If you have recently received a subpoena from a government agency investigating a customer’s financial dealings, you are not alone. As the alarm and uncertainty of the COVID-19 pandemic finally begin to calm, audits and investigations concerning the use of funds from pandemic relief initiatives such as the Paycheck Protection Program, Main Street Lending Program, and others are in full swing, sometimes followed by civil and criminal charges.
Once you have established that the subpoena is legitimate, what do you do with it? Banks are accustomed to cooperating with government requests and investigations, but banks are limited in what customer information they can disclose (even to the government) without following the proper procedures – namely, those established by the Right to Financial Privacy Act (RFPA).
What Is the Right to Financial Privacy Act?
RFPA protects bank customers from federal government intrusion by requiring that federal agencies follow a certain process to obtain customers’ financial records. Note that while RFPA does not apply to requests by state and local government agencies, many states have enacted similar customer notice requirements.
RFPA is limited, however, in that it only covers records of individuals and partnerships of five or fewer individuals. Under RFPA’s definitions, “customer” does not include corporations, partnerships of six or more individuals, trusts, associations, or other legal entities. While not specifically mentioned in RFPA or accompanying guidance, courts have held that LLCs are also not covered customers.
What Is the Process?
A federal agency may obtain a customer’s records if it can present written authorization from the customer that satisfies certain statutory requirements. Otherwise, RFPA requires the federal government to follow procedural and documentation requirements, such as notifying the customer and providing them with a copy of the request. These requirements vary based on the type of request. The requesting agency is also required to provide the bank with a written certification confirming the agency has indeed complied with RFPA’s requirements. The bank is then permitted to rely on the written certification in good faith and disclose the requested records.
If records are erroneously disclosed, the impacted customer may collect civil penalties from the bank and the relevant agency, including: $100 (without regard to the volume of the records involved), any actual damages, punitive damages (in cases of willful or intentional violations), and attorney’s fees and court costs.
Are There Exceptions?
RFPA prescribes certain circumstances in which the bank can disclose customer financial records without confirming compliance with the customer notice and/or certification requirements or when specific alternative procedures apply. These circumstances include (but are not limited to):
- Requests for financial records that cannot be identified with a particular customer.
- Disclosure of limited information to notify a federal authority of a possible violation of law.
- Records necessary for a bank to perfect a security interest, provide a claim in bankruptcy, collect a debt, or process an application with regard to a federal loan or loan guarantee.
- Requests by the bank’s federal regulators in the course of their supervisory, regulatory, or monetary functions.
- Certain requests made in connection with the administration of, or lawful examinations and investigations relating to, government loan programs and loan guarantees.
- Disclosures specifically authorized by the Internal Revenue Code.
- Disclosures the bank is otherwise required to make under applicable federal statutes and rules, such as the Bank Secrecy Act.
- Disclosures made to the Board of Governors of the Federal Reserve System, a Federal Reserve Bank, the Federal Housing Finance Agency or a federal home loan bank in connection with their authority to extend credit to the bank.
- Requests under Federal Rules of Civil or Criminal Procedure in connection with litigation to which the federal agency and the customer are parties.
- Subpoenas or court orders issued in conjunction with proceedings before a grand jury.
This is only a brief summary of RFPA’s very detailed and situation-specific requirements. In the event a request for customer information from a federal agency is received, the bank should review both the request and RFPA carefully to confirm the appropriate procedure has been followed or verify a valid exception/ alternative procedure exists. Note that records of entities not covered by RFPA may still contain customer information that is covered.
If the bank believes it has covered customer information that is responsive to a government request, but the appropriate procedure has not been followed (or exception identified), that information should be withheld until the question of RFPA’s applicability is resolved. In doing so, the bank should be transparent and forthcoming with the requesting agency about why it is withholding the customer’s information, giving the agency an opportunity to address the matter.