The Right to Financial Privacy Act
- IRS Seeks "John Doe" Summonses for Tax Evaders:The Washington Post reportsthat he Internal Revenue Service asked seven District Courts to allow "John Doe" summonses to obtain records of credit card transactions. The IRS, attempting to track down tax evaders' hidden assets offshore, went to court seeking access to credit card records held by more than 40 hotels, airlines and car-rental companies. The agency is seeking to identify holders of MasterCards issued by banks in tax-haven countries such as Antigua, Barbuda, the Bahamas and the Cayman Islands. The IRS suspects a number of Americans have moved substantial sums to offshore banks, not only to evade U.S. taxes or IRS collection efforts but also as part of bankruptcy fraud and possibly money-laundering schemes. (August 30, 2002).
- RFPA amended due to the USA Patriot Act of 2001:Section 358 of the U.S. Patriot Act amendedthe RFPA to permit the disclosure of financial information to any intelligence or counterintelligence agency in any investigation related to international terrorism. (October, 2001)
The Right to Financial Privacy Act of 1978 protects the confidentiality of personal financial records by creating a statutory Fourth Amendment protection for bank records. The Act was essentially a reaction to the U.S. Supreme Court's 1976 ruling in
United States v. Miller, where the Court found that bank customers had no legal right to privacy in financial information held by financial institutions. 425 U.S. 435 (1976). Generally, the RFPA requires that federal government agencies provide individuals with a notice and an opportunity to object before a bank or other specified institution can disclose personal financial information to a federal government agency, often for law enforcement purposes.
- Right to Financial Privacy Act, 12 U.S.C. §§ 3401-342.
- United States v. Miller, 425 U.S. 435 (1976).
The Right to Financial Privacy Act of 1978 was introduced by House Representative John Cavanaugh and 11 other congressmen on June 30, 1977. The bill was the result of privacy risks presented by the increased maintenance and access to customer information at financial institutions.
The federal courts did not react to the need of financial privacy protection in the same way as Congress, and the ensuing cases resulted in multiple blows to consumer privacy. For example, in California Bankers Association v. Schultz, the U.S. Supreme Court held that the Constitution did not protect the privacy of personal information in records maintained by business and government. It rejected a challenge by the American Civil Liberties Union and the California Bankers Association against the Bank Secrecy Act of 1970, which requires that financial institutions make and retain microfilm copies of all checks over a specific dollar amount. 31 U.S.C. § 5311-5330. In reality, most banks microfilmed all checks because it was administratively easier. The Supreme Court upheld the Act against arguments that it infringed on constitutionally protected individual privacy because the maintenance of such financial transactions provided a "virtual current biography of the individual customers."
On the same day in 1976, the Supreme Court ruled on two significant cases, prompting Congress to respond via the RFPA. In United States v. Miller, the Supreme Court held that a bank customer does not have a legally recognizable expectation of privacy in records of accounts maintained by a bank. Interestingly enough, this case resulted from suspected tax evasion by a man involved in alcohol distilling. In 1972, a deputy sheriff responded to an informant's tip and stopped a truck driven by two of the respondent's (Miller) alleged co-conspirators. The truck contained a distillery apparatus and raw material for whiskey distilling. One month later, a fire erupted in a warehouse rented by Miller, during which the firemen discovered a 7,500-gallon-capacity distillery, 175 gallons of non-tax-paid whiskey, and related paraphernalia. Suspecting tax evasion, the Treasury Department's Alcohol, Tobacco and Firearms Bureau requested Miller's account information from his bank, which turned over this information without notifying Miller. Miller asserted that his financial records were private papers, protected by the Fourth Amendment; however, the court disagreed, holding he had no reasonable expectation of privacy. Similarly, in Fisher v. United States, the Supreme Court held that an individual has no Fifth Amendment right to protest an order to his attorney to produce records of his private financial affairs when the records have been made by the individual's accountant. The Court concluded that when records are developed or maintained during the course of an ordinary business relationship by a person other than the subject of those records, the subject has no expectation of privacy and thus, no constitutional protection.
The reaction to the Supreme Court decisions was Congress' enactment of the RFPA, which was essentially designed to reverse Millerin the context of financial records and provide standing for individuals to complain about the improper release of information about them in records maintained by financial institutions.
The originally argued purpose for the RFRA was threefold:
- Require that customers be notified before disclosure of their records to the government;
- Give customers standing to challenge release of their records to the government; and
- Require government agencies to produce an audit trail documenting the disclosure of customer info to the government, as well as any interagency transfer of info.
The RFPA sates that "no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described" and
- the customer authorizes access;
- there is an appropriate administrative subpoena or summons;
- there is a qualified search warrant;
- there is an appropriate judicial subpoena; or
- there is an appropriate written request from an authorized government authority.
