Is the Bank Secrecy Act Vulnerable to Constitutional Challenge over post January 6th Data Collection?
Recent allegations raise the question of whether the Bank Secrecy Act is ripe for challenge, and may provide the vehicle to do so.
Important caveat: There is limited information available publicly about what banks and law enforcement did post January 6th, or how they operate the Bank Secrecy Act generally. New information may materially change this analysis.
The Federal Government’s use of financial records to attempt to identify suspects and preempt potential violence after the January 6th riots is, to put it mildly, controversial. Based on disclosures made by the House Judiciary Committee’s Select Subcommittee on the Weaponization of the Federal Government (Subcommittee) it appears that after the events of January 6th law enforcement and financial institutions collaborated to search financial records, including credit and debit card transactions and Venmo payments, as well as the notes the customers wrote on Venmo.
These searches were allegedly based on certain broad criteria, including whether they involved merchants that might sell firearms, as well as certain religious and political affiliations and geographic locations. The searches were conducted to identify potential suspects or people who may be planning violence in the future. It is also implied by the evidence released that law enforcement and financial firms have been using, or at least considering using financial surveillance to preempt other crimes, such as mass shootings.
This was and is presumably done under the auspices of the Bank Secrecy Act (BSA) which provides the government with broad powers to access financial records and firms broad powers and protections from liability for sharing records, either at the request of the government or on their own motion via a Suspicious Activity Report (SAR). In theory only records indicating “suspicious” transactions should be shared, but suspicious isn’t meaningfully defined. The Supreme Court has previously upheld the Bank Secrecy Act as constitutional and ruled that customers don’t have a privacy interest in their bank records.
However, I wonder if the current controversy provides an opportunity to challenge the BSA, at least as applied in cases like the current allegations, where financial data isn’t used to support a prosecution of a previously identified suspect, but rather as a dragnet to try to find suspects, perhaps before a crime has even occurred. To be sure, a challenge would not be easy to win, but the current facts as alleged and recent Supreme Court precedent may combine to provide a unique chance.
Below I will discuss some of the reasons why this may be an especially good opportunity to challenge the BSA. First however, I want to throw myself on the mercy of the readership and acknowledge that while I am a lawyer and an active member of a state bar this is meant to be a “quick and dirty” analysis and I am not an expert on litigation procedure or the Fourth Amendment. As such, it won’t cover everything, and I may have missed something important. Constructive feedback is very much appreciated! With that out of the way let’s get going.
Plaintiffs
One advantage of the current situation is that it may be easier to find plaintiffs. Finding plaintiffs in BSA suits is challenging. First, transfers of information like Suspicious Activity Reports are supposed to be kept secret from the target by law. Even the Right to Financial Privacy Act (RFPA), which was passed to provide customers notice of their records being shared with the government and in most cases to be able to challenge the transfer in court, excludes reports made pursuant to the BSA. This means that most targets of SARs likely never know their information was sent to the government, which makes it impossible to be able to sue over it.
Second, while there is one group who learn they were the subject of a SAR, that group is defendants. If the government uses bank records obtained via the BSA in a prosecution the defendant will likely find out about it, but that is a suboptimal place to start from.
The current situation is unique. Due to the Subcommittee’s work, we know of at least some criteria used to identify records the government wanted to obtain. A customer who meets those criteria (and didn’t participate in the attack on the Capitol or another serious violent crime) could potentially argue that they have a reasonable basis to believe their information was shared in violation of the Fourth Amendment.
The Legal Argument
Skipping over other procedural issues let’s assume that ultimately the Supreme Court must look at the legal and constitutional argument that as applied to the current allegations the BSA violates the Constitution. How could that argument be made?
The first challenge the plaintiffs will face is that existing precedent mentioned earlier, especially the 1976 case, United States v. Miller which held that a person lacks a privacy interest in their bank records, either because the person shared those records with others in the course of commerce or because the person doesn’t own the records, the bank does.
