AGENCY:

Department of Defense.

ACTION:

Proposed rule.

SUMMARY:

This proposed rule describes the procedures that the Department of Defense (DoD) is proposing to follow when seeking access to customer records maintained by financial institutions. These updates are required to fulfill DoD's responsibilities under the Right to Financial Privacy Act.

DATES:

Comments must be received by December 28, 2018.

ADDRESSES:

You may submit comments, identified by docket number and/or RIN number and title, by any of the following methods:

• Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
• Mail: Department of Defense, Office of the Chief Management Officer, Directorate of Oversight and Compliance, 4800 Mark Center Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-1700.

Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this document. The general policy is for submissions to be made available for public viewing at http://www.regulations.gov without change, including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT:

Cindy Allard, (703) 571-0086.

SUPPLEMENTARY INFORMATION:

Authority and Background

The Right to Financial Privacy Act of 1978, Public Law. No. 95-630, was enacted to provide the financial records of financial institution customers a reasonable amount of privacy from federal government scrutiny. The Act, which became effective in March 1979, establishes specific procedures that government authorities must follow when requesting a customer's financial records from a bank or other financial institution. It also imposes duties and limitations on financial institutions prior to the release of information sought by government agencies. In addition, the act generally requires that customers receive:

—A written notice of the federal authority's intent to obtain financial records

—An explanation of the purpose for which the records are sought

—A statement describing procedures to follow if the customer does not wish such records or information to be made available

Certain exceptions allow for delayed notice or no customer notice at all. Prior to passage of the Act, bank customers were not informed that their personal financial records were being turned over to a government authority and could not challenge government access to the records. In United States v. Miller (425 U.S. 435 (1976)), the Supreme Court held that because financial records are maintained by a financial institution, the records belong to the institution rather than the customer; therefore, the customer has no protectable legal interest in the bank's records and cannot limit government access to those records. It was principally in response to this decision that the Right to Financial Privacy Act was enacted.

Coverage

Coverage under the Act specifically extends to customers of financial institutions. A customer is defined as any person or authorized representative of that person who uses or has used any service of a financial institution. The definition also includes any person for whom the financial institution acts as a fiduciary. Corporations and partnerships of six or more individuals are not considered customers for purposes of the Act.

Requirements

To obtain access to, copies of, or information contained in a customer's financial records, a government authority, generally, must first obtain one of the following:

—An authorization, signed and dated by the customer, that identifies the records, the reasons the records are being requested, and the customer's rights under the Act

—An administrative subpoena or summons

—A search warrant

—A judicial subpoena

—A formal written request by a government agency (to be used only if no administrative summons or subpoena authority is available)

A financial institution may not release a customer's financial records until the government authority seeking the records certifies in writing that it has complied with the applicable provision of the Act. In addition, the institution must maintain a record of all instances in which a customer's records are disclosed to a government authority pursuant to customer authorization. The records should include the date, the name of the government authority, and an identification of the records disclosed. Generally, the customer has a right to inspect the records. Although there are no specific record-retention requirements in the act, financial institutions should retain copies of all administrative and judicial subpoenas, search warrants, and formal written requests given to them by federal government agencies or departments along with the written certification required. A financial institution must begin assembling the required information upon receipt of the agency's summons or subpoena or a judicial subpoena and must be prepared to deliver the records upon receipt of the written certificate of compliance.

Cost Reimbursement

With certain exceptions, government entities must reimburse financial institutions for the cost of providing the information. This reimbursement may include costs for assembling or providing records, reproduction and transportation costs, or any other costs reasonably necessary or incurred in gathering and delivering the requested information. The Federal Reserve Board's Regulation S establishes rates and the conditions under which these payments may be made https://www.gpo.gov/​fdsys/​pkg/​FR-2009-09-30/​pdf/​E9-23407.pdf.

Exceptions to Notice and Certification Requirements

In general, exceptions to the notice and certification requirements cover situations pertinent to routine banking business, information requested by supervisory agencies, and requests subject to other statutory requirements. Specific exceptions include records:

—Submitted by financial institutions to any court or agency when perfecting a security interest, proving a claim in bankruptcy, or collecting a debt for itself or a fiduciary

—Requested by a supervisory agency in connection with its supervisory, regulatory, or monetary functions.

