• Information Date:
  • Agreement Agency:
    Consumer Financial Protection Bureau (CFPB)
  • Standard Number:

Memorandum of understanding concerning the sharing
of information between the consumer financal protection
bureau and the occupational safety and health administration

I. Introduction and Purpose

This Memorandum of Understanding (MOU) is entered into between the Consumer Financial Protection Bureau (Bureau) and the Department of Labor’s Occupational Safety and Health Administration (OSHA) (collectively, Parties, and individually, a Party). This MOU sets forth the agreement between the Parties with respect to the sharing and treatment of Non-public Information, defined below, shared in connection with their respective responsibilities under Section 1057 of the Consumer Financial Protection Act (CFPA), 12 U.S.C. § 5567; the Bureau’s confidentiality regulations, 12 C.F.R. Part 1070 et seq.; OSHA’s regulations implementing procedures for handling complaints under Section 1057, 29 C.F.R. Part 1985 et seq.; the Sarbanes-Oxley Act, 18 U.S.C. § 1514A and implementing regulations at 29 C.F.R. Part 1980 et seq.; and other applicable law.

Section 1057 of the CFPA establishes protections for employees performing tasks related to the offering or provision of a consumer financial product or service who, among other things, report information to the Bureau relating to activity the employees reasonably believe to be a violation of the CFPA or other laws administered by the Bureau. 12 U.S.C. § 5567(a), (b). Section 1057 further provides that the Secretary of Labor shall receive, investigate, and adjudicate complaints made by employees who have been discriminated against in violation of this provision. Id. at 5567(c). Responsibility for this process has been delegated from the Secretary of Labor to OSHA.

In the course of conducting their respective responsibilities under Section 1057, the Sarbanes-Oxley Act, or other applicable law, OSHA and the Bureau may need to request or share Non-public Information with each other, and OSHA may at times need to request or obtain the Bureau’s Non-public information from third parties, such as financial institutions or complainants. The Parties agree that exchanges of such Non-public Information may occur where consistent with applicable law and as set forth in this MOU.

II. Coordination

OSHA and the CFPB agree to use best efforts to cooperate in cases of alleged discrimination under Section 1057 of the CFPA.

III. Non-public Information

  1. Non-public Information shall be all information in any form (including oral) that the providing Party (Provider) shares with the other Party (Recipient), including information derived therefrom, unless the Provider expressly consents or designates the information as publicly available.

    Non-public Information shall include information belonging to the Bureau (such as, but not limited to, the Bureau’s Confidential Supervisory Information) that is obtained by OSHA from a third party, such as a financial institution or complainant. For purposes of this MOU, Non-public information shall include information defined as confidential information at 12 CFR § 1070.2(f) and any information clearly identified as Bureau information. For purposes of this MOU, the Bureau will be considered the “Provider” of such information, even if OSHA obtained it from a third party.

  2. The Recipient will maintain the confidentiality of all Non-public Information obtained pursuant to this MOU and will use Non-public Information received pursuant to this MOU only for purposes authorized by law.

  3. Except as expressly permitted in this MOU, Non-public Information may not be shared outside of the Recipient without the prior written permission of the Provider.

  4. All Non-public Information provided by the Provider to the Recipient remains the record or property of the Provider. The Recipient, in storing and using the Non-public Information will maintain the identity of the source to the extent practicable.

  5. The Recipient agrees to establish and maintain such safeguards as are necessary and appropriate to protect the confidentiality of the Non-public Information, including any derived information, subject to this MOU. These safeguards include:

    1. restricting access to the Non-public Information to only those employees who have a bona fide need for such information to carry out the responsibilities of the Recipient in connection with Section 1057 of the CFPA or other applicable law;

    2. informing those persons who are provided access to such Non-public Information of their responsibilities under this MOU and applicable law;

    3. establishing appropriate administrative, technical, and physical safeguards for maintaining the confidentiality, data security, and integrity of the Nonpublic Information in accordance with standards applicable to federal agencies; and,

    4. to the extent that the Non-public Information is personally identifiable information1 or is information subject to the Privacy Act of I 974, 5 U.S.C. § 552a, ensuring that the Non-public Information is also protected as required by the Privacy Act and applicable information security standards.

  6. The Recipient may share Non-public Information it receives or has received from the Provider that is subject to this MOU with its contractors but only if the contractor is obligated by the terms of its contract with the Recipient (including any corresponding confidentiality agreement) to (i) safeguard the Non-public Information as described in this MOU; (ii) return, or certify to the Recipient, the destruction of all copies of the Non-public Information at the conclusion of its engagement with the Recipient; (iii) not use the Non-public Information for any purpose other than in connection with its engagement with the Recipient; and (iv) not disclose the Non-public Information outside of the contractor (other than to the Recipient) without the prior written approval of the Provider.

