Ask the Guru: Is it Legal to Share Exam Findings?


Hey Guru!

We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we share this critical information with you without getting into legal trouble?

Thanks for the question. Here is where this issue is coming from. The front cover of all examinations contains the following verbiage:

“The report is the property of the FDIC, and is furnished to the bank examined for their confidential use. Under no circumstances shall the registrant, or any of its directors, officers, or employees disclose or make public in any manner the report or any portion thereof.”

It goes on to say that doing so would violate Part 309 of the FDIC Rules and Regulations.

FDIC 12 CFR Part 309, titled “Disclosure of Information”, governs information the FDIC maintains on all financial institutions (including examination reports) and the procedures for obtaining access to such information. Subsection 309.6 (a) states:

“…no person shall disclose or permit the disclosure of any exempt records, or information contained therein, to any persons other than those officers, directors, employees, or agents of the Corporation who have a need for such records in the performance of their official duties.” (Emphasis added)

I have always taken the opinion that if we are contracted to assist in the remediation of examination findings, we are considered an “agent” (acting on behalf of the institution) and require the examination report, or the information contained therein, in order to perform our “official duties”. Of course, as their agent, we are now bound by Part 309 and restricted from any further sharing of the information.

One additional thought… It’s important to see examination findings in the context of the entire report, as opposed to simply being restated or copied and pasted. There are several reasons for this, primarily because we can often derive additional meaning from the broader context, allowing us to “connect the dots” between separate findings, and also because we can sometimes get additional clarity by reading “between the lines” of the report. For example, we recently assisted a customer with a finding to “Improve the Pandemic Plan within the BCP Plan”.

They went on to state that “Management should establish a clear action plan…for Pandemic.” Taken out of context, this would seem to indicate examiners wanted additional general recovery procedures in case of Pandemic. But they went on to mention “key personnel” and “employee training”, and so taken in the broader context what they were really looking for was a succession plan. Because the finding never specifically mentioned a succession plan, we may have gone in a different direction if not for seeing the entire report.

Hope this gives you a little insight into this Part 309 issue. Feel free to reach out any time with other compliance questions!
