General Coverage and Procedures of the RFPA
The RFPA has two basic rules. First, Section 3402 of the RFPA says that no “government authority” can access information contained in the financial records of any “customer” of a “financial institution” unless the financial records are reasonably described and either the customer authorizes the disclosure or the government request takes one of four specified forms. [12 USC 3402] Second, Sections 3403(a) and (b) prohibit a “financial institution” from providing to any “government authority” information contained in the financial records of any “customer” except in accordance with the RFPA, and prohibit a “financial institution” from releasing the financial records of a “customer” until the “government authority” seeking the records certifies in writing to the financial institution that it has complied with the RFPA. [12 USC 3403(a) and (b)]
“Government authority” is defined as “any agency or department of the United States, or any officer, employee, or agent thereof.” [12 USC 3401(3)] Obviously, a state government agency, department, or employee is not within this definition and, therefore, requests from such entities will not be subject to the rules of Sections 3402 and 3403 of the RFPA. However, notice that the definition includes not just federal agencies and departments, but also officers, employees, and agents of federal agencies and departments. That means that requests from these individuals, as well as requests from the agencies or departments themselves, are requests from a “government authority” and are subject to the rules of Sections 3402 and 3403.
“Financial institution” is defined as “any office of a bank, savings bank, card issuer…, industrial loan company, trust company, savings and loan, building and loan, or homestead association (including cooperative banks), credit union, or consumer finance institution, located in any State or territory of the United States, the District of Columbia, Puerto Rico, Guam, American Samoa, or the Virgin Islands.” [12 USC 3401(1)] Most of what you normally think of as “financial institutions” are included in this definition. Note that “card issuers” are also included. The Consumer Credit Protection Act defines “card issuer” as “any person who issues a credit card, or the agent of such person with respect to such card.” [15 USC 1602(o)] “Credit card” is defined by the Consumer Credit Protection Act as “any card, plate, coupon book, or other credit device existing for the purpose of obtaining money, property, labor, or services on credit.” [15 USC 1602(l)]
Finally, “customer” is defined as “any person or authorized representative of that person who utilized or is utilizing any service of a financial institution, or for whom a financial institution is acting or has acted as a fiduciary, in relation to an account maintained in the person’s name.” [12 USC 3401(5)] “Person” is defined as “an individual or a partnership of five or fewer individuals.” [12 USC 3401(4)] So, “customer” only includes individuals, partnerships of five or fewer individuals, and any other sort of entity that is acting as an authorized representative of an individual or partnership of five or fewer individuals. Therefore, a request by a government authority for the records of a corporation is not subject to the RFPA unless the records relate to the corporation in its role as authorized representative of a “person.” Also note that the definition of “customer” includes one who “utilized or is utilizing” (past and present tense) a service or for whom the financial institution “is acting or has acted” as a fiduciary. This means that a person may be a “customer” at a given time even if the person has no current relationship with the financial institution, but had one in the past.
So, assuming we are dealing with a request from a “government authority” directed to a “financial institution” requesting records of a “customer,” the rules of Sections 3402 and 3403 apply. Those rules, again, are that the government is prohibited from access to the records unless the government request reasonably describes the records and either the customer authorizes the disclosure or the request takes one of four specified forms. [12 USC 3402] The financial institution, in turn, is prohibited from providing access to the records except in accordance with the RFPA, and is prohibited from releasing the records until the government authority certifies in writing to the financial institution that it has complied with the applicable provisions of the RFPA. [12 USC 3403(a)] Let’s look more closely at these rules.
Formalities of the government request
First, the government request must reasonably describe the records sought. [12 USC 3402] While the RFPA provides no guidance as to what constitutes a reasonable description, presumably, it should be specific enough for you to know which records the government authority wants.