To briefly explain Miller, after getting a tip from an informant on possible bootlegging and a fire at a warehouse rented by Miller revealing a still and a large amount of untaxed whiskey law enforcement requested Miller’s bank records from his banks via subpoena. Miller sought to have the records suppressed because they weren’t obtained with a warrant, violating the Fourth Amendment. The Supreme Court ruled against Miller, finding that he lacked a privacy interest in his checks, because he shared those with others through commerce. The Court also ruled Miller lacked an interest in the other bank records because they weren’t his papers, they belonged to the bank.
The bad news is that it is not great to have existing Supreme Court precedent on the very topic at issue that goes against you. The good news is that there is a more recent precedent that may provide a roadmap for distinguishing, if not outright overturning Miller.
That case is Carpenter v. United States, a 2018 case where the Court declined to extend Miller and related cases to the context of cell phone tower location tracking. To have the best chance of success the plaintiffs will need to convince the court that the current facts and interests at play are sufficiently different from those in Miller, and close enough to Carpenter, that the Court should distinguish Miller. (There are some other arguments outside the Miller/Carpenter tension that could be made, and we will address them briefly later.)
In Carpenter a 5-4 Court, in an opinion written by Chief Justice Roberts, found that law enforcement accessing cell phone location data was a search for Fourth Amendment purposes and therefore generally required a warrant. The Court ruled that while the cell phone company, not the customer, owned the records, the information they contained was so sensitive and violative of privacy that Fourth Amendment protections needed to apply.
To come to this conclusion the Court held that a person generally has a reasonable expectation of privacy in their movements and cited the ubiquity and necessity of cell phones to function in modern life, with them becoming “a feature of human anatomy” that rarely leaves a person’s side and therefore can create a very robust trail of a person’s movements. The scope of information the records could provide as to one’s location, including the retrospective nature of the records, would allow law enforcement to obtain information it could never obtain by mere observation. The Court also noted how creating these records isn’t voluntary because they are created automatically whenever the phone is on.
Distinguishing Miller
So how could the plaintiffs distinguish Miller? And how could they get the Court to think that Carpenter is a better fit?
First, to distinguish Miller the plaintiffs could argue that unlike Miller, where the financial records were only obtained after a suspect was identified by traditional law enforcement techniques, the current situation is more like a dragnet, where law enforcement uses broad criteria to sweep in the records of many innocent people without necessarily finding a legitimate suspect. What’s more, the criteria law enforcement used touched on highly sensitive information like a customer’s speech, religion, location, political affiliation, and use of Second Amendment rights. It is possible that the search was so overinclusive as to be an unreasonable search under the Fourth Amendment.
The plaintiffs could also argue that in Miller the financial records were necessary to prove the allegations Miller was accused of, since they were financial crimes. In the present case, the records are primarily used to build a pool of suspects for non-financial crimes.
Finally, plaintiffs could argue that at least Miller’s records were obtained via subpoena. In the present case it appears that financial firms collaborated with law enforcement before any requests were formally made and then the information was conveyed via SAR. This process prevented any outside check or review prior to the information being turned over.
Of course, the main effort should be to persuade a court that the sharing of Jan. 6 information is more like Carpenter than Miller; it may not be enough to just distinguish Miller. Plaintiffs will need to convince the Court that the Fourth Amendment should apply in this case. To follow Carpenter plaintiffs will need to show that they have a reasonable expectation of privacy, that the information in the records is highly sensitive, and that its creation is necessary and inevitable as a condition of modern life. There are good arguments for this.
Privacy
First, American law creates a reasonable expectation of privacy, and to some degree ownership, in one’s financial records.
The Right to Financial Privacy Act places at least some restrictions on the government’s access of financial records and the ability of financial firms to share such records with the government. While there are so many exceptions, they arguably swallow the rule, the RFPA at least shows a legislative policy that people have a privacy interest in their records not being shared with the government without process.
Other federal laws like Gramm-Leach-Bliley require financial firms to safeguard a customer’s sensitive data and govern how that data can be used and shared. If that data is illegally accessed by a third party due to the firm’s negligence, or misused by the firm itself, the government will punish the firm.
