Commentary - Right to Financial Privacy Act

THE RIGHT TO FINANCIAL PRIVACY ACT OF 1978

In view of widespread concern resulting from ambiguities and complexities of the Right To Financial Privacy Act of 1978 [12 U.S.C. § 3401 et seq.], hereafter "the RFPA" or "the Act", this advisory and the attached supporting memorandum are issued to answer several of the questions most frequently raised in connection with disclosures of financial information to federal law enforcement authorities^{*}

{* NOTE: Disclosures to state and local law enforcement authorities are not covered by the Act. Further, in addition to the RFPA, financial institutions in states such as California, Illinois, and Maryland should be familiar with the financial privacy laws of their respective states}

I. Records Covered. The RFPA protects financial records, or information known to be derived therefrom, relating only to accounts of individuals and partnerships of five or fewer partners. The RFPA does not protect records relating to accounts of corporations, partnerships of six or more partners, trusts, associations, or other legal entities

Further, even as to financial information relating to accounts of individuals and partnerships of five or fewer partners, not all records are protected by the RFPA. More specifically, to be a protected record, an item must meet all four of the following tests:

(a) it must be held by a specific financial institution;

(b) it must pertain to an individual's (or covered partnership's) utilization of the services of that financial institution;

(d) it must relate to an account in that individual's (or partnership's) true name

Applying the above four tests, therefore, the following items are not covered by the RFPA: forged or counterfeit financial instruments; records relating to an account established under a fictitious name; financial records in the possession of an institution other than the institution at which the person maintains an account (for example, a check or money order cashed for a non-customer); bank surveillance photographs; contents of a safe deposit box sought pursuant to search warrant; or records pertaining to functions that do not involve an account relationship (services not covered by the Act include sales of stock, performance of computer services, and other activities that do not constitute routine banking services)

II. Reporting of Suspected Crimes. The RFPA specifically authorizes financial institutions voluntarily to report suspected crimes to federal law enforcement authorities even though such notification will necessarily involve disclosure of financial information "derived from" protected records. In reporting that a suspected criminal violation has occurred, is occurring, or will occur, a financial institution may disclose the following information to a federal law enforcement agency:

(a) the name(s) and address(es) of the person(s) suspected and his (their) relationship with the financial institution, if any;

(b) the identity of the financial institution(s) or office(s) thereof involved;

(d) the name(s) and address(es) of the account holder(s) and the account number(s) and type(s) of account(s) in which evidence of the suspected offense(s) is located; and

(e) a general description (dates and any suspicious circumstances) of the transaction(s) involved in the suspected offense(s).
Of course, other information not protected by the Act which will assist the law enforcement agency may be freely disclosed.

To illustrate the extent of information which may be disclosed in connection with a financial institution's notification to federal law enforcement authorities of a suspected criminal offense, the following example is provided:

Example: The employing institution, First Financial, suspects one of its tellers, Steve Jones, of taking advantage of his position at First Financial's State Street branch office to embezzle funds from the accounts of six customers, one of which is a corporation, and of depositing the proceeds of these embezzlements in Jones' own account at the State Street office. Under the RFPA, First Financial may report the crime to federal law enforcement authorities providing all pertinent information not covered by the RFPA. In this case, such non-protected information might include records of Jones' shortages and overages as a teller, complete records relating to the corporate account which has been victimized, information from First Financial's employment records pertaining to Jones including such items as his employment application and salary level, information obtained from interviews with other employees of First Financial [if such information is not derived from financial records pertaining to Jones' personal account] which indicates that Jones is living in a style not in keeping with his income as a teller or that Jones engages in suspicious activities while performing his job as teller.

Of course, financial records relating to Jones' personal accounts are protected as are records pertaining to the five accounts of private individuals who are being victimized by Jones' embezzlement. However, even if derived from such protected records, the following information may be reported to federal law enforcement authorities:

(a) Steve Jones' full name and address, the fact that he is employed as a teller at the State Street office, and the fact that he is suspected of embezzlement;

(b) the fact that the suspected offenses all involve transactions occurring at First Financial, State Street office;

(d) the names and addresses of the customers who are the suspected victims of the embezzlements, the fact that they are believed to be victims, the fact that they have accounts at the State Street office, the account numbers of the victims' and Jones' accounts, and the fact that Jones is suspected of depositing embezzled funds in his account;

(e) the dates of the suspicious transactions involving each victim's account and Jones' account together with a description of any circumstances leading to the belief that the withdrawals and deposits in question were part of an embezzlement scheme (for example, inquiries by customer-victims as to specific unexplained debits to their accounts).

