Modernizing Supervisory Information Sharing: A Former Regulator's Perspective

Written by Kayce Seifert

Kayce Seifert is Associate General Counsel at Mercury where she helps the company provide better banking* experiences for ambitious businesses and entrepreneurs through Mercury’s FDIC-insured partners. She has over a decade of experience across fintech, banking, and government including roles at the FDIC, Discover, and Block.

Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.

Confidential Supervisory Information (CSI) is one of the most closely guarded features of the U.S. bank regulatory system. Its sanctity preserves candor between supervisors and banks, protects depositor confidence, and prevents sensitive findings from moving markets. But the framework that governs CSI hasn’t kept pace with the realities of modern third-party partnerships, and that gap is now undermining the very outcomes it was designed to protect. 

One overlooked but solvable piece of that puzzle is how banks are allowed to share CSI with their partner companies that help them deliver financial services to the nation’s consumers and businesses.

Today, the process too often resembles a game of charades: A regulator flags a weakness in an exam, but when the bank tries to relay it to its fintech partners or a critical vendor, it can’t say the words—only gesture, hint, and mime. The partner guesses at the fix, piecing together partial signals without ever seeing the full picture. Everyone is straining to play by the rules. But the stakes aren’t laughs around your friend’s living room. Instead, depositor confidence and the stability of the financial system are what’s on the line.

Understandably, this dynamic leaves regulators frustrated, banks cautious, fintechs guessing, and customer experiences compromised. It’s an outcome no one intends and everyone dislikes. CSI frameworks need to be modernized, and soon, so banks, fintech partners, and regulators can continue to protect confidentiality while also allowing the collaboration needed to fix problems quickly and directly. Controlled access, under clear safeguards, would strengthen remediation, improve partnerships, and make the supervisory process itself more effective.

What Exactly Is CSI? And Why Is It So Complicated?

CSI generally refers to information created or collected during the bank supervisory process. This includes reports of examination (ROEs), supervisory ratings, communications between regulators and supervised institutions, and (sometimes) materials derived from those sources. Under the Freedom of Information Act (FOIA), it’s exempt from public disclosure. But FOIA only sets the outer boundary, and each federal regulator fills in the rest through its own rules and internal practices. Each federal banking agency has its own framework of definitions, exceptions, and processes (and it’s a mixed bag on the state level, too).

This is where things start to break down. For example:

  • The Federal Reserve defines “CSI” in its regulations, but parallel FDIC regulations don’t contain a definition for the term.

  • The OCC, Federal Reserve, FDIC, CFPB, and NCUA each handle CSI sharing and exclusions differently.

  • What qualifies as CSI in one context or to one examiner may not be treated the same elsewhere.

If a bank drafts an action plan to respond to a supervisory recommendation, is that CSI? What about notes taken by a bank employee during an exam meeting? It depends not just on the content, but on who wrote it, how it’s used, and which regulator is involved. Federal frameworks even include differences across agencies as to whether and how a bank can share CSI with its own professional service providers, like outside counsel and external auditors. 

This patchwork system makes it hard for compliance teams and legal counsel to act with confidence. And when banks are unsure, they tend to err on the side of not sharing, even when their fintech partners need that information to help fix the very issues an exam identified.

Supervision Without Tailored Transparency Doesn’t Work

Here’s the core problem: Many banks, especially smaller ones, work really closely with their fintech partners to build, operationalize, maintain, and monitor important functions like onboarding, risk monitoring, and transaction screening. When those functions fall short, regulators flag them in exams and expect them to be fixed quickly and completely. But banks are forced to play charades with supervisory findings, resulting in an incomplete picture that compromises the effectiveness and efficiency of remediations. It’s even worse when the rules of the “game” vary dramatically depending on who wrote the rulebook.

A fintech company working with multiple insured depository institutions may be subject to wildly different confidentiality provisions or regulator expectations depending on the bank’s charter, regulator, or even supervisory region. Even when the relevant agency’s regulations are clear that something counts as CSI, banks are often hesitant to use valuable relationship capital to submit a formal request for permission to share.

That means critical exam findings get diluted, paraphrased, or delayed as they work their way through the pantomime of compliance and legal filters required under today’s frameworks. Everyone is operating on partial (or maybe even worse, misinterpreted) information, making the regulatory goals of timely, effective remediation harder to achieve.

