On July 24, the Consumer Financial Protection Bureau published Circular 2024-04, warning employers that forcing employees to sign broad confidentiality or nondisclosure agreements may violate the whistleblower protections of the Consumer Financial Protection Act of 2010. In doing so, the CFPB joins a host of other federal agencies, including the U.S. Securities Exchange and Commission and Commodity Futures Trading Commission, that have expressed similar concerns and brought enforcement actions against employers for violating whistleblower protections afforded under federal laws and regulations.

Myriad laws protect whistleblowers and provide incentives for employees to report suspected wrongful conduct. In the consumer finance arena, the CFPA provides incentives for certain whistleblower activity and protects whistleblowers from retaliation for reporting suspected violations of consumer financial laws, either internally or externally, to a government agency such as the CFPB.

Specifically, Section 1057 of the CFPA provides that covered persons and service providers are prohibited from retaliating against an employee for providing or attempting to provide information to the CFPB or other government authorities or law enforcement agencies regarding a suspected violation of any law subject to the CFPB’s jurisdiction.¹

In the recent circular, the CFPB acknowledged that employers may have legitimate reasons for requiring employees to sign confidentiality agreements, such as protecting trade secrets or other proprietary information. However, confidentiality agreements must be worded so that an employee could not reasonably believe they are prohibited from providing information to government employees or would be sued or discriminated against for doing so.

The CFPB warned that agreements that do not contain an express exception for exercising whistleblower rights are problematic. Even lawful agreements may be found unlawful if they could be interpreted as attempting to intimidate an employee. One such example given by the CFPB is requiring an employee to sign a confidentiality agreement in connection with an internal investigation or after being notified of potential misconduct. In other words, the circumstance or context within which an employee is required to sign a confidentiality agreement may matter. In addition, including a provision that threatens to sue the employee for violating the agreement could, depending upon the circumstances, be interpreted as threatening retaliation for whistleblowing.

Last year, the National Labor Relations Board issued a similar warning in its McLaren McComb decision.²The NLRB found that a confidentiality provision in a severance agreement was unlawful, in part, because it was not narrowly tailored to the employer’s non-public proprietary or trade secret information and did not make clear that the employees had the right to disclose information to Board investigators. The general counsel for the NLRB subsequently issued guidance stating that confidentiality provisions that do not prohibit employees from exercising their rights under the National Labor Relations Act or communicating with the agency, a union or other third parties “that are narrowly tailored to restrict the dissemination of proprietary or trade secret information for a period of time based on legitimate business justifications may be considered lawful.”³

The SEC fined an investment firm $10 million in January for violating whistleblower protections of the Securities Exchange Act of 1934 by requiring employees to sign confidentiality and non-disclosure agreements that did not contain an express disclaimer for reporting suspected unlawful activity to the SEC. That was one of several enforcement actions the SEC brought against companies for similar conduct, including an action against a private company that resulted in a $225,000 fine even though there was no evidence that an employee had been dissuaded from reporting suspected illegal activity because of the confidentiality agreement.

In June, the Commodity Futures Trading Commission settled an enforcement action against a company that addressed, among other things, the company’s employment and separation agreements that contained broad non-disclosure provisions prohibiting employees from sharing the company’s confidential information with third parties.⁴ The company’s agreements did not contain an exception for information provided to federal regulators or law enforcement.

The CFPB’s recent circular is yet another reminder that employers should make sure the confidentiality provisions in their agreements (employment, severance, non-disclosure, etc.) are narrowly tailored to specific types of information, like proprietary information and trade secrets; have a reasonable time period; and contain a properly drafted carveout for whistleblower activity. Employers should also adopt, publish and enforce a whistleblower policy.

The information in this article is provided for general information purposes only and does not constitute legal advice or an opinion of any kind. You should consult with legal counsel for advice on your institution’s specific legal issues.