Second, the request must either be authorized by the customer or it must take one of four specified forms. [12 USC 3402] A customer authorization, in order to be effective, must be a signed and dated statement which: (1) authorizes disclosure for a period no greater than three months; (2) states that the customer may revoke the authorization at any time before the financial records are disclosed; (3) identifies the financial records which are authorized to be disclosed; (4) specifies the purposes for which, and the government authority to which, the records may be disclosed; and (5) states the customer’s rights under the RFPA. [12 USC 3404(a)]
You are prohibited by Section 3404 of the RFPA from requiring customers to sign an authorization as a condition of doing business with them. [12 USC 3404(b)] Also, you must keep a record of all instances in which the customer’s records are disclosed to a government authority pursuant to the customer’s authorization. The record must include the identity of the government authority to which the disclosure was made. The customer is entitled to obtain a copy of your record, unless the government authority obtains a court order to the contrary. [12 USC 3404(c)] For your own protection, your file should also contain either the original authorization or a copy of it.
If the government authority’s request is not based on a customer authorization, then it must take one of the following four forms: (1) an administrative subpoena or summons; (2) a search warrant; (3) a judicial subpoena; or (4) a formal written request. The RFPA spells out requirements that the government must meet in issuing each of these four items. [12 USC 3402]
Administrative subpoena or summons
First, a government authority may obtain financial records pursuant to an administrative subpoena or summons only if three conditions are met. They are: (1) there is reason to believe that the records sought are relevant to a legitimate law enforcement inquiry; (2) the government authority mails to or serves on the customer a copy of the subpoena or summons, along with a notice that is specified in the RFPA; and (3) a waiting period in which the customer can file an objection to the release of the records has expired or the customer has filed an objection and a court has ordered release of the records in spite of the objection. [12 USC 3405(1), (2), and (3)]
“Law enforcement inquiry” is defined by the RFPA as “a lawful investigation or official proceeding inquiring into a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule, or order issued pursuant thereto.” [12 USC 3401(8)] The RFPA does not provide a definition or an explanation of the term “legitimate,” but presumably, the idea is to require that the investigation actually be conducted for the benefit of the U.S. government and not for a reason such as a personal vendetta of a department official or law enforcement officer. Note that not only must the law enforcement inquiry be “legitimate,” but there must also be reason to believe that the records sought are relevant to the inquiry.
The notice that the government authority is required to send to or serve on the customer, along with a copy of the subpoena or summons, states that the government is seeking records or information held by the financial institution named in the subpoena or summons. The notice states the purpose for which the records are being sought and spells out the procedures the customer should follow in order to object to the release of the records or information, and the time frame in which the customer’s objections must be filed. [12 USC 3405(2)]
The waiting period that must expire before the government can have access to the records is ten days after service if the notice and copy of subpoena or summons was personally served on the customer, or 14 days after mailing if the notice and copies were mailed to the customer. [12 USC 3405(3)] Of course, if the customer follows the procedures for lodging an objection within these time frames, then the government cannot obtain the records until a court has ruled on the customer’s objections. Later in this chapter, we will look more closely at Section 3410 of the RFPA, which specifies the exact procedures a customer must follow and the grounds on which the court must make its decision on whether or not to block the release of the records.
Section 3409 of the RFPA, which we will also discuss in more detail later, provides that, in certain circumstances, a court may permit the government to obtain the records prior to notifying the customer and without going through this waiting period.
Section 3411 of the RFPA requires that a financial institution that receives an administrative summons or subpoena begin assembling the records and be prepared to deliver them to the government authority as soon as the government authority provides the financial institution with the certificate of compliance.
Search warrant
The second form that a government request for records may take is a search warrant. A search warrant must be obtained by the government pursuant to the Federal Rules of Criminal Procedure. [12 USC 3406(a)] Obtaining a search warrant enables the government to obtain the records without advance notice to the customer and without a waiting period. [12 USC 3406(b)] But the government must, within 90 days of serving the search warrant on the financial institution, send a notice and copy of the search warrant to the customer. The notice simply states that records or information concerning the customer’s transactions at the financial institution named in the search warrant were obtained by the agency or department pursuant to the search warrant. It also states that the customer may have rights under the Right To Financial Privacy Act. [12 USC 3406(b)] Unlike the notice accompanying the administrative summons and subpoena, however, this notice does not spell out how the customer can raise any objections to the release of the records.
