Skip to content
 

Bank Trapped in RFPA Violation Through Army Subpoena

by Mary Beth Guard, BOL Guru

I've been writing about, and teaching on, financial privacy matters for more than a decade. In all that time, no decision has ever shocked me as much as the July 2, 2002 decision of the 9th Circuit Court of Appeals in the case of Flowers v. First Hawaiian Bank.

Imagine that you receive a subpoena seeking customer financial records. The subpoena is from the Army. You aren't familiar with the procedural niceties of military justice, but you realize immediately that the Army would be considered a "federal governmental authority" for purposes of the Right to Financial Privacy Act ("RFPA"). You know that if "customer" financial records (as that term is uniquely defined in the RFPA) are sought, you cannot turn over the records unless the government authority:

  • has obtained customer authorization for the release of records, with the authorization containing the 7 elements required by statute; OR
  • the government authority has utilized one of the procedures authorized by the RFPA, using a judicial or administrative subpoena, a search warrant, or a summons, and giving the customer notice and an opportunity to challenge (unless the particular type of request is exempt from the notice and challenge procedure; OR
  • the records request falls within an exception to the RFPA.

You look through the exceptions, beginning with Section 3413, and you find one that appears to comply. Under Section 3413(e), it reads:

"(e) Disclosure pursuant to Federal Rules of Criminal Procedure or comparable rules of other courts Nothing in this chapter shall apply when financial records are sought by a Government authority under the Federal Rules of Civil or Criminal Procedure or comparable rules of other courts in connection with litigation to which the Government authority and the customer are parties."

You have been told that this Army proceeding relates to alleged larceny by your customer. The Army (a government authority) is a party. Your customer (whose records are sought) is a party. This is a military court. Everything fits, right? And since 3413(e) says that nothing in this chapter [the RFPA] shall apply "when financial records are sought by a Government authority under the Federal Rules of Civil or Criminal Procedure or comparable rules of other courts in connection with litigation to which the Government authority and the customer are parties", you figure the records request falls within the exception and you can turn over the records. The customer will not be entitled to notice and an opportunity to challenge under the RFPA because nothing in the RFPA applies. And since nothing in the RFPA applies, the part of the RFPA that relates to your bank obtaining a certificate of compliance (3417(c)) wouldn't be applicable either. Right?

That's precisely the situation First Hawaiian Bank faced in this case. The bank turned over the records. The customer sued. The bank defended, arguing that the records request fell within the 3413(e) exception. The district court agreed, saying the bank's conduct in response to the Army's Article 32 (that's the name for the type of Army proceeding being used) subpoena was within the RFPA's exemption for information disclosed in the course of litigation between the government and a private citizen. The 9th Circuit Court of Appeals reversed.

The 9th Circuit says that the 3413(e) exemption has four requirements, all of which must be met for the exemption to apply. The records must be sought by

  1. a governmental authority,
  2. under the Federal Rules of Civil or Criminal Procedure or comparable rules of other courts,
  3. in connection with litigation,
  4. to which the governmental authority and the customer are parties.

The Court found that requirements 1,3, and 4 were satisfied, but #2 was not. The reason #2 is not met, according to the Court, is because a subpoena issued in an Article 32 proceeding is not issued "under the Federal Rules of Civil or Criminal Procedure or comparable rules of other courts." Like you're supposed to KNOW that the Uniform Code of Military Justice makes no mention of subpoenas in Article 32 hearings and therefore subpoenas aren't valid in those proceedings????? For God's sake, if the military lawyers didn't figure that out, how in the world was the bank supposed to???? The subpoena even stated on its face that it is a subpoena in an Article 32 proceeding. The Court talked about that, saying the subpoena "invokes nonexistent legal authority for its issuance."

After finding that the subpoena wasn't validly issued under "comparable rules of other courts", the Court reasoned that the records should not have been turned over without the customer first being afforded the protections of the RFPA -- advance notice by the government and an opportunity to challenge access to the records. Since the customer didn't get those protections, the RFPA was violated. The bank could have protected itself from liability IF it had produced the records in good faith reliance upon a certificate of compliance tendered to it by the Army. But since the bank thought the whole RFPA (including the Certificate of Compliance part) was inapplicable because the bank assumed the subpoena was proper and therefore believed the exception applied, the bank did not request, or receive, a certificate of compliance. According to the Court, that means the bank may be held liable to the customer.

There probably aren't five bank lawyers in the United States who would have concluded that the subpoena was invalidly issued and the exemption therefore did not apply. And it could get even worse. The Court notes that it does not, in this case, address the situation where a particular rule authorizes the issuance of a subpoena and the subpoena actually issued is defective in some respect -- but it dangles that issue as one that could possibly arise in some other case in the future.

Should you change anything you're doing as a result of this court decision? Insist upon a certificate of compliance from the government authority in any instance where you are turning over customer financial records. I have long referred to the certificate of compliance as a "bullet-proof shield", protecting you from liability. Under this Court's decision, even when you believe the RFPA is inapplicable because it appears an exemption applies, you need to obtain the certificate of compliance. It puts the government on the hook. In the certificate, they are attesting to the fact that they have complied with the law. If you rely on their certification in good faith, the statute should protect you. The key is "good faith", however. If you know, or have reason to know, that the government is not in compliance, no piece of paper will protect you.

First published on BankersOnline.com 7/3/02

First published on 07/03/2002

Filed under: 
Compliance
Filed under compliance as: 
Compliance/Compliance Management
Financial Privacy
RFPA

Report a problem with this page

Search Topics