Financial Privacy, Reporting Requirements Under the Bank Secrecy Act

Document Date: April 20, 1999

Statement
of
Gregory T. Nojeim,
Legislative Counsel

American Civil Liberties Union
Washington National Office

on

Financial Privacy,
Reporting Requirements Under the Bank Secrecy Act
And the “Know Your Customer” Regulations

Before The

House Banking Committee Subcommittees on General Oversight and Investigations, and Financial Institutions and Consumer Credit

April 20, 1999
 

Chairwoman Roukema, Chairman King and Members of the Subcommittees:

I am pleased to testify today before the House Banking Committee Subcommittees on General Oversight and Investigations and Financial Institutions and Consumer Credit for the American Civil Liberties Union. The ACLU is a nation-wide, non-profit, non-partisan organization consisting of over 275,000 members dedicated to protecting the principles of freedom set forth in the Bill of Rights. These hearings on financial privacy and the reporting requirements under the Bank Secrecy Act are important to millions of Americans all over the country.

We testified on March 4 before the Judiciary Committee’s Subcommittee on Commercial and Administrative Law to register our concerns about the proposed “Know Your Customer” regulations. There was overwhelming public opposition to those regulations. As a result, the regulations were withdrawn.

Despite the fact that those regulations have been withdrawn, the practices that were at issue are still in place because financial institutions have been coerced by the Treasury Department to put them in place on a “voluntary” basis. Now that everyone is aware of the overwhelming public opposition to these practices, it is time for Congress to step forward and prohibit those practices. Moreover, Congress should review the underlying statutory scheme with an eye toward limiting intrusive reporting requirements to focus on true criminal activity and increasing privacy for all customers in bank transactions.

Today, I will describe the withdrawn “Know Your Customer” regulations, the similar practices already in place at banks, and the Suspicious Activity Reporting requirements that spawned these practices. I will explain how Congress in 1970 gave bank regulators a “blank check” to compromise customer privacy, and I will point out what regulators have done with that broad authority. I will close by suggesting the need for a statutory scheme to enhance financial privacy.

 
The Proposed “Know Your Customer” Regulations
On December 7, 1998, the Comptroller of the Currency,1 the Office of Thrift Supervision2, the Federal Reserve Board3 and the Federal Deposit Insurance Corporation4 published proposed “Know Your Customer” regulations. Ostensibly, these regulations would have required banks and thrift institutions to:

 

  1. identify their customers; 
  2. determine the sources of funds for each customer; 
  3. determine the “normal and expected” transactions of each customer; 
  4. monitor each customer’s account activity and measure it against historical patterns; and 
  5. report to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) any transactions that are “suspicious” because they do not conform to historical patterns.

Over 250,000 comments were submitted to financial institution regulators in opposition to the proposed regulations. Slightly more than 100 comments favoring the regulations were submitted. Most of those who submitted comments decried “Know Your Customer” as a massive invasion of financial privacy. Late last month, the proposed regulations were withdrawn as regulators and bankers feared that the very integrity of the banking system would be threatened if they were put in place.

 
Current “Know Your Customer” Practices
Ironically, withdrawal of the regulations does not mean that the public is safe from privacy intrusions. According to a survey by the American Bankers Association, 86% of responding banks already had “Know Your Customer” programs or policies in place as of 1990. The Federal Reserve has made it clear that banks should “voluntarily” adopt Know Your Customer programs, even though they are not required to do so:

 
“Even though not presently required by regulation or statute, it is imperative that financial institutions adopt ‘know your customer’ guidelines or procedures to ensure immediate detection and identification of suspicious activity at the institution.”

* * *

“An integral part of an effective ‘know your customer’ policy is a comprehensive knowledge of the transactions carried out by the customers of the institution. Therefore, it is necessary that the ‘know your customer’ procedures established by the institution allow for the collection of sufficient information to develop a ‘customer profile.’

* * *

“Internal systems should then be developed for monitoring transactions to determine if transactions occur which are inconsistent with the ‘customer profile.’”5
[Emphasis supplied.] The Federal Reserve enforces this imperative by examining for Know Your Customer programs.6 Other financial institution regulators examine for similar programs.

 
“Suspicious” Activity Reporting
The current Know Your Customer practices are viewed by bank regulators as necessary for financial institutions to meet the Suspicious Activity Reporting requirements that the regulators have put in place. The obligation to report personal financial information on Suspicious Activity Reports7 is easily triggered. Such reports must be filed whenever a financial institution believes that cash and/or non-cash transactions8 aggregating $5,000 or more are “relevant to a possible violation of law or regulation” such as the Bank Secrecy Act and the laws against money laundering.9

How does a bank determine whether a transaction is “suspicious” and must be reported? The regulation tells the banker to report transactions conducted through the financial institution which meet the monetary threshold whenever the financial institution “has reason to suspect” that:

 

  1. The transaction involves funds derived from illegal activities or is intended to conceal such funds to evade any law or regulation, including reporting regulations; 
  2. The transaction is designed to evade any Bank Secrecy Act regulation; or  
  3. The transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction. 10

This is an extraordinarily broad reporting requirement. Every $5,000 transaction that a financial institution has reason to suspect is unusual for a particular customer must be reported to the government whenever the financial institution knows of no reasonable explanation for the transaction based on available facts.

