Fintech Focus: NYDFS and the Federal Reserve Board Penalize Bank for Unauthorized Disclosures of CSI and Self-Reporting Failures
In coordinated actions, the New York State Department of Financial Services (NYDFS) and the Federal Reserve Board (FRB) fined the Industrial and Commercial Bank of China, Ltd. (ICBC) and its New York branch (Branch, a New York-based subsidiary) $30 million and approximately $2.4 million, respectively. The Branch, which operates under the jurisdiction of both examining authorities, was found to have improperly disclosed confidential supervisory information (CSI), backdated certain books and records, and failed to self-report the impropriety of its books and records when the issue came to light. These coordinated enforcement actions signal the regulators’ interest and seriousness in protecting CSI and emphasize NYDFS’ focus on self-reporting misconduct.
Key Takeaways:
- NYDFS coordinates with federal prudential regulators for enforcement related to banking institutions.
- Maintaining confidentiality of CSI is a significant interest of regulators and disclosure can only be made with approval of the relevant regulatory authority.
- Financial institutions are expected to have policies and procedures in place to properly manage recordkeeping and disclosure of CSI.
- Regulators, particularly NYDFS, have strong expectations for financial institutions to self-report certain conduct.
Governance and Self-Reporting Expectations
Governance and Self-Reporting Expectations
NYDFS has heightened expectations for self-reporting misconduct, which is codified in its regulations. For example, § 300.1(a) of Title 3 of the New York Codes, Rules and Regulations requires immediate reporting (upon discovery) of misconduct relating to “embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense, in which any director, trustee, partner, officer, employee (excluding tellers), or agent of such organization is involved.” In this ICBC Consent Order, NYDFS found that the Branch had violated § 300.1(a) because a bank employee backdated signatures on certain client certifications in connection with its Know Your Customer program. Despite the Branch and ICBC representing that the certifications did not become part of the bank client’s files, NYDFS found the action a violation of New York Banking Law § 200-c for failing to maintain appropriate books and records. Furthermore, NYDFS faulted the bank for failing to immediately report this incident upon discovery, when originally flagged to ICBC by one of its employees in 2017. The issue was internally investigated by ICBC and the investigation concluded in April 2017 that the records were in fact backdated. The backdating of the records constitutes a false entry, which NYDFS declared should have been immediately reported. However, ICBC did not report the incident until January 2018. Despite ICBC taking the needed action to investigate the issue, NYDFS, in its Consent Order, emphasizes its expectations regarding immediate self-reporting.
Confidential Supervisory Information
CSI can be broadly defined and varies in its scope across different state and federal regulators. For example, NYDFS defines CSI as any “reports of examinations and investigations [of NYDFS-supervised institution and affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including duly authenticated copy or copies thereof,” as well as any confidential materials shared by NYDFS with any governmental agency or unit. 3 NYCCR § 7.1(1); New York Banking Law § 36.10. Meanwhile, FRB defines CSI as “information that is or was created or obtained in furtherance of the [Federal Reserve’s] supervisory, investigatory or enforcement activities,” including reports of examination, inspection and visitation, confidential operating and condition reports, supervisory assessments, investigative requests for documents or other information, and supervisory correspondence or other supervisory communications. 12 C.F.R. §§ 261. Regardless of the definition, regulators are the ultimate owners of CSI, meaning a financial institution cannot disclose CSI, even to other government agencies, without the written approval of the governing regulator.
At issue in these consent orders are examination-related documents that generated CSI pursuant to New York Banking Law § 36.10. These CSI materials were not permitted to be disclosed without NYDFS and FRB’s approval. 3 NYCCR § 7.2.; 12 C.F.R. §§ 261.4, 261.20. However, ICBC failed to comply with these requirements when transferring a Branch employee to an overseas affiliate in December 2021. During the transfer, the New York Branch provided CSI to an overseas affiliate, who disclosed the CSI to a foreign regulator while the Branch’s request for authorization to release the CSI was pending or under review with NYDFS, FRB, and the Federal Reserve Bank of New York. The Branch learned of the CSI breach in December 2021, and did not report the breach to NYDFS and FRB until two weeks later. In the resulting Consent Order, FRB emphasized the Branch’s lack of adequate controls related to the use and dissemination of CSI. The NYDFS Consent Order, and similarly the FRB Consent Order, signal the regulators’ seriousness in managing CSI and the applicable expectations for immediate self-reporting of unauthorized disclosures.
In addition to the assessed total fines of $32.4 million, both consent orders require additional remediation efforts. For example, NYDFS and FRB have each imposed additional non-monetary penalties including providing periodic progress reports relating to AML/BSA and CSI compliance programs and establishing and reporting on controls and governance relating to both. The FRB is also requiring the designation of a CSI officer who must be a voting member of the Branch’s risk management committee.
