Statement
Of
Gregory T. Nojeim
Legislative Counsel
American Civil Liberties Union
Washington National Office
On
Financial Privacy
and the
Proposed “Know Your Customer” Regulations
Before The
Commercial and Administrative Law Subcommittee of the House of Representatives Committee on the Judiciary
March 4, 1999
Mr. Chairman and Members of the Subcommittee:
I am pleased to testify today before the Commercial and Administrative Law Subcommittee of the House Judiciary Committee on behalf of the American Civil Liberties Union about the privacy implications of the proposed “Know Your Customer” bank regulations. The ACLU is a nation-wide, non-profit, non-partisan organization consisting of over 275,000 members dedicated to protecting the principles of freedom set forth in the Bill of Rights. The ACLU receives no funding from the federal government.
The ACLU believes that the Know Your Customer regulations inappropriately and unnecessarily infringe on the privacy rights of bank customers. The regulations should be withdrawn and Congress should ensure that no remotely similar regulations take their place. But if Congress stops there and fails to repeal or substantially modify the statutory basis for the proposed Know Your Customer regulations, or to strengthen the Right To Financial Privacy Act, it will itself have perpetrated a massive deception on the 100,000 people who spoke out against the Know Your Customer regulation. Customers of financial institutions who are not engaged in illegal activities should have a statutory right to know when personal information about them has moved into the law enforcement world. When it comes to protecting the financial privacy rights of Americans, the buck stops with Congress. Neither the courts, the bankers, nor the bank regulators can do what you must do to protect our privacy.
Today, I will describe the current state of financial privacy and explain how the proposed Know Your Customer regulation would make a bad situation worse. I will close by suggesting the need for statutory changes to enhance financial privacy, and improvements to the Administrative Procedures Act that would enhance privacy and promote public participation in the rulemaking process.
Current Know Your Customer Practices
Most people do not know it, but financial institutions are already required to spy on their customers. Congress authorized the Treasury Department to require them to do so. Congress also insulated financial institutions from civil liability for spying on their customers, and Congress barred financial institutions from telling their customers that their bank had spied on them by reporting their transactions to the federal government. In terms of financial privacy, this is a sorry state of affairs. Properly viewed, the debate about the proposed Know Your Customer regulations is not a debate about whether financial institutions will spy on their customers and report to the government, it is a debate about how such surveillance will be conducted and how intrusive it will be.
The Bank Secrecy Act authorizes the Treasury Department to require financial institutions to maintain records of personal financial transactions that “have a high degree of usefulness in criminal, tax and regulatory investigations and proceedings.” 1 It also authorizes the Treasury Department to require any financial institution to report any “suspicious transaction relevant to a possible violation of law or regulation.” 2 These reports, termed “Suspicious Activity Reports” are filed with the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). 3 Between April 1, 1996 and September 30, 1997, 110,000 such reports were filed, and of those reports, approximately 40% — 48,000 reports, or 130 reports every work day — were filed by financial institutions to comply with the Bank Secrecy Act. 4 Press reports indicate that from 1996 – 1998, 233,000 such reports were filed. 5
This is done secretly, without the consent or knowledge of bank customers, any time a financial institution decides that a transaction is “suspicious.” The Suspicious Activity Reports are made available electronically to every U.S. Attorney’s Office and to 59 law enforcement agencies, including the FBI, Secret Service and Custom Service. 6 No suspicion of crime — probable cause, reasonable grounds to believe, or even mere relevance to an on-going investigation — need be shown by the law enforcement agency to FinCEN before law enforcement accesses the report. No court order, warrant, subpoena or even written law enforcement request showing a need for the information need be prepared and given FinCEN. Instead of using these normal law enforcement tools — often under judicial supervision — many law enforcement agencies use a vacuum cleaner. They suck up everything FinCEN offers by periodically downloading the entire harvest of new information. 7 And they don’t give it back. This tremendous loss of personal privacy occurs daily even without the Know Your Customer regulations in place.
Banks must file Suspicious Activity Reports for many reasons, 8 including whenever they believe transactions 9 aggregating $5,000 or more involve potential money laundering or violations of the Bank Secrecy Act if the financial institution has reason to suspect that:
(i) the transaction involves funds derived from illegal activities or is intended to conceal such funds to evade any law or regulation, including reporting regulations;
(ii) the transaction is designed to evade any Bank Secrecy Act regulation; or
(iii) the transaction has no business or lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the financial institution has no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction. 10
To the extent known, the financial institution must report personal information about the “suspect.” 11 It must also provide a complete narrative description of the activity it deems suspicious, explain who benefited, and retain for law enforcement any confession, admission, or explanation of the transaction. The financial institution must also “recommend any further investigation that might assist law enforcement authorities.” 12 Financial institutions must also report currency transactions in excess of $10,000 separately to the IRS on Form 4789, the Currency Transaction Report.
