Which law requires all types of financial institutions to protect customers' private financial information?
The Right to Financial Privacy Act of 1978 protects the confidentiality of personal financial records by creating a statutory Fourth Amendment protection for bank records. The Act was essentially a reaction to the U.S. Supreme Court’s 1976 ruling in United States v. Miller, where the Court found that bank customers had no legal right to privacy in financial information held by financial institutions. 425 U.S. 435 (1976). Generally, the RFPA requires that federal government agencies provide individuals with a notice and an opportunity to object before a bank or other specified institution can disclose personal financial information to a federal government agency, often for law enforcement purposes.
History
The Right to Financial Privacy Act of 1978 was introduced by House Representative John Cavanaugh and 11 other congressmen on June 30, 1977. The bill was the result of privacy risks presented by the increased maintenance and access to customer information at financial institutions. The federal courts did not react to the need of financial privacy protection in the same way as Congress, and the ensuing cases resulted in multiple blows to consumer privacy.
For example, in California Bankers Association v. Shultz, the U.S. Supreme Court held that the Constitution did not protect the privacy of personal information in records maintained by business and government. It rejected a challenge by the American Civil Liberties Union and the California Bankers Association against the Bank Secrecy Act of 1970, which requires that financial institutions make and retain microfilm copies of all checks over a specific dollar amount. 31 U.S.C. § 5311-5330. In reality, most banks microfilmed all checks because it was administratively easier. The Supreme Court upheld the Act against arguments that it infringed on constitutionally protected individual privacy because the maintenance of such financial transactions provided a “virtual current biography of the individual customers.”
On the same day in 1976, the Supreme Court ruled on two significant cases, prompting Congress to respond via the RFPA. In United States v. Miller, the Supreme Court held that a bank customer does not have a legally recognizable expectation of privacy in records of accounts maintained by a bank. Interestingly enough, this case resulted from suspected tax evasion by a man involved in alcohol distilling. In 1972, a deputy sheriff responded to an informant’s tip and stopped a truck driven by two of the respondent’s (Miller) alleged co-conspirators. The truck contained a distillery apparatus and raw material for whiskey distilling.
One month later, a fire erupted in a warehouse rented by Miller, during which the firemen discovered a 7,500-gallon-capacity distillery, 175 gallons of non-tax-paid whiskey, and related paraphernalia. Suspecting tax evasion, the Treasury Department’s Alcohol, Tobacco and Firearms Bureau requested Miller’s account information from his bank, which turned over this information without notifying Miller. Miller asserted that his financial records were private papers, protected by the Fourth Amendment; however, the court disagreed, holding he had no reasonable expectation of privacy.
Similarly, in Fisher v. United States, the Supreme Court held that an individual has no Fifth Amendment right to protest an order to his attorney to produce records of his private financial affairs when the records have been made by the individual’s accountant. The Court concluded that when records are developed or maintained during the course of an ordinary business relationship by a person other than the subject of those records, the subject has no expectation of privacy and thus, no constitutional protection.
The reaction to the Supreme Court decisions was Congress’ enactment of the RFPA, which was essentially designed to reverse Miller in the context of financial records and provide standing for individuals to complain about the improper release of information about them in records maintained by financial institutions. The originally argued purpose for the RFPA was threefold:
RFPA’s Provisions
The RFPA states that “no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and
The statute requires that the requesting federal government agency must give the customer advance notice of the requested disclosure from the financial institution, thus giving the customer opportunity to challenge the government’s access to the records before the disclosure takes place. The government agency must serve the customer with a copy of its request or order, or mail a copy to the customer on or before the date which it serves the order or delivers or mails the request to the financial institution maintaining the records. The customer then has 10 days from the date of service, or 14 days from the date of mailing, to challenge the requested disclosure. The Act only governs disclosures to the federal government, its officers, agents, agencies, and departments. It does not govern private businesses or state or local government.
Furthermore, the law specifies which financial institutions fall under the statute’s requirements. The RFPA defines ‘financial institution’ as any office of a card issuer defined in section 103 of the Consumer Credit Protection Act, which in turn defines the term ‘card issuer’ as essentially any entity that issues a credit card. See 15 U.S.C. § 1602(n). Traditional bank credit card issuers are covered by this definition, but the definition also includes retailers and other merchants (such as gasoline companies) that issue their own credit cards, even though these entities are not usually perceived as ‘financial institutions.’ For example, the definition was expanded beginning in July 2002, and now includes many entities that most individuals would not consider ‘financial institutions,’ such as
A point of confusion has been whether the definition includes the issuers of travel and entertainment cards which do not permit customers to defer payment. The case law has yielded mixed results on this issue.
