Right to Financial Privacy Act
Background
The Right to Financial Privacy Act of 1978 was enacted to provide the financial records of financial institution customers a reasonable amount of privacy from federal government scrutiny. The act, which became effective in March 1979, establishes specific procedures that government authorities must follow when requesting a customer’s financial records from a bank or other financial institution. It also imposes duties and limitations on financial institutions prior to the release of information sought by government agencies. In addition, the act generally requires that customers receive
- A written notice of the federal authority’s intent to obtain financial records
- An explanation of the purpose for which the records are sought
- A statement describing procedures to follow if the customer does not wish such records or information to be made available
Certain exceptions allow for delayed notice or no customer notice at all.
Prior to passage of the act, bank customers were not informed that their personal financial records were being turned over to a government authority and could not challenge government access to the records. In United States v. Miller (425 U.S. 435 (1976)), the Supreme Court held that because financial records are maintained by a financial institution, the records belong to the institution rather than the customer; therefore, the customer has no protectable legal interest in the bank’s records and cannot limit government access to those records. It was principally in response to this decision that the Right to Financial Privacy Act was enacted.
Coverage
Coverage under the act specifically extends to customers of financial institutions. A customer is defined as any person or authorized representative of that person who uses or has used any service of a financial institution. The definition also includes any person for whom the financial institution acts as a fiduciary. Corporations and partnerships of six or more individuals are not considered customers for purposes of the act.
Requirements
To obtain access to, copies of, or information contained in a customer’s financial records, a government authority, generally, must first obtain one of the following:
- An authorization, signed and dated by the customer, that identifies the records, the reasons the records are being requested, and the customer’s rights under the act
- An administrative subpoena or summons
- A search warrant
- A judicial subpoena
- A formal written request by a government agency (to be used only if no administrative summons or subpoena authority is available)
A financial institution may not release a customer’s financial records until the government authority seeking the records certifies in writing that it has complied with the applicable provision of the act. In addition, the institution must maintain a record of all instances in which a customer’s records are disclosed to a government authority pursuant to customer authorization. The records should include the date, the name of the government authority, and an identification of the records disclosed. Generally, the customer has a right to inspect the records.
Although there are no specific record-retention requirements in the act, financial institutions should retain copies of all administrative and judicial subpoenas, search warrants, and formal written requests given to them by federal government agencies or departments along with the written certification required.
A financial institution must begin assembling the required information upon receipt of the agency’s summons or subpoena or a judicial subpoena and must be prepared to deliver the records upon receipt of the written certificate of compliance.
Cost Reimbursement
With certain exceptions, government entities must reimburse financial institutions for the cost of providing the information. This reimbursement may include costs for assembling or providing records, reproduction and transportation costs, or any other costs reasonably necessary or incurred in gathering and delivering the requested information. The Board’s Regulation S establishes rates and the conditions under which these payments may be made.
Consumer Compliance Handbook RFPA 1 (1/06)
Exceptions to Notice and Certification Requirements
In general, exceptions to the notice and certification requirements cover situations pertinent to routine banking business, information requested by supervisory agencies, and requests subject to other statutory requirements. Specific exceptions include records
- Submitted by financial institutions to any court or agency when perfecting a security interest, proving a claim in bankruptcy, or collecting a debt for itself or a fiduciary
- Requested by a supervisory agency in connection with its supervisory, regulatory, or monetary functions (including regular examinations and any investigations relating to consumer complaints)
- Sought in accordance with procedures authorized by the Internal Revenue Code (records that are intended to be accessed by procedures authorized by the Tax Reform Act of 1976)
- Required to be reported in accordance with any federal statute (or rule promulgated thereunder, such as the Bank Secrecy Act)
- Requested by the Government Accountability Office for an authorized proceeding, investigation, examination, or audit directed at a federal agency
- Subject to a subpoena issued in conjunction with proceedings before a grand jury (with the exception of cost reimbursement and the restricted use of grand jury information)
- Requested by a government authority subject to a lawsuit involving the bank customer (The records may be obtained under the Federal Rules of Civil and Criminal Procedure.)
