Compliance Blog

Somewhere in the United States, a phone rings at a credit union. A compliance officer answers it. The voice on the other end says: “This is agent Doe with the U.S. Secret Service – can you send us everything you have on John Smith?”

The compliance officer is uncertain – sure, she knows about TRID, Regulation CC and model bylaws. But can she refuse a request from a federal agent?

The NAFCU compliance team has received this question more than once in recent weeks. If a purported government agent calls the credit union and makes an oral request for a member’s account information, what is required of the credit union? NAFCU has even heard of one instance in which, when the credit union declined to send the information, a purported secret service agent became angry and said that the credit union was in violation of federal law. No compliance professional wants to be on the wrong side of the law, so what does the law actually say on this topic?

First, credit unions should be cautious. As detailed in a previous post in the Compliance Blog, the Financial Crimes Enforcement Network (FinCEN) recently issued an advisory on “imposter scams.” While imposter scams can take on a few different forms, one type of imposter scam involves the criminal impersonating an organization, such as a government agency, in an attempt to coerce or convince the target to provide valuable information. Given that, receiving a call from someone claiming to be a federal agent, and who makes an oral request for the credit union to send account information, should at least put the credit union on alert that an imposter scam could be afoot. A credit union may want to conduct additional investigation to determine if they are dealing with a real federal agent, such as calling the agency at a phone number listed on its government website.

What about when the credit union has verified that they are dealing with an actual federal law enforcement agent? As it turns out, complying with an oral request for a member’s account information could violate federal law.

The Right to Financial Privacy Act (RFPA) (12 U.S.C. 3402) prohibits a credit union from giving a “government authority” access to the financial records of a member, except in a limited set of circumstances.

The act defines the term “government authority” to mean “any agency or department of the United States, or any officer, employee, or agent thereof.” Interestingly, the definition makes no mention of state government, so only federal agencies and departments are included within the scope of the RFPA. Additionally, the act also defines “financial record” broadly to cover “an original of, a copy of, or information known to have been derived from, any record held by a financial institution pertaining to a customer’s relationship with the financial institution” (emphasis added).

Thus, under the RFPA, credit unions are prohibited from providing federal agencies or departments with any records pertaining to the customer’s relationship with the credit union, except in a limited set of circumstances. A government authority may have access to or obtain financial records if:

1. The customer has authorized such disclosure in accordance with 12 U.S.C. 3404;
2. The financial records are disclosed in response to an administrative subpoena or summons which meets the requirements of 12 U.S.C. 3405;
3. The financial records are disclosed in response to a search warrant which meets the requirements of 12 U.S.C. 3406;
4. The financial records are disclosed in response to a judicial subpoena which meets the requirements of 12 U.S.C. 3407; or
5. The financial records are disclosed in response to a formal written request which meets the requirements of 12 U.S.C. 3408.

(emphasis added).

As the list illustrates, all five items listed under 12 U.S.C. 3402 require some type of written document, so an oral request for account information would not suffice.

Each item on the list has a cross-reference to its own statute. This helps reduce ambiguity – rather than being left to guess at whether a certain document amounts to a “formal written request,” for example, the RFPA provides a separate statute that lays out the criteria for each type of document listed.

As another example, 12 U.S.C. 3404 describes the requirements that apply when a member wishes to authorize a government authority to access his or her information. Such an authorization would need to be a signed and dated statement that authorizes disclosure for no more than three months, identifies the records that are authorized to be disclosed, and identifies which government authority the records can be disclosed to, among other things.

A “formal written request,” on the other hand, is covered in 12 U.S.C. 3408, which says that such a request is to be used as a last resort when a summons or subpoena is not available. According to the statute, a copy of the formal written request should be provided to the credit union member, and should include a notice of how the member can seek to block the disclosure of the records.

A credit union that has received a request from a “government authority” may want to review the request and factual circumstances to determine if one of the five exceptions listed in 12 U.S.C. 3402 might apply. Credit unions that violate the RFPA are subject to the civil penalties described in 12 U.S.C. 3417, including possible damages to the member, as well as possible punitive damages, court costs, and attorneys fees.