FinCEN cites “the ‘natural hesitancy’ of organizations to track the relationship between the volume of reported information and the opening of particular cases” 13 to justify the lack of adequate reporting on the usefulness of this massive surveillance system in obtaining money laundering convictions. However, it appears that the Suspicious Activity Reporting System may be reporting more information than even law enforcement wants. 14
The Know Your Customer Regulations
On December 7, 1998, the Comptroller of the Currency, 15 the Office of Thrift Supervision, 16 the Federal Reserve Board 17 and the Federal Deposit Insurance Corporation 18 published proposed “Know Your Customer” regulations. These regulations would worsen the already sad state of financial privacy. The regulations would require banks and thrift institutions to:
(i) identify their customers;
(ii) determine the sources of funds for each customer;
(iii) determine the “normal and expected” transactions of each customer;
(iv) monitor each customer’s account activity and measure it against historical patterns; and
(v) report to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) any transactions that are “suspicious” because they do not conform to historical patterns.
In short, the proposed Know Your Customer regulations are a law enforcement profiling scheme. 19 Financial institutions would create customer profiles and monitor customer transactions to determine which transactions do not fit the profile and are therefore suspicious, and report those transactions to the government. To meet the command that the financial institution determine the sources of each customer’s funds, the financial institution would have to compile the equivalent of a dossier on each customer. The product of the profile — in the form of a Suspicious Activity Report — would be sent to the Treasury Department’s FinCEN. As is the practice today, FinCEN would evaluate the report and affirmatively send it to the Attorney General when there is “reason to believe that the records may be relevant” to a crime, and passively allow law enforcement access to the records regardless of its assessment of whether the SAR reflects evidence of crime.
Under these regulations, same bank teller who smiles at the end of the banking transaction and says “have a nice day” could also be charged and trained to investigate the customer’s sources of funds. Officials of financial institutions would do the work of law enforcement more than ever before. Their mission would be not only to conduct banking operations, but also to spy on their customers and the sources of their funds, and report to the government. The proposed Know Your Customer regulations are calculated to further enlist banks in the fight against money laundering — the process of disposing of the proceeds of illegal activity including drug sales. They would turn normal law enforcement practices up side down. Everyone is presumed suspicious since for each customer, intrusion is the norm, not the exception, because their banking practices must be profiled and their sources of funds ascertained.
Implementation of the Proposed Know Your Customer Regulation Would Further Diminish Financial Privacy
The proposed Know Your Customer regulations were issued to help financial institutions determine when to report to the government transactions of their customers by filing Suspicious Activity Reports. Financial institution regulators have said that implementation of the Know Your Customer regulations would do little more than formalize the Know Your Customer programs that financial institutions have “voluntarily” adopted under pressure from their regulators. 20 To the extent this statement is correct, it exposes the damage to financial privacy that has already been done. At the same time, though, the FDIC admitted that the proposed regulations would require financial institutions to gather information about customers that could be abused and must be safeguarded, and felt compelled to caution banks to collect only the information necessary to comply with its intrusive regulation. 21 We believe the proposed regulations would make several significant changes in current banking practices that would further diminish financial privacy interests.
First, no banking regulation now requires that banks profile their customers and many if not most of the Know Your Customer programs banks have voluntarily adopted do not require customer profiling. To profile a customer, banks would have to ascertain the sources of funds for each customer and determine their normal and expected transactions. In the case of businesses, banks would be required to ascertain the type of the business in which the corporation, partnership, or sole proprietor engages.
Though regulators characterize this information as essential to determine whether a customer’s actual use of the account conforms to what was expected when the account was opened, the proposed regulations do not tell financial institutions how to make this assessment. Financial institutions will in many cases feel compelled to conduct their own investigations, and thus further violate their customer’s interests in financial privacy. Ascertaining the source of funds is a qualitative, not a quantitative process, and it is one many financial institutions do not undertake. Current law and current regulations do not require that banks pry into the source of funds of their customers on a blanket basis, or the nature of their businesses. This in and of itself is detrimental to customer privacy.
Second, financial institutions are not currently required to search specifically for suspicious transactions, but rather only to report transactions that come to their attention and appear to be suspicious. The proposed Know Your Customer regulation would require such searching.
Third, financial institutions would have to monitor all transactions, not just large cash transactions and attempts to “smurf.” (i.e., the practice of splitting a large transaction into many separate transactions to evade reporting requirements.) Every transaction would have to be monitored to determine whether it falls outside of the usual and expected transactions for a particular category of customer.
Fourth, many financial institutions would inquire of their customers about transactions that do not fit the customer’s profile. What business is it of the banker that a large deposit from a particular customer resulted from a gift instead of from a job? No teller wants to be in the position of asking the customer where the money came from, and being answered with the sad, tight-lipped, reply that the customer’s father passed away and left money to the customer.