This isn’t theoretical. It’s an operational reality for banks and fintechs across the system.

A Framework That Protects and Enables

Confidentiality isn’t the problem. In fact, strong confidentiality and the protection of sensitive information impacting financial stability are both part of the solution. 

We need a framework for today’s banking ecosystem that enables information to flow when it supports supervisory outcomes, without undermining the protections and depositor confidence that CSI’s general exemption from public disclosure is meant to preserve.

That framework already exists in pieces. Regulators routinely allow exceptions to CSI protections for law enforcement, courts, and affiliated entities. Some even allow limited sharing with external parties without prior written approval, depending on the purpose and recipient. But fintech partnerships—a core part of the modern banking ecosystem—are nowhere to be found in most agency frameworks.

There’s no reason for that gap to persist. We can fill it without new legislation or dramatic rulemaking.

What Regulatory Modernization Looks Like

Here’s how we can fix the CSI problem without compromising what it protects:

1. Align on Shared Definitions and Common Interpretations

2. Set Clear Exceptions for Fintech Partners

3. Issue Policy Statements and Examiner Discretion

4. Lean on Contractual Protections as the Foundation

1. Align on Shared Definitions and Common Interpretations

Regulators should align around a clear, functional definition of CSI: one that distinguishes between supervisory material and routine bank business documents, and one that clearly articulates what is, and isn’t, covered. That includes consistent treatment of remediation plans, internal board materials, and third-party communications.

2. Set Clear Exceptions for Fintech Partners

CSI frameworks should explicitly allow sharing with fintech partners when:

  • The partner is contractually responsible for remediation;

  • Appropriate confidentiality agreements are in place;

  • The information is limited to what’s necessary to perform the task; and

  • The partner agrees to direct regulatory inquiry during a partner bank’s exam, if requested.

This is not a blank check. It’s a structure for controlled, purpose-limited sharing that enhances oversight, rather than avoiding it.

3. Issue Policy Statements and Examiner Discretion

Agencies can issue policy statements clarifying how existing authorities should be interpreted. They can also empower field offices and exam teams to approve information sharing under defined circumstances, especially when it directly supports resolution of a supervisory finding. This encourages flexibility and accountability where it’s most needed.

4. Lean on Contractual Protections as the Foundation

Banks and fintechs should be expected to adopt contractual terms that align with supervisory confidentiality standards. These should include general prohibitions on competitive misuse of exam-related information, agreement from the bank to follow available supervisory processes to pursue tailored CSI sharing permissions, and commitment by the fintech partner to implement time-limited retention policies and access controls.

If regulators are confident that the partners receiving CSI are subject to meaningful restrictions, they can approve exceptions more comfortably and more quickly.

Modernizing CSI Sharing Can Expand the Regulatory Perimeter

Organizations like the Independent Community Bankers of America (ICBA), Bank Policy Institute (BPI) and the American Bankers Association (ABA) have highlighted the need for stronger regulatory visibility into fintechs that play critical roles in bank operations. Commentators often point to the Bank Service Company Act (BSCA) as a tool for extending direct supervisory authority. But leveraging the BSCA at scale would require significant expansion of supervisory capacity.

Reforming CSI sharing frameworks offers a complementary and more actionable path. By creating a clear, consistent process for supervised banks to involve their fintech partners—under robust confidentiality protections—we can help regulators engage the full compliance stack today, without compromising the supervisory process or overextending limited resources.

CSI Sharing Reform Isn’t About Transparency. It’s About Function.

The point of CSI sharing restrictions isn’t secrecy for secrecy’s sake. The general prohibitions against public disclosure of supervisory information exist to protect the integrity of the supervisory process, ensure financial stability, and maintain depositors’ confidence in the nation’s banks. But when rules meant to facilitate that process end up obstructing it, it’s time to adapt. A system where exam findings and regulator recommendations are played out like charades is neither efficient nor safe, and everyone knows it.

Regulators, banks, and partners all want the same thing: a safe, compliant, well-supervised financial system. That system needs rules that protect confidentiality and enable coordination. It’s time to update CSI sharing for today’s banking ecosystem.

*Mercury is a financial technology company, not a bank. Banking services provided through Choice Financial Group, Column N.A., and Evolve Bank & Trust; Members FDIC.
