As used in this subpart:

Confidential regulatory information means any record, data, or report, including but not limited to examination reports, or any part thereof, that is non-public, privileged or otherwise not intended for public disclosure which is in the possession or control of a financial regulatory agency and which contains information regarding members of a Bank or financial institutions with which a Bank has had or contemplates having transactions under the Bank Act.

Financial regulatory agency means any of the following:

(1) The Department of the Treasury, including the Comptroller of the Currency;

(2) The Board of Governors of the Federal Reserve System;

(3) The National Credit Union Administration; or

(4) The Federal Deposit Insurance Corporation.

Third party means any person or entity except a director, officer, employee or agent of either:

(1) A Bank in possession of any particular confidential regulatory information; or

(2) The financial regulatory agency that supplied the particular confidential regulatory information to such Bank.

This subpart governs the procedure by which a Bank will request and receive confidential regulatory information pursuant to section 22 of the Bank Act (12 U.S.C. 1442).

A Bank shall make all requests for confidential regulatory information to a financial regulatory agency, or to a regional office of such agency if mutually agreeable, in accordance with the procedures contained in this subpart as well as any procedures of general applicability for requesting information promulgated by such financial regulatory agency. This subpart and its procedures may be supplemented by a confidentiality agreement between a Bank and a financial regulatory agency.

A request by a Bank to a financial regulatory agency for confidential regulatory information shall be made in writing or by such other means as may be agreed upon between the Bank and the financial regulatory agency. The request shall reference section 22 of the Bank Act (12 U.S.C. 1442), as amended, and this regulation, and shall describe the confidential regulatory information requested and identify its intended use pursuant to the Bank Act. The request shall be signed or otherwise made by any duly authorized Bank officer or employee.

Each Bank shall:

(a) Store all identified confidential regulatory information in secure storage areas or filing cabinets or other secured facilities generally used by such Bank and limit access thereto in the same manner as it maintains the confidentiality of its own members' privileged or non-public information;

(b) Have in place a written set of procedures and policies designed to ensure the confidentiality of confidential regulatory information in its possession; and

(c) Establish an internal review of its procedures for storing confidential regulatory information and maintaining its confidentiality, as a part of its internal audit process.

Each Bank shall ensure that access to the confidential regulatory information stored at its facility is limited to those with a need to know such information and that employees with access maintain the confidentiality of the confidential regulatory information in accordance with the Bank's own procedures for maintaining the confidentiality of its members' privileged or non-public information.

(a) General. In the event a Bank receives a request for confidential regulatory information in its possession from any third party, the Bank shall forward such request to the financial regulatory agency from which the confidential regulatory information was obtained.

(b) Subpoena. In the event a Bank receives a subpoena for confidential regulatory information issued by a Federal, state or local government department, agency, court or bureau, the Bank shall give timely written notice of such subpoena to the financial regulatory agency from which the confidential regulatory information was obtained, unless such notice is prohibited by applicable law. Except as limited in this subpart, the Bank may disclose confidential regulatory information pursuant to the subpoena, after giving timely written notice, when:

(1) The financial regulatory agency gives written approval to the disclosure; or

(2) A binding order to produce the confidential regulatory information has become final with all rights of appeal either exhausted or lapsed.

(c) Nondisclosure to third parties. Except as provided in paragraph (b) of this section, a Bank shall not disclose confidential regulatory information to any third party. A Bank shall refer all third party requests for such confidential regulatory information to the financial regulatory agency that released the confidential regulatory information to the Bank.

(d) Disclosure to FHFA. (1) Neither this subpart nor any confidentiality agreement executed between a Bank and a financial regulatory agency shall prevent a Bank from disclosing confidential regulatory information in its possession to FHFA whenever disclosure is necessary to accomplish FHFA's supervision of Bank membership applications or Bank director eligibility issues, or disclosing any confidential regulatory information in its possession if such disclosure is made pursuant to an audit conducted pursuant to § 1271.19 or section 20 of the Bank Act (12 U.S.C. 1440).

(2) FHFA shall keep all confidential regulatory information received under this paragraph (d) in strict confidence.

Nothing in this subpart shall preclude a Bank from arranging with any financial regulatory agency to transmit or allow access to confidential regulatory information with the consent of such agency by means of an electronic computer system. Any such arrangement shall ensure the security of the computerized data stored in a Bank's computer and restrict access to such data in order to preserve confidentiality in a manner agreed upon by the Bank and the financial regulatory agency.