Bank of America, the FBI, and the Question of Financial Privacy (Part 1)
BoA is accused of giving the FBI information on its customers unbidden. Is that legal? Should it be?
Update: The second, third, fourth, and fifth parts of this series are now published.
A recent interim staff report from the majority (Republican) staff of the House Select Subcommittee on the Weaponization of the Federal Government alleges that Bank of America, without being asked or required, provided the FBI with a list of its customers who used a BoA credit or debit card in the Washington DC area from January 5th through January 7th 2021 (around the time of the Capitol Riot) for any purchase and further prioritized customers who had purchased a firearm at any point. This information was reportedly provided to the FBI’s Washington office who then apparently provided portions of the list to field offices based on the residence of the identified customer. It is unclear if the information was ever used by the FBI.
This allegation raises obvious questions. The first of course is: Is it true? This report is a partisan document, but it does name the current and former FBI officials who testified about the receipt of the information, and I am not aware of Bank of America affirming or denying the allegation. Clearly more facts will need to develop but for the sake of argument, let’s assume the allegation is true.
The second question is then, just what did BoA hand over? Did it provide just a list of names and identifying information of BoA’s customers, or did it include any actual financial transaction data? This may seem like a small thing but could be important to the next question: Was this legal?
Recall that under the Right to Financial Privacy Act (RFPA) banks are limited in what information they may share with the federal government and the process by which it must be shared. Recall further that there are some broad exceptions to those limitations, and one of those exceptions may be relevant here.
Under 12 USC 3403(c) a bank can notify the federal government that it has information about a customer that may be relevant to a legal violation. Under this provision the bank cannot be held liable under federal law or any state constitution, law, or regulation. However, the bank may only provide the government with the name and identifying information of the customer and the nature of the suspected legal violation, not the financial records themselves. (see e.g. United States v. Frazin fn.1)
As such, the nature of the information BoA allegedly shared is relevant to whether their action was legal. Just a list of names? Probably covered by the exception. Actual financial records? Probably against the law.
A potentially interesting gray area would be if BoA did in fact prioritize those who purchased firearms and let the FBI know they had done so. Purchasing firearms is not against the law or evidence of a crime. This is especially true if, as alleged, there was no temporal or geographic limit applied by BoA to better tie the action to a potential crime. While telling the FBI “the top X records also purchased a firearm using a BoA card at one point” does not transmit the actual record held by the bank, it does go beyond the disclosure allowed by the exception and provides the FBI with substantive knowledge of the customer’s financial activity of the type the RFPA was meant to protect.
Of course, even if it wasn’t legal the RFPA doesn’t necessarily provide much in the way of relief. A client whose records were improperly revealed is entitled to actual damages, punitive damages if the violation was willful and intentional, and attorney’s fees. They are not however entitled to suppress any evidence in a criminal matter or otherwise prevent the information from being used by the government once it is received.
If the allegations are true and are found to have violated the RFPA it is possible that BoA could be on the hook for punitive damages, since their actions certainly seem to have been willful and intentional, but courts have construed willfulness and intentionality narrowly in the RFPA context, so it is possible that even if BoA, on its own initiative, provided information protected by the RFPA to the FBI it might not be liable for punitive damages.
Whether this would be a just result, again assuming the allegations are true, is debatable. Also debatable is whether BoA should have done what it is accused of doing, even if doing so was legal. These and other questions posed by the report’s allegations will be addressed in a following post.