Subject to Inquiry: White Collar, Congressional, SEC, Energy Enforcement & Other Government Inquiries

A recent case in Florida provides an excellent reminder of the confidentiality restrictions that govern the release of Suspicious Activity Reports (SARs) (pdf). By way of background, the Bank Secrecy Act (BSA) prohibits banks and other financial institutions from notifying any person involved in a suspicious transaction that the transaction has been reported. When a financial institution receives a subpoena or other request to disclose a SAR from any person (other than a law enforcement or bank supervisory agency), regulations implementing the BSA require the institution to decline to produce the SAR or any information that would disclose that a SAR has been prepared or filed.

FinCEN interprets the SAR confidentiality provisions of the BSA even more broadly than the confidentiality restrictions imposed by the regulations, and, last year, FinCEN issued a proposed rule (pdf) to codify its broad interpretation by requiring banks and other financial institutions to decline to produce to any person a SAR or any information that would reveal the existence of a SAR. The preamble to the proposed rule stated that this broader standard has been upheld by courts and that the BSA created an unqualified and non-waivable privilege in civil litigation. Several federal bank regulators, such as the OCC (pdf), proposed similar regulations contemporaneous with FinCEN’s proposed rule.

That brings us to Regions Bank, et al. v. Scott Allen, et al. (pdf), which was decided by the Fifth District Court of Appeal in Florida on March 12, 2010. Regions Bank sought review of a trial court’s order compelling the bank to produce documents in discovery despite the bank’s assertion of the SAR privilege. The plaintiffs sought “investigatory” material including the bank’s internal emails and communications regarding certain accounts. Following a hearing on the plaintiffs’ motion to compel, the trial court determined that any SAR, to the extent it existed, was privileged and could not be disclosed by the bank to the plaintiffs. However, the court ordered the bank to produce any other requested document. The bank could redact references to a SAR or any language disclosing whether a SAR existed or would be prepared, but the trial court held that the bank’s internal emails and communications could not be withheld in their entirety under the SAR privilege.

The court of appeal held that the trial court ruled properly with respect to the non-disclosure of the SARs, but that the trial court’s decision regarding the bank’s other internal documents was too broad. The appellate court found that “redaction will not be adequate to protect the confidentiality of a SAR investigation or the fact of a SAR’s preparation” because “[r]edaction of a document does not change its character.” Instead, the court ordered the trial court to conduct an in camera examination of documents that fell within the “grey area of disclosure.”

The Regions Bank case provides a useful reminder to banks and other financial institutions of the broad scope of SAR confidentiality and their obligation to invoke the SAR privilege in civil litigation.

The filing of a lawsuit on May 21, 2010 by the American Medical Association (AMA) against the Federal Trade Commission (FTC) could signal yet another delay of the enforcement deadline of the Red Flags Rule.

The Red Flags Rule requires many businesses to develop, implement and administer an Identity Theft Prevention Program designed to detect the warning signs (or red flags) of identity theft, as well as to prevent and mitigate them.  Similar to an AML program, the Identity Theft Prevention Program should be tailored to the risks of identity theft and must contain certain core elements.

The FTC’s original enforcement deadline of November 1, 2008 for non-bank entities has been delayed several times already and currently is scheduled to take effect on June 1, 2010.  Federal regulatory banking agencies have already begun enforcing the rule. 

The AMA’s lawsuit (pdf), filed on behalf of physicians, follows on the heels of successful lawsuits brought by the American Bar Association (ABA) on behalf of lawyers and the American Institute of Certified Public Accountants (AICPA) on behalf of accountants.  In those cases, federal courts granted summary judgment for the ABA and enjoined the FTC from enforcing the Red Flags Rule against accountants for 90 days after a decision has been rendered by the court of appeals in the ABA case.

Congress is also considering legislation that would provide exemptions from the Red Flags Rule for certain professions, including lawyers, accountants and physicians.  Despite passing in the House of Representatives by a 400-0 vote on October 20, 2009, H.R. 3763 (pdf) has yet to be considered by the Senate, and no related bills have been introduced in the Senate.

In light of the federal court’s injunction preventing enforcement of the FTC’s Red Flags Rule against accountants, it appears probable that a similar injunction will be entered in the action filed by the AMA.  That is, the court may decide that the interests of justice are best served by enjoining enforcement of the Red Flags Rule against physicians until the FTC’s appeal in the ABA case has been decided. 

In the meantime, hospitals, physicians’ offices, and other businesses that may be subject to the Red Flags Rule should become knowledgeable about the Red Flags Rule’s requirements and prepare to implement an Identity Theft Prevention Program in the event the enforcement deadline is not delayed past June 1, 2010.