  7. Unless prohibited by law, the Recipient shall:

    1. promptly notify the Provider in writing of any legally enforceable demand or request from a third party for Non-public Information of the Provider (including but not limited to, a subpoena, court order, request pursuant to the Freedom of Information Act, or a request by the U.S. Government Accountability Office);

    2. provide a copy of the request or demand to the Provider for its consideration and, where appropriate or required, advise the requester of such action; provide the Provider a reasonable opportunity to respond to the demand or request prior to complying with the demand or request; and assert on behalf of the Provider all such reasonable and appropriate legal exemptions or privileges that the Provider may request be asserted on its behalf;

      1. in the case of a request made pursuant to the Freedom of Information Act, the Privacy Act, or state analogue, the Recipient will also advise the requester that: (1) the information sought may not be disclosed insofar as it is the property of the Provider; and (2) any request for the disclosure of such information is properly directed to the Provider pursuant to its applicable rules and regulations;

    3. consent to application by the Provider to intervene in any related action for the purpose of asserting and preserving any claims of privilege or confidentiality with respect to the Provider's Non-public Information;

    4. not grant any demand or request for the Provider’s Non-public Information or furnish it to any third party without the prior written approval of the Provider; and

    5. if directed to do so by the Provider, transfer the request or demand to the Provider for its consideration and advise the requester of such action.

  8. Nothing in this MOU shall prevent a Party from complying with a legally valid and enforceable subpoena, or United States federal court order compelling production of the Provider's Non-public Information or, if compliance is deemed compulsory, a request or demand from a duly authorized committee of the United States Senate or House of Representatives. To the extent permitted by law, the Recipient will advise the Provider of such a request, demand, or order as promptly as is reasonably possible and consult with the Provider on the response before complying with the request, demand, or order. Recipient shall use its best efforts to ensure that the requestor secures an appropriate protective order or, if the requestor is a legislative body, use its best efforts to obtain the commitment or agreement of the legislative body that it will maintain the confidentiality of the information.

  9. The Parties agree that sharing of Non-public Information will not constitute either public disclosure or a waiver of confidentiality or of any applicable privileges and does not waive or alter any provisions of any applicable laws relating to Non-public Information. The Parties expressly reserve all evidentiary privileges and immunities applicable to the Non-public Information.

IV. General Terms

  1. Effective Date, Termination, and Amendments. This MOU is effective on the date by which both Parties have signed the MOU and remains effective for five years following the date of execution, unless either Party provides written notice of its intent to terminate this MOU prior to the five year termination. On an annual recurring basis from the date of execution, the CFPB and OSHA will evaluate the continuation of this MOU. If neither OSHA nor the CFPB objects to the continuation of this MOU in writing by notifying the other party of its objection, this MOU shall remain in effect for another year. Following the termination of this MOU, all obligations undertaken by either Party regarding Non-public Information shall survive and continue. The Parties may from time to time amend this MOU in writing and such amendments, when executed by both Parties, shall then become a part of the MOU.
  2. Signature. This MOU may be executed in separate counterparts, each of which when executed and delivered shall be deemed an original, and all of which taken together shall constitute one and the same MOU.
  3. Points of contact. As soon as practicable after execution of this MOU, each Party will advise the other of the name, title, and contact information for the appropriate official(s) to contact for purposes of notice under the MOU. This contact information will be updated as appropriate.
  4. Records. Each Party is solely responsible for all records in their possession that were received or created as a result of this MOU. The Parties will identify, manage, and dispose of those records in accordance with their own National Archives (NARA)-approved records schedule.
  5. Funds. Nothing in this MOU obligates current or future funds of either Party, and each Party is responsible for any costs it incurs in performing the roles and responsibilities described in this MOU. All activities undertaken pursuant to this MOU are subject to the availability of personnel, resources, and funds.
  6. Governing law. This MOU shall be governed by the laws of the United States of America.
  7. Effect of MOU. No provision of this MOU is intended to and may not be construed to limit or otherwise affect the authority of the Parties to administer, implement, or enforce any provision of law governing the Parties' respective authorities or responsibilities. This MOU is not intended to, and does not, alter, waive, or compromise the discretion of either Party to determine the information it will share. This MOU is an internal Government agreement and is not intended to confer any right upon any private person. This MOU represents the broad outline of the Parties' intent to collaborate in areas of mutual interest to the CFPB and OSHA.
  8. Whistleblower protections. These provisions are consistent with and do not supersede, conflict with, or otherwise alter the employee obligations, rights or liabilities created by existing statute or Executive Order relating to (1) classified information, (2) communications to Congress, (3) the reporting to an Inspector General of a violation of any law, rule, or regulation, or mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety, or (4) any other whistleblower protection. The definitions, requirements, obligations, rights, sanctions, and liabilities created by controlling Executive Orders and statutory provisions are incorporated into this Agreement and are controlling.



David Uejio

Acting Director

Consumer Financial Protection Bureau

Date: 8/20/2021



James (Jim) Frederick

Acting Assistant Secretary

Occupational Safety and Health Administration

Date: 6/30/2021

1 Personally identifiable information refers to information that can be used to distinguish or trace an individual’s identity (such as their name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual (such as date and place of birth, mother’s maiden name, etc.), including without limitation any information so designated by the Provider of the information.