More thoughts on the use of MCCs for law enforcement tracking
Preventing violence is laudable, but is this likely to be an appropriate, or useful, method?
Caveat: As before, we have very limited information available. New information may significantly change this analysis.
Last week the House Judiciary Committee’s Subcommittee on the Weaponization of the Federal Government (the Subcommittee) released a letter that detailed an alleged government effort to have private financial institutions such as banks conduct searches of their data to help law enforcement look for suspicious transactions. One government request to the financial institutions leverage a method proposed by KeyBank to use search terms that included Merchant Category Codes (MCCs) for sporting goods stores and sporting and recreational goods and keywords such as Dick’s Sporting Goods and Cabela’s to identify certain purchases as potentially suspicious. We previously discussed the fact that some of the MCCs listed in a KeyBank slide shared by the committee that were suggested as search criteria for identifying potential active shooters were not listed publicly, including by KeyBank. This raises the question of what type of data financial firms were and are collecting without customers knowing it. But it is worth zooming out a bit to discuss the further implications of using MCCs, and financial transactions generally, as a tool of law enforcement surveillance.
Legal State of Play
As discussed previously, the general federal legal framework for federal agencies to obtain financial records is very permissive, at least in practice. Yes, laws like the Right to Financial Privacy Act (RFPA) purport to protect financial records from being obtained by federal law enforcement without some process, but between that laws copious exceptions and exclusions and the broad sweep of the Bank Secrecy Act (BSA) federal law enforcement and banks can share at least some data on customers without much impediment almost all of the time. Even if a bank or the government does violate the law the ability of the customer to get a remedy is limited, and evidence obtained in violation of the RFPA is not excluded from a criminal trial.
However, there have been efforts to limit the supply of private transaction information to law enforcement at the state level. After it was announced that credit card companies would be adopting a MCC for gun stores several states, including Florida, Montana, and West Virginia prohibited the use of that MCC. While states can’t prevent banks from complying with federal information sharing requirements, and probably can’t prohibit them from engaging in voluntary activity explicitly enabled in federal statute, the use of MCCs does not fall into this category. This resulted in credit card companies “pausing” the roll out of the gun store MCC.
Of course, sauce for the goose is sauce for the gander and California has recently mandated the use of the gun store MCC. This move was justified by its proponents explicitly as a tool of surveillance to try and prevent violence. And as we learned last week, at least KeyBank was using proprietary MCCs for arms manufacturers before the rollout of the gun store MCC, so it is possible that banks have been using their own firearms related MCCs for some time.
The California law shows some of the problems with trying to use MCCs as a tool to preempt violence. The law requires that “firearm merchants,” defined as stores where the highest sales value in California is or is expected to be firearms, accessories, or ammunition, be identified with the MCC. While this would likely include specialist gun shops, it is unclear if this would include stores like Cabela’s, who sell a lot of guns and ammo, but also a lot of bass boats and pellet grills. It also doesn’t tell the credit card company or bank what was purchased at a retailer, so the data is likely to remain extremely noisy.
The Current Allegations
This brings us back to the Subcommittee’s letter. The KeyBank slide discusses a way the bank proposes to detect potential “active shooters.” It appears that this is not the only way the bank discusses this, since it is identified as “Methodology 2.” It also appears this is a more restrictive methodology than some others the bank discusses because it is identified as having a narrow focus.
Without having access to the entire deck we don’t know what other methods were discussed or if this is all there is to the methodology. Based on what is available the methodology appears to rely on a combination of using MCCs to populate the universe of searchable transactions, then a list of keywords that must be included in the transaction, with the keywords listed being retailers who sell things that are at least somewhat related to firearms. The slide notes that the list of keywords is not exhaustive. Finally, there are activity thresholds that need to be met over a 60-day lookback for a red flag to be triggered. The thresholds relate to the number of transactions and merchants, the amount of money spent, and the ratio of transactions and money spent on the flagged MCCs versus the customer’s overall activity.
The Problem with MCCs and Preemptive Law Enforcement
First, to give KeyBank credit, this is clearly much more restrictive than the idea that any purchase at a store that may sell guns is an automatic flag. However, it does highlight the problem with using MCCs as a tool of preemptive law enforcement.
