12 CFR § 1233.3 - Reporting.
(a) Timeframe for reporting.
(1) A regulated entity shall submit to the Director a timely written report upon discovery by the regulated entity that it has purchased or sold a fraudulent loan or financial instrument, or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.
(2) In addition to submitting a report in accordance with paragraph (a)(1) of this section, in any situation that would have a significant impact on the regulated entity, the regulated entity shall immediately report any fraud or possible fraud to the Director by telephone or electronic communication.
(b) Format for reporting.
(1) The report shall be in such format and shall be filed in accordance with such procedures that the Director may prescribe.
(2) The Director may require a regulated entity to provide such additional or continuing information relating to such fraud or possible fraud that the Director deems appropriate.
(3) A regulated entity may satisfy the reporting requirements of this section by submitting the required information on a form or in another format used by any other regulatory agency, provided it has first obtained the prior written approval of the Director.
(c) Retention of records. A regulated entity or entity-affiliated party shall maintain a copy of any report submitted to the Director and the original or business record equivalent of any supporting documentation for a period of five years from the date of submission.
(d) Nondisclosure.
(1) A regulated entity or entity-affiliated party may not disclose to any person that it has submitted a report to the Director pursuant to this section, unless it has first obtained the prior written approval of the Director.
(2) The restriction in paragraph (d)(1) of this section does not prohibit a regulated entity from—
(i) Disclosing or reporting such fraud or possible fraud pursuant to legal requirements, including reporting to appropriate law enforcement or other governmental authorities; or
(ii) Taking any legal or business action it may deem appropriate, including any action involving the party or parties connected with the fraud or possible fraud.
(e) No waiver of privilege. A regulated entity does not waive any privilege it may possess under any applicable law as a consequence of reporting fraud or possible fraud under this part.