Jan. 6 subpoena highlights tension between data privacy and compliance

 

Rep. Jim Jordan, R-Ohio.
House Judiciary Committee Chair Jim Jordan, R-Ohio, said in a cover letter for a subpoena to Citigroup last week that law enforcement's use of "back-channel discussions with financial institutions" to collect data on suspects related to the Jan. 6, 2021, attack on the Capitol was "alarming."
Bloomberg News

WASHINGTON — House Republicans' subpoena of Citibank over concerns about how some large banks allegedly shared data with law enforcement may be the latest example of politics leaking into the banking sector, but banks shouldn't easily dismiss the incident as partisan bickering. 

Underlying the conflict is a longstanding tension between data privacy and banks' obligations to cooperate with law enforcement, especially when it comes to anti-money-laundering and counterterrorism financing laws, experts say. It's a growing concern for banks, as they grapple with how to walk the tightrope between cooperating with government agencies and protecting consumers' privacy — and how to do that in an increasingly politicized country. 

"Data is the lifeblood of the system, and it's where you're going to get the most details about someone," said Brian Knight, senior research fellow at the Mercatus Center at George Mason University. "So if I wanted to paint a picture about somebody, I would go for the financial data because that's going to tell you so much about a person and their views and their habits. Part of this is two sides yelling at each other, but underlying that is how that information is treated so it's not abused by whichever side happens to have access to it." 

Last week, the House Judiciary Committee subpoenaed Citibank for documents related to House Republicans' belief that major banks illegally shared private financial data with the Federal Bureau of Investigation related to the Jan. 6 insurrection at the U.S. Capitol.

House Republicans said they are concerned that at least one institution — Bank of America — appears to have shared some data about individuals who made certain purchases and transactions. The transactions in question include  Airbnb, hotel or airline travel reservations in the Washington, D.C., area in the days leading up to Jan. 6. 

Of particular concern to Rep. Jim Jordan, R-Ohio, chairman of the Judiciary Committee and the Select Subcommittee on the Weaponization of the Federal Government, is the release of data on individuals who purchased a firearm with a Bank of America credit card that supposedly went to the top of the list provided to the FBI, according to a cover letter attached to the subpoena. 

The GOP lawmakers say this sharing was done without the proper process, although they don't specify what that process would have been. 

"Federal law enforcement's use of back-channel discussions with financial institutions as a method to investigate and obtain private financial data of Americans is alarming," Jordan said. "The documents received to date only bolsters our need for all materials responsive to our request." 

The letter to Citibank also included a screenshot of an email sent to Citibank and other banks from the FBI, inviting them to participate in a meeting on "identifying the best approach to information sharing."

citibank branch
AB - Policy & Regulation
August 18, 2023 3:16 PM

American Banker was unable to independently verify the accuracy of the letter's accusations. Citi and Bank of America did not respond to requests for comment when the subpoena was issued.

"While we have no comment on specific matters, the FBI cannot open an investigation without evidence of a federal criminal violation or a threat to national security," the FBI said in a statement. "We follow the law and the facts."

Experts say that the issue will come down to the details of how this information was allegedly provided, and an interpretation of the Right to Financial Privacy Act of 1978, which generally requires that individuals receive notice and an opportunity to object before a bank can disclose personal financial information to a federal government agency, often in the context of law enforcement. Typically — although with significant exceptions — law enforcement agencies need to file a subpoena to receive that information. 

There's an exemption to the law when terrorism is involved, or if a financial institution has filed a Suspicious Activity Report. Based on the public documents, it's not possible to know if the FBI or the Financial Crimes Enforcement Network presented this as a domestic terrorism investigation to the banks. 

Without knowing the precise nature of the request banks received from law enforcement, experts said it can be tricky for banks to know what to do when law enforcement agencies request information and where to draw the line between complying and protecting their consumers' data.

"There is a perceived tension between complying with AML regulations and financial privacy laws," said Alison Jimenez, president and founder of Dynamic Securities Analytics, Inc. "Banks need to provide nuanced training to staff on how to comply with financial privacy requirements, but without chilling compliance with SAR filings."

Knight said it's difficult to know what's normal in these kinds of situations, because the public doesn't usually have a window into this process. The incentives, however, favor banks erring on the side of providing information to law enforcement in the form of Suspicious Activity Reports. 

"Banks are constantly complaining that the burden of complying with the suspicious activity reporting system is very high," Knight said. "Because they have to file a lot of reports, and if they file a lot of reports and it turns out it was unnecessary, nothing happens to them. If they fail to file a report and it turns out that it was relevant, they get in trouble." 

Bankers generally lean toward complying with law enforcement requests, said Dina Ellis Rochkind, a lawyer at Paul Hastings. Since the 9/11 terrorism attacks, AML and anti-terrorism funding has tended to be one of the few bipartisan and industry-supported regulations in Washington. 

"The banks, especially after 9/11, recognized that they needed to do more on national security," she said. "Keep in mind that Wall Street is in New York, so AML rules are one of those things where banks work with the regulators to come up with workable solutions. The banks had a personal connection to the aftermath of 9/11 and willingly stepped up to safeguard the U.S."

Knight said that, while he is unsure how this dynamic will play out, the ideal resolution would be for regulators and lawmakers to have a productive conversation about making SAR filings and other bank information available to law enforcement helpful in prosecuting crimes. 

"My somewhat optimal scenario would be we'd have an intelligent conversation about the tradeoffs — about how useful this type of data is with suspicious activity reports," Knight said. "Those things actually are for law enforcement, [but] are they actually useful for preventing terrorist attacks?"

For reprint and licensing requests for this article, click here.
Politics and policy Regulation and compliance AML
MORE FROM AMERICAN BANKER