Managing Confidential Supervisory Information in the M&A Process
Bank boards should understand the legal restrictions governing how confidential supervisory information may be shared during an acquisition, and why reform may be overdue.
Brought to you by Skadden

Few issues in bank M&A sit as uncomfortably at the intersection of legal obligation and commercial necessity as the management of confidential supervisory information, or CSI. As merger activity resumes and boards weigh strategic transactions with renewed interest, the rules governing what supervisory information a bank may share with a prospective merger partner deserve closer attention than they typically receive.
CSI refers broadly to information prepared by, on behalf of, or for the use of, a federal or state banking regulator in connection with its supervisory responsibilities. Examination reports, supervisory ratings, non-public enforcement actions and internal bank documents discussing any of these items all fall within the definition, though the precise contours vary among the Office of the Comptroller of the Currency, the Federal Reserve and the Federal Deposit Insurance Corp. The agencies treat CSI as the property of the regulator, not of the institution, and unauthorized disclosure can result in civil penalties or even criminal liability.
The M&A Tension
A typical merger agreement requires the target bank to make extensive representations and warranties concerning its regulatory standing, compliance history and financial condition. Many of those representations, if answered candidly, would require the bank to disclose information classified as CSI. At the same time, an acquirer’s diligence team will want to understand the target’s supervisory posture, any outstanding enforcement matters and the substance of recent examination findings before committing capital. The framework places both sides in a difficult position: The target is constrained in what it can share, and the acquirer is limited in what it can learn.
The Fed has been particularly explicit on this point. In a resource publication for community banks, institutions were reminded that they may not share CSI with acquirers or targets without prior approval of the Fed’s general counsel, and that such requests are generally denied “absent very unusual circumstances.” Where a regulatory issue surfaces after signing but before closing, a bank may petition its regulator for permission to disclose, but such requests must be narrowly tailored and are granted only at the agency’s discretion.
Practical Pitfalls for Boards
Directors should be aware of several recurring risk areas. First, if a merger agreement permits the acquirer to place observers at the target’s board and committee meetings during the pendency of a transaction, and if those meetings involve discussion of examination findings or enforcement matters, the presence of non-director observers creates a potential CSI violation. Second, due diligence efforts and integration planning often call for sharing compliance documents and operational assessments that may reference supervisory materials. Deal teams not attuned to the CSI framework may inadvertently include restricted information in data room materials. Third, the definition of CSI extends not only to regulatory documents themselves but to internal bank documents that discuss, summarize or derive from supervisory materials, a scope broader than many executives appreciate.
An Area Ripe for Reform
There is growing recognition that the current CSI framework creates friction that is difficult to reconcile with the regulatory objective of promoting sound M&A. In a 2020 rulemaking, the Fed received public comments urging it to establish parameters for sharing CSI in the M&A context, with commenters arguing that the prohibition runs counter to regulatory policies and frustrates the ability of acquirers to assess a target’s weaknesses. The Fed declined to adopt that change.
More recently, Fed Vice Chair for Supervision Michelle Bowman has acknowledged that the definition of CSI has become overly broad and has signaled that the Fed is reviewing approaches to create limited-use cases in which CSI could be shared or exempted from current restrictions. Vice Chair Bowman has also observed that expansive CSI designations can limit M&A options and shield supervisory practices from appropriate scrutiny, adding weight to calls for reform.
Whether reform takes the form of a narrow safe harbor for sharing CSI during due diligence, a streamlined approval mechanism for late-stage or distressed transactions, or a recalibration of the CSI definition itself, the direction of the conversation is clear. In the meantime, boards considering a strategic transaction should ensure that legal and compliance teams have identified all CSI within the institution’s records, that appropriate protocols govern the preparation of board materials and data room contents, and that any disclosure of supervisory information to a counterparty is preceded by formal regulatory authorization.
The rules governing CSI are not new, but the consequences of mismanaging them in an active deal environment remain significant, and the case for modernizing them has never been stronger.