It isn’t just liability either. Section 1033 of Dodd-Frank grants consumers data access rights to certain records held by a financial firm. The Consumer Financial Protection Bureau has proposed a rule based on this provision that would require covered firms to make their covered records available to the customer or their agent, with an eye to facilitating greater competition by making it easier for customers to switch providers.
The way the law treats consumer financial records not only shows that the government thinks consumer financial privacy is important, but also that the records a financial firm creates aren’t like other records. It would be odd for the government to punish a firm who suffered a breach of its own information or used its own information to increase profits, or make the firm share information with its rivals to its detriment. Yet this is done as a matter of course in the financial space because we recognized how sensitive that information is for customers and have given them an enhanced interest in the records made about them.
Further, banks and other financial firms trumpet how secure they are, priming customers to expect their data to be private. Yes, there is no doubt fine print in the privacy statements explaining how it will be shared and is at risk, but the message firms are trying to have stuck in people’s heads is that their data is safe.
Sensitivity
Arguing that financial information is sensitive is probably the easiest part of a plaintiff’s argument. Americans’ lives are written in their bank records. What makes the data sensitive is also what made it attractive to law enforcement in the current case, it can provide a very rich, though not perfect, portrayal of a person’s life, interests, beliefs, health, and yes, location. In fact, in his dissent in Carpenter, Justice Kennedy noted that financial records were if anything more sensitive than the cell cite location data at issue because unlike that data financial records could reveal not just location but the person’s medical history, sexual orientation, friends and family.
Justice Kennedy was exactly right. The data at issue in the current situation related to Jan. 6 is potentially far more sensitive than what was at stake in Carpenter. Banks and the government allegedly sought to use financial data to identify people with certain political and religious beliefs, who engaged in certain constitutionally protected activities like buying a firearm (or at least something at a store affiliated with firearms) or participating in a political rally, and who were in certain locations at certain times. In using these broad criteria, they almost certainly swept in far more innocent people who had the intimate details of their lives exposed to the government than guilty parties.
Further, like the information in Carpenter bank records are retrospective in nature, allowing law enforcement to not just observe a person in public at a given moment, but pour over the history of their lives for years. In fact, the law requires the banks preserve records for a period of years to ensure they are available for law enforcement to access.
Finally, the fact that technology makes these records relatively easy to access, and query, and the fact that the firms, rather than the government pay for their upkeep and complying with the law, means it allows for a scope and persistence of surveillance that was unthinkable in the past. The police at the time of Miller had to reckon with resource limitations far greater than those currently faced by law enforcement, limiting the use of financial surveillance as a tool.
Necessity
The next question will be whether it is necessary to make such records, or if people choose to do so, and therefore could choose not to. Here the plaintiffs can point out that to engage in the modern economy one must interact with a financial intermediary who will create the type of records at issue and be bound to provide them to law enforcement. Living by cash alone simply isn’t possible unless one is willing to separate from mainstream society.
Living by cash alone also isn’t safe, economically, or physically. Electronic finance via intermediaries is frequently safer, often due to public policy. Card transactions have certain fraud protections. Bank deposits have insurance. Wires provided by the Federal Reserve are faster, cheaper, and more secure than moving large amounts of money around via truck. The government makes electronic finance safer than cash; can it then hold that against people when it comes to privacy?
It isn’t just economic safety though. Not carrying cash makes one less attractive to potential muggers. It is not surprising that cannabis firms who face impediments to bank accounts cite safety as a major reason they should get access.
Under the law financial firms must create and maintain certain records, so people can’t “shop around” to find the most privacy friendly, at least vis-à-vis the government, bank, or credit card. The reality is that if one wishes to engage with the modern economy, one must leave a copious stream of records currently accessible to the government without Fourth Amendment protections.
Other Arguments
The plaintiffs could also consider arguing that the government’s actions in this case impeded other constitutional rights. It is alleged that the government and banks used terms relating to political and religious activities and gun ownership, and asked for messages created by customers, rather than just the financial firms, in other words their speech, to be searched. It may be worth considering an argument that this activity could chill other constitutionally protected activities.