The report may also include the financial institution's analysis of the information described above together with an analysis of the significance of the suspected offense. While the general description and analysis of suspicious transactions may not be so detailed as to eliminate any need for law enforcement access to actual records, it should be sufficient to enable federal authorities (1) to reasonably describe records needed in the investigation, (2) to determine that there is reason to believe such records are relevant to a legitimate law enforcement inquiry. Once provided with sufficient information to comply with these two requirements of the RFPA, federal authorities can proceed to obtain access to records pursuant to the procedures set out by the Act.

III. Non-Coercive Access Mechanisms. The RFPA establishes several procedures by which federal law enforcement authorities may request access to protected financial records. These non-coercive access mechanisms include: (a) Customer-Authorized Access

(authorized by 12 U.S.C. § 3404); (b) Formal Written Requests (authorized by 12 U.S.C. § 3408); (c) Requests for Account Information (authorized by 12 U.S.C. § 3413(g)); (d) Legal Entity Target Exception (authorized by 12 U.S.C. § 3413(h)); Foreign Intelligence Exception (authorized by 12 U.S.C. § 3414(a)); and Emergency Access (authorized by 12 U.S.C. § 3414(b)). As the statutory citations indicate, each of these access mechanisms is explicitly and unambiguously established by the RFPA and each requires the government authority seeking records to certify that it is in compliance with the RFPA. Financial institutions may, therefore, freely disclose records pursuant to these non-coercive mechanisms relying upon the government's certificate of compliance.

With respect to certificates of compliance, financial institutions are under no obligation to look behind the face of the certificate to determine whether it is defective in some respect. If there is any defect in the government's request, the responsibility is that of the government; the financial institution is protected from any possible civil liability under the RFPA by the certificate of compliance.

While these "request" mechanisms are not judicially enforceable, it appears to be the intent of the RFPA that financial institutions comply with proper requests for records. Further, with respect to the Foreign Intelligence Exception, financial institutions are expressly prohibited from notifying the customer of requests for disclosure to the government; this rule of confidentiality is absolute.

IV. Grand Jury Subpoenas. Federal grand jury subpoenas and court orders issued to enforce such subpoenas are specifically exempt from the RFPA. This means that the customer notice, certificate of compliance and civil liability provisions of the Act do not apply to disclosures made pursuant to federal grand jury subpoenas.

Further, the legislative history of RFPA explains why grand jury subpoenas were excepted from the customer notice and challenge provisions of the RFPA: "... grand juries are protected by rules keeping their proceedings secret. Expanded notice and challenge rights might diminish grand jury secrecy and threaten the privacy of individuals being investigated." The Supreme Court has cited five purposes served by the rule of grand jury secrecy: "(1) To prevent the escape of those whose indictment may be contemplated; (2) to insure the utmost freedom to the grand jury in its deliberations, and to prevent persons subject to indictment or their friends from importuning the grand jurors; (3) to prevent subordination of perjury or tampering with the witnessess who may testify before the grand jury ... ; (4) to encourage free and untrammeled disclosures by persons who have information with respect to crimes; (5) to protect [an] innocent accused who is exonerated from disclosure of the fact that he has been under investigation ... " ( United States v. Proctor and Gamble, 356 U.S. 677 (1958)). Because the RFPA does not contemplate customer notice in connection with grand jury subpoenas, and in view of the substantial reasons supporting the policy of grand jury secrecy, any financial institution inclined to treat a grand jury subpoena on other than a confidential basis should first discuss its plans with the government attorney responsible for the grand jury investigation involved.

V. The Intent of Congress. The chief sponsor of the RFPA stated during debate on the bill that the purpose of the Act was to "create a delicate balance" between law enforcement and privacy interests. For this balance to be realized, both federal law enforcement authorities and financial institutions must comply with all provisions of the Act as each provision was enacted to fulfill a particular purpose.

The Bank Secrecy Act of 1970 required financial institutions to preserve copies of financial records which have a "high degree of usefulness in criminal and tax investigations." The 95th Congress could have repealed the Bank Secrecy Act but instead chose to enact the RFPA regulating access to records. By seeking to balance privacy interests against law enforcement needs, and particularly by establishing the non-coercive access mechanisms and exceptions of the RFPA, the Congress recognized the continued importance of law enforcement investigations into organized crime and racketeering, narcotics trafficking, public corruption, fraud against the government and other complex criminal activities which frequently require access to financial records. Financial institutions should be aware of the

background and thrust of the RFPA when acting upon government-initiated legal process for disclosure of financial records.

Top