Fifth, all of the financial institutions that do not now have in place a Know Your Customer program would be required to adopt one under the proposed regulations. In fact, the FDIC views the proposed regulation as a way to “level the playing field” between institutions that do not have Know Your Customer Programs and those that do. 22
Sixth, the proposed regulations would require financial institutions to determine the “true identity” of their customers, and their sources of funds. Instead of merely ascertaining the identity of the person opening the account, they would have to list all those who benefit from an account, including clients of financial advisors, trust beneficiaries, and those who have a beneficial interest in an escrow account. Financial institutions would be put in the position of determining the sources of funds for people with whom they have no banking relationship.
Finally, more, not fewer, Suspicious Activity Reports would be filed with the government’s FinCEN if the Know Your Customer regulation was adopted. We believe this because one of the stated objectives of the proposal is to increase reporting of suspicious activity. 23 In addition, whenever a transaction is unusual for a particular customer, financial institutions will tend to err on the side of reporting in part because it is easier, and less embarrassing to the financial institution, to report the customer to the government than it is to inquire of the customer about the transaction.
Financial institutions would be required to report transactions that are not “normal and expected” for a particular customer, according to that customer’s profile. As many have already pointed out, many “unusual” transactions for a particular customer are in fact quite usual and ought not be reported as “suspicious” to the federal government. Whether it is an inheritance, a law suit settlement, an automobile purchase or the payment of college tuition, large transactions may be uncommon for a particular customer. He or she should not have to explain the transaction to their banker to avoid the filing of a Suspicious Activity Report. Many small businesses also have large “unusual” transactions, such as receiving a retainer fee or paying for equipment. These concerns are amplified because if the customer’s explanation of the transaction does not sufficiently allay the suspicion of the banker, the customer’s explanation must be flagged in the Suspicious Activity Report and a record made available to law enforcement.
The proposed Know Your Customer regulations cannot be fixed and should be withdrawn. The entire premise of the regulation is inconsistent with customer privacy. Moreover, Congress should step in to protect customer privacy because financial institutions are not doing the job.
Bank Privacy Policies and Practices
The privacy policies that have been voluntarily adopted by banks are woefully inadequate. They do not explain the circumstances under which banks report financial transactions to the federal government as “suspicious,” even though some of that information is in the public domain. They do not even advise customers of the number of Suspicious Activity Reports the bank sent to the federal government in the last year, and the number of their customers they reported as “suspects.” Instead, customers are given only a soothing assurance that the bank believes that customer financial privacy is important, but that the bank will share personal financial information in many circumstances, and will provide sensitive customer information to “regulatory authorities and law enforcement officials in accordance with applicable law” as Chase Manhattan puts it. I have attached a few bank privacy policies.
We are particularly concerned about the reactions of the financial institutions to the proposed Know Your Customer regulations. Most of the early comments from financial institutions and their trade associations did not sufficiently take into account the effect on financial privacy that the proposed regulations would have. Instead of saying from the start that the proposed regulations damage financial privacy and should be withdrawn, most argued that the proposed regulations should be applied to more entities — such as mutual funds and credit unions — so that banks would not face a competitive disadvantage. This is not a pro-privacy position.
Congressional Role In Protecting Financial Privacy
The institution best positioned to protect financial privacy is the Congress. The Supreme Court ruled in United States v. Miller, 425 U.S. 435 (1976) that individuals do not have a “reasonable expectation of privacy” under the Fourth Amendment in financial records pertaining to them but maintained by a bank in the normal course of business. See also California Bankers Assoc. v. Shulz, 416 U.S. 21 (1974) (upholding the then limited reporting requirements of the Bank Secrecy Act. ACLU was a plaintiff in this case).
In response to these Supreme Court rulings, Congress enacted the Right to Financial Privacy Act. 24 But it is clear that the right to financial privacy that was created is riddled with loopholes, including one very large loophole to accommodate financial institution reporting under the Bank Secrecy Act. 25 Though the Right to Financial Privacy Act contemplates that notice will be given customers when financial records are transferred from one federal agency to another 26 notice is not given when Suspicious Activity Reports are furnished by FinCEN to law enforcement officials.
Members of Congress could take a number of steps to enhance financial privacy:
First, Congress should refrain from urging bank regulators to issue Know Your Customer regulations, and from creating more incentives for financial institutions to file more Suspicious Activity Reports. Section 8 of H.R. 4005, “The Money Laundering Deterrence Act of 1998” which passed the House of Representatives last year on a voice vote under a suspension of the rules would have required bank regulators to issue Know Your Customer regulations within four months. Similarly, Section 1408 of S.5, the “Drug-Free Century Act” now pending in the Senate, would express the Sense of Congress that Know Your Customer regulations should be expedited. Section 1403 of S. 5 would expand to contracts and other legally enforceable agreements the safe harbor provisions of the Bank Secrecy Act, thus stimulating more Suspicious Activity Reports.