It is also important to note that under the RFPA covered customers are individuals or partnerships of 5 or fewer individuals. Corporations, trusts, estates, unincorporated associations such as unions, and large partnerships are not covered by the RFPA. Therefore, the availability of RFPA protection depends on the type of person or entity whose records are sought.
Much of the opposition to the RFPA has been by federal law enforcement officials who are concerned that the proposed privacy protections would impede federal authorities in their investigation and prosecution of white-collar and organized crime. However, the RFPA allows financial information to be revealed based on a much weaker showing than the Fourth Amendment requirement of probable cause. The law was weakened in the late 1980s to allow postponement of notice to bank customers in investigations dealing with drug trafficking and espionage, and again by the US Patriot Act to allow disclosure when terrorism is a suspicion.
Exceptions to RFPA
There are classes of exceptions in which certain financial records are not protected by the Act. In these situations, disclosure by a financial institution is always permitted, and no authorization, subpoena, or warrant is required.
RFPA and Suspicious Activity Reports
Under 12 U.S.C. § 3403(c), financial institutions and their employees have complete immunity from civil liability for the reporting of known or suspected criminal offenses or suspicious activity by filing a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN), part of the Department of Treasury. This reporting system evolved in 1992 when Congress amended the Bank Secrecy Act to authorize the Treasury Department to adopt the SAR requirements, through the Annunzio-Wylie Anti-Money Laundering Act. Title XV. P.L. 102-550, 106 Stat. 4044, 4059. Essentially, this amendment gave the Treasury Department the power to require reporting of any “suspicious transaction relevant to a possible violation of law or regulation.” 31 U.S.C. § 5318(g)(1).
The RFPA contains a large loophole, which is to accommodate financial institution reporting under the Bank Secrecy Act. 12 U.S.C. § 3413(d). Though RFPA contemplates that notice will be given to customers when financial records are transferred from one federal agency to another, notice is not given to customers when SARs are furnished by FinCEN to law enforcement officials. The obligation to report personal financial information on a SAR is easily triggered. Essentially, a financial institution must file a SAR if any of the following information is discovered:
“Transactions” include any deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond or other investment security, or any other payment through the financial institution. A Suspicious Activity Report can be viewed at http://www.treas.gov/fincen/forms.html#90
As mentioned, the definition of a “financial institution” now includes many entities most individuals would not consider as financial institutions, including casinos and the U.S. Postal Service. However, these entities are required to report any suspicious activity involving at least $5,000. Thus, gamblers visiting a casino may encounter some difficulties.
Additionally, each person engaged in a trade or business who, in the course of that trade or business, receives more than $10,000 cash in one transaction or in two or more related transactions must file a Form 8300 with FinCEN. 31 U.S.C. § 5332. This is a very broad requirement, so many different entities are subject to this regulation. For example, if you purchase jewelry in cash for over $10,000, a report will be filed on you, even if such activity is not suspicious. For a copy of the form, see http://www.fincen.gov/reg_bsaforms.html
RFPA and State Law
The RFPA does not apply to requests or orders for information by state and local government entities. While the Act does not contain explicit provisions regarding its effect on state law, the legislative history of the RFPA indicates that Congress intended to regulate access to customer records by federal agencies and departments only, without precluding states from regulating access of state and local agencies to such records. The following states contain virtually the same protections as the RFPA, applicable to their state and local governments: Alabama, Alaska, Connecticut, Illinois, Louisiana, Maine, Maryland, New Hampshire, North Carolina, North Dakota, Oklahoma, Oregon, Utah, and Vermont. Both Florida and Massachusetts provide additional customer protections for financial electronic transfer systems (Fla. Stat. Ann § 659.062; Mass. Gen. Laws Ann. Ch. 167B, §7-16), while Minnesota requires the quarterly disclosure of all account information to the local government regarding any non-custodial parent owing child support. Minn. Stat. Ann. § 13B.06. California, however, simply provides that a bank customer is entitled to a ten-day notice before a state investigator can obtain the customer’s financial records. Cal. Govt. Code § 7460.
Relevant Cases