Section 3409, in addition to providing a procedure for delaying notice after an administrative subpoena or summons, also allows for delaying the sending of the notice following the service of a search warrant. If the government obtains such a delay, the court must also issue an order prohibiting the financial institution from disclosing that records have been obtained or that a search warrant has been served. [12 USC 3406(c)] In other words, if the court issues an order delaying the notice which the government must send to or serve on the customer, then you are prohibited from notifying your customer of the government request for the records. We will look at Section 3409 in more detail later to see what the government’s grounds for obtaining such an order must be.
Judicial subpoena
The third form that a government request for records may take is a judicial subpoena, or a subpoena issued by a court. (Administrative subpoenas are issued by the administrative agency itself.) There are three conditions that must be met before a government authority can obtain a customer’s financial records by way of a judicial subpoena. They are: (1) the subpoena must be authorized by law and there must be reason to believe that the records sought are relevant to a legitimate law enforcement inquiry; (2) the government authority must send to or serve on the customer a copy of the subpoena and a notice; and (3) a waiting period in which the customer can object to the release of the records must have expired or else the customer has followed the procedures for objecting and a court has ordered release of the records in spite of the objection. [12 USC 3407(1), (2), and (3)]
The first condition—that the subpoena be authorized by law and that there be reason to believe that the records sought are relevant to a legitimate law enforcement inquiry—is similar to the condition imposed on an administrative summons and subpoena. The difference is that a judicial subpoena must be authorized by law. The RFPA does not include a similar requirement for an administrative subpoena or summons. According to one authority, this additional reference does not imply an additional requirement on judicial subpoenas. It simply reflects the general rule that the RFPA itself does not authorize access to records, but only provides a procedure for using requests and orders authorized by other statutes or regulations. [Fischer, The Law of Financial Privacy, Warren, Gorham, and Lamont (1983), pp. 2 - 34.] In other words, all this provision is saying is that some law other than the RFPA must authorize the issuance of the subpoena.
The notice that the government authority must send to or serve upon the customer, along with a copy of the judicial subpoena, is very similar to the notice required with an administrative summons or subpoena. It notifies the customer that records or information concerning the customer’s transactions with the financial institution are being sought by the government authority, and states the purpose for which the records are being sought. The notice also spells out the procedures the customer must follow in order to object to the request and prevent release of the records. [12 USC 3407(2)]
The waiting periods for judicial subpoenas are identical to those for administrative summons and subpoenas. They are ten days after service, if the notice and copy of the subpoena are personally served on the customer, and 14 days after mailing, if the notice and copy are mailed to the customer. [12 USC 3407(3)]
As with an administrative summons and subpoena, Section 3411 of the RFPA requires that a financial institution that receives a judicial subpoena begin assembling the records and be prepared to deliver them to the government authority as soon as the government authority provides the financial institution with the certificate of compliance. [12 USC 3411]
Formal written request
The fourth and final form that a government request for financial records can take is that of a “formal written request.” A formal written request is available to a government authority if five conditions are met. They are: (1) the government authority lacks the authority to issue an administrative summons or subpoena to obtain the records; (2) such a request is authorized by regulations issued by the head of the agency or department; (3) there is reason to believe that the records sought are relevant to a legitimate law enforcement inquiry; (4) the government authority serves on or mails to the customer a copy of the formal written request, along with a notice specified in the RFPA; and (5) a waiting period in which the customer can object to the release of the records has expired, or the customer has followed the procedures for objecting and a court has ordered the release of the records in spite of the objection. [12 USC 3408(1) – (4)]
The first two conditions—that the government authority lacks administrative summons or subpoena power and that the head of the government authority issue regulations authorizing formal written requests—indicate that Congress intended to give those government authorities a means of obtaining records short of judicial subpoena or search warrant. For an example of regulations issued by an agency head to authorize the agency to use formal written requests, see the Treasury Department regulations at 31 CFR Part 14.
