More questions about Credit Card MCCs for gun stores
Since Visa, Mastercard, and AMEX announced they would be adopting Merchant Category Codes (MCCs) for gun shops there have been a lot of questions. One question is what is the purpose of this? Another is how is this going to work. Is the goal to have banks serve as an early warning system or is this just meant to collect more evidence after a crime is committed? Are banks going to preemptively report information to law enforcement or will law enforcement have to request information? And finally, what law governs the information exchange?
The first question seems easy enough to answer. In an article in American Banker Hudson Munoz, the VP for public relations at Amalgamated Bank, frames the benefit as allowing banks to detect “suspicious transaction patterns” that may indicate straw purchasing (someone who can buy a gun buying one on behalf of someone who can’t) or “stockpiling” weapons and ammo, which has occurred before some mass shootings, and alert law enforcement. But how likely is that?
In the same article Munoz talks about how the MCC doesn’t cover the universe of stores that sell guns (for example, Walmart or large sporting goods stores wouldn’t be covered) or allow the bank to see what the customer actually purchased. A large purchase at a gun store could be a gun, or it could be whatever else the store sells, the bank won’t know. Likewise, buying a bunch of guns at a Walmart or (maybe) Cabela’s will not be tagged with the MCC. If the goal is to allow banks to know with any precision whether suspicious activity is occurring MCCs are both over-and under-inclusive.
But now banks and credit card companies will have the information, so what do they do with it? The article takes as given that the Bank Secrecy Act (BSA) would require, or at least permit, banks to file Suspicious Activity Reports (SARs) with FinCEN. Munoz asserts that while most purchases would not trigger the bank to file a SAR, “the purchase of multiple guns at an unusual time and location might trigger a SAR.”
One question that immediately comes to mind is that, given the acknowledged limits of the MCC, where the bank will not know what was purchased, how could a bank determine that multiple guns were purchased? The second is what is an “unusual time” to buy a gun? How will a bank know that?
A deeper question however is what the laws governing this are, and how they apply. It is true that the BSA requires banks to file SARs, but there are also some limits to the information banks may share with third-parties, including law enforcement, and there may be constitutional questions posed by this situation. There may also be possible limits at the state level that could influence what information is collected in the first place. How these laws apply and interact with each other could have important implications for bank compliance and consumer privacy. To be clear, what follows is not an exhaustive analysis, but rather an attempt at issue spotting.
Relevant Federal Laws
The BSA is not the only law governing how banks share information with the government. Several other laws, including the Right to Financial Privacy Act (RFPA) and the Gramm-Leach-Bliley Act (GLBA) affect how banks can share information with the government.
The RFPA creates a general prohibition on federal authorities accessing bank customer records without either customer consent or the government complying with certain processes. (12 USC 3402). This means that the government needs to formally request a record via certain approved processes in order to obtain it, rather than either informally requesting it or the bank providing it on its own initiative. However, this prohibition is subject to several important exceptions. One exception is that banks and their employees are permitted to notify the government that they have information of suspected illegal activity. This provision also broadly immunizes banks and their employees from liability for sharing this information with law enforcement. (12 USC 3403(c)).
The RFPA also includes an exception for information required to be reported under law or rule (12 USC 3413(e)) and as the Electronic Privacy Information Center points out, this arguably effectively swallows the rule because of the BSA.
The BSA requires banks to submit SARs under certain circumstances, most relevant here likely being transactions of $5000.00 or more that “has no business or apparent lawful purpose,” is not the sort the customer is expected to engage in, and the bank has no reasonable explanation after examining the facts and circumstances of the transaction. (31 CFR 1020.320(a)(2)(iii))
While it is theoretically possible that a bank could identify a suspicious transaction meeting this criterion based on a gun store MCC code, it would seem to be a high hill to climb. Is a customer purchasing $5000.00 worth of something from a gun store (the bank knows not what) that has no apparent lawful purpose? Isn’t buying legal items a sufficient lawful purpose? If the first purchase a customer makes from a merchant with a gun store MCC is over $5000 is there no reasonable explanation? It is possible to imagine a scenario where there is no reasonable explanation, but how many false positives and negatives will there be?
The BSA also permits banks to submit SARs for any transaction that “is relevant to the possible violation of any law or regulation…” (31 CFR 1020.320(a)(1)). Presumably this is the justification that will be used more frequently to file SARs. But is this the type of information Congress intended to be reported?
Remember, the MCC information is extremely noisy. It doesn’t tell the bank what is being purchased, it misses a lot of gun purchases, it sweeps in a lot of non-gun purchases. All it tells you is that a customer bought something at a certain store, a store that is presumably in compliance with all the regulations surrounding being a gun store (or else they wouldn’t be in business).
