary part. Id. at Para. 127. We suspect that this fact may explain the view that the examination report is the property of the agencies.

^[4]  5 U.S.C. § 552(b)(8) (exempting from production matters that are “contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.”)

^[5]  See 32 Fed. Reg. 9516 (July 1, 1967); 32 Fed. Reg. 9513 (July 1, 1967); 32 Fed. Reg. 9638 (July 4, 1967).

^[6]  See former 12 C.F.R. § 261.6(b); 12 C.F.R. § 4.18(c); 12 C.F.R. § 309.1(c)(1)(ii).

^[7] See 39 Fed. Reg. 3815 (Jan. 30, 1974).

^[8] Under 18 U.S.C. § 641 it is a felony, to steal or knowingly convert “any record, voucher, money or thing of value of the United States or a department or agency thereof ….”

^[9] The Supreme Court has consistently and roundly condemned the use of prosecutorial fiat to confect crimes from equivocal language. See, e.g., Dubin v. United States, 599 U.S. 110 (2023) (Sotomayor, J.). This should be taken into account by banking agencies to the extent they are reviewing their rules, pursuant to an OMB directive, to identify instances in which criminal referrals may be made by the agency. Attempts to criminalize the use of CSI is an “expansion of federal criminal prosecution in the absence of a clear statement from Congress.” Cleveland v. United States, 531 U.S. 12, 24 (2000) (Ginsburg, J.). And, it sidesteps the Supreme Court’s instructions that “ambiguity in construing a criminal statute should be resolved in favor of lenity.” Rewis v. United States, 401 U.S. 808, 812 (1971) (Marshall, J.)

^[10] 590 U.S. 391, 401 (2020).

^[11] See United States v. Blaszczak, 56 F.4th 230, 236 (2d Cir. 2022); United States v. Aytes, No. 19-3981, Dkt. No. 70 (2d Cir. Apr. 13, 2021).

^[12] United States v. Blaszczak, 947 F. 3d 19 (2d Cir. 2019).

^[13] See United States v. Blaszczak, 56 F.4^th 230, 243 (2022). Interestingly, this conclusion was reached after a jury trial in which the defendant had lost. It is an extraordinary event for the Solicitor General to confess error and drop a prosecution at that point.

^[14] See Aytes, No. 19-3981, Dkt. No. 70 (2d Cir. Apr. 13, 2021).

^[15] United States v. Aytes, No. 18 CR 132(SJ) (RLM), 2019 WL 5579485 (E.D.N.Y. Oct. 29, 2019).

^[16]  There are other criminal statutes under which the agencies can more appropriately prosecute the rare rogue supervisor. See, e.g., 18 U.S.C. § 1906.

^[17]  CSI secrecy combined with the near impossibility of succeeding on a supervisory appeal, J.A. Hill, “When Bank Examiners Get It Wrong,” 92 Wash. U. Law Rev. 1101 (2015), completes the hermetic seal insulating regulators from accountability.

^[18]  P. Conti-Brown, “The curse of confidential supervisory information,” Brookings (Dec. 20, 2019).

^[19]  We note, as well, the existence of Trump EO 14294 on decriminalization, while noting that not all of the authors agree with every word in that EO and that the concept of whether an independent agency must comply with an EO remains controversial.

^[20]  See OCC Bull. 2025-13, Guidance on Referrals for Potential Criminal Enforcement: Notice (June 23, 2025).

Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.

If an idea matters, you’ll find it here. If you find an idea here, it matters. 

Interested in contributing to Open Banker? Send us an email at [email protected].