If you have recently received a subpoena from a government agency investigating a customer’s financial dealings, you are not alone. As the alarm and uncertainty of the COVID-19 pandemic finally begin to calm, audits and investigations concerning the use of funds from pandemic relief initiatives such as the Paycheck Protection Program, Main Street Lending Program, and others are in full swing, sometimes followed by civil and criminal charges.
Once you have established that the subpoena is legitimate, what do you do with it? Banks are accustomed to cooperating with government requests and investigations, but banks are limited in what customer information they can disclose (even to the government) without following the proper procedures – namely, those established by the Right to Financial Privacy Act (RFPA).
RFPA protects bank customers from federal government intrusion by requiring that federal agencies follow a certain process to obtain customers’ financial records. Note that while RFPA does not apply to requests by state and local government agencies, many states have enacted similar customer notice requirements.
RFPA is limited, however, in that it only covers records of individuals and partnerships of five or fewer individuals. Under RFPA’s definitions, “customer” does not include corporations, partnerships of six or more individuals, trusts, associations, or other legal entities. While not specifically mentioned in RFPA or accompanying guidance, courts have held that LLCs are also not covered customers.
A federal agency may obtain a customer’s records if it can present written authorization from the customer that satisfies certain statutory requirements. Otherwise, RFPA requires the federal government to follow procedural and documentation requirements, such as notifying the customer and providing them with a copy of the request. These requirements vary based on the type of request. The requesting agency is also required to provide the bank with a written certification confirming the agency has indeed complied with RFPA’s requirements. The bank is then permitted to rely on the written certification in good faith and disclose the requested records.
If records are erroneously disclosed, the impacted customer may collect civil penalties from the bank and the relevant agency, including: $100 (without regard to the volume of the records involved), any actual damages, punitive damages (in cases of willful or intentional violations), and attorney’s fees and court costs.
RFPA prescribes certain circumstances in which the bank can disclose customer financial records without confirming compliance with the customer notice and/or certification requirements or when specific alternative procedures apply. These circumstances include (but are not limited to):
This is only a brief summary of RFPA’s very detailed and situation-specific requirements. In the event a request for customer information from a federal agency is received, the bank should review both the request and RFPA carefully to confirm the appropriate procedure has been followed or verify a valid exception/ alternative procedure exists. Note that records of entities not covered by RFPA may still contain customer information that is covered.
If the bank believes it has covered customer information that is responsive to a government request, but the appropriate procedure has not been followed (or exception identified), that information should be withheld until the question of RFPA’s applicability is resolved. In doing so, the bank should be transparent and forthcoming with the requesting agency about why it is withholding the customer’s information, giving the agency an opportunity to address the matter.