The statues requires that the requesting federal government agency must give the customer advance notice of the requested disclosure from the financial institution, thus giving the customer opportunity to challenge the government's access to the records before the disclosure takes place. The government agency must serve the customer with a copy of its request or order, or mail a copy to the customer on or before the date which it serves the order or delivers or mails the request to the financial institution maintaining the records. The customer then has 10 days from the date of services, or 14 days from the date of mailing, to challenge the requested disclosure.
The Act only governs disclosures to the federal government, its officers, agents, agencies, and departments. It does not govern private businesses or state or local government.Furthermore, the law specifies which financial institutions fall under the statute's requirements. The RFPA defines 'financial institution' as any office of a card issuer defined in section 103 of the Consumer Credit Protection Act, which in turn defines the term 'card issuer' as essentially any entity that issues a credit card. See 15. U.S.C. §1602(n). Traditional bank credit card issuers are covered by this definition, but the definition also includes retailers and other merchants (such as gasoline companies) that issue their own credit cards, even though these entities are not usually perceived as 'financial institutions.' For example, the definition was expanded beginning in July 2002, and now includes many entities that most individuals would not consider 'financial institutions,' such as
- Depository institution (banks, thrifts, credit unions)
- Money services business
- Money order issuers, sellers and redeemers
- Travelers check issuers, sellers and redeemers
- U.S. Postal Service
- Securities and futures industries
- Futures commission merchants
- Commodity trading advisor
- Casino and card clubs
A point of confusion has been whether the definition includes the issuers of travel and entertainment cards which do not permit customers to defer payment. The case law has yielded mixed results on this issue.
It is also important to note that under the RFPA covered customers are individuals or partnerships of 5 or fewer individuals. Corporations, trusts, estates, unincorporated associations such as unions, and large partnerships are not covered by the RFPA. Therefore, the availability of RFPA protection depends on the type of person or entity whose records are sought.
Much of the opposition to the RFPA has been by federal law enforcement officials who are concerned that the proposed privacy protections would impede federal authorities in their investigation and prosecution of white-collar and organized crime. However, the RFPA allows financial information to be revealed based on a much weaker showing than the Fourth Amendment requirement of probable cause. The law was weakened in the late 1980s to allow postponement of notice to bank customers in investigations dealing with drug trafficking and espionage, and again by the US Patriot Act to allow disclosure when terrorism is a suspicion.
There are classes of exceptions in which certain financial records are not protected by the Act. In these situations, disclosure by a financial institution is always permitted, and no authorization, subpoena, or warrant is required.
- Class 1: Disclosures that do not identify a particular customer. Example: Federal department seeks records regarding the employee benefit plans maintained by a national bank. See, Donovan v. National Bank of Alaska, 696 F.2d 678 (9th Cir. 1983).
- Class 2: Disclosures in the financial institutions interest, including perfection of security interests, government loans, loan guaranties and loan insurance, as well as disclosures that are relevant to possible violations of the law. Note that disclosure to a law enforcement is permissible but this disclosure is limited to the name of the account holder and "the nature of any suspected illegal activity." 12 U.S.C. §3403(c). Example: A federal government agency requests the release of financial records to prove a bankruptcy claim.
- Class 3: Disclosures in connection with supervisory investigations and proceedings. When a supervisory agency investigates a financial institution, the rights of customers are not at stake, and therefore such disclosures are permissible under the Act. Example: The Securities and Exchange Commissions wishes to investigate suspicious business operations of a national bank.
- Class 4: Disclosures under the tax privacy provisions. Example: The IRS may obtain information from a bank about a customer without the use of a summons or notice because the Internal Revenue Codes has its own individual privacy protections.
- Class 5: Disclosures pursuant to other federal statutes or rules, administrative or judicial proceedings, and legitimate functions of supervisory agencies. Example: The Act permits disclosures to a government agency under the Federal Rules of Civil Procedure because civil litigation already involves the right of notice before records are disclosed.
- Class 6: Emergency disclosures and disclosure to federal agencies charged with foreign intelligence or counter intelligence or other national security protective functions. Example: A bank may disclose customer records to a federal agency if the customer is suspected of terrorist action.
Under 12 U.S.C. §3403(c), financial institutions and their employees have complete immunity from civil liability for the reporting of known or suspected criminal offenses or suspicious activity by filing a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN), part of the Department of Treasury. This reporting system evolved in 1992 when Congress amended the Bank Secrecy Act to authorize the Treasury Department to adopt the SAR requirements, through the Annunzio-Wylie Anti-Money Laundering Act. Title XV. P.L. 102-550, 106 Stat. 4044, 4059. Essentially, this amendment gave the Treasury Department the power to require reporting of any "suspicious transaction relevant to a possible violation of law or regulation." 31 U.S.C. § 5318(g)(1). The RFPA contains a large loophole, which is to accommodate financial institution reporting under the Bank Secrecy Act. 12 U.S.C. § 3413(d). Though RFPA contemplates that notice will be given to customers when financial records are transferred from one federal agency to another, notice is not given to customers when SARs are furnished by FinCEN to law enforcement officials.