Many, if not most, innocent $5,000 transactions meet this requirement. This is clear for two reasons: (i) for most customers, a $5,000 transaction is “unusual;” and (ii) most financial institutions do not “know” of an explanation for most of the $5,000 transactions conducted through them. Between April 1, 1996 and September 30, 1997, 110,000 such reports were filed,11 and of those reports, approximately 40%12 — 48,000 reports, or nearly 200 reports every work day — were filed by financial institutions to comply with the Suspicious Activity Reporting requirements. Large financial transactions can mark important milestones in the lives of some people. They may accompany graduation from college, purchase of a first automobile, a marriage, or the death of a loved one. In most cases, they are none of the business of the federal government, regardless of whether a banker “knows” of a reason for the transaction.

The reports filed under this broad requirement are extraordinarily invasive. To the extent known, the financial institution must report personal information about the “suspect,” including her Social Security Number, date of birth, occupation and home and work phone numbers.13 It must also provide a complete narrative description of the activity it deems suspicious, explain who benefited, how much and how they benefited, and retain for law enforcement any confession, admission, or explanation of the transaction. It must explain why any information about the customer or the transaction has been excluded from the report. The financial institution must also “recommend any further investigation that might assist law enforcement authorities.”14 Financial institutions must also report currency transactions in excess of $10,000 separately to the IRS on Form 4789, the Currency Transaction Report.15

These invasive reports are widely disseminated to law enforcement. They are filed with the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) which makes them available electronically to every U.S. Attorney’s Office and to 59 law enforcement agencies, including the FBI, Secret Service and Customs Service.16 No suspicion of crime — probable cause, reasonable grounds to believe, or even mere relevance to an on-going investigation — need be shown by the law enforcement agency to FinCEN before law enforcement accesses the report. No court order, warrant, subpoena or even written law enforcement request showing a need for the information need be prepared and given to FinCEN.

Instead of using these normal law enforcement tools — often under judicial supervision — many law enforcement agencies use a vacuum cleaner approach. They suck up everything FinCEN offers by periodically downloading the entire harvest of new information.17 The information can be maintained indefinitely by FinCEN for whatever purposes may be made of it in the future, even if no law enforcement agency uses it in connection with a criminal investigation and even if the statute of limitations on any such investigation has lapsed. This tremendous loss of personal privacy occurs daily and in secret, without the consent or knowledge of bank customers.

There is little doubt that some law enforcement officials will argue that the massive invasion of customer privacy represented by these reporting requirements is counterbalanced by law enforcement needs. They will identify instances in which Suspicious Activity Reports were filed and notorious criminals arrested. They would be able to make the same argument, and identify even more cases to support the argument, if the courts permitted law enforcement to secretly search the financial records in every person’s home without authorization or probable cause. Though those records today are maintained at financial institutions, the privacy interest in them remains.

FinCEN cites “the ‘natural hesitancy’ of organizations to track the relationship between the volume of reported information and the opening of particular cases”18 to justify the lack of comprehensive statistical reporting on the usefulness of this extensive surveillance system in obtaining money laundering convictions. Banks apparently do not think it is particularly useful. According to the Money Laundering Deterrence and Bank Secrecy Act survey conducted by the American Bankers Association, only 7% of the 548 responding banks could identify even one prosecution that resulted from their filing either a Suspicious Activity Report or a Currency Transaction Report. It is likely that the Suspicious Activity Reporting system may be reporting more information than even law enforcement wants.19

The entire premise of the Suspicious Activity Reporting regulation — that everyone must be surveilled in case someone is involved in crime — is inconsistent with customer privacy. Every fisherman knows that if you cast a net 100,000 times, you’re bound to catch a few big fish, and a lot of small fry. The regulation itself should be withdrawn and Congress itself should step in to protect customer privacy. Neither the courts nor the financial institutions themselves are doing the job.

