Exceptions to the RFPA

This section will review exceptions to the RFPA, or circumstances where all or part of the RFPA does not apply, even though the government request fits within the general coverage of the RFPA. Generally, these exceptions allow disclosure without the government authority having to provide notice to the customer or a certification of compliance to the financial institution. However, in some cases, a certification of compliance is required. The descriptions below note the certification requirement where it exists.

Exception for reporting suspected crimes [Section 3403(c) of the RFPA]

A financial institution may disclose to a government authority that it has information that may be relevant to a possible violation of a statute or regulation. Such a disclosure can be made without obtaining a certification of compliance from the government authority. However, under this exception, the financial institution may only reveal the name or other identifying information of the individual, corporation, or account involved and the nature of the suspected illegal activity. So long as the information disclosed is so limited, the financial institution is protected from liability to the customer under any federal law or regulation or any state constitution, statute, or regulation. [12 USC 3411(c)]

Exception for disclosures necessary to do business with the customer [Sections 3403(d) and 3413(h) of the RFPA]

The RFPA recognizes that a financial institution must be able to disclose certain financial information about a customer to government authorities simply in order to do business with the customer. Therefore, the RFPA does not prohibit a financial institution from providing copies of financial records to any court or government authority in order to: (1) perfect a security interest; (2) prove a claim in bankruptcy; or (3) otherwise collect a debt owing either to the financial institution itself or in its role as a fiduciary. The financial institution may make such disclosures without a certification of compliance from the government authority. [12 USC 3403(d)(1)]

The financial institution is also permitted to initiate contact with a government authority in connection with a government loan, a government loan guaranty, or a government loan insurance agreement. Such contact is permissible when the financial institution is processing an application or default under the program, or administering the program in order to provide the government authority with the necessary record to enable it to carry out its responsibilities under the program. The government authority is permitted subsequent access to records in connection with such a program if the government authority provided the customer with notice of its access rights and provides the financial institution with a certification of compliance. Only one certification is necessary for access during the entire term of the loan, loan guaranty, or loan insurance agreement. The financial institution is required to keep a record of disclosures made in connection with these government loan programs. The record must include the date of the disclosure and the government authority to which it was made. The customer is entitled to inspect the record. [12 USC 3403(d)(2)]

If the government authority requests information in connection with a government loan, loan guaranty, or loan insurance program, only the liability rules, the rule allowing customers to get an injunction against the release of records, and the requirement that the government authority provide a certification of compliance apply. [12 USC 3413(h)(1)(B)] From your point of view, all you need to remember is that you still must obtain a certificate of compliance from the government authority. Since the liability rules still apply in this circumstance, you could be liable to the customer for releasing the records without a certificate of compliance.

Limited information disclosures [Sections 3413(a), (g), and (p) of the RFPA]

Any financial records that do not identify a particular customer may be disclosed without following the procedures of the RFPA. The government authority need not supply the customer with notice, and the financial institution need not obtain a certificate of compliance from the government authority. [12 USC 3413(a)]

Also, if the government request is only for the name, address, account number, and type of account of certain customers, then the notice and customer challenge provisions of the RFPA do not apply. This exception applies if the request is for the name, address, account number, and type of account of any customer or group of customers associated: (1) with a financial transaction or class of financial transactions; or (2) with a foreign country or subdivision thereof in the case of a government authority exercising financial controls over foreign accounts in the U.S. under the Trading With the Enemy Act, the International Emergency Economic Powers Act, or the United Nations Participation Act. [12 USC 3413(g)] To say that the notice and customer challenge provisions of the RFPA do not apply to these sorts of requests means that the government need not send advance notice to the customer before gaining access to the records, and the customer cannot use the challenge procedures in the RFPA to prevent access. However, the government authority must still provide the financial institution with a certificate of compliance.

