If you define “privacy” as “the state of being free from public attention,” then the title of the Right to Financial Privacy Act (RFPA) sounds like a customer’s financial records are absolutely protected from disclosure. While there are privacy and confidentiality rules community banks must observe, the RFPA limits the audience and process for financial records’ disclosure but does not offer carte blanche coverage. What are the rules, and how are they different?

The RFPA was enacted in 1978 and covers requests for financial records that financial institutions receive from a federal government authority. It defines “government authority” as any agency or department of the United States, or any officer, employee or agent thereof. It defines “financial record” as an original of, a copy of, or information known to have been derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution. 

The RFPA requires that:

  • a customer receives notice before financial institutions disclose the customer’s financial records to the government

  • a customer has a right to challenge the release of his or her financial records to the government

  • government agencies show records of compliance with the RFPA.

The RFPA applies to subpoenas from “any agency or department of the United States, or any officer, employee or agent thereof,” otherwise known as governmental authority (12 U.S.C. § 3401). Governmental authority under the RFPA is limited to the federal government. Private parties or state and local government are not regulated under the RFPA but could be under state law.

RFPA includes rules about the process federal government authorities must follow, and compliance requirements for banks responding to and keeping records of the requests. Section 1103(b) prohibits a financial institution from releasing the financial records of a customer until the government authority seeking the records certifies in writing to the financial institution that it has complied with the applicable provisions of the RFPA.

Federal government authorities will generally present the bank with one of the forms of Certificates of Compliance:

  • 12 U.S.C. 3404 (Customer Authorization)

  • 3405, 3407, 3408 (Administrative Subpoena, Judicial Subpoena and Formal Written Request)

  • 3406 (Search Warrant)

  • 3413 (Basic Identifying Account Information Exception)

  • 3414 (Emergency Access)

A Certificate of Compliance with the Right to Financial Privacy Act of 1978–(Form DOJ-461) may also be presented. The RFPA permits banks to rely on the certificates in good faith and generally relieves the bank, its employees and agents of any liability to the customer regarding the disclosure of the financial records.

Community banks should establish a procedure for addressing all requests for customer information, whether they are covered by the RFPA or not. In compliance with Section 3411 of RFPA and upon receipt of the required certificate, a financial institution should assemble the records requested, create a file record of the request and supporting documentation, and prepare to deliver the records to the government authority. Unless the request includes a gag order or similar notice prohibition, the bank should give proper notice of the request to the affected customers.

Banks are entrusted with customers’ personal data and must safeguard this data from being released in error or without authority. Privacy and confidentiality are critical responsibilities of financial institutions. The RFPA is not the same as privacy of consumer financial information under the Gramm-Leach-Bliley Act (GLBA) and Regulation P–Privacy of Consumer Financial Information, or the general responsibility of a financial institution to hold customer information in confidentiality.

Confidentiality of customer information

Confidentiality is the foundation of the financial institution–customer relationship, and banks have a duty to protect the confidentiality of existing and former customers. Confidentiality requires judicious oversight and compares to holding customer information, using it or sharing it on a “need to know” basis only. While there are no specific “confidentiality regulations,” a bank’s internal controls should be reviewed periodically to ensure the appropriate use, disclosure and maintenance of customer information. Generally, confidentiality of customer information must be strictly adhered to, unless the bank is permitted to disclose the information by an RFPA-compliant request or a customer authorization, or is compelled by law or similar obligation to disclose the information.

Privacy of consumer financial information
Banks have privacy responsibilities, and they include principles for:

  • banks’ collection and storage of customer information, including nonpublic, personal information

  • customers’ rights to access and correct information about themselves

  • the disclosure of personal information, including nonpublic, personal information.

The Privacy Act of 1974 established a Code of Fair Information Practice that governs the collection, maintenance, use and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. The GLBA, or Financial Services Modernization Act of 1999, enhanced requirements for privacy of consumer financial information, including disclosures about collecting, maintaining, sharing and using the information, and the security of the information. The Privacy Act and GLBA are codified in Regulation P.

Regulation P
Regulation P requires a financial institution to provide notice to customers about its privacy policies and practices; describe the conditions under which a financial institution may disclose nonpublic, personal information about consumers to nonaffiliated third parties; and provide a method for consumers to prevent a financial institution from disclosing the information to most non-affiliated third parties by exercising the right to opt out of the disclosure.

While the technicalities of RFPA, privacy laws and confidentiality standards are not identical, they work together to provide protection to customers’ personal and financial information. Community banks should ensure there are no gaps among the policies and procedures for collection, use, maintenance and disclosure of customer information to comply with all three.

Compliance calendar

A look at upcoming regulatory changes

April 1, 2018

Effective date for Mortgage Servicing Amendment (Regulations X and Z, and FDCPA).

May 11, 2018

Effective date for BSA customer due-diligence rules (beneficial ownership).

April 1, 2019

Prepaid Account Rule provisions finalized and delayed from April 1, 2018 to 2019.

July 1, 2019

Effective date for Regulation CC: Expedited Funds Availability Act in regard to check collection and return provisions.

Aug. 19, 2019

Majority of payday lending rules go into effect. Some were effective Jan. 16, 2018. The CFPB is looking into whether or not this entire rule should be reconsidered.

Visit ICBA's regulatory calendar »