

Bank of America, the FBI, and the Question of Financial Privacy (Part 5)
New evidence implies it was the FBI who initiated the search. How might financial privacy law apply (or fail to apply)?
We previously discussed an allegation that Bank of America (BoA) provided the FBI with customer records in response to the January 6th riot without the government asking or the customer granting permission. This possibility was especially troubling because BoA allegedly cast a very wide net of potentially responsive records, including people in the DC area around January 6th, and allegedly prioritized those who purchased firearms with BoA cards at some point in the past. As discussed in the previous series, the allegations were not confirmed, and new facts might develop that fundamentally change the analysis.
Well, that might have happened. On July 12th the House Judiciary Committee held an FBI oversight hearing. As part of the questioning Rep. Thomas Massie raised the issue of the Bank of America allegations with FBI Director Christopher Wray. (Begins around the 58:30 mark) Massie stated he was in possession of an email that indicated that it was the FBI who provided BoA with specific search topics. Wray refused to provide many specifics but reaffirmed his belief that the records were obtained lawfully.
While facts are still very sparse and nothing is confirmed, let’s for the sake of argument assume it was the FBI who initiated the search. This would be a significant change in terms of what process applies and whether the transfer was legal. Remember that the provision of financial records to the government is governed by the Right to Financial Privacy Act (RFPA). As discussed in the previous series, if a financial institution, on its own initiative, wants to provide the government with records the RFPA limits what sort of information can be provided by the institution and under what circumstances. If, however, it is the federal government that is initiating the request, which seems to be what Rep. Massie is alleging in this case, the RFPA applies in a different way.
Under the RFPA the federal government may generally only request and obtain financial records without customer permission via one of four approved methods. These methods are an administrative subpoena and summons, a search warrant, a judicial subpoena, and a formal written request.
To obtain a search warrant the federal government must convince a federal judge that there is probable cause that the information being sought relates to a crime. A judicial subpoena may be obtained from a court but the government must have reason to believe that the records are “relevant to a legitimate law enforcement inquiry.” Likewise, an agency with the necessary administrative subpoena power may use it to obtain financial records if, among other things, there is reason to believe the records are “relevant to a legitimate law enforcement inquiry.” Finally, if an agency lacks administrative subpoena power and the agency believes the records are “relevant to a legitimate law enforcement inquiry” it may use a formal written request to obtain the records.
In all cases the customer is supposed to be notified by the government at some point that the records were provided to the government as well as the general nature of the inquiry. In all cases except for a search warrant the customer is supposed to be given notice at or before the time the financial institution is given the request. This is to allow the customer to intervene in court to try to prevent the records from being given to the government.
However, in all cases such notice may be delayed with permission from a court, provided the court finds that the record request is within the agency’s lawful jurisdiction, the records are “relevant to a legitimate law enforcement inquiry,” and that there is a reasonable basis to believe that providing notice would cause harm to a person or interfere with a lawful prosecution. This delay may be extended with court approval, though this provision allows for delayed notice, rather than a lack of notice altogether.
Ok, so there must have been a bunch of notices sent out by now and we should have a handle on the scope of information sharing, right? Unfortunately, no. The RFPA also has a list of exceptions to the notice requirements that might swallow the rule. The one that appears most likely to be relevant says the notice requirements don’t apply if all that is requested is the customer’s name, address, account number, and type of account for a customer or “ascertainable group of customers associated with a financial transaction or class of financial transactions.” (12 USC 3413(g))
So, is “purchased a gun and was in DC on these dates” the type of ascertainable group intended to be covered under the law? There is some reason for skepticism. If one looks at the legislative history of the provision (pages 226-227 of the attached document below), section 3413(g) (formerly section 1113(g)) was not meant to be a blank check. Rather, it was intended to allow the government to get customer information without notice in cases where the transaction in question “would clearly appear to involve violations of law…” Merely visiting the country’s capital and at some other point in time engaging in constitutionally protected conduct would not seem to fit this expectation. As the district court in Inspector General v. Great Lakes Bancorp noted when looking at the legislative history of section 3413(g), the provision is limited in its scope and is not meant to allow for the government to “transform what was intended to be a one day (sic) casting permit into a license for a full-fledged fishing expedition.”
Of course, there are also other exceptions to the notice requirement, though it is unclear how applicable they would be. For example, under 12 USC 3414(a) the Secret Service can avoid RFPA as part of their protective functions, which might be relevant to preventing a riot but does not seem to apply to subsequent criminal prosecutions. 12 USC 3414(c) also prohibits financial institutions from disclosing that the FBI obtained records under certain circumstances, though that does not appear to apply to the obligation of the government itself to provide notice if necessary.
The exact scope of whose information was shared, how much information was shared, and who initiated the sharing remains murky at best. It will take further oversight, as well as possibly legal action, to provide clarity, but the facts known at the moment raise real doubt about the actions of BoA and/or the FBI. At a minimum, this situation should prompt a reconsideration of whether RFPA is adequate in the modern world. As new facts develop, I will update.