Finally, no part of the RFPA applies to disclosures you make to the Department of Veterans Affairs (VA) of the name and address of any customer. You need not obtain a certificate of compliance, and the VA need not notify the customer. Strictly speaking, a disclosure fits under this exception only if the information is necessary to and is used solely for the purposes of the proper administration of benefits programs under laws administered by the VA. [12 USC 3413(p)(1) and (2)] However, you will have no way of verifying the purposes to which the VA will put the information, so this limitation is meaningless to you. Keep in mind, however, that this exception applies only to the disclosure of customers’ names and addresses, and you are prohibited from disclosing the existence of the VA request or using the request for any purpose other than to supply names and addresses to the VA. [12 USC 3413(p)(2)]

Disclosures to supervisory agencies [Sections 3413(b) and 3413(n) of the RFPA]

“Supervisory agencies” can have access to financial records in the course of their supervisory functions without complying with the requirements of the RFPA. [12 USC 3413(b)] The RFPA says that a “supervisory agency,” with respect to any particular financial institution, holding company, or any subsidiary of a financial institution or holding company, means “…any of the following which has statutory authority to examine the financial condition, business operations, or records or transactions of that institution, holding company, or subsidiary:
  • The Federal Deposit Insurance Corporation;
  • The Bureau of Consumer Financial Protection;
  • The National Credit Union Administration;
  • The Board of Governors of the Federal Reserve System;
  • The Comptroller of the Currency;
  • The Securities and Exchange Commission;
  • The Commodity Futures Trading Commission;
  • The Secretary of the Treasury, with respect to the Bank Secrecy Act and the Currency and Foreign Transactions Reporting Act…; or
  • Any state banking or securities department or agency….”

[12 USC 3401(7)]

In short, the RFPA puts no restrictions on access to financial records for a financial institution’s regulator in the course of the agency’s normal regulatory, supervisory, or monetary functions. The supervisory agency need not notify any customers and the financial institution need not obtain a certificate of compliance from the supervisory agency. Normal regulatory, supervisory, or monetary functions include conservatorship or receivership functions for those agencies that perform those functions. Although the Resolution Trust Corporation is not listed as a supervisory agency, this exception applies to examinations by or disclosures made to it in the course of its conservatorship, receivership, or liquidation functions. [12 USC 3413(n)] This exception is still listed in the statute although the Resolution Trust Corporation closed and its duties were transferred in 1995.

Incidentally, the provision which creates this exception also exempts from coverage disclosures to a supervisory agency made by: (1) subsidiaries of financial institutions, (2) holding companies or subsidiaries of holding companies, (3) “institution-affiliated parties,” or (4) other persons. [12 USC 3413(b)] This would seem to go without saying, since the RFPA only applies to disclosures of information by financial institutions and does not restrict disclosures by subsidiaries, etc., unless those entities fall within the definition of “financial institution.” Perhaps the intent is to remove any ambiguity as to whether these entities need to worry about Financial Privacy Act liability for disclosures made to a supervisory agency in the course of the agency’s normal duties. In any event, they do not.

Disclosures pursuant to the Internal Revenue Code and other federal statutes and regulations [Sections 3413(c) and (d) of the RFPA]

The RFPA puts no restrictions on the disclosure of financial records in accordance with procedures authorized by the Internal Revenue Code. Section 7609 of the Internal Revenue Code (26 USC 7609) spells out the procedures the Internal Revenue Service (IRS) must follow in issuing a summons to a “third-party record keeper.” Subsection (i) of Section 7609 lists the responsibilities of the “third-party record keeper” (the financial institution) as:
(i) Duty of third-party record keeper and summoned party:
  1. Record keeper must assemble records and be prepared to produce records. On receipt of a summons…, the third-party record keeper shall proceed to assemble the records requested or such portion thereof as the Secretary may prescribe and shall be prepared to produce the records pursuant to the summons on the day on which the records are to be examined.
  2. Secretary may give record keeper a certificate. The Secretary may issue a certificate to the third-party record keeper that the period prescribed for beginning a proceeding to quash a summons has expired and that no such proceeding began within such period or that the taxpayer consents to the examination.

Although the RFPA does not require you to obtain a certificate of compliance from the IRS, paragraph (2), quoted above, suggests that you should attempt to obtain one. A federal court case confirms the advisability of this. The United States Court of Appeals for the Tenth Circuit has held that the exception for release of records pursuant to IRS procedure does not authorize a financial institution to release records without a certificate from the IRS, even if the financial institution is voluntarily cooperating with the IRS. See Neece v. Internal Revenue Service of the United States, 1993 U.S. Dist. LEXIS 11541.

Of course, if you do receive a summons from the IRS, you should begin assembling the records as soon as possible in accordance with paragraph (1).

