I. INTRODUCTION
The success of any bank compliance program rests upon the establishment of policies and procedures, following a thorough review of applicable laws and regulations. Just as important, however, is how well the bank implements and follows its policies and procedures in actual practice. Compliance with the bank’s policies and procedures is often determined through an “after-the-fact” review of actions taken by bank personnel in connection with specific bank transactions. Unfortunately, documenting any adverse results or criticism of the bank’s compliance practices can come back to haunt the bank if used against the bank in litigation.
To address these concerns, a new Nebraska law (LB 626), which became effective on June 14, 1995, was adopted to protect sensitive bank compliance review documents from being subpoenaed or admitted as evidence in civil litigation cases. The law is designed to allow a bank’s compliance review committee to criticize the bank’s own internal policies, procedures, and operations or compliance with state or federal regulations without fear that such self-critical comments could be used against the bank in litigation. Under the law, internal written reports prepared for or created by a bank’s compliance review committee are held “confidential and are not discoverable or admissible in any civil action arising out of matters evaluated by the compliance review committee.” In effect, a “compliance review” privilege has been established by LB 626. The new provisions provide a framework upon which a bank may establish a compliance review committee to evaluate internal bank practices.
Original bank documents (e.g., loan applications, regulatory reports, internal memos) may still be discoverable and admissible into evidence, but the compilation of information, data, comments or conclusions contained within “written reports prepared for or created by a compliance review committee” is held confidential, unless waived by the bank. Since the objective of any self-critical analysis is to identify compliance weaknesses so that they may be cured or eliminated, Nebraska’s public policy now favors protections that should both encourage and promote compliance reviews.
II. ESTABLISHING COMPLIANCE CONFIDENTIALITY
A. What is Considered “Confidential”?
Section 8-2003 states that a bank’s compliance review documents are confidential and are not discoverable or admissible in evidence in any civil action arising out of matters evaluated by the bank’s compliance review committee. In addition, committee members must treat such documents and committee proceedings as confidential and cannot be forced to testify regarding confidential documents or proceedings in a civil action regarding matters evaluated by the committee. Compliance review documents given to state or federal agencies also remain confidential. Sections 3, 4 and 5 of the bill contain provisions that do not extend confidentiality to information, documents, or records otherwise available from original sources, documents that do not meet the definition of compliance review documents, and information required by law or regulation to be in the possession of a governmental agency to the extent that the law authorizes disclosure.
B. What Institutions are Covered?
Under § 8-2001(1), “depository institution” is defined as a state-chartered or federally-chartered financial institution located in Nebraska that is authorized to maintain deposit accounts. Therefore, the confidentiality of compliance review documents applies only to state and federally-chartered banks and S&Ls located in Nebraska, and does not protect non-depository corporations or affiliates.
C. What is the Definition of a Compliance Review Committee?
Section 8-2001(2) defines “compliance review committee” as an audit, loan review, or compliance committee appointed by the board of directors of a depository institution; or any other person to the extent the person acts in an investigatory capacity at the direction of a compliance review committee.
For purposes of the new law, the term “loan review committee” is further defined in § 8-2001(4) of the law to mean a person or group of persons who, on behalf of a depository institution, reviews loans held by the institution for the purpose of assessing the credit quality of the loans, compliance with the institution’s loan policy, and compliance with applicable laws and regulations.
D. How is a Compliance Review Committee Formed by the Bank?
To ensure the statutory protections for a compliance review committee, the committee must be formally appointed by the depository institution’s board of directors. In addition, for a compliance review committee’s written reports to be eligible for the confidentiality protections given in the law, its functions should be specifically designated to evaluate and seek to improve (a) loan underwriting standards; (b) asset quality; (c) financial reporting to federal or state regulatory agencies; or (d) compliance with federal or state statutory or regulatory requirements. See, §§ 8-2002(1)-(4).
Therefore, the board of directors’ minutes should reflect formal appointment of those individuals designated to serve on the compliance review committee and should also specifically note that the committee’s functions are to evaluate and seek to improve one or more of the areas referenced under items (a) through (d) above.
Bank employees, agents, consultants, auditors or other professionals (e.g., attorneys or accountants) who are not members of a compliance review committee, but who perform evaluations at the direction of a compliance review committee, may also create written reports that receive the confidentiality protection of the new law. As such, a written delegation of authority to such persons from the compliance review committee is recommended, even though the statute does not contain such a specific requirement.
E. What are “Compliance Review Documents”?
The definition of compliance review documents includes written reports prepared for or created by a compliance review committee for the purpose of ascertaining compliance with federal or state statutory or regulatory requirements, or for the performance of evaluating and seeking to improve (a) loan underwriting standards; (b) asset quality; or (c) financial reporting to federal or state regulatory agencies. As a result, the analysis of data and deliberations of the compliance review committee should always be reduced to writing in the form of a written report created by the committee or prepared for the committee by any other person at the direction of the committee.
F. What About Independently-Produced Documents?
A compliance review committee should ensure that individuals reviewing written reports prepared by the compliance review committee do not independently produce their own written communication on the subject. Such individuals are not acting at the direction of the compliance review committee and their writings are not privileged.
