Confidentiality

Obligations

Describe the private banking confidentiality obligations.

US federal law does not provide the type of strict confidentiality (data protection and financial privacy) found in many other countries. Two federal statutes provide a lower level of protection.

The Right to Financial Privacy Act of 1978 (RFPA) applies to US government requests for financial records for most customers (ie, individuals, but not necessarily all companies or partnerships) of banks, among other institutions. The RFPA provides mechanisms to disclose such records to government authorities, provided that the financial institution complies with certain notice procedures to customers (if applicable), among other requirements. Certain exceptions may apply that allow for the disclosure of financial records in connection with law enforcement activities, and private parties may be able to subpoena financial records in the context of private litigation, depending on the nature of the dispute and subject to a court’s determination.

In addition, the Gramm-Leach-Bliley Act (GLBA) prohibits financial institutions (including banks and investment advisers) from disclosing non-public personal information about a consumer to non-affiliated third parties, unless the institution satisfies various notice and opt-out requirements or an exception applies. Even if a financial institution does not disclose non-public personal information, notice must be given at the time the customer relationship is established and annually thereafter if there has been a change to the policies and practices since the last notice. Furthermore, federal regulations require notice to customers and provide opt-out opportunities in situations involving marketing among affiliates.

State constitutions or statutes may provide greater confidentiality than federal law provides (eg, Florida has a state constitutional right to privacy that includes financial privacy), but, as a general matter, they do not restrict the ability to obtain financial information in civil or criminal proceedings. State common law, contractual obligations and industry practice also generally prevent a financial institution from disclosing confidential customer information to unaffiliated third parties absent customer consent, a court or administrative order, or a clear legal authorisation to do so (eg, disclosure of confidential information that is necessary to pursue a legal claim against a customer in a court).

Scope

What information and documents are within the scope of confidentiality?

The RFPA covers financial records: an original or copy of, or information known to have been derived from, any record held by a financial institution pertaining to a customer’s relationship with the financial institution.

Under the GLBA, non-public personal information includes any information that is not publicly available, for instance, information that a consumer provides to a financial institution to obtain a financial product or service; that results from a transaction between a consumer and the institution involving a financial product or service; or that a financial institution otherwise obtains about a customer by providing a financial product or service.

Expectations and limitations

What are the exceptions and limitations to the duty of confidentiality?

Exceptions to the RFPA include, among others, when a financial institution submits financial records for bank supervisory or regulatory purposes, or in accordance with federal statutes (eg, the BSA), by court order, judicial or administrative subpoena, or when requested by a government authority subject to a lawsuit involving the customer.

The GLBA includes certain exceptions to a customer’s right to opt out, including when (i) the customer receives initial notice that a non-affiliated third party will perform services for the financial institution and that third party is prohibited by contract from using or disclosing the information outside of the specified purposes of the contract; (ii) disclosure is necessary to effect a transaction authorised or requested by the customer; (iii) a financial institution seeks to protect a customer against actual or potential fraud, or gives the information to its attorneys, accountants or regulators; or (iv) disclosure is to comply with federal or state laws or other legal requirements or to comply with authorised civil, criminal, or regulatory investigations or subpoenas or to respond to judicial process or government regulatory authorities. The BSA provides a safe harbour for financial institutions and their employees in connection with a good faith SAR filing.

Breach

What is the liability for breach of confidentiality?

A customer may collect civil penalties from any government agency or department that obtains, or financial institutions or their employees who disclose, information in violation of the RFPA. Penalties can include actual damages, court costs and reasonable attorneys’ fees, as well as punitive damages for wilful or intentional violations. However, a financial institution that relies in good faith on a federal agency or department’s certification may not be held liable to a customer for the disclosure of financial records.

Under the GLBA, civil and criminal penalties (including fines and imprisonment for five to 10 years) may be imposed on the institution as well as its officers and directors through actions by prosecutors and regulatory authorities. Additionally, sanctions may be imposed including, for banks, the termination of FDIC deposit insurance, as well as removal of the financial institution’s management, and potentially barring those individuals from working in the banking industry. There is generally no private right of action available under the GLBA. See question 38 for a discussion of the liability standards that would apply to other breaches of a duty of confidentiality involving a financial institution or its employees (eg, breaches involving contract liability).