Bank Duties to Respond to Requests for Customer Financial Information
Congress enacted the Right to Financial Privacy Act (“RFPA” or the “Act”) to safeguard customer information from itself, the federal government. Further, despite the RFPA’s significant protections afforded to customer information, the Act is far from a moratorium on revealing customer information. Due to several exemptions under the Act coupled with relatively recently enacted state information protections, banks often find themselves navigating a labyrinth of provisions in determining whether compliance with a request for customer information is mandatory. This article assists with making such determinations by discussing three main exemptions under the RFPA as well as certain type of requests outside the scope of the Act.
Before delving into exemptions and coverage, it is important to note that the RFPA only applies to requests for information made by the federal government. Accordingly, the Right to Financial Privacy Act does not prevent disclosure of information when a request is made by a private party, state, city, or a local government. While many states enacted provisions to address such requests, any party that is not a part of the federal government of the United States is outside the scope of the RFPA provisions.
The first exception under the Act is a judicial or administrative subpoena or summons. Any division of the federal government that obtains such a subpoena has no further requirements under the RFPA and a financial institution is required to comply with such a subpoena. Both types of subpoenas must be authorized by a judge of either civil, criminal, or an administrative court. Generally, it is not necessary for a bank to determine which type of court authorized a subpoena, as long the subpoena was authorized by a court. Certain courts and jurisdictions created processes allowing parties to issue subpoenas without the approval of a judge. While such subpoena are valid requests for information, they are not exempt from the RFPA and a financial institution would not be able to rely on such a subpoena in disclosing information under the RFPA, unless other exemptions allowing disclosure also apply to the request.
The second exception under the Act is a formal written request by a government agency made to a financial institution to release records of a customer. For this exemption to apply under the RFPA, a federal government entity must make a request in writing, where the entity certifies that: (1) the request is made by an entity of the federal government; and (2) it is not possible to obtain a judicial or an administrative subpoena. Under this exception, a bank is not required to further determine whether a subpoena cannot in fact be obtained and the bank is shielded from liability to a customer if in fact the federal government would have been able to obtain a subpoena but failed to do so.
The third exemption under the Act is an instance where a request is for information that is already required to be reported by a federal statute or rule. For example, the Bank Secrecy Act (BSA) requires reporting, among other types of information, suspected money laundering activities. An entity of the federal government may be in the process of investigating a customer and request information on a particular transaction that may establish the customer is laundering money. If the bank would ordinarily be required to report the details of such a transaction under the BSA, disclosure of the details of such a transaction to government, without further certification or a subpoena, would not violate the RFPA.
Lastly, requests for tax records of a customer are separately governed by the Taxpayer First Act in addition to the RFPA. While the Taxpayer First Act is beyond the scope of this article, any party requesting tax related information of a customer must comply with the provisions of the Taxpayer First Act, in addition to the RFPA, when a request is made by the federal government.
This article sets forth the main exemptions under the RFPA, under which a financial institution may disclose records of a customer with impunity. However, the RFPA contains a number of other provisions that may applicable, which the bank must also review in the event a request for information by the federal government is not covered by any of the exemptions discussed here.
Consumer Financial Protection Bureau Indicates a Shift in the Regulatory Winds
In the first week of the Biden administration and upon appointment to his position, Acting Director of the Consumer Financial Protection Bureau (CFPB) Dave Uejio sent out an e-mail to Bureau staff indicating his priorities for the agency moving forward in anticipation of President Biden’s nominee for director, Rohit Chopra is confirmed. A week later, Acting Director Uejio published his e-mail to Bureau staff on the CFPB blog so that the public and financial institutions could see the agency’s shift when it comes to regulation.
In his letter, Uejio established two main priorities that the CFPB will focus on in the immediate future: (1) relief for consumers who have been impacted by the COVID-19 pandemic and its financial effects; and (2) racial equity. Acting Director Uejio expressed concern with the findings in the Bureau’s January 2021 Supervisory Highlights. The highlights contained information that examiners found regarding banks and their role in assisting consumers during the pandemic. Examiners found several significant issues when it came to the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) and Payment Protection Program (PPP).
First, some mortgage servicers have been giving consumers inaccurate or incomplete information about CARES Act forbearances, failed to process these requests, and collected late fees even though these forbearances were approved. Second, there were also servicers that withdrew money on consumers that were in deferment. Further, there were some financial institutions that had set off stimulus payments and unemployment insurance benefits to cover fees and debts, which Compliance Alliance strongly recommends against doing without a legal opinion in the affirmative. While these were only a few examples among the many violations, it is natural that the Supervision, Enforcement, and Fair Lending (SEFL) Division has been directed to take a more aggressive approach in enforcing consumer protections during this time and expediting investigations.
With this prioritization by the CFPB, consumer compliance with anything COVID-19 related becomes increasingly significant. Compliance Alliance has been working to provide members with answers and tools regarding the most recent round of PPP. However, COVID-19 compliance does not end there. Banks must remain vigilant in upholding the spirit of their role in this economic recovery and providing consumers with needed relief. Our PPP Resources for 2021 page as well as our Business Continuity/Pandemic Toolkit can be valuable resources and are updated as new guidance comes out.
Acting Director Uejio also indicated in his letter that it is time for the Bureau to take on a bolder role in upholding racial equity. Naturally, this means fair lending trends and issues becomes a key priority but will only be the beginning point of achieving this overall goal. Banks should remain vigilant and be prepared for changes to come from the CFPB. For example, the CFPB will now be supervising lenders regarding the Military Lending Act. As the CFPB implements these changes, Compliance Alliance will be there to guide you, and assist and protect your consumers along the way.
