[Federal Register Volume 83, Number 209 (Monday, October 29, 2018)]
[Proposed Rules]
[Pages 54297-54300]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-23396]



[[Page 54297]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 275

[Docket ID: DOD-2018-OS-0026]
RIN 0790-AK01


Right to Financial Privacy Act

AGENCY: Department of Defense.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule describes the procedures that the 
Department of Defense (DoD) is proposing to follow when seeking access 
to customer records maintained by financial institutions. These updates 
are required to fulfill DoD's responsibilities under the Right to 
Financial Privacy Act.

DATES: Comments must be received by December 28, 2018.

ADDRESSES: You may submit comments, identified by docket number and/or 
RIN number and title, by any of the following methods:
     Federal Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Department of Defense, Office of the Chief 
Management Officer, Directorate of Oversight and Compliance, 4800 Mark 
Center Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-1700.
    Instructions: All submissions received must include the agency name 
and docket number or Regulatory Information Number (RIN) for this 
document. The general policy is for submissions to be made available 
for public viewing at http://www.regulations.gov without change, 
including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Cindy Allard, (703) 571-0086.

SUPPLEMENTARY INFORMATION: 

Authority and Background

    The Right to Financial Privacy Act of 1978, Public Law. No. 95-630, 
was enacted to provide the financial records of financial institution 
customers a reasonable amount of privacy from federal government 
scrutiny. The Act, which became effective in March 1979, establishes 
specific procedures that government authorities must follow when 
requesting a customer's financial records from a bank or other 
financial institution. It also imposes duties and limitations on 
financial institutions prior to the release of information sought by 
government agencies. In addition, the act generally requires that 
customers receive:
--A written notice of the federal authority's intent to obtain 
financial records
--An explanation of the purpose for which the records are sought
--A statement describing procedures to follow if the customer does not 
wish such records or information to be made available
    Certain exceptions allow for delayed notice or no customer notice 
at all. Prior to passage of the Act, bank customers were not informed 
that their personal financial records were being turned over to a 
government authority and could not challenge government access to the 
records. In United States v. Miller (425 U.S. 435 (1976)), the Supreme 
Court held that because financial records are maintained by a financial 
institution, the records belong to the institution rather than the 
customer; therefore, the customer has no protectable legal interest in 
the bank's records and cannot limit government access to those records. 
It was principally in response to this decision that the Right to 
Financial Privacy Act was enacted.

Coverage

    Coverage under the Act specifically extends to customers of 
financial institutions. A customer is defined as any person or 
authorized representative of that person who uses or has used any 
service of a financial institution. The definition also includes any 
person for whom the financial institution acts as a fiduciary. 
Corporations and partnerships of six or more individuals are not 
considered customers for purposes of the Act.

Requirements

    To obtain access to, copies of, or information contained in a 
customer's financial records, a government authority, generally, must 
first obtain one of the following:

--An authorization, signed and dated by the customer, that identifies 
the records, the reasons the records are being requested, and the 
customer's rights under the Act
--An administrative subpoena or summons
--A search warrant
--A judicial subpoena
--A formal written request by a government agency (to be used only if 
no administrative summons or subpoena authority is available)

    A financial institution may not release a customer's financial 
records until the government authority seeking the records certifies in 
writing that it has complied with the applicable provision of the Act. 
In addition, the institution must maintain a record of all instances in 
which a customer's records are disclosed to a government authority 
pursuant to customer authorization. The records should include the 
date, the name of the government authority, and an identification of 
the records disclosed. Generally, the customer has a right to inspect 
the records. Although there are no specific record-retention 
requirements in the act, financial institutions should retain copies of 
all administrative and judicial subpoenas, search warrants, and formal 
written requests given to them by federal government agencies or 
departments along with the written certification required. A financial 
institution must begin assembling the required information upon receipt 
of the agency's summons or subpoena or a judicial subpoena and must be 
prepared to deliver the records upon receipt of the written certificate 
of compliance.

Cost Reimbursement

    With certain exceptions, government entities must reimburse 
financial institutions for the cost of providing the information. This 
reimbursement may include costs for assembling or providing records, 
reproduction and transportation costs, or any other costs reasonably 
necessary or incurred in gathering and delivering the requested 
information. The Federal Reserve Board's Regulation S establishes rates 
and the conditions under which these payments may be made https://www.gpo.gov/fdsys/pkg/FR-2009-09-30/pdf/E9-23407.pdf.

