Confidential Supervisory Information in M&A
Brought to you by Hunton & Williams LLP
All of us have heard the horror stories about banks announcing a merger or acquisition, only to have the deal languish for months awaiting regulatory approval or, even worse, having the deal break apart because of a regulatory issue.
Sometimes the issues only become apparent after regulatory approval applications are filed. Since the financial crisis, some regulators have used the applications review process as a “second look” at the parties involved. This is especially true if the transaction would result in an institution that will cross a supervisory threshold (whether $50 billion, $10 billion, or $1 billion in assets), or if a protest is filed in response to the transaction.
But sometimes the issues would be readily apparent if all relevant information regarding the parties could be freely shared during due diligence. Unfortunately, applicable law imposes restrictions on the ability to share confidential supervisory information (CSI) during the due diligence process. In this article, I’ll describe what CSI is and the limits on sharing it, as well as some alternatives to allow parties to move forward without it.
What Is CSI?
The definition of CSI and the rules regarding its disclosure vary between each federal and state regulatory agency. But generally, CSI includes any information that is prepared by, on behalf of, or for the use of, a federal or state regulator, including information in any way related to any examination, inspection or visitation of a bank, its holding company or its subsidiaries or affiliates. CSI generally includes documents prepared by the regulator or by the examined entity relating to the regulator’s supervision of that entity. Some examples of CSI include exam and inspection reports, supervisory ratings, non public enforcement actions and commitment letters, such as a memorandum of understanding or board resolutions adopted to address supervisory concerns, as well as any related communications with a regulator and progress reports required by an enforcement action.
What Is Not Confidential Supervisory Information?
Certain regulatory actions must be disclosed under applicable law. These include cease and desist orders (or related consent orders), prompt corrective action directives, termination of FDIC insurance, removal or suspension of an institution affiliated party, civil money penalties and any written agreement for which a violation may be enforced by the federal regulator, unless that regulator determines that publication would be contrary to the public interest. Each federal regulatory authority maintains a website at which this information and the relevant documents may be obtained.
Who Can Give Approval to Disclose CSI?
The regulators take the position that all CSI, whether prepared by the regulator or the bank, is the property of the regulator, not the bank. As such, CSI may only be disclosed with the prior written approval of the regulator, and each of the federal regulators have adopted regulations setting forth procedures for how to request disclosure of CSI.
What About Sharing CSI in Mergers or Acquisitions?
While there are some exceptions to the general rule that a bank can’t disclose CSI, including permitting disclosures to directors, officers, employees, auditors and, in some instances, legal counsel, almost all regulators take the position that a bank can’t share CSI with acquirers or targets in merger or acquisition transactions without prior approval. Further, some regulators, including the Federal Reserve, take the position that disclosure requests in these contexts are denied absent unusual circumstances.
This is a very different stance from other highly sensitive information, such as a consumer’s nonpublic personal information, which may be disclosed in connection with a proposed merger or acquisition.
What Are the Risks of Failing to Comply?
Failure to comply with regulator requirements regarding CSI can be a violation of law and could subject a person or entity to supervisory action, including the imposition of civil money penalties. In some instances, disclosure of CSI could also expose a person to criminal penalties.
So How Do the Parties Work Around This?
While CSI itself can’t be shared, other reports likely address criticisms arising in an examination. Under generally accepted accounting principles, the bank’s audit will likely describe any informal administrative action to which the bank is subject, and if the bank is a public company, its securities filings will likely describe administrative proceedings and any progress in complying with them. But if a bank is acquiring a bank in troubled condition, there is likely no substitute for seeing the administrative action to which the bank is subject. In that instance, the parties should build into their timetable the request for obtaining that information from the relevant regulator.