Bank of America, the FBI, and the Question of Financial Privacy (Part 3)
What reforms, if any, could Congress pursue to address concerns raised by the allegations against Bank of America?
In the previous two posts I discussed the allegations leveled against Bank of America in the recent majority (Republican) interim staff report of the House Select Subcommittee on the Weaponization of the Federal Government. In the report several current or former members of law enforcement describe Bank of America proactively disclosing to the FBI information regarding some BoA customers who used their BoA credit or debit cards in the Washington DC area between January 5th and 7th (covering the period of the Capitol Riot). There are further allegations that BoA prioritized customers who had also purchased a firearm using a BoA card. There is inconsistency as to what other screening criteria BoA used, if any, whether any purchase in the DC area was enough to get on BoA’s list, and whether gun purchases needed to be recent. There is also a lack of clarity as to exactly what information BoA allegedly provided to the FBI.
As you can probably tell from all the caveats above, it is unclear to what extent, if any, the allegations against BoA are true. There is little hard data currently available, and it is possible reality is materially different from the allegation in the report. However, if the allegation is even in the ballpark, it is a potentially serious matter that raises important questions of law, policy, and morality. The previous posts made a start at those discussions. This post will continue, looking at some potential reform efforts that may be warranted if the allegation is even somewhat true. As before, we will assume the allegation is true for the sake of discussion.
To know what needs to be reformed we need to first assess what went wrong. Recall that the Right to Financial Privacy Act (RFPA) creates a general prohibition against federal government authorities accessing someone’s financial records and financial services firms providing them without going through an appropriate legal process. Recall further that the RFPA has a series of exceptions that arguably swallow the rule. The most relevant one for our purposes is found at 12 USC 3403(c). This provision allows banks to notify law enforcement that they have records that may be relevant to a violation of law and regulation. Under the exception the bank may not provide the information in the record but may identify the person or entity involved in the suspected activity and the nature of the suspected illegal activity.
12 USC 3403(c) provides banks with broad immunity against liability for disclosing information pursuant to the exception. What it does not appear to provide for is any sort of evaluation of how reasonable the bank’s disclosure was given the circumstances. Yes, if the bank provides a customer record to law enforcement it loses immunity, but the statute makes no requirement on its face that the bank’s identification of a customer to law enforcement was at all reasonable.
Courts are mixed as to whether there must be any individualized suspicion on the part of the bank that the customer they are flagging for law enforcement committed a crime. For example, a trial court argued that RFPA only requires individualized suspicion of a customer on the part of the bank if the bank was proactively volunteering information to law enforcement, as opposed to responding to questions from law enforcement. Conversely, another trial court in Rufra v. U.S. Bancorp (2006 WL 2178278) argues that no such individualized suspicion of a customer was necessary if the bank believed the records themselves might be relevant.
In both cases the customers were mistakenly identified as potential bank robbers. In both cases bank employees initially identified the customer as having a physical resemblance to the robber, though in both cases the employees recanted their view prior to the information being disclosed. In both cases there was something concrete that tied a specific customer to the crime, even if the identification was ultimately wrong. The banks didn’t give the FBI the records of every customer who came in that day, or whose height roughly matched the robber’s.
Contrast this with the allegation that BoA identified customers to the FBI based on location and past legal commercial activity. This information is likely to be much noisier than even a mistaken visual identification. It is also not tied to any specifically identifiable customer. Instead, using coarse metrics the bank can identify and mis-identify customers in bulk.
This potential for mass identification makes the question of whether the bank needs to have an individualized suspicion, or at least a reasonable basis, for voluntarily flagging customers for law enforcement even more important. Currently the RFPA is at best ambiguous on the question. As such, amending the law may be appropriate.
How to amend the law is a more challenging question. As the court in Rufra notes (footnote 1), requiring individualized suspicion from a bank raises many challenges. Who needs to have the suspicion? Would any employee suffice or must it be bank management? How long must the suspicion exist for? Etc.
Conversely, should the law really be so lax that a bank could identify customers on nothing more than being in the wrong place (especially if “place” is one of the largest metro areas in the country) and engaging in a particular type of legal transaction? How is that consistent with the concept of financial privacy, which the RFPA was intended to protect, albeit in a non-absolute way?
Congress should consider whether a bank should have to have a reasonable basis for voluntarily identifying customers to law enforcement. Such a basis would not necessarily require individualized suspicion but could consider the reasonableness of the criteria and the related risk of false positives that are likely to occur based on the bank’s screening criteria.
Congress should also consider whether the penalties on banks that violate RFPA are insufficient to deter improper disclosure by banks. Increasing penalties and making it easier for customers to obtain punitive damages would change banks’ calculations, especially in cases where the bank knowingly overshares, like what BoA is accused of doing.
Of course, Congress could also remove the 12 USC 3403(c) exception so banks could not volunteer information and federal law enforcement would have to follow the RFPA process. This would no doubt be opposed by law enforcement, and not without reason. There would no doubt be a reduction in information provided. However, given how noisy the information BoA allegedly provided likely was, it is questionable how much useful information would be lost and how much information law enforcement couldn’t otherwise obtain by following RFPA’s modest requirements.
The idea that law enforcement’s convenience should not trump privacy, and that due process should be required before access is granted, permeates this country’s history. Until the Court reverses itself and finds a constitutional right to financial privacy it will fall to Congress to strike the right balance. This is what RFPA sought to do, but if the allegations against BoA are close to accurate it would be further evidence that the balance is off. That the Capitol Riot was a serious crime is not in dispute, but serious crimes do not and should not serve to erase privacy and due process. Congress needs to adapt our privacy protection mechanisms to the modern world, and this is an area that merits significant consideration.
I know I said this post would deal with other outlying questions but it is long enough already, so those questions will have to wait for the next post.