Exceptions to Notice and Certification Requirements

    In general, exceptions to the notice and certification requirements 
cover situations pertinent to routine banking business, information 
requested by supervisory agencies, and requests subject to other 
statutory requirements. Specific exceptions include records:

--Submitted by financial institutions to any court or agency when 
perfecting a security interest, proving a claim in bankruptcy, or 
collecting a debt for itself or a fiduciary
--Requested by a supervisory agency in connection with its supervisory, 
regulatory, or monetary functions.
--Sought in accordance with procedures authorized by the Internal 
Revenue Code (records that are intended to be accessed by procedures 
authorized by the Tax Reform Act of 1976)
--Required to be reported in accordance with any federal statute (or 
rule promulgated thereunder, such as the Bank Secrecy Act)

[[Page 54298]]

--Requested by the Government Accountability Office for an authorized 
proceeding, investigation, examination, or audit directed at a federal 
agency
--Subject to a subpoena issued in conjunction with proceedings before a 
grand jury (with the exception of cost reimbursement and the restricted 
use of grand jury information)
--Requested by a government authority subject to a lawsuit involving 
the bank customer (the records may be obtained under the Federal Rules 
of Civil and Criminal Procedure)

The Act also allows financial institutions to:

--Release records that are not individually identifiable with a 
particular customer
--Notify law enforcement officials if it has information relevant to a 
violation of the law

Exceptions to Notice Requirements but Not to Certification Requirements

    In certain cases, the Act does not require the customer to be 
notified of the request but still requires the federal agency 
requesting the information to certify in writing that it has complied 
with all applicable provisions of the act. Exceptions to the notice 
provisions include:

--Instances in which a financial institution, rather than a customer, 
is being investigated
--Requests for records incidental to the processing of a government 
loan, loan guaranty, loan insurance agreement, or default on a 
government guaranteed or government-insured loan (in this case, the 
federal agency must give the loan applicant a notice of the 
government's rights to access financial records when the customer 
initially applies for the loan. The financial institution is then 
required to keep a record of all disclosures made to government 
authorities, and the customer is entitled to inspect this record).
--Instances in which the government is engaging in authorized foreign 
intelligence activities or the Secret Service is carrying out its 
protective functions

    Although the Securities and Exchange Commission is covered by the 
Act, it can obtain customer records from an institution without prior 
notice to the customer by obtaining an order from a U.S. district 
court. The agency must, however, provide the certificate of compliance 
to the institution along with the court order prohibiting disclosure of 
the fact that the documents have been obtained. The court order will 
set a delay-of-notification date, after which the customer will be 
notified by the institution that the SEC has obtained his or her 
records.

Delayed-Notice Requirements

    Under certain circumstances, a government entity may request a 
court order delaying the customer notice for up to ninety days. This 
delay may be granted if the court finds that earlier notice would 
result in endangering the life or physical safety of any person, flight 
from prosecution, destruction of or tampering with evidence, or 
intimidation of potential witnesses or would otherwise seriously 
jeopardize or unduly delay an investigation, trial, or official 
proceeding. Delayed notice of up to ninety days is also allowed for 
search warrants.

Civil Liability

    A customer may collect civil penalties from any government agency 
or department that obtains, or any financial institution or employee of 
the institution who discloses, information in violation of the act. 
These penalties include:

--Actual damages,
--$100, regardless of the volume of records involved,
--Court costs and reasonable attorney's fees, and
--Such punitive damages as the court may allow for willful or 
intentional violations. An action may be brought up to three years 
after the date of the violation or the date the violation was 
discovered. A financial institution that relies in good faith on a 
federal agency's certification may not be held liable to a customer for 
the disclosure of financial records.

Description of Proposed Changes

    DoD's current rule was last updated on May 4, 2006 (71 FR 26221). 
DoD's proposed revisions seek to only include content relating to those 
instances when the Department submits ``formal written requests'' to 
financial institutions for customer records, as described by 12 U.S.C. 
3408. The final rule will apply DoD-wide to provide consistent 
implementation across all components. When the final rule is published 
one component-level rule at 32 CFR part 504 will be rescinded.