Emerging Risks for Banks in 2021
The pandemic has permeated all facets of the community and touched all our lives. COVID has upended the world and the banking sector is no exception. Many financial institutions are facing difficult times in these economic uncertain times with lingering aftereffects. While there are headways to be made, there are also headwinds ahead for banks. Enterprise risks management (ERM) needs to move rapidly to ensure a system of safe and sound risk management. This is the new world order where we are “redefining the art of the possible in a post-COVID-19 world.”  With banks continue to raise the bars and levels of competition, a few notable risks are emerging for 2021 that banks should take heed of for this year.
The markets are at an all-time high, yet the level of anxiety is climbing to match that of the broader indexes. As uncertainty surrounds the current economic conditions with unemployment and social benefits, banks continue to look for ways to meet the credit needs of their customers, and the markets are reacting accordingly. According to David Kelly, Chief Credit Risk at FirstBank Holding Company in Lakewood, Colorado, the biggest emerging credit risk is not just from a deterioration of the economy but how will we handle when deferrals that have been granted expire. 
Online and mobile banking has become a new normal in many ways. The digital transformation is taken shape in front of our very own eyes and along the way, it is not one without risk. What underpins it all is the complex operation of banks. From managing frauds to information technology, all have to be in line with what banks are expecting to be successful. Not only there is a transformation in the front line, but the back and middle offices are taking shape as well. Banks must be cognizant of emerging risks that can loom beneath the surface in their operational function.
With new rules and regulations, banks have turned to compliance as the focal point. Compliance is and has always been the risk backbone of the banking world but now it is ever more involved than before to ensure banks are operating within the confine of the playbook in a fiercely competitive playing field. With more personnel and FTE dedicated to compliance, the calls have been to focus on how to keep banks in compliance. Within the bank’s operations, there must be compliance top-of-mind to ensure a critical understanding of how risks lurk upstream to downstream. With the new administration in place, there will be changes and changes that banks will have to pivot and adapt quickly.
Ultimately, these are some but not all of the risks banks are facing. Banks must practice safe and sound enterprise risk management to mitigate risks and potential hazards they encounter. Risks emerge from every corner of the banking world, and banks must be diligent in exercising the steps necessary to reduce risk exposure. Build out your risk management practices to ensure a system that will satisfy regulatory expectations. A strong risk culture should be first and foremost. Banking has gone virtually digital in a short time. What was once thought by many was impossible is possible to transform the current state of banking. Deloitte, Shilling, Celner, 2020, “2021 Banking and Capital Markets Outlook”
 ABA, Knudson, 2021, “Top Bank Risks for 2021”
A New Administration Means A New Focus on Fair Lending
Fair Lending is expected to make its way back to the forefront with regulators, as the new administration gets underway. Fair Lending has long been a “hot topic” among regulators, but there tends to be some back and forth on priority depending on the party affiliation of the administration. With the recent changes in the administration, it is once again expected to be a priority. The Trump administration was not as actively focused on anti-discrimination laws such as the Equal Credit Opportunity Act and the Fair Housing Act as was the Obama administration and what is expected from the Biden Administration. President Biden’s goals were stated in his “Plan to Build Back Better” which focused on an increase in economic inclusion as well as the combating of systemic racism. This goal is expected to be accomplished by federal regulators and agencies acting in unison with the Department of Justice to increase enforcement actions and to place a greater focus on areas of Fair Lending.
While no new significant bills impacting banking have yet passed, we are sure to see significant impact based on the changes in leadership among regulatory agencies. For example, Biden recently appointed Dave Uejio as the Acting Director of the Consumer Financial Protection Bureau (CFPB) and nominated Rohit Chopra to fill the permanent position as director for a period of five years. Rohit has served previously as a CFPB assistant director, a Federal Trade Commissioner, and a Special Advisor at the U.S. Department of Education. Chopra has been an advocate for the use of disparate impact analysis which is an assessment that detects discriminatory lending practices. He has also suggested an increase in data collection efforts and agency focus on mass data surveillance which can be discriminatory and harmful to consumers. Other key agencies which likely to replace leadership and senior officials, indicating administrative enforcement and litigation toward the consumer financial services industry, include Department of Housing and Urban Development (HUD) and the Department of Justice (DOJ).
In the months and years to come, Fair Lending is likely to bolster more regulation and enforcement which will prioritize fair and equal lending issues. Other areas of Fair Lending which we are likely see an increase focus and a possibility of increased restrictions are debt collection and loan servicing as this was an area which was greatly impacted by the COVID-19 pandemic. We should also expect to see an increase in focus and enhanced guidance for Limited English Proficiency (LEP). Until this point, we have seen limited enforcement action declaring LEP fair lending violations or Unfair Deceptive, and Abusive Acts and Practices (UDAAP) as this can be the effect of the limited guidance which currently exists. The CFPB is also likely to revisit regulations under the statues for which it has rulemaking authority such as the 2020 Final Rule for HUD Disparate Impact or the reversal of changes which were made to the CFPB enforcement structure.
To prepare for these changes which are likely in progress, financial institutions should conduct a thorough review of their fair lending policies and procedures to ensure they compliance with federal regulatory expectations and requirements. Financial institutions should stay abreast of regulatory changes and monitor the areas of focus as outlined by regulators and enforcement agencies. And finally, they should consider conducting a review of their loan programs to determine any gaps or disparities in their fair lending process. These changes are coming, so stay proactive and informed.