The other conditions placed on formal written requests are identical to those placed on administrative and judicial subpoenas. The notice that must be mailed to or served upon the customer states that records or information concerning the customer’s transactions at the financial institution are being sought and the purpose for which they are being sought. It also recites the procedure the customer must follow to raise an objection to and prevent the release of the records. [12 USC 3408(4)(A)] The waiting periods are ten days following service, if the notice and copy were personally served on the customer, and 14 days after mailing, if the notice and copy were mailed to the customer. [12 USC 3408(4)(B)]
Section 3409, delayed notice
Section 3409 provides a way for the government authority to delay giving the notices required by the rules we’ve just been reviewing. You can imagine circumstances in which the government might want to delay such notice. Section 3409 says that the government authority can apply to a court for such a delay, and the judge or magistrate can grant the delay if the court finds that: (1) the investigation being conducted is within the lawful jurisdiction of the government authority seeking the financial records; (2) there is reason to believe that the records being sought are relevant to a legitimate law enforcement inquiry; and (3) there is reason to believe that giving the notice as normally required will result in: (a) endangering the life or physical safety of any person; (b) flight from prosecution; (c) destruction of or tampering with evidence; (d) intimidation of witnesses; or (e) otherwise seriously jeopardizing an investigation or official proceeding or unduly delaying a trial or ongoing official proceeding to the same extent as (a) through (d) would. [12 USC 3409(a)(1) – (3)]
An order granting such a delay is effective for 90 days. [12 USC 3409(b)(1)] However, the court can make the delay indefinite if the government authority requesting the delay is one which exercises financial controls over foreign accounts in the U.S. under the Trading With the Enemy Act, the International Emergency Economic Powers Act, or the United Nations Participation Act, and the court finds that there is reason to believe that the notice may endanger the lives or physical safety of a customer or group of customers or any person or group of persons associated with a customer. [12 USC 3409(b)(1)]
Extensions beyond the 90-day period may be granted on the same grounds as the original delay. An extension lasts for an additional 90 days. [12 USC 3409(b)(2)]
If the court enters an order delaying notice, it must also enter an order prohibiting the financial institution from disclosing that records have been obtained, that a request for records has been made, or that a search warrant has been executed. [12 USC 3409(b)(1)]
Once the delay period expires, the government authority must send to the customer a copy of the process or request (subpoena, summons, formal written request, or search warrant) served on the financial institution along with a notice. The notice must state that records concerning the customer’s transactions with the named financial institution were obtained by the government authority on a specified date. The notice must also state that the notice of the request for records was delayed and the reason for the delay. Finally, the notice must state the purpose of the investigation or official proceeding for which the records were requested. [12 USC 3409(b)(3)]
Courts granting delays in notification pursuant to Section 3409 must retain all papers filed in connection with the delay order. Customers are entitled to see these papers, unless the court makes the same findings required originally for the delayed notice. [12 USC 3409(d)]
Section 3401, customer challenges
As we have seen, some of the notices which the government authority is required to send to the customer spell out the procedures the customer is to follow in filing an objection to the release of the records. Those procedures are listed in Section 3410 of the RFPA. [12 USC 3410]
These procedures will only apply when the government’s request takes the form of an administrative summons or subpoena, a judicial subpoena, or a formal written request. [12 USC 3410(b)] The other two forms of records requests—customer authorizations and search warrants—do not require prior notice to the customer and, consequently, provide no opportunity for the customer to object to the release of the records.