 
Bank Privacy Policies and Practices
The privacy policies that have been voluntarily adopted by financial institutions are not an adequate substitute for protective federal legislation. They do not address the privacy issues raised above. As a general rule, they do not even inform customers of the circumstances under which financial institutions must report financial transactions to the federal government as “suspicious,” even though much of that information is in the public domain. They do not advise customers of the number of Suspicious Activity Reports the bank sent to the federal government in the last year and the number of their customers they reported as “suspects.” They do not tell the customer whether the bank has a “Know Your Customer” program in place. They are unenforceable by the customer and fail to include penalties for financial institution conduct that violates the privacy policy. Instead, customers are given only a soothing assurance that the financial institution believes that customer financial privacy is important, but that it will share personal financial information in many circumstances. Customers are vaguely apprised that customer information will be provided to “regulatory authorities and law enforcement officials in accordance with applicable law” as Chase Manhattan puts it. I have attached a few bank privacy policies.

We are particularly concerned about the reactions of the financial institutions to the proposed Know Your Customer regulations. Most of the early comments from financial institutions and their trade associations did not sufficiently take into account the effect on financial privacy that the proposed regulations would have. Instead of saying from the start that the proposed regulations damage financial privacy and should be withdrawn, most argued that the proposed regulations should be applied to more entities — such as mutual funds and credit unions — so that banks would not face a competitive disadvantage. This is not a pro-privacy position.

As a result, ACLU has launched an internet-based “Know Your Banker” campaign. People who visit our web site at /privacy/financial.html are urged to write a letter to their banker about financial privacy. They are encouraged to pose two questions. Does the financial institution have a “Know Your Customer” program in place, even though no federal regulation requires such a program? How many times in the last year did the financial institution report a customer to the government as a “suspect” on a suspicious activity form? Privacy is a service financial institutions offer their customers. Customers have a right to know about that service. Financial institutions should be encouraged to compete for customers by offering better privacy service. Accordingly, we intend to publish the information we receive from the campaign and to the extent possible, name the banks that offer better privacy services. We have encouraged other interested organizations to adopt “Know Your Banker” campaigns.

 
Congressional Activities With Respect To Financial Privacy
The institution best positioned to protect financial privacy is the Congress. The Supreme Court ruled in United States v. Miller, 425 U.S. 435 (1976) that individuals do not have a “reasonable expectation of privacy” under the Fourth Amendment in financial records pertaining to them but maintained by a bank in the normal course of business. See also California Bankers Assoc. v. Shultz, 416 U.S. 21 (1974) (upholding the then limited reporting requirements of the Bank Secrecy Act. ACLU was a plaintiff in this case).

Unfortunately, with limited exceptions including the Right to Financial Privacy Act20 enacted in 1978 in response to these court rulings, Congress has consistently limited rather than expanded financial privacy. Indeed, one might rightfully conclude that in recent years, much more attention has been paid to efficiency in reporting and in expanding law enforcement use and access to that which is reported, than to protecting the privacy of the underlying personal transactions, and ensuring that information about innocent transactions is not turned over to the government. The time has come to reassess this course.

In 1992 Congress amended the Bank Secrecy Act to authorize the Treasury Department to adopt the Suspicious Activity Reporting requirements.21 In essence, it gave the Treasury Department a blank check to require reporting of any “suspicious transaction relevant to a possible violation of law or regulation.”22 At the same time, Congress completely insulated financial institutions from civil liability for reporting their customers as “suspects” to the government, and Congress barred financial institutions from telling their customers that their bank had spied on them by reporting their transactions.

The Right to Financial Privacy Act is riddled with loopholes, including one very large loophole to accommodate financial institution reporting under the Bank Secrecy Act.23 Though the Right to Financial Privacy Act contemplates that notice will be given customers when financial records are transferred from one federal agency to another,24 notice is not given when Suspicious Activity Reports are furnished by FinCEN to law enforcement officials. In terms of financial privacy, this is a sorry state of affairs.

Members of Congress could take a number of steps to enhance financial privacy:

First, instead of urging bank regulators to issue Know Your Customer regulations, creating more incentives for financial institutions to file more Suspicious Activity Reports25 and extending Suspicious Activity Reporting requirements to more businesses, Congress should legislate to ensure that “Know Your Customer” is excised once and for all from all Bank Secrecy Act compliance manuals and procedures.

Second, while we believe that the Bank Secrecy Act should be repealed (we challenged it in court under the Fourth, Fifth and First Amendments), Congress could take a number of steps short of repeal that would protect financial privacy. It could repeal only the Suspicious Activity Reporting requirements that were enacted only a few years ago. These are the requirements that spawned the “Know Your Customer” programs that banks now have in place, and the unworkable, intrusive, and overly broad Suspicious Activity Reporting regulations in the Code of Federal Regulations.