The obligation to report personal financial information on a SAR is easily triggered. Essentially, a financial institution must file a SAR, if any of the following information is discovered:
- Any kind of insider abuse of a financial institution, involving any amount;
- Federal crimes against, or involving transactions conducted through, a financial institution that the financial institution detects and that involve at least $5,000 if a suspect can be identified, or at least $25,000 regardless of whether a suspect can be identified;
- Transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect involve funds from illegal activities or are structured to attempt to hide those funds;
- Transactions of at least $5,000 that the institution knows, suspects or has reason to suspect are designed to evade any regulations promulgated under the Bankruptcy Secrecy Act; or
- Transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect have no business or apparent lawful purpose or are not the sort in which the particular customer would normally be expected to engage and for which the institution knows of no reasonable explanation after due investigation.
"Transactions" include any deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond or other investment security, or any other payment through the financial institution.
A Suspicious Activity Report can be viewed at http://www.treas.gov/fincen/forms.html#90
As mentioned, the definition of a "financial institution" now includes many entities most individuals would not consider as financial institutions, including the casinos, and the U.S. Postal Service. However, these entities are required to report any suspicious activity involving at least $5,000. Thus, gamblers visiting a casino may encounter some difficulties.
Additionally, each person engaged in a trade or business, who in the course of that trade or business, receives more than $10,000 cash in one transaction or in two or more related transactions must file a Form 8300 with FinCEN. 31. U.S.C. §5332. This is a very broad requirement, so that many different entities are subject to this regulation. For example, if you purchase jewelry in cash for over $10, 000, a report will be filed on you, even if such activity is not suspicious. For a copy of the form, see http://www.fincen.gov/reg_bsaforms.html
- Joint Comments on Suspicious Activity Reports, EPIC, Free Congress Foundation, Privacy Times.
- Report on Financial Privacy, Law Enforcement, and Terrorism, Task Force on Information Exchange and Financial Privacy, Prosperity Institute, March 25, 2002.
The RFPA does not apply to request for orders for information by state and local government entities. While, the Act does not contain explicit provisions regarding its effect on state law, the legislative history of the RFPA indicates that Congress intended to regulate access to customer records by federal agencies and departments only, without precluding states from regulating access of state and local agencies to such records.
The following states contain virtually the same protections as the RFPA, applicable to their state and local governments: Alabama, Alaska, Connecticut, Illinois, Louisiana, Maine, Maryland, New Hampshire, North Carolina, North Dakota, Oklahoma, Oregon, Utah, and Vermont. Both Florida and Massachusetts provide additional customer protections for financial electronic transfer systems (Fla. Stat. Ann § 659.062; Mass. Gen. Laws Ann. Ch. 167B, §7-16), while Minnesota requires the quarterly disclosure of all account information to the local government regarding any non-custodial parent owing child support. Minn. Stat. Ann. § 13B.06. California however simply provides that a bank customer is entitled to a ten-day notice before a state investigator can obtain the customer's financial records. Cal. Govt. Code § 7460.
- United States v. Miller , 425 U.S. 435 (1976): Supreme Court found that bank customers had no legal right to privacy in financial information held by financial institutions, which led to the RFPA.
- California Bankers Association v. Schultz, 416 US 21 (1974): U.S. Supreme Court held that the Constitution did not protect the privacy of personal information in records maintained by business and government.
- Fisher v. United States , 425 U.S. 391 (1976): , the Supreme Court held that an individual has no Fifth Amendment right to protest an order to his attorney to produce records of his private financial affairs when the records have been made by the individual's accountant.
- United States v. MacKay, 608 F.2d 830 (10th Circ 1979): RFPA does not apply to IRS summons.
- Anderson v. La Junta State Bank , US App. LEXIS 12345 (10th Cir. 1997): Oral disclosure by bank violates RFPA.
- United States v. Wilson, 571 F. Supp. 1417 (S.D.N.Y. 1983): Court discussed the substantive standards for disclosure under act, and explained that it grants bank customers only limited right to challenge subpoenas served by federal agencies on banks and other financial institutions.
- Lopez v. First Union National Bank of Florida , 129 F.3d 1186 (11th Cir. 1997): Disclosure pursuant to a seizure warrant is permissible, but disclosure to verbal instructions," is not, because government-officials verbal instructions do not constitute other legal authority.
- Shannon McCaffrey, Patriot Act has curbed civil liberties, raised security costs for some, Knight Ridder Newspapers, September 7, 2003.
- L. Richard Fischer, The Law of Financial Privacy, Vol 1, A.S. Pratt & Sons. (2002).
- K. Agle, Bankers: Unsung Hereos in the War Against Crime: Suspicious Acitivity Reporting, (2000)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,