Bankers Must Stay on Top of Financial Privacy Laws
March 29, 2012
By: Craig N. Johnson
Denver Business Journal
Maintaining the confidentiality of a customer’s financial information has long been a hallmark of the banking industry. The right to financial privacy, however, is not absolute, and increasingly banks are receiving requests for information about their customers to assist with law enforcement. Because there may be serious penalties for unauthorized disclosure of customer information, it is critical that banks have a solid understanding of their obligations under applicable state and federal laws, and that customers understand their bank’s obligations as well.
Federal Law Considerations
The most important federal statute dealing with the disclosure of customer information is the Right to Financial Privacy Act (RFPA), which was adopted in 1978. This statute generally requires the government to provide customers notice and the right to challenge requests for their financial records, and protects banks from liability for providing such records, which should be provided only if the procedural requirements of RFPA are followed. However, there are a number of nuances and exceptions within the statutory framework.
For example, RFPA applies only to requests for financial records by federal authorities; it does not apply to requests by state agencies, businesses or individual persons. Requests for documents as part of the bank’s regulatory review are not subject to RFPA, nor are requests for certain agencies that have adopted their own rules, such as the Internal Revenue Service. Finally, as indicated, RFPA does not apply to requests made by private litigants, even in federal court.
The definition of “financial records” subject to RFPA is broad, and includes not only originals and copies of documents provided by a customer, but also information derived from any record held by a bank pertaining to the customer’s banking relationship. However, records that do not identify a particular customer are not subject to RFPA.
Further, RFPA does not apply to all bank customers. Only individuals or partnerships of five or fewer individuals are subject to protection under RFPA. Thus, in responding to a request, a bank must consider not only who is requesting the information, but also the customer that is the subject of the request.
It is also important to consider the form of the request, as RFPA includes different requirements for administrative subpoenas or summonses, judicial subpoenas, search warrants and other types of requests by federal agencies.
For example, RFPA generally requires that the government serve a copy of the request to the customer before delivering it to the bank. The customer then has 10 to 14 days within which to challenge the disclosure. If a customer objects to the request, the bank cannot produce the documents until the objection is resolved.
However, certain types of requests are exempt from this prior notice requirement, such as grand jury subpoenas. Similarly, notice of a search warrant is given to the customer after the fact, and the customer has no right to challenge the warrant.
The government may also obtain an order delaying notification to the customer where there is a risk of endangerment or intimidation of a person, or a risk of flight or destruction of evidence. While the bank will generally be notified of any orders limiting notice to the customer, it is important for the bank to communicate with the requesting agency to ensure that all such requirements are known and complied with.
Although RFPA requires the government, not the bank, to notify customers of a request for financial records, the bank should communicate with its client (where permitted to do so) to avoid the inadvertent production of records where the customer has not notified the bank of its objection.
Finally, before providing documents, the bank must receive a “certificate of compliance” from the requesting agency, which verifies that the government has complied with its obligations under RFPA. A bank is generally insulated from liability for disclosing documents in good faith reliance on such a certificate.
State Privacy Law Considerations
Unlike many states, Colorado has not adopted a financial privacy act. However, Colorado courts have long recognized a right to financial privacy. Generally, this extends to information a bank maintains about its customers, including account and other personal information. Nevertheless, the reported cases provide banks little guidance when responding to a request for information from state law enforcement authorities.
Fortunately, section 11-105-110 of the Colorado Revised Statutes provides a “safe harbor” for banks disclosing financial records of a customer in certain situations. Under this statute, a bank is not liable for disclosing its customers’ financial information pursuant to lawful notice, a subpoena, a search warrant, a grand jury subpoena, a written request or “other process issued by any governmental authority or by a court.”
For a bank to avoid liability under this statute, it must ensure that the request (1) is initiated by a legitimate governmental authority and (2) is in writing. The safe harbor provision does not apply to verbal requests for customer information.
Unlike the RFPA, Colorado’s safe harbor statute does not require that the customer be provided notice of the governmental request. However, banks should provide notice of such a request to their customers unless prohibited from doing so, as in the case of a grand jury subpoena. Providing notice to customers provides them the opportunity to object to from the request. More importantly, prior notice avoids the “surprise” of finding out that records have been produced without the customer’s knowledge, which may expose the bank to civil money penalties or other liability.
This Article is published for general information, not to provide specific legal advice. The application of any matter discussed in this article to anyone's particular situation requires knowledge and analysis of the specific facts involved.
Copyright © 2012 Fairfield and Woods, P.C., ALL RIGHTS RESERVED.
Comments or inquiries may be directed to:
Craig N. Johnson