The RFPA also does not apply to records or information required to be reported under any other federal statutes or regulations. [12 USC 3413(d)] This includes, for example, currency transaction reports that you might have to make under the Bank Secrecy Act. (For details on currency transaction reporting, see the chapter in this manual on the Reporting and Record-Keeping Requirements of the Department of Treasury.) Following the procedures of those statutes or regulations excuses you from having to obtain a certificate of compliance from the government authority.

Disclosures in proceedings to which both the government authority and the customer are parties [Sections 3413(e) and (f) of the RFPA]

The RFPA does not apply to any disclosures you make to a government authority under the Federal Rules of Criminal Procedure or the Federal Rules of Civil Procedure (or other comparable rules) in connection with litigation to which both the government authority and the customer are parties. [12 USC 3413(e)] The request from the government authority will usually take the form of a subpoena, and the subpoena will state the name of the case. From that, you can determine the parties to the litigation.

The RFPA also does not apply to requests from a government authority in connection with administrative proceedings to which both the government authority and the customer are parties. [12 USC 3413(f)] The request must take the form of an administrative subpoena issued by an administrative law judge. Again, the subpoena should show the names of the parties to the proceeding and you should check the subpoena for the names of the government authority and the customer.

In both of these cases, the government authority need not supply notice to the customer, and you need not obtain a certificate of compliance from the government authority.

Disclosures in connection with investigations directed at the financial institution itself or at a noncustomer entity [Section 3413(h)(1) of the RFPA]

The RFPA applies in only a limited way to requests for financial records where the investigation is directed either at a financial institution or at an entity that does not meet the definition of “customer.” Again, we are still talking about a request for the records of a “customer,” so the request is within the general coverage of the RFPA. But, when the investigation that generates the request is directed at a financial institution or a noncustomer entity, this exception applies.

In this sort of situation, the only parts of the RFPA which apply are the liability rules, the rule allowing customers to get an injunction against the release of records, and the requirement that the government authority provide a certification of compliance. [12 USC 3413(h)(1)] From your point of view, all you need to remember is that you still must obtain a certificate of compliance from the government authority. Since the liability rules still apply in this circumstance, you could be liable to the customer for releasing the records without a certificate of compliance.

Disclosures in connection with grand jury proceedings [Sections 3413(i) and 3420 of the RFPA]

The RFPA has limited applicability to subpoenas or court orders issued in connection with proceedings before a grand jury. Only the cost reimbursement provisions and the rules limiting government use of the information apply. This means that if you are served with a subpoena or court order issued in connection with a grand jury proceeding, you do not need to obtain a certificate of compliance before releasing the records. Also, the government authority does not need to notify the customer. [12 USC 3413(i)]

There are also restrictions on your ability to notify the customer about the subpoena. First, the court issuing the order or subpoena has the authority to order you to not notify your customer of the existence of the subpoena or the information that has been furnished to the grand jury. In order to make such an order, the court must follow the rules of Section 3409 for delaying notice that we described earlier. [12 USC 3413(i)] Second, even without a court order, you are prohibited from notifying the person if the investigation has to do with: (1) a crime against a financial institution or a supervisory agency; (2) a crime involving a violation of the Controlled Substances Act; the Controlled Substances Import and Export Act; Section 1956 or 1957 of Title 18; Sections 5313, 5316, and 5324 of Title 31; or Section 6050I of the Internal Revenue Code of 1986; or (3) a conspiracy to commit any of these crimes. [12 USC 3420(b)(1)] In such a case, the government and the court need not follow the Section 3409 procedures; you are simply prohibited from notifying the person.

You should examine the subpoena or court order closely in order to determine whether it was issued in connection with grand jury proceedings. You can usually determine this from the heading of the document. If you cannot and the government authority is claiming the document is in connection with grand jury proceedings, you should investigate further, perhaps by contacting the clerk of court that issued the document. Remember that the government authority does not need to supply you with a certificate of compliance, and so you will not be able to invoke the liability shield by claiming good faith reliance on a certificate of compliance. You should also be able to determine from the subpoena the nature of the crimes being investigated in order to decide whether you are prohibited from notifying your customer.

Disclosures to the General Accounting Office (GAO) [Section 3413(j) of the RFPA]

No part of the RFPA applies when the request is from the GAO in connection with an authorized proceeding, investigation, examination, or audit directed at a government authority. [12 USC 3413(j)] Again, we are talking about the release of “customer” records to a government authority (the GAO), so the request fits within the general coverage of the RFPA. But, where the GAO’s investigation is directed at a government authority, the RFPA does not apply. You do not need to obtain a certificate of compliance.