This isn’t to say that there may not be transactions that in retrospect were evidence of an impending crime, but rather to question how well banks will be able to distinguish between someone stockpiling weapons in advance of a crime versus someone buying an expensive rifle at one store and an expensive scope and rings at another because they got a slightly better deal. Is that purchase pattern evidence of a violation of law? Is it evidence a crime is going to be committed? Can a bank form a reasonable belief based on MCC data that this transaction is relevant to a potential crime If not, is this the type of data that must (or can) be supplied under the BSA, or does it fall outside of that scope, where the RFPA becomes more relevant?
Finally, if the BSA does allow reports under such nebulous conditions does it pose constitutional issues? There are two potential arguments I can see where a policy requiring or allowing banks to report “suspicious” transactions to the government might present constitutional issues. I’m not saying the Supreme Court would embrace these arguments, but I don’t think they are frivolous either.
One argument that could be attempted is to argue that as applied in this context mandatory SAR reporting using the gun store MCC violates a constitutional privacy interest. To be sure, the Court has previously held that there is no constitutionally protected privacy interest in bank records and upheld the constitutionality of the BSA reporting requirements. However, there is an argument that this type of reporting is both so invasive to the customer and so limited in legitimate value that it could trigger a constitutional concern.
It is worth noting that two of the Justices who upheld the constitutionality of the BSA and constituted the margin of victory expressed concern that BSA reporting could be sufficiently invasive to pose constitutional concern, but that since the relevant regulation at the time only required reports for transactions over $10,000 in 1974 (about $60,000 today), which is a very large amount of money, the privacy concerns weren’t fatal. However, they noted that if there was a “significant extension” of the reporting requirements that might be another matter.
Would mandatory reporting of purchases from gun stores under 31 CFR 1020.320(2)(iii) count as such a significant extension? It would seem to depend on how reasonably the basis for the reports were. If banks could refine their reporting such that they weren’t wildly over-inclusive that might be one thing. But if instead reports were over-inclusive and primarily driven by being attached to a legal merchant who sells a constitutionally protected product (among other things) maybe it is?
Of course, banks arguably aren’t required to report suspicious transaction under 31 CFR 1020.320(a)(1), rather they are permitted to. This might moot any argument that the BSA as applied under these circumstances is unconstitutional, because arguably it isn’t the government requiring disclosure, but banks voluntarily doing so. But if banks are not required by law to report does the RFPA exemption still apply? Presumably they could still rely on the 12 USC 3403(c) exception, but that information is more limited than a SAR report.
There is also a possible argument that banks proactively providing and the government accepting this information, without a warrant or some other process, could unduly burden Second Amendment rights because it will make people less likely to engage in constitutionally protected activity (buying firearms) with very limited legitimate benefit since the MCC data is so noisy that its ability to actually prevent criminal activity is dubious.
Whether the Supreme Court would either argument is unknown, and I wouldn’t wager much money on it, but it isn’t outside the realm of possibility either.
What might the states do?
Under current law once a bank has information it can generally share at least some of it with law enforcement if there is a belief it relates to a possible crime. But what information must a bank or credit card company collect, and could state law influence that?
Banks and Credit Card system operators are required to maintain certain records of transactions under federal law. However, they are not required to adopt a given MCC. As such, it may be possible for states to try to use consumer privacy law to prohibit the use of the firearms MCC in their states on the grounds that it is unduly intrusive and burdens a constitutional right. Presumably this would take the form of prohibiting gun stores within the state from being assigned the MCC code, since that has the most concrete geographic nexus to the state. Conversely, some states may try to prevent their citizens from having their records tagged with that code, but if a citizen does business with an out of state or national bank or shopped at a gun store in another state the home state may not have jurisdiction.
Such an attempt would be consistent with the recent statements by a collection of Republican State Attorney’s General, where they promised they would “marshal the full scope of our lawful authority to protect our citizens and consumers from unlawful attempts to undermine their constitutional rights.”
Potentially relevant is that the GLBA, which governs credit card and bank customer privacy at the federal level, explicitly serves at a floor, not a ceiling, in terms of consumer protection. State privacy laws that are more protective, as determined by the Federal Trade Commission, will supersede the GLBA. (15 USC 6807(b)). The current FTC is likely not a sympathetic audience for this argument, but that could always change in a different administration.
Conversely, the RFPA does not apply to state law enforcement agencies, so states that want to order banks they have jurisdiction over to turn over transactions with the gun store MCC code will likely be able to do so absent the Supreme Court finding some constitutional protection for that information.
Of course, if you want to do a find/replace of “abortion” for “guns” in this article much of the analysis above, except the parts related to a federally constitutionally protected transaction, might still apply. The use of MCCs for gun shops could start a series of escalating skirmishes in the culture wars.
How this will all play out, especially given that interstate nature of banking and credit, remains to be seen. What does seem clear is that it will not go quietly.