Expected Costs and Benefits

    The primary benefit to a DoD-wide rule is consistent implementation 
across the DoD's responsibilities under the Act. The Act requires DoD 
to reimburse a financial institution for such costs as are reasonably 
necessary and which have been directly incurred based on the rates of 
reimbursement established by the Federal Reserve Board in 12 CFR part 
219.3. The average cost of reimbursement from DoD to financial 
institutions over the past five years is $4,328 and the Department does 
not anticipate an increase with the finalization of this rule. DoD has 
not paid any civil penalties associated with this rule as discussed in 
the Civil Liability section of the rule. DoD welcomes comments on the 
costs associated with implementation of the Act.

Regulatory Procedures

Executive Order 12866, ``Regulatory Planning and Review'' and Executive 
Order 13563, ``Improving Regulation and Regulatory Review''

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distribute impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This rulemaking has been designated a ``significant 
regulatory action,'' although not economically significant, under 
section 3(f) of Executive Order 12866. Accordingly, the proposed rule 
has been reviewed by the Office of Management and Budget (OMB).

Executive Order 13771, ``Reducing Regulation and Controlling Regulatory 
Costs''

    This proposed rule is not expected to be subject to the 
requirements of E.O. 13771 (82 CFR 9339, February 3, 2017) because this 
proposed rule is expected to result in no more than de minimis costs.

Public Law 104-4, ``Unfunded Mandates Reform Act'' (2 U.S.C. Ch. 25)

    This proposed rule is not subject to the Unfunded Mandates Reform 
Act because it does not contain a federal mandate that may result in 
the expenditure by state, local, and tribal governments, in the 
aggregate, or by the private sector, of $100M or more in any one year.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Ch. 6)

    It has been certified that 32 CFR part 275 is not subject to the 
Regulatory Flexibility Act (5 U.S.C. 601) because it does not have a 
significant economic

[[Page 54299]]

impact on a substantial number of small entities.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Ch. 35)

    It has been certified that 32 CFR part 275 does not impose 
reporting or recordkeeping requirements under the Paperwork Reduction 
Act of 1995.

Executive Order 13132, ``Federalism''

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts state law, or otherwise has federalism 
implications. This proposed rule will not have a substantial effect on 
state and local governments, or otherwise have federalism implications.

List of Subjects in 32 CFR Part 275

    Banks, banking; credit; Privacy.

    Accordingly, 32 CFR part 275 is proposed to be revised to read as 
follows:

PART 275--RIGHT TO FINANCIAL PRIVACY ACT

Sec.
275.1 Purpose.
275.2 Definitions.
275.3 Authorization.
275.4 Formal written request.
275.5 Certification.
275.6 Cost reimbursement.


    Authority:  12 U.S.C. 3401, et seq.


Sec.  275.2   Purpose.

    The purpose of this regulation is to authorize DoD Components to 
request financial records from a financial institution pursuant to the 
formal written request procedure authorized by section 1108 of the Act 
and to set forth the conditions under which such requests may be made.


Sec.  275.2   Definitions.

    The terms used in this part have the same meaning as similar terms 
used in the Right to Financial Privacy Act of 1978, Title XI of Public 
Law 95-630.
    Act means the Right to Financial Privacy Act of 1978.
    DoD Components means the law enforcement activities of the Office 
of the Secretary of Defense, the Military Departments, the Office of 
the Chairman of the Joint Chiefs of Staff, the Joint Staff, the 
Combatant Commands, the Office of the Inspector General of the 
Department of Defense, the Defense Agencies, the DoD Field Activities, 
and all other organizational entities in the Department of Defense 
(hereafter referred to as the ``DoD Components'').


Sec.  275.3   Authorization.

