Citibank, the FBI, and the Question of Financial Privacy
Some quick thoughts now that Citibank has been subpoenaed as part of the investigation of banks sharing client information with law enforcement.
As previously discussed, the House Judiciary Committee’s Select Subcommittee on the Weaponization of the Federal Government has been investigating banks’ sharing of consumer information with law enforcement – voluntarily -- in the wake of the January 6th riots. Initially the focus was on Bank of America and whether BoA initiated the transfer of information or was responding to law enforcement requests. The order of operations mattered because the Right to Financial Privacy Act (RFPA), the law that is supposed to govern the provision of financial records to law enforcement, has different requirements depending on whether the bank or law enforcement is the initiator.
As part of this investigation the Committee recently announced that it was subpoenaing records from Citibank due to the bank’s alleged noncompliance with the committee’s voluntary requests. As part of the letter accompanying the subpoena the committee included a redacted screenshot of a January 29th 2001 email from someone at the FBI to what appears to be a number of employees of large banks and other financial institutions. In the email the FBI official proposes a meeting to discuss how the institutions and FBI can “best approach information sharing, both strategic and operational, related to the Capitol Riots.”
This effort to collaborate on data sharing introduces several possibilities that Congress should investigate.
The most obvious one, which the letter accompanying the subpoena raises, is that the administration was working with financial services firms to access information without having to go through legal processes, such as those stipulated by the RFPA.
Of course, as discussed previously, the RFPA contains numerous exceptions and exemptions to the limits it places on data sharing and the requirements that customers whose data is provided to law enforcement are notified. As such, it may be more likely that, to the extent there was collaboration it was aimed not at avoiding the RFPA per se, but rather at structuring the data transfer to fit within an exception.
It is worth discovering whether the financial services firms themselves helped this occur. Did the firms’ lawyers and data experts provide their expertise to help the FBI ask for things, or in such a way that the RFPA didn’t apply or didn’t apply as fully as if the FBI had simply asked directly?
Conversely, it is also worth asking whether there was any strong-arming of the financial services firms by the government to extract maximum compliance with a minimum of hassle. Banks and other financial services firms are subject to such broad and all-encompassing regulation, and in many cases supervision, that they must stay on their regulators’ good side or face punishment through process. Was this specter held over the heads of the firms?
The possible collaboration (or collusion) between the financial services firms and the FBI raises a broader question about whether the assumptions that undergirded the RFPA still hold. The RFPA appears to assume a relationship between firms and federal law enforcement that, while not necessarily adversarial, is at least arms-length and transactional. Discreet requests are made, or the firm notifies law enforcement of the existence of specific records that appear to indicate criminal activity. There isn’t an ongoing and free-floating relationship. If law enforcement and firms instead have a collaborative (or collusive) relationship where they work together ex ante to craft how data is shared, the purpose of the RFPA may be frustrated.
This isn’t to say that a desire to help law enforcement in this circumstance wouldn’t be understandable. The January 6th riot was a serious crime. But Congress understood that serious crimes can occur when it recognized the importance of some degree of financial privacy and adopted processes to protect that privacy by passing the RFPA.
Congress needs to continue its investigation into how potentially millions of innocent Americans had their records provided to federal law enforcement based on attenuated links and constitutionally protected behavior. In doing so it must consider whether financial firms and law enforcement, the two groups whom the RFPA is meant to limit, have adopted a collaborative posture as a default, and if that collaboration is subverting the intent of the RFPA. If so, at a minimum the RFPA should be reformed to reflect this reality.