—Sought in accordance with procedures authorized by the Internal Revenue Code (records that are intended to be accessed by procedures authorized by the Tax Reform Act of 1976)

—Required to be reported in accordance with any federal statute (or rule promulgated thereunder, such as the Bank Secrecy Act)Start Printed Page 54298

—Requested by the Government Accountability Office for an authorized proceeding, investigation, examination, or audit directed at a federal agency

—Subject to a subpoena issued in conjunction with proceedings before a grand jury (with the exception of cost reimbursement and the restricted use of grand jury information)

—Requested by a government authority subject to a lawsuit involving the bank customer (the records may be obtained under the Federal Rules of Civil and Criminal Procedure)

The Act also allows financial institutions to:

—Release records that are not individually identifiable with a particular customer

—Notify law enforcement officials if it has information relevant to a violation of the law

Exceptions to Notice Requirements but Not to Certification Requirements

In certain cases, the Act does not require the customer to be notified of the request but still requires the federal agency requesting the information to certify in writing that it has complied with all applicable provisions of the act. Exceptions to the notice provisions include:

—Instances in which a financial institution, rather than a customer, is being investigated

—Requests for records incidental to the processing of a government loan, loan guaranty, loan insurance agreement, or default on a government guaranteed or government-insured loan (in this case, the federal agency must give the loan applicant a notice of the government's rights to access financial records when the customer initially applies for the loan. The financial institution is then required to keep a record of all disclosures made to government authorities, and the customer is entitled to inspect this record).

—Instances in which the government is engaging in authorized foreign intelligence activities or the Secret Service is carrying out its protective functions

Although the Securities and Exchange Commission is covered by the Act, it can obtain customer records from an institution without prior notice to the customer by obtaining an order from a U.S. district court. The agency must, however, provide the certificate of compliance to the institution along with the court order prohibiting disclosure of the fact that the documents have been obtained. The court order will set a delay-of-notification date, after which the customer will be notified by the institution that the SEC has obtained his or her records.

Delayed-Notice Requirements

Under certain circumstances, a government entity may request a court order delaying the customer notice for up to ninety days. This delay may be granted if the court finds that earlier notice would result in endangering the life or physical safety of any person, flight from prosecution, destruction of or tampering with evidence, or intimidation of potential witnesses or would otherwise seriously jeopardize or unduly delay an investigation, trial, or official proceeding. Delayed notice of up to ninety days is also allowed for search warrants.

Civil Liability

A customer may collect civil penalties from any government agency or department that obtains, or any financial institution or employee of the institution who discloses, information in violation of the act. These penalties include:

—Actual damages,

—$100, regardless of the volume of records involved,

—Court costs and reasonable attorney's fees, and

—Such punitive damages as the court may allow for willful or intentional violations. An action may be brought up to three years after the date of the violation or the date the violation was discovered. A financial institution that relies in good faith on a federal agency's certification may not be held liable to a customer for the disclosure of financial records.

Description of Proposed Changes

DoD's current rule was last updated on May 4, 2006 (71 FR 26221). DoD's proposed revisions seek to only include content relating to those instances when the Department submits “formal written requests” to financial institutions for customer records, as described by 12 U.S.C. 3408. The final rule will apply DoD-wide to provide consistent implementation across all components. When the final rule is published one component-level rule at 32 CFR part 504 will be rescinded.

Expected Costs and Benefits

The primary benefit to a DoD-wide rule is consistent implementation across the DoD's responsibilities under the Act. The Act requires DoD to reimburse a financial institution for such costs as are reasonably necessary and which have been directly incurred based on the rates of reimbursement established by the Federal Reserve Board in 12 CFR part 219.3. The average cost of reimbursement from DoD to financial institutions over the past five years is $4,328 and the Department does not anticipate an increase with the finalization of this rule. DoD has not paid any civil penalties associated with this rule as discussed in the Civil Liability section of the rule. DoD welcomes comments on the costs associated with implementation of the Act.

Regulatory Procedures

Executive Order 12866, “Regulatory Planning and Review” and Executive Order 13563, “Improving Regulation and Regulatory Review”

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distribute impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This rulemaking has been designated a “significant regulatory action,” although not economically significant, under section 3(f) of Executive Order 12866. Accordingly, the proposed rule has been reviewed by the Office of Management and Budget (OMB).

Executive Order 13771, “Reducing Regulation and Controlling Regulatory Costs”

This proposed rule is not expected to be subject to the requirements of E.O. 13771 (82 CFR 9339, February 3, 2017) because this proposed rule is expected to result in no more than de minimis costs.

Public Law 104-4, “Unfunded Mandates Reform Act” (2 U.S.C. Ch. 25)

This proposed rule is not subject to the Unfunded Mandates Reform Act because it does not contain a federal mandate that may result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100M or more in any one year.

Public Law 96-354, “Regulatory Flexibility Act” (5 U.S.C. Ch. 6)

It has been certified that 32 CFR part 275 is not subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it does not have a significant economic Start Printed Page 54299impact on a substantial number of small entities.

Public Law 96-511, “Paperwork Reduction Act” (44 U.S.C. Ch. 35)

It has been certified that 32 CFR part 275 does not impose reporting or recordkeeping requirements under the Paperwork Reduction Act of 1995.

Executive Order 13132, “Federalism”

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. This proposed rule will not have a substantial effect on state and local governments, or otherwise have federalism implications.

List of Subjects in 32 CFR Part 275

• Banks, banking; credit; Privacy

Accordingly, 32 CFR part 275 is proposed to be revised to read as follows:

PART 275—RIGHT TO FINANCIAL PRIVACY ACT

Authority: 12 U.S.C. 3401, et seq.