    The DoD Components are authorized to request financial records of 
any customer from a financial institution pursuant to a formal written 
request under the Act only if:
    (a) No administrative summons or subpoena authority reasonably 
appears to be available to the DoD Component to obtain financial 
records for the purpose for which the records are sought;
    (b) There is reason to believe that the records sought are relevant 
to a legitimate law enforcement inquiry and will further that inquiry;
    (c) The request is issued by a supervisory official of a grade 
designated by the head of the DoD Component. Officials so designated 
shall not delegate this authority to others;
    (d) The request adheres to the requirements set forth in Sec.  
275.4 of this part; and
    (e) The notice requirements required by section 1108(4) of the Act, 
or the requirements pertaining to the delay of notice in section 1109 
of the Act, and described in 275.3(e) (1) through (e)(5) are satisfied, 
except in situations (e.g., section 1113(g)) where no notice is 
required.
    (1) The notice requirements are satisfied when a copy of the 
request has been served on the customer or mailed to the customer's 
last known address on or before the date on which the request was made 
to the financial institution together with the following notice which 
shall state with reasonable specificity the nature of the law 
enforcement inquiry: ``Records or information concerning your 
transactions held by the financial institution named in the attached 
request are being sought by the Department of Defense [or the specific 
DoD Component] in accordance with the Right to Financial Privacy Act of 
1978 for the following purpose:''
    (2) Within ten days of service or within fourteen days of mailing 
of a subpoena, summons, or formal written request, a customer may file 
a motion to quash an administrative summons or judicial subpoena, or an 
application to enjoin a Government authority from obtaining financial 
records pursuant to a formal written request, with copies served upon 
the Government authority. A motion to quash a judicial subpoena shall 
be filed in the court that issued the subpoena. A motion to quash an 
administrative summons or an application to enjoin a Government 
authority from obtaining records pursuant to a formal written request 
shall be filed in the appropriate United States District Court. Such 
motion or application shall contain an affidavit or sworn statement 
stating:
    (i) That the applicant is a customer of the financial institution 
from which financial records pertaining to said customer have been 
sought; and
    (ii) the applicant's reasons for believing that the financial 
records sought are not relevant to the legitimate law enforcement 
inquiry stated by the Government authority in its notice, or that there 
has not been substantial compliance within the provisions of Public Law 
95-630.
    Service shall be made upon a Government authority by delivering or 
mailing by registered or certified mail a copy of the papers to the 
person, office, or department specified in the notice which the 
customer has received a request.
    (3) If you desire that such records or information not be made 
available you must:
    (i) Fill out the accompanying motion paper and sworn statement or 
write one of your own, stating that you are the customer whose records 
are being requested by the Government and either giving the reasons you 
believe that the records are not relevant to the legitimate law 
enforcement inquiry stated in this notice or any other legal basis for 
objecting to the release of the records.
    (ii) File the motion and statement by mailing or delivering them to 
the clerk at an appropriate United States District Court.
    (iii) Serve the Government authority requesting the records by 
mailing or delivering a copy of your motion and statement to the 
Government authority.
    (iv) Be prepared to go to court and present your position in 
further detail.
    (v) You do not need to have a lawyer, although you may wish to 
employ one to represent you and protect your rights.
    (4) If you do not follow the above procedures, upon the expiration 
of ten days from the date of service or fourteen days from the date of 
mailing of the notice, the records or information requested therein may 
be made available. The records may be transferred to other Government 
authorities for legitimate law enforcement inquiries, in which event 
you will be notified after the transfer.
    (5) Also, the records or information requested therein may be made 
available if ten days have expired from the date of service or fourteen 
days from the date of mailing of the notice and within such time period 
you have not filed a sworn statement and an

[[Page 54300]]

application to enjoin the Government authority in an appropriate court, 
or the customer challenge provisions.


Sec.  275.4   Formal written request.

    (a) The formal written request must be in the form of a letter or 
memorandum to an appropriate official of the financial institution from 
which financial records are requested. The request shall be signed by 
the issuing official, and shall set forth that official's name, title, 
business address, and business phone number. The request shall also 
contain the following:
    (1) The identity of the customer or customers to whom the records 
pertain;
    (2) A reasonable description of the records sought; and
    (3) Such additional information which may be appropriate--e.g., the 
date when the opportunity for the customer to challenge the formal 
written request expires, the date on which the DoD Component expects to 
present a certificate of compliance with the applicable provisions of 
the Act, the name and title of the individual (if known) to whom 
disclosure is to be made.
    (b) In cases where customer notice is delayed by court order, a 
copy of the court order must be attached to the formal written request.


Sec.  275.5   Certification.

    Before obtaining the requested records pursuant to a formal written 
request described in Sec.  275.4 of this part, an official of a rank 
designated by the head of the requesting DoD Component shall certify in 
writing to the financial institution that the DoD Component has 
complied with the applicable provisions of the Act.


Sec.  275.6   Cost reimbursement.

    Cost reimbursement to financial institutions for providing 
financial records will be made consistent with title 12, Code of 
Federal Regulations, part 219.3, subpart A.

    Dated: October 22, 2018.
Shelly E. Finke,
Alternate OSD Federal Register, Liaison Officer, Department of Defense.
[FR Doc. 2018-23396 Filed 10-26-18; 8:45 am]
 BILLING CODE 5001-06-P