The act also allows financial institutions to
- Release records that are not individually identifiable with a particular customer
- Notify law enforcement officials if it has information relevant to a violation of the law
Exceptions to Notice Requirements But Not to Certification Requirements
In certain cases, the act does not require the customer to be notified of the request but still requires the federal agency requesting the information to certify in writing that it has complied with all applicable provisions of the act. Exceptions to the notice provisions include
- Instances in which a financial institution, rather than a customer, is being investigated
- Requests for records incidental to the processing of a government loan, loan guaranty, loan insurance agreement, or default on a government-guaranteed or government-insured loan (In this case, the federal agency must give the loan applicant a notice of the government’s rights to access financial records when the customer initially applies for the loan. The financial institution is then required to keep a record of all disclosures made to government authorities, and the customer is entitled to inspect this record.)
- Instances in which the government is engaging in authorized foreign intelligence activities or the Secret Service is carrying out its protective functions
Although the Securities and Exchange Commission is covered by the act, it can obtain customer records from an institution without prior notice to the customer by obtaining an order from a U.S. district court. The agency must, however, provide the certificate of compliance to the institution along with the court order prohibiting disclosure of the fact that the documents have been obtained. The court order will set a delay-of-notification date, after which the customer will be notified by the institution that the SEC has obtained his or her records.
Delayed-Notice Requirements
Under certain circumstances, a government entity may request a court order delaying the customer notice for up to ninety days. This delay may be granted if the court finds that earlier notice would result in endangering the life or physical safety of any person, flight from prosecution, destruction of or tampering with evidence, or intimidation of potential witnesses or would otherwise seriously jeopardize or unduly delay an investigation, trial, or official proceeding. Delayed notice of up to ninety days is also allowed for search warrants.
Civil Liability
A customer may collect civil penalties from any government agency or department that obtains, or any financial institution or employee of the institution who discloses, information in violation of the act. These penalties include (1) actual damages, (2) $100, regardless of the volume of records involved, (3) court costs and reasonable attorney’s fees, and (4) such punitive damages as the court may allow for willful or intentional violations. An action may be brought up to three years after the date of the violation or the date the violation was discovered. A financial institution that relies in good faith on a federal agency’s certification may not be held liable to a customer for the disclosure of financial records.
Examination Procedures
1. Determine if the financial institution has received any requests for customer financial records covered by the act since the most recent compliance examination. If no requests have been received, determine if the institution is aware of its responsibilities under the act. If requests have been received, complete the remaining procedures.
2. Determine if the financial institution has established procedures and internal controls for fulfilling requests by government authorities for consumer financial records that are adequate to ensure that all requests are handled in compliance with the act.
3. Determine if the financial institution provides customers’ financial records to government authorities only after receiving the written certification required by the act.
4. Determine if the financial institution’s internal procedures require that the institution refrain from requiring a customer’s authorization for disclosure of financial records as a condition of doing business.
5. Determine if the financial institution keeps appropriate records of those instances in which a customer’s financial records are disclosed to a government authority upon authorization by the customer, including a copy of the request and the identity of the government authority. Determine if the institution provides customers a copy of the records upon request (unless a court order blocking access has been obtained).
6. Determine if the financial institution maintains appropriate records of all disclosures of a customer’s records made to a government authority in connection with a government loan, guaranty, or insurance program. Determine if the institution allows customers to examine these records upon request.
Examination Checklist
1. Has the financial institution received any requests for customer financial records covered by the Right to Financial Privacy Act since the last examination? Yes No
If it has, answer questions 2–7.
2. Has the financial institution, in compliance with the act, established procedures for fulfilling requests by government authorities for customers’ financial records? Yes No
3. Does the financial institution have adequate internal controls in place to ensure that all requests are handled in compliance with the act? Yes No
4. As required by section 1103(b) of the act, does the financial institution provide customers’ financial records to government authorities only after receiving the written certification required by the act? Yes No
5. Does the financial institution refrain from requiring a customer’s authorization for disclosure of financial records as a condition of doing business? (§ 1104(b)) Yes No
6. Does the financial institution maintain records of all disclosures of customer records made to a government authority in connection with a government loan, guaranty, or insurance program? (§ 1113(h)(6)) Yes No
a. Does the financial institution allow customers to examine these records upon request? Yes No
7. Does the financial institution keep adequate records of those instances in which a customer’s financial records are disclosed to a government authority upon authorization by the customer, including a copy of the request and the identity of the government authority? (§ 1104(c)) Yes No
a. Does the financial institution allow customers to examine these records upon request (unless blocked by a court order)? Yes No
Each question 2–7 answered “no” requires an explanation of how the financial institution intends to comply with the requirements of the act.