The Federal Reserve is reviewing its rules under which “confidential supervisory information” can be shared to help banks better coordinate fraud prevention efforts and mitigate the potential for supervisory abuse, Vice Chair for Supervision Michelle Bowman said today.
Currently, labelling information as CSI results in strict restrictions on its disclosure, with banks and bank employees subject to possible criminal penalties for sharing the data. In a speech at a California Bankers Association event, Bowman said banks are liable for sharing CSI related to fraud among themselves even if that information would make them more resilient to emerging fraud risks.
“Likewise, bank regulators dedicate a great deal of time and effort to reviewing bank cyber risk profiles and controls, and yet opportunities for collaboration and sharing can be limited by the fear that sharing CSI could result in criminal penalties,” she said. “These examples demonstrate how expansive the definition of CSI has become. The vague and overbroad definition and interpretation of CSI effectively prohibit constructive speech and information sharing.”
Bowman also said CSI could be used to shield abusive supervisory practices.
“To address these weaknesses, we are reviewing approaches to better define or create circumstances in which CSI can be shared, including through creating limited-use cases exempt from the definition of CSI,” she said.
