What regulatory carve-outs must banking NDAs include?

Banking NDAs must allow disclosure to prudential regulators (OCC, FDIC, Federal Reserve), state banking regulators, and examiners conducting safety and soundness reviews. These carve-outs cannot be negotiated away.

How do BSA/AML requirements affect banking NDAs?

NDAs cannot restrict a bank's ability to file Suspicious Activity Reports (SARs), comply with Currency Transaction Reports (CTRs), or cooperate with FinCEN inquiries. Any attempt to limit BSA/AML compliance is void as against public policy.

What OCC guidance applies to bank vendor NDAs?

OCC Bulletin 2013-29 on Third-Party Relationships requires banks to include specific contractual provisions including right-to-audit, subcontracting controls, and contingency planning in vendor agreements. NDAs should align with these requirements.

Can banking NDAs restrict customer data sharing?

Yes, but with limitations. Banks must comply with GLBA privacy requirements, and NDAs should define permitted uses of customer information. However, regulatory examination of customer information cannot be restricted.

Banking Partnership NDA | Bank-Vendor Relationships

⚠️

Critical: Regulatory Examination Rights Cannot Be Restricted

Any NDA provision that restricts a bank's ability to provide information to prudential regulators (OCC, FDIC, Federal Reserve, state banking regulators) during examinations is void and unenforceable. This template includes required carve-outs, but verify with your compliance team.

🔒 Key Provisions for Banking NDAs

Regulatory Examination Carve-out

Explicit permission for disclosure to OCC, FDIC, Federal Reserve, CFPB, state banking regulators, and their authorized representatives during examinations. This is non-negotiable.
BSA/AML Compliance

Carve-out for filing SARs, CTRs, and other BSA-required reports. Prohibition on any provision that could be construed as tipping off or impeding AML compliance.
OCC Vendor Management

Align with OCC Bulletin 2013-29 requirements including right-to-audit, subcontractor controls, business continuity provisions, and performance monitoring.
Customer Data Limitations

Define permitted uses of customer information consistent with GLBA and bank privacy policies. Address data minimization and return/destruction requirements.
Subcontracting Controls

Require bank consent for subcontracting. Flow-down of confidentiality obligations and right-to-audit for material subcontractors.
Incident Response

Define breach notification timelines, cooperation requirements, and regulatory reporting obligations for security incidents involving confidential information.

Regulatory Framework

Key regulators and their confidentiality implications

OCC (National Banks)

Primary prudential regulator for national banks and federal savings associations.

OCC Bulletin 2013-29 vendor management
Examination access requirements
Safety and soundness considerations

FDIC (State Banks)

Insures deposits and examines state-chartered banks not in the Federal Reserve System.

Third-party risk management guidance
Examination coordination
Deposit insurance implications

Federal Reserve

Supervises bank holding companies and state-chartered member banks.

SR Letters on vendor management
Consolidated supervision
Holding company considerations

State Banking Regulators

Primary regulators for state-chartered banks with varying examination authority.

State-specific confidentiality laws
Multi-state coordination
Licensing considerations

📋 OCC Vendor Management Alignment

OCC Bulletin 2013-29 establishes expectations for managing third-party relationships. Banking NDAs should align with these requirements.

Right-to-Audit

Include contractual right to audit the vendor's controls, including security practices and compliance with agreement terms.
Subcontracting

Require notification and consent for material subcontracting. Ensure confidentiality flows down to subcontractors.
Business Continuity

Address contingency planning for vendor failure, including data access and transition assistance provisions.
Performance Monitoring

Enable ongoing monitoring of vendor compliance with confidentiality and other contractual obligations.

⚠️ Consult Bank Regulatory Counsel

Banking relationships involve complex regulatory requirements that vary by charter type, size, and business activities. This template addresses common issues but should be reviewed by counsel familiar with your specific regulatory environment. Banks should coordinate with their compliance departments before executing vendor NDAs.