Right to Financial Privacy Act

Overview

- Right to Financial Privacy Act (RTFPA) is codified at 12 USC 3401
- No implementing regulation

General Requirements

Prohibits a credit union from disclosing its members’ financial records to any federal agency except in limited circumstances. With some exceptions, a credit union can only provide federal agencies access to the financial records of a member when the federal agency has met the following conditions:

1. Reasonably described the records sought
2. Provided one of the following:
   a. A written authorization from the member allowing the credit union to disclose the information
   b. An administrative subpoena
   c. A validly issued search warrant
   d. A judicial subpoena
   e. A formal written request
3. Certifies in writing that it has complied with the requirements of the RTFPA (Certificate of Compliance).

Exceptions

General Guidelines for Exceptions

- If an exception applies, the federal agency requesting the information should provide the specific statutory authority for the exception
- Always have an attorney review exceptions to ensure the release of information is allowed

Suspicious Activity Reports

Credit Unions must comply with SAR reporting instructions for this exception to apply.

Certain Lending Activities

- Filing federal liens
- Proving claims in bankruptcy proceedings
- Collecting on a debt owing to the credit union
- Processing of a government loan

Examinations

An exception applies to any disclosure of member information made during the course of an exam by a federal or state regulator.

IRS Reporting

Exceptions apply to all disclosures of member information required under the IRS Code, for example, information returns.

Federal Reporting

For example, HMDA reporting would be exempt.

Federal Civil or Criminal Lawsuits

If a member and a federal agency are legal parties to a civil or criminal lawsuit and the federal agency requests information from the credit union about one of its members under appropriate court rules, the credit union may turn the information over without violating the RTFPA.

Special Procedures

- Federal agencies engaging in certain foreign intelligence activities and the Secret Service do not need to produce one of the five documents discussed above in order to request information about a member
- The agency must still provide the Certificate of Compliance
- The credit union is absolutely prohibited from disclosing to its member that the information was sought or obtained.

Authorizing Documents

Member’s Written Authorization

The authorization must be in the form of a signed and dated statement which:

1. Authorizes the credit union to disclose the information for a period which does not exceed three months.
2. States that the member may revoke the authorization at any time prior to the credit union’s disclosure of the information.
3. Identifies the records authorized to be disclosed.
4. Specifies the purpose for which the records may be disclosed along with the agency to which they may be disclosed.
5. States the member’s rights under the RTFPA.

If a member provides this written authorization, he generally has the right to receive a copy of whatever records are disclosed pursuant to his authorization.

Administrative Subpoena

An administrative subpoena is a formal request for information issued by an executive branch agency of the federal government. The credit union may release member information pursuant to an administrative subpoena only if:

- The credit union has reason to believe that the records sought are related to a legitimate law enforcement inquiry.
- The member has been served with a copy of the subpoena on or before the credit union is served with it, and the credit union receives a copy of a notice sent to the member specifically describing the nature of the inquiry.
- The credit union waits 10 days from the date the member was served the subpoena (or 14 days if the member was served by mail) to see if notice is received that the member has filed a motion to stop the subpoena.

Search Warrant

A valid search warrant will be signed by a judge (or in some cases a magistrate). A credit union presented with a validly executed search warrant can surrender only the information described in the warrant.

Judicial Subpoena

A judicial subpoena is issued by a court. The procedures in terms of compliance with the RTFPA are identical whether a subpoena is administrative or judicial in nature.

Grand Jury Subpoena

The credit union is prohibited from notifying the member that the records have been requested and disclosed. The requested records must be presented in person to the grand jury.

Formal Written Requests

Formal written requests are used only in very specific circumstances. The credit union should ensure all the following requirements have been met prior to the release of information:

1. There is no administrative subpoena authority to suit the agency’s purpose
2. The request is authorized by regulations of the particular agency making the request
3. There is reason to believe that the records sought are relevant to a legitimate law enforcement inquiry

The credit union must also receive proof that a copy of the formal written request was served on the member in question, along with a notice of their rights. Information should not be divulged until 10 days have expired from the date the member was served or 14 days from the date the notice was mailed to the member.

Notice to the member

- Affected members are typically entitled to know what exactly was turned over to federal agencies.
- The agency obtaining the information generally has a duty to let the member know that it has obtained information from the credit union.
- The member can learn from the credit union exactly what was divulged.
- The credit union should not voluntarily advise the member that records have been turned over.

Cost Reimbursement

In some instances credit unions may charge the requesting agency a fee as reimbursement for the reasonable costs incurred in terms of time spent in assembling the requested records. The Federal Reserve Board’s Regulation S contains procedures for determining what costs are recoverable.

Expenses in connection with requests for records under the following situations cannot be reimbursed:

- Security interest, bankruptcy claims, and debt collection — costs for records provided to perfect a security interest, prove a claim in bankruptcy, or collect a debt.
- Government loan programs — costs for records requested in order to process loans under government loan, loan guaranty, or loan insurance programs.
- Nonidentifiable information — records not identifiable as specific to a particular member.
- Financial supervisory agencies — records released to supervisory agencies as part of their supervisory duties (NCUA, state regulators).
- Internal Revenue summons — records requested by the IRS as authorized by the Internal Revenue Code.
- Federally required reports — records required to be reported by federal statute or rule.
- Government civil or criminal litigation — requests for information authorized by law for cases where the government authority and the member are parties to the case.
- Administrative agency subpoenas — records requested by administrative subpoena issued by an administrative law judge as part of a legal proceeding where the agency and the member are parties to the case.
- Investigation of the financial institution or its non-member.
- General Accounting Office requests.
- Federal Housing Finance Board requests.

Civil Penalties

A credit union that discloses financial records or information to a federal agency in violation of the requirements of the RTFPA can be civilly liable to the affected member for the sum of:

- $100 regardless of the volume of records involved
- Any actual damages sustained by the member as a result of the disclosure
- Any punitive damages allowed by a court if the violation was willful or intentional
- All costs incurred by the member — including reasonable attorney’s fees.

Record Retention

Because the statute of limitations for asserting RTFPA violations is rather open-ended, credit unions should retain all records of requests for information, including copies of all information provided to federal agencies, all notes taken by staff, and all evidence of compliance with the RTFPA, indefinitely.