The Bottom Line
Financial institutions are expected to have policies and procedures, internal controls, and adequate governance surrounding the handling of and protection of CSI, even when dealing with affiliates. Additionally, in its consent order, NYDFS has made it very clear how seriously it takes self-reporting and that, in this instance, waiting two weeks post-discovery of a reportable incident did not meet its “immediate” reporting expectation.
Key Takeaways:
- NYDFS coordinates with federal prudential regulators for enforcement related to banking institutions.
- Maintaining confidentiality of CSI is a significant interest of regulators and disclosure can only be made with approval of the relevant regulatory authority.
- Financial institutions are expected to have policies and procedures in place to properly manage recordkeeping and disclosure of CSI.
- Regulators, particularly NYDFS, have strong expectations for financial institutions to self-report certain conduct.
Governance and Self-Reporting Expectations
Governance and Self-Reporting Expectations
NYDFS has heightened expectations for self-reporting misconduct, which is codified in its regulations. For example, § 300.1(a) of Title 3 of the New York Codes, Rules and Regulations requires immediate reporting (upon discovery) of misconduct relating to “embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense, in which any director, trustee, partner, officer, employee (excluding tellers), or agent of such organization is involved.” In this ICBC Consent Order, NYDFS found that the Branch had violated § 300.1(a) because a bank employee backdated signatures on certain client certifications in connection with its Know Your Customer program. Despite the Branch and ICBC representing that the certifications did not become part of the bank client’s files, NYDFS found the action a violation of New York Banking Law § 200-c for failing to maintain appropriate books and records. Furthermore, NYDFS faulted the bank for failing to immediately report this incident upon discovery, when originally flagged to ICBC by one of its employees in 2017. The issue was internally investigated by ICBC and the investigation concluded in April 2017 that the records were in fact backdated. The backdating of the records constitutes a false entry, which NYDFS declared should have been immediately reported. However, ICBC did not report the incident until January 2018. Despite ICBC taking the needed action to investigate the issue, NYDFS, in its Consent Order, emphasizes its expectations regarding immediate self-reporting.
Confidential Supervisory Information
CSI can be broadly defined and varies in its scope across different state and federal regulators. For example, NYDFS defines CSI as any “reports of examinations and investigations [of NYDFS-supervised institution and affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including duly authenticated copy or copies thereof,” as well as any confidential materials shared by NYDFS with any governmental agency or unit. 3 NYCCR § 7.1(1); New York Banking Law § 36.10. Meanwhile, FRB defines CSI as “information that is or was created or obtained in furtherance of the [Federal Reserve’s] supervisory, investigatory or enforcement activities,” including reports of examination, inspection and visitation, confidential operating and condition reports, supervisory assessments, investigative requests for documents or other information, and supervisory correspondence or other supervisory communications. 12 C.F.R. §§ 261. Regardless of the definition, regulators are the ultimate owners of CSI, meaning a financial institution cannot disclose CSI, even to other government agencies, without the written approval of the governing regulator.
At issue in these consent orders are examination-related documents that generated CSI pursuant to New York Banking Law § 36.10. These CSI materials were not permitted to be disclosed without NYDFS and FRB’s approval. 3 NYCCR § 7.2.; 12 C.F.R. §§ 261.4, 261.20. However, ICBC failed to comply with these requirements when transferring a Branch employee to an overseas affiliate in December 2021. During the transfer, the New York Branch provided CSI to an overseas affiliate, who disclosed the CSI to a foreign regulator while the Branch’s request for authorization to release the CSI was pending or under review with NYDFS, FRB, and the Federal Reserve Bank of New York. The Branch learned of the CSI breach in December 2021, and did not report the breach to NYDFS and FRB until two weeks later. In the resulting Consent Order, FRB emphasized the Branch’s lack of adequate controls related to the use and dissemination of CSI. The NYDFS Consent Order, and similarly the FRB Consent Order, signal the regulators’ seriousness in managing CSI and the applicable expectations for immediate self-reporting of unauthorized disclosures.
In addition to the assessed total fines of $32.4 million, both consent orders require additional remediation efforts. For example, NYDFS and FRB have each imposed additional non-monetary penalties including providing periodic progress reports relating to AML/BSA and CSI compliance programs and establishing and reporting on controls and governance relating to both. The FRB is also requiring the designation of a CSI officer who must be a voting member of the Branch’s risk management committee.