Disclosures to the Department of the Treasury, the Social Security Administration, and the Railroad Retirement Board [Section 3413(k) of the RFPA]

The RFPA does not apply to disclosures to the government authorities listed in the heading above, so long as the disclosure is limited to the customer’s name and address and so long as the information disclosed is necessary to and used solely for the administration of certain provisions of the U.S. Code. [12 USC 3413(k)(1)] If the request is from the Treasury, the information must be for the administration of Section 1441 of the Internal Revenue Code, which deals with the withholding of tax from payments made to nonresident aliens. If the request is from the Social Security Administration, the information must be for the administration of Title II of the Social Security Act, which deals with federal old-age, survivors, and disability insurance benefits. If the request is from the Railroad Retirement Board, the information must be for the administration of the Railroad Retirement Act of 1974, which deals with railroad retirement benefits. [12 USC 3413(k)(1)]

Of course, you will be unable to know with any certainty whether the government authority needs the information for the administration of the particular U.S. Code provision or not, nor will you be able to know whether the government authority will use the information solely for that purpose. So, those conditions on the release of information are meaningless to you. Therefore, this rule appears to authorize you to release customers’ names and addresses to any of these three agencies without any conditions at all. You will not need a certificate of compliance nor will the agency be required to notify the customer.

You should note, however, that this authorization extends only to the release of the customers’ names and addresses and no further. Any additional information you release must be after receipt of a certificate of compliance, or after you have determined that some other exception applies.

This section of the RFPA also states, rather oddly, that a request under this section “…shall be barred from redisclosure by the financial institution.” [12 USC 3413(k)(3)] We are not sure of the exact meaning of this provision, but our guess is that it is intended to prevent you from notifying your customer that a request under this section has been made. To be safe, you should take measures to make sure that you do not reveal the information to anyone.

Disclosure of information relating to financial institution insider crimes and violations of the Bank Secrecy Act [Section 3413(l) of the RFPA]

No part of the RFPA applies to the disclosure to certain agencies of certain customers’ financial records that are relevant to a possible violation of financial institution insider laws or the Bank Secrecy Act. The agencies to which a disclosure under this section can be made are the Attorney General of the U.S., state law enforcement agencies or, in the case of a possible violation of the Bank Secrecy Act, the Secretary of the Treasury. The customers whose records may be disclosed under this authority are officers, directors, employees, or controlling shareholders of the financial institution. The records of any “major borrower” from the institution may also be disclosed under this section if there is reason to believe that the borrower may be acting “in concert” with the officer, director, employee, or controlling shareholder. [12 USC 3413(l)] The sorts of insider laws that this section refers to include “any law relating to crimes against financial institutions or supervisory agencies by directors, officers, employees, or controlling shareholders of, or by borrowers from, financial institutions….” The term “controlling shareholder” is defined in subparagraphs (A) and (B) of Section 2(a)(2) of the Bank Holding Company Act of 1956 [12 USC 1841(a)(2)(A) and (B)] and subparagraphs (A) and (B) of Section 408(a)(2) of the National Housing Act [12 USC 1730a(a)(2)(A) and (B)].

So, again, no part of the RFPA applies to disclosures of the financial records of these insiders or major borrowers when the disclosure is made to the Attorney General of the U.S., a state law enforcement agency, or the Secretary of the Treasury if there is reason to believe the financial records are relevant to a possible violation by the insider or major borrower of insider laws or the Bank Secrecy Act. This means you need not obtain a certificate of compliance prior to releasing the records, and the government authority need not notify the customer. [12 USC 3413(l)]

Requests from government intelligence agencies and the Secret Service [Section 3414(a) of the RFPA]

Only certain parts of the RFPA apply to requests from government intelligence agencies and the Secret Service. The provisions of the RFPA which do apply are the cost-reimbursement provisions, the liability provisions, the injunctive-relief provisions, and provisions requiring the agencies to make reports to Congress on the number of RFPA requests they make each year. Otherwise, the RFPA does not apply to these requests. [12 USC 3414(a)]

Specifically, the exception applies to requests from a government authority that is authorized to conduct foreign counter- or foreign positive-intelligence activities when the government authority’s request is for purposes of conducting those activities. It also applies to requests from the Secret Service when the request is for the purpose of conducting its protective functions. Finally, it applies to a government authority authorized to conduct investigations of, or intelligence or counterintelligence analyses related to, international terrorism for the purpose of conducting such investigations or analyses. [12 USC 3414(a)]

