Conclusion
The RFPA is a very complicated piece of legislation and, therefore, we thought it would be helpful to put together a summary of your responsibilities under the RFPA.
First, remember that you are required to maintain records of the disclosures made to government authorities in connection with government loan programs and pursuant to customer authorizations.
Second, if you are presented with a request for financial records, you should follow these steps:
- Determine whether the request is within the general coverage of the RFPA
Determine whether the request is coming from an entity within the definition of "government authority" and whether the request is for records of a "customer."
- If the request is outside the general coverage of the RFPA
Determine whether there are any state law consequences of releasing the customer records before doing so.
- If the request is within the general coverage of the RFPA
Either: (a) obtain a certificate of compliance from the government authority; or (b) determine which exception situation applies and justifies releasing the records without a certificate of compliance. In either case, you should inspect the documents by which the request is made (and the certificate of compliance if you obtain one) and look for irregularities.
- If you decide to release the records
Begin keeping track of costs directly incurred in finding, reproducing, and transporting the records so you will be able to present an itemized bill to the government authority for reimbursement.
Third, be sure to comply with any "gag orders" a court may issue to you in connection with records requests. "Gag orders" are orders the court issues prohibiting you from disclosing to your customer the fact that records have been requested or obtained by the government authority. You should instruct employees about the existence and importance of gag orders.
Throughout the RFPA portion of this chapter, we have made references to state financial privacy laws and how you should take those laws into consideration when faced with a records request that is outside the general coverage of the RFPA. A number of states have enacted their own financial privacy laws that generally deal with records requests which are not subject to the RFPA, such as requests from state government authorities or private entities. Also, state laws arising from court cases suggest that there may be an implied agreement between a financial institution and its customers that the customer's financial records will be kept confidential. Release of the records, under this theory, constitutes a breach of that agreement by the financial institution.
It is beyond the scope of this manual to give the details of all of the state financial privacy laws, or review the breach of contract theory in depth. However, we urge you to explore this with your counsel in the event you receive a records request which might be subject to state law. We do not want to leave you with the impression that because a request is outside the scope of the RFPA, it is completely unregulated.
Finally, you can find the Financial Privacy Act in the U.S. Code at 12 USC 3401 et seq. Regulation S, the cost-reimbursement regulation, can be found at 12 CFR 219.1 et seq.