First, the customer must act within certain time periods. If notice of the records request was personally served on the customer, then the time period is ten days from the day of service. If the notice was mailed, the time period is 14 days from the day of mailing. [12 USC 3410(a)]
Within those time frames, the customer must file with the appropriate court either: (1) a motion to quash (annul or set aside) the administrative summons or subpoena or the judicial subpoena; or (2) an application to enjoin (forbid) the government authority from obtaining the records pursuant to a formal written request. [12 USC 3410(a)] The “appropriate court” is the court listed in the customer notice in the case of an administrative summons or a formal written request. In the case of a judicial summons, the appropriate court is the court that issued the summons. [12 USC 3410(a)] The customer’s motion or application must contain a sworn statement stating: (1) that the person making the motion or application is a customer of the financial institution to which the government authority’s request is directed; and (2) the reasons why the customer does not believe that the financial records which the government requested are relevant to the legitimate law enforcement inquiry stated by the government authority in its notice, or that there has not been substantial compliance with the provisions of the RFPA. [12 USC 3410(a)(1) and (2)] The customer must also serve the motion or application on the government authority seeking the records. [12 USC 3410(a)]
Once the customer has filed the motion or application, the court must decide whether the customer has met the requirements for filing, namely, whether the time limits have been met and whether the customer’s sworn statements are in order. If so, the court must order the government to respond. [12 USC 3410(b)] The court may then make its decision based on these initial filings, or it can order further proceedings. In order for the court to decide for the customer, it must find: (1) that the customer is the customer of the financial institution to whom the requested records pertain; and (2) either that there is not a demonstrable reason to believe that the law enforcement inquiry is legitimate and a reasonable belief that the records sought are relevant to that inquiry, or that there has not been substantial compliance with the provisions of the RFPA. [12 USC 3410(c)] In order for the court to decide for the government authority, it must find either: (1) that the customer is not the customer to whom the financial records sought pertain; or (2) that there is a demonstrable reason to believe that the law enforcement inquiry is legitimate and a reasonable belief that the records sought are relevant to that inquiry. [12 USC 3410(c)]
If the court finds for the customer, it must order the summons or subpoena quashed or enjoin the government authority’s formal written request. [12 USC 3410(c)] If the court finds for the government authority, it must order the summons or subpoena to be enforced. [12 USC 3410(c)] If the government’s request took the form of a formal written request, the court cannot order it to be enforced since formal written requests are not enforceable under the law. However, the financial institution is free to comply with the request once the court has found for the government without fear of liability to the customer.
A customer whose motion or application is denied cannot immediately appeal. The customer’s right to appeal does not arise until after a final order is issued in a legal proceeding resulting from the request for records, or until the government authority decides not to initiate a legal proceeding against the customer. [12 USC 3410(d)] The government authority is required to notify the customer when it decides not to initiate a legal proceeding against the customer in connection with the records, so that the customer can then appeal the disclosure. [12 USC 3410(d)] If the government authority has not made a decision on whether to initiate a proceeding within 180 days of the denial of the customer’s original objection to disclosure, the government authority must certify to the court that no such determination has been made. [12 USC 3410(d)] The court can then require the government authority to periodically make additional certifications until either the customer receives notice that no proceeding will be initiated, or until a proceeding is initiated. [12 USC 3410(d)]
The procedures spelled out by Section 3410 are the exclusive means for a customer to oppose disclosure of the records. [12 USC 3410(e)] Also, Section 3410 only deals with a customer’s rights to object to disclosure. It does not affect any rights the financial institution might have to object to the disclosure, nor does it entitle the customer to assert any rights of the financial institution. [12 USC 3410(f)]
That takes us through the first basic rule of the RFPA—the procedures the government must follow in obtaining financial records. We can now move on to the second basic rule—the financial institution’s responsibilities.
Requirement that financial institution obtain government certificate
This is the second basic rule of the RFPA. The crucial element for you to remember is the requirement that you obtain a written certification from the government authority prior to releasing the records. [12 USC 3411(b)] The RFPA does not specify any formal requirements for this certification. However, it should probably identify the government authority making the records request and should probably be signed by the government authority if the authority is an individual, or by a responsible representative of the government authority if the authority is an agency or department. The certification must have a statement to the effect that the government authority has complied with the applicable provisions of the RFPA. [12 USC 3411(b)]
As we will see when we look at the liability provisions of the RFPA, the liability shield of the RFPA is based on the financial institution’s “good faith reliance” on the government authority’s certification of compliance. This means that the financial institution cannot blindly rely on a certification for protection under the RFPA. If something is clearly improper about the records request or the certification and the impropriety is conspicuous enough that the financial institution should have detected it, the presence of a certification of compliance will not protect the financial institution. This means that you should probably make a careful inspection of the form by which the request is made (subpoena, summons, search warrant, etc.) looking, simply, for anything that does not make sense. If there is any doubt about a particular document, you should ask the government authority to clear up the problem, although you are probably not required to do any independent investigating yourself into the propriety of the request or the certification.
Most of the exception situations we will be looking at below do away with the requirement that the government authority supply a certification of compliance. However, some of them retain that requirement. Therefore, you should note carefully those situations that still require the certification of compliance.