Third, alternatively, Congress should require that Suspicious Activity Reports be sent to the innocent “suspect” to whom they pertain unless the report is used in a criminal investigation within one year of filing. At present, bankers find themselves between a rock and a soft place. The “rock” is the threat of massive sanctions and penalties for violating the Bank Secrecy Act by failing to file a Suspicious Activity Report, or failing to have in place procedures calculated to facilitate the filing of such reports. The “soft place” is the absolute immunity afforded financial institutions for reporting as suspicious the financial transactions of their customers, together with the statutory assurance that their customers will never know that their bank reported their transactions to the government.26 Thus, financial institutions have every incentive to report anything out of the ordinary as “suspicious” and little disincentive to refrain from inundating FinCEN with reports about their customers’ perfectly legal, but unusual, large transactions. Worse still, FinCEN retains all the reports, as may the law enforcement entities that download its data.27 Congress should level the playing field by shedding a little sunshine on the process.

Fourth, Congress should ensure people who represent consumer and privacy interests are included in the Bank Secrecy Act Advisory Group. Under current law, the Advisory Group includes only law enforcement officials and representatives of business subject to the Bank Secrecy Act reporting requirements.28 The Advisory Group’s mandate should be expanded from law enforcement and business interests to include measures to protect financial privacy. The Advisory Group should meet in public, not secretly, behind closed doors.

Fifth, Congress should examine the Right to Financial Privacy Act with an eye toward amending it to ensure that the privacy and notice it promises become more the rule, not the exception.

 
Conclusion
Congress should step in aggressively to protect financial privacy. Neither the courts nor the bankers are doing the job, and the current statutory and regulatory scheme guarantees that they will continue to fail to do the job. If Congress fails to repeal or substantially modify the statutory basis for the proposed Know Your Customer regulations, or to strengthen the Right To Financial Privacy Act, it will itself have perpetrated a massive deception on the quarter of a million people who spoke out against the proposed Know Your Customer regulations.

What is in place today is a massive financial surveillance system that fails to properly balance the needs of law enforcement agents, financial institutions, and customer privacy rights. What should be in place after congressional review is a system based on the following principles:

 

  1. a customer’s innocent financial transactions can reveal the most intimate details of a person’s life, and are no business of the federal government; 
  2. financial institutions should be given proper incentives and disincentives to ensure that this principle is upheld; 
  3. a financial institution that is victimized by the criminal conduct of one of its customers should be able to report that criminal conduct voluntarily, as is the case for other crimes, provided proper privacy protections are in place to ensure that no abuses result; 
  4. banks should not be protected when they falsely report as criminal conduct confidential information about one of their customers, and customers who are not engaged in such conduct have a right to know that the privacy of their financial transactions has been compromised; and 
  5. instead of a massive surveillance system that damages financial privacy, the subpoena with notice and the court order based on probable cause ought to be the law enforcement tools utilized to fight financial crimes.

When it comes to protecting the financial privacy rights of Americans, the buck stops with Congress. Neither the courts, the bankers, nor the bank regulators can do what you must do to protect our privacy.

Endnotes:
1 63 Fed. Reg. 67524 (Dec. 7, 1998).

2 63 Fed. Reg. 67536 (Dec. 7, 1998).

3 63 Fed. Reg. 67516 (Dec. 7, 1998).

4 63 Fed. Reg. 67529 (Dec. 7, 1998).

5 Federal Reserve, Bank Secrecy Act Compliance Manual, Section 601.0, (Sept. 1997) on-line at: http://www.bog.frb.fed.us/boarddocs/SupManual/bsa/97bsaman.pdf. Similar language appears in a similar document issued by the FDIC, http://www.fdic.gov/banknews/manuals/exampoli/99INSTRU_main.htm, and the OCC has similar requirements.

6 BSA Compliance Manual, Section 103.0, pp. 19-20.

7 A Suspicious Activity Report can be viewed at http://www.treas.gov/fincen/forms.html#90.

8 “Transactions” include any deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond or other investment security, or any other payment through the financial institution.

9 Suspicious Activity Reports are filed to report suspicious activity relating to crimes other than money laundering and violations of the BSA, including bribery, check fraud, check kiting, loan fraud, counterfeiting, credit card fraud, embezzlement and self-dealing. Financial institutions may also report customer transactions on Suspicious Activity Reports even when reporting is not required.

10 Adapted from 31 CFR Sec. 103.21, 12 CFR Secs. 563.180, 21.11 and 208.20, and the directions for completing the Suspicious Activity Report.

11 Press reports indicate that from 1996 – 1998, 233,000 such reports were filed, and that nearly 100,000 such reports were filed last year alone. CQ Daily Monitor, February 10, 1999, at p. 5, and Robert O’Harrow, Jr. “Disputed Bank Plan Dropped,” The Washington Post, March 24, 1999, at p. E1.

12 Forty per cent of the Suspicious Activity Reports received by FinCEN are issued because the financial institution preparing the report suspects a violation of the Bank Secrecy Act. FinCEN, First Review of the Suspicious Activity Reporting System, p. 8 (April 1998) (hereinafter “FinCEN 1st Review”).

13
