What Banks Need to Know in Responding to Subpoenas for Financial Records

As counsel for lenders, I’ve been consulted with and required to opine on a wide range of topics throughout my career.  Specific to financial institutions, lawyers working in our banking law practice group have knowledge of not only the legal process for special assets workouts and the regulations governing commercial and consumer transactions but also the regulatory guidelines governing turnover of sensitive bank data in the discovery process. For instance, what steps must be taken by a bank responding to subpoenas that request private and confidential customer information?  This blog post seeks to ease the learning curve for banks who don’t know how to respond when faced with subpoenas for financial records and takes a close look at (1) who and what the privacy rights the laws are designed to protect, (2) what the governing laws require, and (3) how these laws are implemented when a bank subpoena is received.

Three federal acts are of primary importance for purposes of this blog post. First, the Right to Financial Privacy Act (“RFPA”) affords the right for customers to be informed by the government before obtaining nonpublic information. 12 U.S.C. §§3401-22 (2012). Second, the Gramm-Leach-Bliley Act (“GLBA”) requires financial institutions to safeguard the confidentiality of customer information. 15 U.S.C. § 6801 (1999).  Lastly, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (“Patriot Act”) enacted after the terrorist attacks of September 11, 2001, gives the government permission to obtain personal information about a customer without needing consent from the customer. Pub. L. 107-56, 115 Stat. 272 (codified as amended in scattered sections of 8, 15, 18, 22, 31, 42, 49 and 50 U.S.C.). Furthermore, the Patriot Act also contends that a customer is not entitled to notice if any suspicious activity reports (“SAR”) are made or requested in regard to their account. 31 U.S.C § 5315 (2001).

For more information about SAR, see our blog article: Why and What are Banks Prohibited From Suspicious Activity Reports (SAR) of Fraud by Federal Law?

Right To Privacy

The right to privacy is not found in the Constitution.  The Supreme Court recognized and expanded the right to privacy based on what was found in the “penumbras” of other constitutional rights.  Griswold v. Connecticut, 381 U.S. 479 (1965).  Concerns about financial privacy has increased as data processing has grown and improved.  The Supreme Court recognized these increasing concerns and issued decisions that questioned the privacy protections afforded to financial records.

The Court held that a bank customer does not have a constitutionally protected right of privacy in bank account records.  U.S. v. Miller, 425 U.S. 435 (1976).  Without a right to privacy, the customer lacked standing to challenge the bank’s disclosure to federal authorities.  Id.  That same day, the Court held that a customer’s Fifth Amendment right against self-incrimination does not prevent the attorney from producing financial records, made by an accountant, when summoned by the I.R.S.  Fisher v. United States, 425 U.S. 391 (1976).  Similar to the rationale in Miller, the Court reasoned that there is no constitutionally protected right to privacy in the documents since they were prepared by a third party.  Id.  Congress did not agree with the Court and responded with legislation.

Recently, however, the Court eroded its earlier holding that there is no reasonable expectation to privacy for information entrusted to third parties in the context of cellphone location data. Carpenter v. United States, 138 S. Ct. 2206 (2018). While Carpenter did not directly relate to financial records, it may be a sign that the Court is willing to expand more protection to consumer data in the future.

Governing Law For Helping Ensure Bank Customer Privacy

Congress, over time, has enacted three similar, yet distinguishable acts which pertain to a customer’s right to privacy.  While providing different protections, the acts similarly affect the privacy rights of customers.  Congress responded first with the RFPA in 1978.  12 U.S.C. §§ 3401-22 (2012).  The RFPA protects customer records, maintained by financial institutions, from improper disclosure to officials or agencies of the federal government.  Id. § 3402.  The RFPA prohibits financial institutions from disclosing to the federal government records held without the government first notifying the customer and allowing for a waiting period.  Id. at § 3410.  It is imperative to remember that the RFPA only applies to the federal government; it does not apply to requests made by state or local government and private parties.  Id. § 3401.