Plaintiffs could also argue that federal law in effect gives them an ownership right in their financial data. The laws discussed above that give rise to an expectation of privacy also give customers certain ownership-like rights and treat financial firms as less than pure owners of the data. As discussed below, the law has changed in this regard since Miller, and this might help swing over at least one justice who dissented in Carpenter.
These arguments would be outside the Carpenter road map. But that may be a good thing because Carpenter was a close case and the textualist wing of the Supreme Court were the dissenters.
Headwinds
A successful challenge is by no means certain. Plaintiffs will face serious headwinds. One of the most obvious is that the textualist wing of the Supreme Court disagreed with the holding in Carpenter. The primary reason is that they reject the formulation of the Fourth Amendment as a right to privacy. Instead, they believe the Fourth Amendment provides a right to not have one’s home, papers, and effects ransacked. Yes, this has a benefit for privacy, but what matters is ownership. To the dissenters it is hard to see how a person has a protectable interest in someone else’s records.
However, not all is lost. Justice Gorsuch is no fan of Miller, and his dissent lays out an alternative method of getting to the Fourth Amendment that could be relevant here. Gorsuch, like the other dissenters, believes that the Fourth Amendment is about ownership, not a general expectation of privacy. To Gorsuch the question is whether something is “yours under law.” However, he does not believe that total or exclusive ownership is necessary.
Instead, Gorsuch believes that law can grant sufficient ownership rights in others’ records to prompt Fourth Amendment protection. In his Carpenter dissent he points to federal law that gives customers certain rights over cell-site location and limits the ability of the cell-phone company to use or share the data.
This sounds like how federal law treats customer financial records, even going so far as to require certain firms to make certain data available to their competition if requested by the customer. Of course, the law may cut both ways. The Right to Financial Privacy Act for example explicitly permits things like SARs, and while the law has expanded consumers’ interest in the privacy of their financial records against private actors since Miller was decided, it has eroded it against the government. On the other hand, Gorsuch might argue that the Government can’t slice the salami that finely, and that once the law grants someone a certain type of interest in an item, the constitutional protection is inseparable from that interest.
The Circumstances around the Request
Another impediment is the reality that the requests at issue arose to respond to the extremely serious crimes of Jan. 6 and to prevent violence at the presidential inauguration or other types of extreme violence like mass shootings and terrorist events. Preventing events like these is a legitimate role of government.
This reality may make it hard for the Court to second guess the likely claim from law enforcement that even if these inquiries weren’t terribly useful, the tools law enforcement used are too important to be taken away. The argument will be made that requiring a warrant would delay things too much and prevent serious crimes from being interdicted.
That claim should not go untested. We don’t know how quickly the government tends to react to a SAR, or how many SARs are useful, or really anything about the effectiveness of this system. Just because it is possible using the BSA in this manner could prevent serious crimes, that doesn’t make it plausible. And it is prevention on which the government’s argument must rest. If the government is investigating a crime that has already occurred a warrant should be no impediment.
Beyond the practical, there is also an important philosophical reason to be skeptical of the government’s likely necessity argument. While it is undeniable that law enforcement was responding to serious threats, that is not a blank check. The Bill of Rights is intended to protect people against government excesses, and it is in the face of serious threats that those excesses are most likely to occur. If the American people would prefer to tilt the balance in favor of government power, they could amend the Constitution to modify or remove the Fourth Amendment. They haven’t done so.
Further, as the Chief Justice notes in Carpenter, there are certain exceptions to the Fourth Amendment’s warrant requirement for exigent circumstances. While one hopes these exceptions do not swallow the rule, it is at least unlikely those exceptions would cover the type of wide-ranging collection of customers’ data based on broad terms currently alleged.
Conclusion
The allegations of government surveillance are troubling, as is the lack of protection for consumers’ financial privacy. The current situation may present a unique opportunity to challenge the BSA and restore at least some strictures around the government’s access to some of the most sensitive data around. If nothing else, it might force the Court to reevaluate its holding in Miller considering the reality of the modern economy. Whether it will be attempted, and whether any attempt will work, remains to be seen, but it might be worth a try. If nothing else, raising more awareness of how the system currently operates will help voters and Congress make more informed policy choices.