Compliance Blog

Sep 09, 2020
Categories: Privacy

We Don’t Need No Stinkin’ Warrant: RFPA Exceptions

In my last blog, I described how the Right to Financial Privacy Act (RFPA) prohibits a credit union from providing a member’s account information to a federal law enforcement agent if there is no written document – such as a warrant, subpoena, or formal written request – instructing the credit union to hand it over. However, like any good financial regulation, the RFPA contains a number of exceptions and caveats. A credit union may want to become acquainted with those exceptions before refusing to hand over information or telling a federal agent to “come back with a warrant.” 

The SAR Exception

One important exception is how the RFPA interacts with the requirements for Suspicious Activity Reports (SARs). Section 748.1 of the NCUA regulations and FinCEN guidance require credit unions to provide SAR-related information and documents without a written request or legal process. Section 748.1(c)(3), which discusses record retention for SARs, states that “[a] credit union must make all supporting documentation available to appropriate law enforcement authorities and its regulatory supervisory authority upon request” (emphasis added). 

FinCEN guidance states:

“The Right to Financial Privacy Act (RFPA) generally prohibits financial institutions from disclosing a customer’s financial records to a Government agency without service of legal process, notice to the customer and an opportunity to challenge the disclosure.

However, no such requirement applies… when FinCEN or an appropriate law enforcement or supervisory agency requests either a copy of a SAR or supporting documentation underlying the SAR.

With respect to supporting documentation, rules under the BSA state explicitly that financial institutions must retain copies of supporting documentation, that supporting documentation is “deemed to have been filed with” the SAR, and that financial institutions must provide supporting documentation upon request. FinCEN has interpreted these regulations under the BSA as requiring a financial institution to provide supporting documentation even in the absence of legal process. FinCEN understands that this is in accord with the RFPA, which states that nothing in the act “authorize(s) the withholding of financial records or information required to be reported in accordance with any Federal statute or rule promulgated thereunder.”

(emphasis added, footnotes omitted).

As the quote illustrates, FinCEN has interpreted the SAR requirements as providing an exception to the RFPA. Credit unions are required to provide supporting documentation to FinCEN or other appropriate law enforcement or supervisory agencies upon request. No warrant, subpoena, or other document described in 12 U.S.C. 3402 is required when SAR documentation is requested.

What other agencies would be deemed an “appropriate law enforcement agency”? Footnote 79 in the FFIEC’s BSA/AML Examination Manual’s SAR Overview provides:

“Examples of agencies to which a SAR or the information contained therein could be provided include: the criminal investigative services of the armed forces; the Bureau of Alcohol, Tobacco, and Firearms; an attorney general, district attorney, or state’s attorney at the state or local level; the Drug Enforcement Administration; the Federal Bureau of Investigation; the Internal Revenue Service or tax enforcement agencies at the state level; the Office of Foreign Assets Control; a state or local police department; a United States Attorney’s Office; Immigration and Customs Enforcement; the U.S. Postal Inspection Service; and the U.S. Secret Service…”

It should be mentioned, however, that the SAR exception is limited to information within the SAR and supporting documents. Information about a member that is not part of the SAR or supporting documents may still be covered by the RFPA and therefore disclosure could be prohibited absent one of the written documents listed in 12 U.S.C. 3402 or the exceptions discussed below.

Voluntary Reporting of Violations

Aside from SARs, there are also some exceptions for when a credit union wishes to inform a federal agency of a possible violation of the law. Section 3403(c) provides that nothing in the RFPA will prohibit a credit union from notifying a government authority that the credit union has information that may be relevant to a possible violation of any statute or regulation. If a credit union wishes to inform a government authority that it has such information, the statute notes that the information the credit union provides “…may include only the name or other identifying information concerning any individual, corporation, or account involved in and the nature of any suspected illegal activity….”

Other Exceptions

Section 3413 of the RFPA provides a list of other exceptions in which disclosure will be permitted. These exceptions include:

  • Disclosure to any supervisory agency in the exercise of its supervisory, regulatory or monetary functions, including an examination (12 U.S.C. 3413(b));
  • Disclosure of information that is not identifiable as belonging to a particular credit union member (12 U.S.C. 3413(a));
  • Disclosure pursuant to the Internal Revenue Code or IRS rules (12 U.S.C. 3413(c) and (d));
  • Disclosure pursuant to the Federal Rules of Criminal Procedure (12 U.S.C. 3413(e));
  • Disclosure when only the name, address, account number and type of account of a member is sought as part of a legitimate law enforcement investigation in certain limited circumstances (12 U.S.C. 3413(g));
  • Disclosure when the federal agency is considering the member for a government loan, loan guaranty, or loan insurance program (12 U.S.C. 3413(h)(1)(B));
  • Disclosure of the name and address of a member to the Department of Veterans Affairs for the proper administration of a benefits program (12 U.S.C. 3413(p));
  • Disclosure to the Federal Reserve or FHFA in exercise of their authority to extend credit (12 U.S.C. 3413(m) and (o));
  • Disclosure to the CFPB (whether for an examination or in exercise of its duties) (12 U.S.C. 3413(r)).

Additionally, 12 U.S.C. 3414 provides a few more exceptions, which apply when information is sought relating to counter-intelligence activities, analysis relating to international terrorism, or the protective functions of the U.S. Secret Service. However, the statute also notes that when those exceptions are invoked, the government authority must provide the credit union with a written certificate of compliance with the RFPA, as described in 12 U.S.C. 3403(b).

As the list above illustrates, there are a variety of exceptions to the RFPA in which a credit union will be permitted to disclose information to a federal agency without a warrant, subpoena, or other written order. Many of those exceptions do not relate to criminal investigations of the member, but rather focus on the agency’s supervisory functions or administration of a benefit or loan program. Some of the exceptions limit the information provided to just a member’s name and address, whereas others require the federal agency to provide a written certificate of RFPA compliance before the credit union is required to hand over the information. Credit unions that receive requests from federal agencies and agents will want to familiarize themselves with the various RFPA exceptions, and possibly consult with counsel, when determining if they are required to comply with a request for information from a federal agency.

About the Author

Nick St. John, NCCO, NCBSO, Director of Regulatory Compliance, NAFCU

Nick St. John was named Director of Regulatory Compliance in August 2022. In this role, Nick helps credit unions with a variety of compliance issues.