Protecting Customer Financial Records

Summary

An investigation by the U.S. House of Representatives Committee on the Judiciary and the Select Subcommittee on the Weaponization of the Federal Government has concluded in a report that following the events of January 6, 2021, financial institutions, including Office of the Comptroller of the Currency (OCC)-regulated financial institutions (banks), coordinated with federal law enforcement to surveil and share the private financial information of persons engaged in transactions commonly associated with certain political affiliations-specifically targeting individuals associated with conservatism and the political right.¹ The authors of the report note that the conclusions of the investigation raise serious concerns and doubts about financial institutions' commitment to respecting Americans' privacy rights and fundamental civil liberties.

More recently, Executive Order 14331, "Guaranteeing Fair Banking for All Americans," notes that "[s]ome financial institutions participated in Government-directed surveillance programs targeting persons participating in activities and causes commonly associated with conservatism and the political right following the events that occurred at or near the United States Capitol on January 6, 2021. The Federal Government suggested that such institutions flag individuals who made transactions related to companies like 'Cabela's' and 'Bass Pro Shop' or who made peer-to-peer payments that involved terms like 'Trump' or 'MAGA,' even though there was no specific evidence tying those individuals to criminal conduct."

The OCC is issuing this bulletin to remind banks of their legal obligations to protect their customers' financial records unless disclosure is required by law under the Right to Financial Privacy Act (RFPA) and the proper usage of Suspicious Activity Reports (SARs).

Highlights

• Banks are reminded of their legal obligations to protect their customers' financial information, even if that information is requested by government agencies.
• Banks should ensure compliance with the RFPA before disclosing a customer's financial records.
• Banks are also reminded to ensure the proper use of voluntary SAR filings.
• Banks should review Executive Order 14331 and, if necessary, adjust their policies and procedures.

Right to Financial Privacy

Under the Right to Financial Privacy Act (RFPA), 12 USC §§ 3401-3423, financial institutions are prohibited from providing any government authority access to a customer's financial records except in limited circumstances. Specifically, a financial institution generally may not release a customer's financial records unless the government authority certifies in writing that it has complied with its obligations under the RFPA. To secure those records, the government authority must obtain one of the following: (1) an authorization by the customer, (2) an administrative subpoena or summons, (3) a search warrant, (4) a judicial subpoena, or (5) a formal written request from a government agency if no administrative summons or subpoena authority is available. The RFPA also generally requires that the customer receive written notice of the government's intent to acquire financial records, an explanation of the purpose of the request, and a statement regarding steps the customer may follow to protect the information. Certain exceptions may alter these notice and certification requirements.²

As the RFPA makes clear, financial institutions are required to protect their customers' financial information, even if that information is requested by government agencies. Banks should ensure compliance with the RFPA before disclosing their customers' financial records.

Suspicious Activity Reports

A bank is required to file a SAR generally within 30 calendar days after the date of initial detection of facts that may constitute a basis for filing a SAR. A basis for filing a SAR includes circumstances where a bank detects any known or suspected federal criminal violation, or pattern of criminal violations, committed or attempted against the bank or involving a transaction or transactions conducted through the bank that meets certain thresholds, and where the bank believes that it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the bank was used to facilitate a criminal transaction.³

A bank, on a voluntary basis, may also file a SAR with respect to any suspicious transaction that it believes is relevant to the possible violation of any law or regulation but whose reporting is not required by 12 CFR Part 21 and 31 CFR Chapter X.⁴ However, banks are reminded that they should not use voluntary SARs as a pretext to improperly disclose customers' financial information or evade the RFPA. A bank should only submit a voluntary SAR where it identifies concrete suspicious activity, such as activity that could form the basis for filing a SAR except that it is under the applicable threshold.

Conclusion

Banks should review Executive Order 14331 and, if necessary, adjust their policies and procedures accordingly, including with respect to the fact that "[i]t is the policy of the United States that no American should be denied access to financial services because of their constitutionally or statutorily protected beliefs, affiliations, or political views, and to ensure that politicized or unlawful debanking is not used as a tool to inhibit such beliefs, affiliations, or political views.".⁵

Further Information

Please contact the OCC's Chief Counsel's Office at (202) 649-5490.

Jonathan V. Gould
Comptroller of the Currency