The Bottom Line
Financial institutions are expected to have policies and procedures, internal controls, and adequate governance surrounding the handling of and protection of CSI, even when dealing with affiliates. Additionally, in its consent order, NYDFS has made it very clear how seriously it takes self-reporting and that, in this instance, waiting two weeks post-discovery of a reportable incident did not meet its “immediate” reporting expectation.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
In coordinated actions, the New York State Department of Financial Services (NYDFS) and the Federal Reserve Board (FRB) fined the Industrial and Commercial Bank of China, Ltd. (ICBC) and its New York branch (Branch, a New York-based subsidiary) $30 million and approximately $2.4 million, respectively. The Branch, which operates under the jurisdiction of both examining authorities, was found to have improperly disclosed confidential supervisory information (CSI), backdated certain books and records, and failed to self-report the impropriety of its books and records when the issue came to light. These coordinated enforcement actions signal the regulators’ interest and seriousness in protecting CSI and emphasize NYDFS’ focus on self-reporting misconduct.
Key Takeaways:
- NYDFS coordinates with federal prudential regulators for enforcement related to banking institutions.
- Maintaining confidentiality of CSI is a significant interest of regulators and disclosure can only be made with approval of the relevant regulatory authority.
- Financial institutions are expected to have policies and procedures in place to properly manage recordkeeping and disclosure of CSI.
- Regulators, particularly NYDFS, have strong expectations for financial institutions to self-report certain conduct.
Governance and Self-Reporting Expectations
Governance and Self-Reporting Expectations
NYDFS has heightened expectations for self-reporting misconduct, which is codified in its regulations. For example, § 300.1(a) of Title 3 of the New York Codes, Rules and Regulations requires immediate reporting (upon discovery) of misconduct relating to “embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense, in which any director, trustee, partner, officer, employee (excluding tellers), or agent of such organization is involved.” In this ICBC Consent Order, NYDFS found that the Branch had violated § 300.1(a) because a bank employee backdated signatures on certain client certifications in connection with its Know Your Customer program. Despite the Branch and ICBC representing that the certifications did not become part of the bank client’s files, NYDFS found the action a violation of New York Banking Law § 200-c for failing to maintain appropriate books and records. Furthermore, NYDFS faulted the bank for failing to immediately report this incident upon discovery, when originally flagged to ICBC by one of its employees in 2017. The issue was internally investigated by ICBC and the investigation concluded in April 2017 that the records were in fact backdated. The backdating of the records constitutes a false entry, which NYDFS declared should have been immediately reported. However, ICBC did not report the incident until January 2018. Despite ICBC taking the needed action to investigate the issue, NYDFS, in its Consent Order, emphasizes its expectations regarding immediate self-reporting.
Confidential Supervisory Information
CSI can be broadly defined and varies in its scope across different state and federal regulators. For example, NYDFS defines CSI as any “reports of examinations and investigations [of NYDFS-supervised institution and affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including duly authenticated copy or copies thereof,” as well as any confidential materials shared by NYDFS with any governmental agency or unit. 3 NYCCR § 7.1(1); New York Banking Law § 36.10. Meanwhile, FRB defines CSI as “information that is or was created or obtained in furtherance of the [Federal Reserve’s] supervisory, investigatory or enforcement activities,” including reports of examination, inspection and visitation, confidential operating and condition reports, supervisory assessments, investigative requests for documents or other information, and supervisory correspondence or other supervisory communications. 12 C.F.R. §§ 261. Regardless of the definition, regulators are the ultimate owners of CSI, meaning a financial institution cannot disclose CSI, even to other government agencies, without the written approval of the governing regulator.
At issue in these consent orders are examination-related documents that generated CSI pursuant to New York Banking Law § 36.10. These CSI materials were not permitted to be disclosed without NYDFS and FRB’s approval. 3 NYCCR § 7.2.; 12 C.F.R. §§ 261.4, 261.20. However, ICBC failed to comply with these requirements when transferring a Branch employee to an overseas affiliate in December 2021. During the transfer, the New York Branch provided CSI to an overseas affiliate, who disclosed the CSI to a foreign regulator while the Branch’s request for authorization to release the CSI was pending or under review with NYDFS, FRB, and the Federal Reserve Bank of New York. The Branch learned of the CSI breach in December 2021, and did not report the breach to NYDFS and FRB until two weeks later. In the resulting Consent Order, FRB emphasized the Branch’s lack of adequate controls related to the use and dissemination of CSI. The NYDFS Consent Order, and similarly the FRB Consent Order, signal the regulators’ seriousness in managing CSI and the applicable expectations for immediate self-reporting of unauthorized disclosures.
In addition to the assessed total fines of $32.4 million, both consent orders require additional remediation efforts. For example, NYDFS and FRB have each imposed additional non-monetary penalties including providing periodic progress reports relating to AML/BSA and CSI compliance programs and establishing and reporting on controls and governance relating to both. The FRB is also requiring the designation of a CSI officer who must be a voting member of the Branch’s risk management committee.