For example, a loan officer who is not a member of the compliance review committee takes notes at a “loan status” meeting of the committee where a loan is reviewed for compliance. The notes are subsequently placed in memo form into the individual loan file. In this example, the loan officer is not acting at the direction of the compliance review committee, and the notes or resulting memo are not protected from discovery and are admissible into evidence at trial.
G. How Should Compliance Review Committee Members Treat Compliance Review Documents?
According to § 8-2003(1), compliance review committee members are to treat compliance review documents and all proceedings of the compliance review committee as confidential. Committee members cannot be compelled to testify regarding confidential documents or proceedings in civil actions stemming from matters evaluated by the committee. Note that information, documents, or records otherwise available from original sources are not immune from discovery and admissibility in evidence just because they were evaluated by the committee. In other words, if the documents are not compliance review documents, discoverability and admissibility are not limited. (See also, §§ 8-2004 and 8-2005).
H. May Federal or State Regulators Obtain Compliance Review Documents? If so, How are the Documents Treated?
Section 8-2003(2) states that compliance review documents delivered to a federal or state governmental agency remain confidential. If any information is required by law or regulation to be maintained by or provided to a governmental agency, the confidentiality provisions do not apply when the law expressly allows for disclosure of the information. (See, § 8-2004). In addition, § 8-2005 of the bill allows for a depository institution’s primary state or federal regulator to obtain compliance review documents.
III. FUNCTIONS OF THE COMPLIANCE REVIEW COMMITTEE
The Nebraska law specifically states that the act applies to compliance review committees whose functions are to evaluate and seek to improve loan underwriting standards, asset quality, financial reporting to federal or state statutory or regulatory agencies, or compliance with federal or state statutory or regulatory requirements. Thus, a particular law or regulation does not need to be the basis for the evaluation if the subject matter consists of loan underwriting standards, asset quality, or financial reporting to a federal or state regulatory agency.
The phrase “evaluate and seek to improve” necessarily implies after-the-fact consideration of compliance. As a result, the compliance privilege does not protect contemplated future actions that are not related to improvements in present compliance conditions.
For example, an individual loan application would not be protected by this privilege in a lawsuit alleging discrimination on a prohibited basis, even if the loan application were considered by a compliance review committee in evaluating the credit granting process. Only the discussions and conclusions contained within written reports prepared for or created by the committee would be protected in this example.
Documents evidencing the initial loan decision would not, in the normal lending process, be construed as confidential nor are original documents protected as confidential merely because they are reviewed or mentioned in a compliance review document.
While some bankers may focus the use of the privilege in the context of complying with banking regulations, the law is drafted broadly enough to allow a bank to rely on the compliance confidentiality provisions to protect any self-evaluations performed in the areas of compliance with labor, safety, copyright, securities laws, or any other federal or state law or regulation.
IV. WAIVER OF PRIVILEGE BY TRANSFER OR PUBLICATION OF COMPLIANCE REVIEW DOCUMENTS
As previously discussed, some documents reviewed by or written reports generated by a compliance review committee may be later provided to regulators or may be later published as required by law. The law specifically provides that confidentiality remains while compliance review documents are in the hands of regulators, to the extent that their disclosure is not expressly authorized by applicable law. It is obvious, however, that some documents will be publicly released and will not retain confidentiality (e.g., call reports). Once released for publication, confidentiality has been expressly waived. Not so clear may be those occasions when a compliance review document is transferred or released to another entity, such as the bank’s holding company or a bank affiliate, although there is some basis to support continued confidentiality. In the case of transfer or release to any unrelated person or entity, the question of the retention of confidentiality depends upon to whom the information was released. As an example, there are specific rules regarding privileged information transferred to one’s own legal counsel as opposed to members of the general public.
V. CONCLUSION
In order to provide your bank with the maximum protection in implementing the compliance confidentiality allowed by law, you must adhere to the following minimum standards:
1. The bank's board of directors must formally appoint any compliance review committees (which may by definition include audit, loan review, or compliance committees). Any individual acting in an investigatory capacity to assist the compliance review committee should be designated and directed to act on behalf of the committee by the committee itself. A bank should have procedures in place for documenting that employees or other third parties are truly acting at the direction of a compliance review committee.
2. All information reviewed by compliance review committees (and persons designated and directed to act on their behalf) must consist of “after the fact” analysis, should relate to the bank’s activities alone, and should involve evaluating and seeking to improve: loan underwriting standards; asset quality; financial reporting to federal and state regulatory agencies; or compliance with federal or state statutory or regulatory requirements.
3. Compliance review documents should not be distributed to outside auditors or other outside third parties not designated as members of the compliance review committee or not acting at the direction of the committee. In many cases, such publication of documents may constitute a waiver of confidentiality. Also, keep in mind that individuals who are not designated as members of the compliance review committee or who are not acting at the direction of the committee, but who are performing self-evaluative reviews nonetheless, may be producing notes or memos containing self-evaluative material that are not contemplated as confidential under the provisions of the law.
4. The bank should require, by policy, that compliance review documents be maintained as confidential records, and that examination and distribution of such records be limited only to those persons who have the ability and authority to enforce and improve the activities and practices that have been the subject of the compliance review committee’s evaluation.
Prior to embarking on a program of self-evaluation, the bank may wish to follow the steps outlined above, in addition to reviewing §§ 8-2001 to 8-2005, to avail itself of the protection of compliance confidentiality.