With all due respect to noted astrophysicist Stephen Hawking, this blog post will attempt to explain the bank privacy universe in a tiny package. Many tend to think “bank privacy” began with the Gramm-Leach-Bliley Act (“GLB” and technically The Financial Services Modernization Act of 1999). But this perspective misstates the origin of bank privacy and understates its breadth and depth.
Rather bank privacy is genetically coded into the customer relationship and has been since the beginning. Perhaps “privacy” is even the wrong word as “confidential” seems more apt. Protecting bank customer confidences has long been recognized on both state and federal levels, at common law and in numerous statutes pre-dating GLB. For perspective, in 1995 I revised my bank’s deposit agreement and made extensive reference to customer confidentiality and the bank’s information sharing practices, embodying almost all the concepts later enshrined in GLB.
At the federal level, the Fair Credit Reporting Act (“FCRA”) preceded GLB by 30 years. The FCRA, at its core, regulates the collection, use, and sharing of consumer credit information and provides a process to insure information is reported accurately. Shortly thereafter, the U.S. Supreme Court in U.S. v. Miller determined a customer had no 4th Amendment expectation of privacy in bank records holding these documents were not the functional equivalent of a “citizen’s papers” secure from unreasonable search and seizure. The Right to Financial Privacy Act (“RFPA”) was swiftly passed reeling back the breadth of Miller and providing individuals with some degree of federal protection in their bank records including notice of and objection rights to many federal agency subpoenas. More on the full efficacy of the RFPA below, but the fact bank customer records merited so much energy in Washington says something about the sensitivity of the bank-customer relationship.
At the state level, bank customer confidentiality is ancient and well-regarded. Many states enacted their own version of the RFPA. Garnishment, levy and subpoena responses are important bank functions (performed at significant expense with no upside), balancing customer confidentiality with third-party rights to that customer information.
Illinois has long had a financial records confidentiality statute that outlines the circumstances in which banks may and may not share customer information and looks surprisingly similar to the GLB Privacy Rule. It is one of the few statutes I know off the top of my head (205 ILCS 5/48.1 if you are interested).
Missouri bank confidentiality lawyers are well aware of the 1977 Pigg v. Robertson appellate decision wherein a bank was held liable for breaching customer confidences after a bank customer was directed to the bank president’s office, where he encountered an individual he thought could help with a loan request to purchase a parcel of property. The customer “met” with a non-employee, outside bank auditor, and the interloper took the customer’s information for his own use, purchasing the land to the customer’s detriment. The Pigg court noted “counsel inquired whether respondent was familiar with the “rules generally…about the confidential relationships between bank employees and customers.” Respondent replied that he was. However, no attempt was made to enlarge on the inquiry.” Of course not; there was no need to inquire further because everybody knows banks are under a duty to protect customer confidences.
This brings us to GLB. GLB, contrary to popular understanding, is not primarily a privacy statute. GLB’s main purpose was to break down walls between the banking, securities and insurance industries erected in the Great Depression. A secondary purpose was to bolster fair lending. The tertiary purpose was customer privacy. The hallmark of GLB privacy considerations, as detailed in subsequent regulation, are the Privacy Notice and Safeguards Rules.
With regard to the Privacy Notice Rule, all the now familiar privacy concepts are present: definition of non-public personal information (“NPI” since refined to “PII”), notice, consent, transparency, simplicity, expected and allowed uses, opt-out for unexpected uses, and limitations on recipient use.
Similarly, the Safeguards Rule embodies the core, universal data protection principle of a written information security policy naming a responsible employee (reporting to a truly important employee) overseeing constant risk assessment, controls, third parties, education, training, testing, monitoring, auditing and adjusting. But these privacy and data security aspects of GLB were not “designed” (as the FTC now strongly suggests) so much as codification of the organic development of bank confidentiality.
As I noted above, bank confidentiality is enshrined in the customer relationship. Except when it is not. And it frequently is not. You may not realize this, but banks form a bulwark against crimes of all fashion – money-laundering, terrorism, and tax evasion, to name just a few. Succinctly put, if you commit crimes, do not use the banking system. While the RFPA prevents law enforcement from willy-nilly reviewing a customer’s bank records, a counter-series of laws, including the Bank Secrecy Act, several money laundering acts and the PATRIOT Act (collectively “BSA/AML”), require banks to maintain and turnover records, report a variety of transactions (irrespective of apparent criminal behavior) or suspected crimes, block transactions or accounts, prevent account opening or require account closing, ask pointed and detailed questions concerning identity, pry into the affairs of entities, and require significant documentation for transactions. These obligations come with ominous sounding acronyms such as OFAC, SDN, FinCEN, SAR, CTR, KYC, CID, and CDD. This customer information is transmitted to primary bank regulators, law enforcement, the Treasury Department and often to other agencies such as the IRS.
BSA/AML costs are an enormous drain on bank resources (ask a community bank president located near our southern border how much BSA/AML compliance costs and watch the reaction) and are anathema to confidentiality. Now THIS you could call “non-privacy by design.” Further, BSA/AML reporting requirements are spreading well beyond traditional financial services companies – casinos, travel agents, title companies, accountants, law firms. Appropriate BSA/AML compliance is rewarded with safe harbor protection; compliance failure results in head-spinning fines and oversight that make the consequences of the largest data breaches look like a day at the beach.
Speaking of data breaches, I leave you with a comment. One will notice in a review of breach databases (I like the Chronology of Data Breaches at the Privacy Rights Clearinghouse) the usual bank breach reports of lost/stolen computers, employee theft, and ATM skimming, but relatively few reports of massive breaches. Sure, JPMorgan Chase and Citibank were “successfully attacked” in the last five years (@75 million customers of JPMC; 350,000 credit card holders for Citi). While some PII was obtained, the “crown jewels” were not stolen – account numbers, passwords, user ids, SSN, DOB or actual assets. Banks are very good at protecting customer information from attack, particularly attacks launched through customer devices aimed at customer accounts. The reason is clear: confidentiality is a core asset, and protecting confidentiality is fully expected. If you want to effectuate fantastic data security you may want to study how banks do it.