While we believe that the Bank Secrecy Act should be repealed (we challenged it in court under the Fourth, Fifth and First Amendments), Congress could take a number of steps short of repealing the Bank Secrecy Act to protect customer privacy.
Sunshine might go a long way toward protecting the privacy of the customers of financial institutions. At present, officials of financial institutions find themselves between a rock and a soft place. The “rock” is the threat of massive sanctions and penalties for violating the Bank Secrecy Act by failing to file a Suspicious Activity Report, or failing to have in place procedures calculated to facilitate the filing of such reports. The “soft place” is the safe harbor afforded financial institutions for reporting as suspicious the financial transactions of their customers, 27 together with the statutory assurance that their customers will never know that their bank reported their transactions to the government.
Thus, financial institutions have every incentive to report anything out of the ordinary as “suspicious” and little disincentive to refrain from inundating FinCEN with reports about their customers’ perfectly legal, but unusual, transactions. Worse still, FinCEN retains all the reports, as may the law enforcement entities that download its data. 28 Congress should level the playing field. It should require that Suspicious Activity Reports that are not acted on (i.e. are not the subject of a criminal investigation) within one year of filing be sent to the “suspect” to whom they pertain, unless law enforcement can show a continuing need for the information as a result of an ongoing criminal investigation.
Congress should also examine amending the Right to Financial Privacy Act to ensure that the privacy and notice it promises become more the rule, not the exception.
Changes the Administrative Procedures Act
It is within the jurisdiction of this Subcommittee to consider changes in the Administrative Procedures Act that would further open the process of rulemaking to public comment, and would ensure that everything possible is done to protect the privacy of the people who have to live under administrative rules.
Massive public outrage brought home to the bank regulators and to members of Congress the danger to privacy posed by the Know Your Customer proposed regulations. To a large extent, the public learned about the proposed rules through the Internet. Most of the comments received from the public were submitted by e-mail. People in a sense “voted” on the regulations by pointing and clicking, and they took the time to explain their vote to the regulators. Though staff were inundated with comments, FDIC Chairperson Donna A. Tanoue was quoted as saying about the importance of receiving e-mail comments, “I believe it is the only way to go for the future. … The FDIC would encourage it.” 29
Yet, the Administrative Procedures Act only requires that comments be written, and does not specify how they can be conveyed. In this particular rulemaking, the NPR issued by the Federal Reserve Board invited only hand delivered and mailed-in comments. The Comptroller of the Currency, the Office of Thrift Supervision and the Federal Deposit Insurance Corporation invited comments by hand delivery, mail, fax and e-mail.. The Act should be amended — or an appropriate administrative order issued — to require agencies to allow comment by all of these means, including e-mail.
Many angry comments were sent by e-mail. It is quite likely that many people who commented did not realize that their comments would be made part of a public record and could be posted to the Internet, as is the practice of some agencies. The APA should be amended, or an appropriate administrative order issued, to ensure that an adequate notice is given so that those who comment know the extent to which their comments may be publicized.
By statutory mandate, executive order, or administrative rule, agencies evaluate the extent to which proposed regulations have an economic impact on small entities, impose record keeping requirements, and constitute an unfunded mandate to the states. However, nothing 30 requires agencies — or preferably a separate agency in the federal government — to consider the privacy implications of proposed regulations.
The Administrative Procedures Act should be amended to require such a privacy assessment. It would include an evaluation of the extent to which the proposed rule would result in the dissemination of personally identifiable information without the consent or knowledge of the person to whom the information pertains, and of less invasive policy alternatives that could achieve substantially the same results without the same effect on personal privacy. The evaluation could be premised on the notion that a loss of personal privacy is a potential “cost” associated with new regulatory regimes. We believe that this assessment should be conducted by an independent body answerable to Congress. The person assessing the privacy effects of a proposed regulation ought not be answerable to the agency that proposed the privacy violation. To borrow a phrase from Bruce Phillips, the head of Canada’s privacy commission, this body could become the “pinch hitter for the little guy.”
Conclusion
The biggest privacy problem with the Know Your Customer regulations is the law on which they are based. Implementing the proposed regulations would make worse a bad situation in terms of financial privacy. We believe that Justice Douglas got it right when he said, in disputing the justification for the record keeping requirements of the Bank Secrecy Act, that those records will be useful in criminal, tax and regulatory proceedings, that:
It would be highly useful to governmental espionage to have like … reports from all our bookstores,
Related Issues
Stay Informed
Every month, you'll receive regular roundups of the most important civil rights and civil liberties developments. Remember: a well-informed citizenry is the best defense against tyranny.