One major problem is that the data is going to be overinclusive. The MCCs queried include pawn shops, sporting goods stores, recreation services, miscellaneous and specialty shops (which includes gun stores, but also many other types of stores), and durable goods not otherwise classified. Many, many things are sold at these stores that have nothing to do with firearms. Recall that what is described in the slide is the “narrow focus” method, and even here the results are likely to include a massive number of false positives.
This problem is pointed to by proponents of the gun store MCC as a way to clean up the universe of data, but as we have discussed previously, you would still have the Cabela’s problem. If the MCC includes Cabela’s and similar stores it will sweep in a lot of bass boat and pellet grill purchases. If it doesn’t it will miss a lot of gun sales.
The overinclusion problem is also seen in the keywords (really a list of merchants) KeyBank identifies. While some keywords are clearly linked to firearms and ammunition sales (e.g. Aimsurplus or Freedom Munitions) others are much more generic, like Cabela’s or Bass Pro Shop. Some are related to guns in a general sense but do not facilitate the direct sale of firearms (e.g. AR15.com, a message board that sells memberships and where members can sell guns to each other but does not sell guns itself). Some relate to firearms accessories that don’t seem typical in an active shooter situation (e.g. B&T Industries, who make bipods and rests for precision shooters). Some aren’t related to guns at all, like karambit.com, who make knives.
It is likely that the keywords, which are non-exhaustive, are a combination of assuming a profile of a potential shooter and being prophylactically overinclusive. Still, this broad sweep will make the data noisier and less useful.
Finally, KeyBank’s method required that the purchases meet certain thresholds over a rolling sixty-day period. These include the customer needing to use five or more merchants included in the dataset, spend at least $2500 in aggregate, the number of transactions be over half of the total transaction and account for over half of the spending on the card.
This criterion is also clearly over- and under-inclusive. A person could buy everything they need to commit a horrible act of violence from one merchant, and for far less than $2500. Conversely, it is easy to spend over $2500 on firearms and accessories without buying huge amounts of anything. A good bolt action hunting rifle and scope can easily surpass $2500. A customer buying from multiple vendors may simply be searching for good deals. And if a customer is otherwise frugal with their credit usage, or uses this particular card only for these purchases, large spends at flagged merchants (including merchants who sell many things other than guns) may easily surpass half the total spend, without signifying anything sinister.
Still, an argument could be made that the data being noisy is a price worth paying if the method is effective at stopping violence, which is a clearly worthy goal. However, there are other reasons to be skeptical. First, noisy data means that FinCEN, who presumably would receive the report, would have potentially hundreds of thousands if not millions of additional reports dumped on it, into a system that is already overburdened. In FY 2019 over 20 million suspicious activity reports were filed. An admittedly small study by the Bank Policy Institute found that only 4% of reports resulted in any law enforcement follow up.
There is also the problem of time. The method described in the KeyBank slide requires a sixty-day lookback. How useful will data that is potentially two months old when law enforcement first gets it be in preventing eminent violence? The data may be interesting after a crime is committed, but will likely also be redundant of other, more direct evidence. However, if the bank were to reduce its lookback window it would flag even more innocent people.
Finally, there is the problem of privacy. If all that mattered was usefulness to law enforcement, we would outlaw curtains because they impede police’s ability to see if you are committing a crime in your home. Thankfully, we, including most law enforcement officers, don’t take that position. We need to balance the usefulness of the information with the legitimate privacy interests of citizens. This is even more important if the activity being focused on relates to core individual rights.
While firearms are the most prominent issue raised in the letter, there are also allegations that religious and political purchases could have been flagged. And there is no reason to believe this tactic would need to stop at those topics. What could be done with gun stores could just as easily be done with abortion clinics. It isn’t that this information couldn’t lead to a legitimate law enforcement benefit in theory, but that the cost in terms of false positives, chilling constitutionally protected activities, and violating citizens privacy is almost certainly too high.
If the cost is too high, the next question is what can be done about it. That will be the topic of the next post.