Bank of America, the FBI, and the Question of Financial Privacy (Part 2)
Why might Bank of America have shared data with the FBI unbidden, and is that ok?
In the previous blog post I discussed a majority (Republican) interim staff report of the House Select Subcommittee on the Weaponization of the Federal Government, which alleges that Bank of America, without being asked or required, provided the FBI with a list of its customers who used a BoA credit or debit card in the Washington DC area between January 5th and 7th, 2021 (covering the time of the Capitol Riot). The report further alleges that BoA prioritized customers who had ever used a BoA card to buy a firearm. That post also discussed whether such an action would be legal under federal law, with the answer potentially depending on the scope of information BoA provided.
The discussion didn’t touch on some other obvious and important questions. Among them: why did BoA (allegedly) do it, and is that ok? This post will at least make an initial attempt at discussing those issues.
First an important preliminary matter – as discussed previously, it is not clear whether BoA did what the report accuses it of doing. It is possible the facts are materially different and our knowledge of what happened will likely be updated over time. That said, as before, we are going to assume the allegations are true for the purpose of discussion.
Why would BoA do what it is accused of doing?
Why BoA would share information with the FBI in the wake of the Capitol Riot seems obvious. A serious crime occurred and BoA, by virtue of its position as a bank, may have had information relevant to bringing those responsible to justice that it wanted to share. Giving banks the same power as the man on the street to alert law enforcement to a potential crime was one reason why 12 U.S.C. 3403(c) provides an exception to the general requirement that banks cannot share customer information with federal law enforcement absent appropriate legal process.
But Bank of America is different from the man on the street in many ways. One is that BoA is a highly regulated entity that is dependent on staying in the good graces of government regulators. As Prof. George Mocsary and I discuss in an amicus brief, bank regulators have a host of subtle ways they can hurt banks if they are displeased with them. As Prof. Nicholas Parrillo points out, because banks are basically incapable of perfectly following the multitudinous and complex rules that govern banking, they rely on having a positive relationship with their regulators to prevent those regulators from going too hard on them when the inevitable mistake occurs.
This may present a reason why BoA would do what it is accused of doing. By being seen as proactively supporting law enforcement in this case BoA may have hoped to garner political capital with law enforcement and the new administration. Alternatively, BoA may have feared that a lack of proactive assistance would be held against it later.
This unique relationship with regulators need not be the only reason. If the allegation against BoA is true it could have been motivated by outrage at the riot, hostility towards Trump supporters, or any number of other factors, but BoA does have a unique set of regulatory incentives that could encourage proactive disclosure.
Is it ok?
But is what BoA allegedly did ok? Remember, according to the allegation made in the report, BoA didn’t just come upon this information; it queried and collated its records and then provided information (whether just names or actual records is unclear) to law enforcement unbidden.
One could argue that BoA proactively checking their records after seeing a serious crime to see if their customers were at the scene is akin to a citizen realizing they had a relevant document in their file at home, checking through their files, and then calling the police. Would that be objectionable?
But BoA isn’t just a normal man on the street, it is one of the largest and most important banks in the world. It and its peer institutions are essential conduits through which people get to engage with the modern economy. By necessity BoA and similar firms collect massive amounts of information that provide intimate knowledge about their customers’ lives. If we care about the concept of privacy, can we really analogize banks to average people?
One further difference is that unlike a random person on the street, customers have a relationship with their bank and their bank makes promises to them, such as keeping their money and their data secure. To be sure, a reasonable person should expect that a bank would share their data when legally required, but should they expect the bank to proactively and aggressively share their data, without even being asked?
Of course, if the customer is engaged in obviously suspicious activity maybe they should expect the bank to share the data proactively, even if not required by law. But if the allegation in the report is true BoA did not limit their sharing to obviously suspicious activity. Is this consistent with the customer expectations that BoA tried to create?
Even if one doesn’t believe there is anything morally suspect with a bank volunteering information per se, would it matter how many false positives there were, since each of those false positives reflected a customer who was not involved in a crime but now is under federal scrutiny? This is where the suitability of BoA’s alleged disclosures becomes relevant. If BoA realized it had information highly likely to prove relevant to a legitimate investigation its preemptive disclosure could arguably be more justified than if the bank did a poorly tailored data-dump.
Conversely, if BoA intentionally provided law enforcement with an excess of records and flagged specific ones based on criteria that don’t closely relate to the potential crime but could reflect a possible animus on BoA’s part, wouldn’t any potential argument that BoA’s actions were appropriate become less viable?
The witnesses cited in the report differ somewhat on what filters they believe were used by BoA when collating data, with one witness saying any purchase in the DC area would trigger BoA flagging the account while another implies there were some limits on the type of purchases that would count (such as plane tickets or hotel rooms). Certainly if it is the former, but even if it is closer to the latter, wouldn’t this be overinclusive, potentially massively so? Is this BoA identifying specific information that is reasonably related to a crime, or doing a dragnet to provide the FBI with all the information that might possibly be relevant, even if it was clearly excessive?
The issue becomes even more problematic if, as alleged, BoA flagged certain customers as priorities for the FBI because they purchased a firearm. Here again there is a potential discrepancy in what is being alleged. One witness cited by the report says that any firearm purchase at any time would have been enough for BoA to flag the customer. Another references some time constraints, though this witness also admits to not knowing the exact criteria used.
If true, this calls into question whether purchasing a firearm is an appropriate criterion for the bank to use when assessing whether it has records relevant to a crime, especially if there is no temporal or geographic restriction. Being near the scene of a crime is one thing, even if that data is likely incredibly noisy and overinclusive. Engaging in constitutionally protected activity at some point and location in the past is another. Further, it is unclear how BoA would know whether anyone actually purchased a firearm, so the data may be even less of a fit for its stated purpose.
Of course, assuming the general allegation in the report is true it is still possible that BoA used other, more obviously relatable criteria (e.g., a donation to the Proud Boys) to screen the information they provided to the FBI so they didn’t just identify everyone in the DC area for three days in January who also purchased a firearm. Still, BoA taking it upon itself to turn over the names of its customers and potentially highlighting certain customers based on lawful conduct without a direct connection to the crime in question could strain the notion that the bank was acting reasonably.
The debate over financial privacy isn’t new and permeated the discussion around the Right to Financial Privacy Act, where Congress sought to balance the legitimate needs of law enforcement with the privacy interests of Americans. However, as Nicholas Anthony at Cato demonstrates, the actual protection provided by the RFPA was always sparse and has eroded over time as more financial transactions become digital. It is simple enough for law enforcement to obtain financial records. Is it appropriate for banks to volunteer them en masse, especially if the bank’s disclosure is dramatically overinclusive?
Because the Supreme Court declined to find a Fourth Amendment right in bank records it falls to Congress through statutes and the firms themselves to draw lines. This episode, if true, does raise the question whether RFPA is adequate and whether, at a minimum, some sort of reasonableness standard should apply to bank disclosures in order to be protected under the RFPA’s immunity provisions.
The next post will discuss that issue as well as some other outlying questions, such as what this incident may mean for banks going forward.