The Bottom Line
Financial institutions are expected to have policies and procedures, internal controls, and adequate governance surrounding the handling of and protection of CSI, even when dealing with affiliates. Additionally, in its consent order, NYDFS has made it very clear how seriously it takes self-reporting and that, in this instance, waiting two weeks post-discovery of a reportable incident did not meet its “immediate” reporting expectation.
Key Takeaways:
- NYDFS coordinates with federal prudential regulators for enforcement related to banking institutions.
- Maintaining confidentiality of CSI is a significant interest of regulators and disclosure can only be made with approval of the relevant regulatory authority.
- Financial institutions are expected to have policies and procedures in place to properly manage recordkeeping and disclosure of CSI.
- Regulators, particularly NYDFS, have strong expectations for financial institutions to self-report certain conduct.
Governance and Self-Reporting Expectations
Governance and Self-Reporting Expectations
NYDFS has heightened expectations for self-reporting misconduct, which is codified in its regulations. For example, § 300.1(a) of Title 3 of the New York Codes, Rules and Regulations requires immediate reporting (upon discovery) of misconduct relating to “embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense, in which any director, trustee, partner, officer, employee (excluding tellers), or agent of such organization is involved.” In this ICBC Consent Order, NYDFS found that the Branch had violated § 300.1(a) because a bank employee backdated signatures on certain client certifications in connection with its Know Your Customer program. Despite the Branch and ICBC representing that the certifications did not become part of the bank client’s files, NYDFS found the action a violation of New York Banking Law § 200-c for failing to maintain appropriate books and records. Furthermore, NYDFS faulted the bank for failing to immediately report this incident upon discovery, when originally flagged to ICBC by one of its employees in 2017. The issue was internally investigated by ICBC and the investigation concluded in April 2017 that the records were in fact backdated. The backdating of the records constitutes a false entry, which NYDFS declared should have been immediately reported. However, ICBC did not report the incident until January 2018. Despite ICBC taking the needed action to investigate the issue, NYDFS, in its Consent Order, emphasizes its expectations regarding immediate self-reporting.
Confidential Supervisory Information
CSI can be broadly defined and varies in its scope across different state and federal regulators. For example, NYDFS defines CSI as any “reports of examinations and investigations [of NYDFS-supervised institution and affiliates], correspondence and memoranda concerning or arising out of such examination and investigations, including duly authenticated copy or copies thereof,” as well as any confidential materials shared by NYDFS with any governmental agency or unit. 3 NYCCR § 7.1(1); New York Banking Law § 36.10. Meanwhile, FRB defines CSI as “information that is or was created or obtained in furtherance of the [Federal Reserve’s] supervisory, investigatory or enforcement activities,” including reports of examination, inspection and visitation, confidential operating and condition reports, supervisory assessments, investigative requests for documents or other information, and supervisory correspondence or other supervisory communications. 12 C.F.R. §§ 261. Regardless of the definition, regulators are the ultimate owners of CSI, meaning a financial institution cannot disclose CSI, even to other government agencies, without the written approval of the governing regulator.
At issue in these consent orders are examination-related documents that generated CSI pursuant to New York Banking Law § 36.10. These CSI materials were not permitted to be disclosed without NYDFS and FRB’s approval. 3 NYCCR § 7.2.; 12 C.F.R. §§ 261.4, 261.20. However, ICBC failed to comply with these requirements when transferring a Branch employee to an overseas affiliate in December 2021. During the transfer, the New York Branch provided CSI to an overseas affiliate, who disclosed the CSI to a foreign regulator while the Branch’s request for authorization to release the CSI was pending or under review with NYDFS, FRB, and the Federal Reserve Bank of New York. The Branch learned of the CSI breach in December 2021, and did not report the breach to NYDFS and FRB until two weeks later. In the resulting Consent Order, FRB emphasized the Branch’s lack of adequate controls related to the use and dissemination of CSI. The NYDFS Consent Order, and similarly the FRB Consent Order, signal the regulators’ seriousness in managing CSI and the applicable expectations for immediate self-reporting of unauthorized disclosures.
In addition to the assessed total fines of $32.4 million, both consent orders require additional remediation efforts. For example, NYDFS and FRB have each imposed additional non-monetary penalties including providing periodic progress reports relating to AML/BSA and CSI compliance programs and establishing and reporting on controls and governance relating to both. The FRB is also requiring the designation of a CSI officer who must be a voting member of the Branch’s risk management committee.
The Bottom Line
Financial institutions are expected to have policies and procedures, internal controls, and adequate governance surrounding the handling of and protection of CSI, even when dealing with affiliates. Additionally, in its consent order, NYDFS has made it very clear how seriously it takes self-reporting and that, in this instance, waiting two weeks post-discovery of a reportable incident did not meet its “immediate” reporting expectation.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026