The exception does place three restrictions on the financial institution’s compliance with the request. The first is that the institution must obtain a certificate of compliance from the agency. The certificate must be signed by a supervisory official of a rank designated by the head of the government authority. [12 USC 3414(a)(2)] The second restriction is that the financial institution and any officers, employees, or agents of the institution are prohibited from disclosing to anyone that one of these agencies has obtained records. [12 USC 3414(a)(3)]

The third restriction is that if the request is from the Federal Bureau of Investigation (FBI), the financial institution must comply if it obtains a certificate from the Director of the FBI or from someone designated by the Director that states that the records are sought for foreign counterintelligence purposes. [12 USC 3414(a)(5)(A)] This particular provision has two interesting twists. First, it requires financial institutions to comply with formal written requests from the FBI when the agency delivers the proper certification. Ordinarily, formal written requests are not legally enforceable and the institution has the option of complying or not complying. Second, this provision requires financial institutions to disclose records of both a customer and an “entity” upon receiving a proper request and certification from the FBI. The term “entity” is not defined by the RFPA, but seems to include all sorts of customers not within the definition of “customer” under the RFPA—in other words, corporations and partnerships of more than five individuals. These two twists seem to put this provision beyond the general scope of the RFPA, in that it requires disclosure in circumstances where the rest of the RFPA does not and requires disclosure of records otherwise outside the coverage of the RFPA.

Requests from the Securities and Exchange Commission [Section 3422 of the RFPA]

Section 3422 of the RFPA provides that the RFPA will apply to the Securities and Exchange Commission (SEC), except as provided in the Securities Exchange Act of 1934. [12 USC 3422] The Securities Exchange Act of 1934 says that the RFPA will apply to the SEC except in three areas. The three areas are: (1) a slightly different procedure is available to the SEC when it wants to delay notification to the customer of a request for records; (2) slightly different penalties apply to the SEC if it obtains records in violation of the delay procedures; and (3) slightly different rules apply to the SEC governing the transfer of records to other government authorities.

None of these variations has any impact on financial institutions or on how financial institutions respond to records requests from the SEC.

Disclosures to Federal Reserve Board, Federal Reserve Banks, Federal Housing Finance Board, and Federal Home Loan Banks [Sections 3413(m) and 3413(o) of the RFPA]

Nothing in the RFPA applies to examinations by or disclosures to any of the following in connection with credit extensions made by the following: (1) the Board of Governors of the Federal Reserve System; (2) Federal Reserve Banks; (3) the Federal Housing Finance Board; and (4) any Federal Home Loan Banks. [12 USC 3413(m) and (o)] In other words, when a financial institution borrows money from one of these agencies, it need not worry about any disclosures of information it might make being subject to the RFPA.

Emergency access [Section 3414(b) of the RFPA]

If a government authority determines that a delay in obtaining access to financial records would create imminent danger of: (1) physical injury to any person; (2) serious property damage; or (3) flight to avoid prosecution, then the RFPA provides for immediate access to the records for the government authority. In order to take advantage of this access, the government authority must provide the financial institution with a certificate of compliance signed by a supervisory official of a rank designated by the head of the government authority. [12 USC 3414(b)(2)] The government authority must also, within five days of gaining access to the records, file with an appropriate court a sworn statement of a supervisory official of a rank designated by the head of the government authority stating the grounds for the emergency access. [12 USC 3414(b)(3)] As soon as practicable after the government authority gains access to the records, it must serve on or mail to the customer a copy of its request and a notice. The notice informs the customer that the records were accessed, the reason for the inquiry, and the grounds for emergency access. [12 USC 3409(c)] However, the government authority can delay sending this notice if it follows the procedures of Section 3409 of the RFPA.

All you need to remember about emergency access is that you need a certificate of compliance from the government authority. The rest of the burden is on the government authority—to make the determination that emergency access is necessary, to file the sworn statement, and to send the subsequent notice to the customer.

Requests from the Bureau of Consumer Financial Protection [Section 3413(r) of the RFPA]

Nothing in the RFPA applies to examinations by or disclosures to the Bureau of Consumer Financial Protection (CFPB) of financial records or information in the exercise of the CFPB’s authority. [12 USC 3413(r)]