A little over twenty years later, the GLBA was adopted.  15 U.S.C. §6801 (2012).  The GLBA informs financial institutions of an “affirmative and continuing obligation” to respect and protect the security, integrity and confidentiality of customer information.  Id.  Under the GLBA, financial institutions must deliver notices to customers regarding the collection and information sharing policies; providing customers with the choice to opt-out if they do not want their information shared with nonaffiliated third parties.  15 U.S.C. § 6802(b), (e) (2012).  The GLBA does not protect the entirety of the customer’s information; limiting only the disclosure of “nonpublic personal information.”  Summarizing the definition, this means any personally identifiable information about a customer, or list of customers, created through the use of personally identifiable information that is not publicly available.  Id. § 6809.  The GLBA, however, only protects privacy relating to consumer transactions; allowing specific exceptions for when a financial institution may share information that the customer cannot choose to opt-out.  Id.  § 6802(e).

Only a few years later, and following the terrorist attacks of September 11, 2001, Congress enacted the Patriot Act.  The Patriot Act contains two key provisions affecting customer privacy and subpoenas.  First, financial institutions are required to report suspicious activities and transactions without notifying the customer.  31 U.S.C. § 5313 (2012).  The Patriot Act expanded who must comply with a SAR by broadly defining financial institution to include more than banks. Financial institutions include insurance companies, businesses engaged in vehicle sales, realtors, travel agents, and casinos.  Id. § 5312.  Second, the Patriot Act permits the government to obtain information from foreign financial institutions through corresponding US affiliate financial institutions.  Id. § 5314.  If a financial institution reports a suspicious transaction, the institution may not notify any parties involved.  This further complies with the RFPA, 12 U.S.C. § 3404, and should not become an issue.  The Patriot Act essentially allows the government to obtain personal information about the customer without the customer’s knowledge and without having any right to inform the customer of such action.

These legislative acts were enacted as the need to govern financial privacy standards developed alongside data and processing technology. Banks are mandated to fight against identity theft, gain a greater understanding of their customers, and protect third-party sharing of sensitive information. For instance, the GLBA provides, “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” 15 U.S.C. § 6801. Other federal, state and local laws may obligate financial institutions to prohibit disclosure or require redaction of confidential information pursuant to the subpoena or otherwise.

In Florida, an objection to a subpoena issued upon a bank must be raised by “motion made promptly and in any event at or before the time specified in the subpoena for compliance therewith.” Fla R. Civ. P. § 1.410(c). Once such motion is made, the court may quash or modify the subpoena if it is unreasonable and oppressive. Id. It is important to note that the court does not usually monitor who and what is being subpoenaed.

The citizens of Florida elected for more protection from governmental intrusion when they approved amendments made to the Florida Constitution. Article 1, Section 23, is an independent, freestanding constitutional provision which declares the fundamental right to privacy. Art I, § 23, Fla. Const. (1980). The Florida Supreme Court has approached the intent of the Florida Constitution and has held that Florida law recognizes a greater protection for an individual’s right of privacy including an individual’s legitimate expectation of privacy in financial institution records.  Winfield v. Division of Pari-Mutuel Wagering, 477 So. 2d 544 (Fla. 1985). However, as has been the norm in much of our legal history, the court was adamant to contend that while the right of privacy afforded to our citizens is greater than that of the US Constitution, a bank cannot be mandated to provide notice to a bank customer pursuant to a subpoena and must instead comply with court orders where a valid objection does not apply. Id.  It seems clear even in Florida, unless a governmental agency is the issuing party, state and local governments along with private citizens may subpoena a customer’s financial information without there being mandated customer notice.

Bank Subpoenas And Governing Law

There is a growing concern among banks that answering a subpoena may violate a privacy provision of one of the governing laws.  The GLBA, unlike the Patriot Act and the RFPA, does not have a safe harbor provision; providing a justification for the concern.  The absence of a safe harbor raises concerns on how the financial institution should proceed.  Under all of the governing laws, the first step upon receiving a subpoena is to determine whether the federal government is involved or not.  With some exceptions, if there is no government involvement than only the GLBA applies, and compliance is likely required as a “judicial process” exception.  15 U.S.C. § 6802(e)(8); Ochoa v. Empresas ICA, S.A.B. de C.V., No. 11-23898-CIV, 2012 WL 326324 (S.D. Fla. 2012).  However, if the government is involved, than the RFPA and the Patriot Act will also apply.

The “judicial process” exception becomes more muddled when a civil subpoena is involved.  Subpoenas are part of the judicial process, but there is case law that ignores the general exemption under the GLBA for civil suit subpoenas requiring answers, and instead limits the scope of the subpoena.  Landry v. Union Planters Corp., 2003 WL 21355462 (E.D. La. 2003) (limiting the scope of the subpoena to only bind financial data so that the documentation would not constitute nonpublic information).  The uncertainty surrounding the “judicial process” exception is further complicated in the absence of a clear bright-line rule and decisions such as Landry.  Until either Congress or the courts establish a bright-line rule determining whether civil subpoenas fall within the “judicial process” exception, financial institutions are left with uncertainty.  Institutions now have to ascertain whether to challenge the subpoena as too broad or notify the customer; following the process to allow the customer to opt-out of the disclosure.  15 U.S.C. § 6802(b).  Financial institutions are faced with deciding whether to challenge the scope of the subpoena or answer it; knowing that answering it may potentially subject the institution to a lawsuit by the customer for disclosing nonpublic financial information without giving the option to opt out of the disclosure or object to the subpoena.

The RFPA only applies to subpoenas from “any agency or department of the United States, or any officer, employee or agent thereof,” otherwise known as governmental authority.  12 U.S.C. § 3401.  Governmental authority, under the RFPA, is limited only to the federal government.  Private parties or state and local government are not regulated under the RFPA but could be under state law.  See United States v. Zimmerman, 957 F. Supp. 94 (N.D.W. Va. 1997); In re Duque, 177 B.R. 397, 404 (Bankr. S.D. Fla. 1994).  It is limited further by only protecting individuals or partnerships of five or fewer individuals.  12 U.S.C. § 3401(4).

Generally, a financial institution may not release records unless the requesting agency first provides a written certificate of compliance.  32 C.F.R. Part 275 Enclosure 4 (2004).  So long as the bank receives the certificate of compliance, the RFPA provides a safe harbor protection against any wrongful disclosure suits.  12 U.S.C. §3417(c).  There is less angst when the federal government seeks information through a subpoena.  This is because the statute outlines the process clearly and the governmental authority bears the duty to follow the statute or compliance with the subpoena is not necessary.  Id. § 3402.

While financial institutions are required to report suspicious activities without notifying customers, issues can still arise when dealing with a subpoena and a SAR.  An issue can arise when a subpoena specifically asks for, or by virtue of its breadth would encompass, a SAR.  If a SAR is specifically asked for, the simple solution is to send a written objection referring to regulations stating that any SAR is confidential and cannot be released.  See 12 C.F.R. §§ 21.11 (2012), 208.62 (2010), 353 (2012), 563.180 (2013).  Additionally, when a subpoena or discovery request asks for the production of a SAR, the financial institution should contact its primary federal regulatory agency and the Financial Crimes Enforcement Network.  31 C.F.R. § 103.18(e) (2010).  Similar to the RFPA, the Patriot Act provides a safe harbor to protect financial institutions that disclose private customer information.  31 U.S.C. § 5318(g) (2012).  Also identical to the protections of the RFPA, disclosures in response to verbal instructions of government officials are not afforded safe harbor protections.  Lopez v. First Union Nat’l Bank of Fla., 129 F.3d 1186 (11th Cir. 1997).  Consistent with existing laws and regulations, a government official’s verbal instructions do not constitute legal authority.  Id. at 1194.  When applying the Patriot Act to subpoenas, financial institutions should specifically be concerned when a civil subpoena asks for a SAR.

Conclusion: Bank Responding To Subpoenas For Financial Records

Upon receipt of a subpoena, the financial institution should determine if a governmental authority issued the subpoena.  If the federal government issued the subpoena, the RFPA applies.  The burden rests with the government to provide notice to the customer, and to produce a certificate of compliance with RFPA to the institution prior to compliance.  If a local or state authority issues the subpoena then the GLBA applies, and the bank will likely have to answer the subpoena without notifying the customer.  15 U.S.C. § 6802(e)(8).  The GLBA also applies if the subpoena is issued from a private party.  Whether or not notice is required is unclear, but it is unlikely due to the “judicial process” exception.  Often in this situation, the cautious route is the wisest route.  If issued by local or state authority, the bank should seek permission to notify the customer, and provide the customer a reasonable opportunity to file the proper motion to object.  Similarly, if issued by a private party, the bank should request the right to notify the customer and provide the customer a reasonable opportunity to file the proper motion to object.  If, however, the subpoena requests information that may be found within a SAR, the bank cannot comply under the Patriot Act. Lastly, if the subpoena asks for compliance or examination information from the FDIC or state regulators, there is a high likelihood that it is exempt information under federal and state law and it should not be provided.