In three previous posts we discussed the allegation against Bank of America raised in an interim majority (Republican) staff report of the House Select Subcommittee on the Weaponization of the Federal Government. In the report BoA is accused of providing the FBI with the identity of some of their customers who used BoA credit or debit cards in the Washington DC area without being asked, and highlighting the records of their customers who also purchased a firearm at some point. (Though there is disagreement among the witnesses cited in the report as to the exact criteria used by BoA in identifying and prioritizing customers.)

While the previous posts get into the major issues around ethics, law, and reform, there are a couple of outlying questions worth thinking about. One is, how would BoA know someone purchased a firearm anyway? The second is if the allegation is true, at least in a general sense, what might it mean for banks going forward?

But first, the necessary disclaimer: It is unclear if the allegation against BoA is true. More information is needed, and our understanding of the facts may change significantly as more details emerge. That said, we will treat the allegations as true for the purpose of discussion.

How would BoA know someone purchased a gun?

One of the claims made is that Bank of America, on its own initiative, placed customers who had at any point used a BoA card to purchase a firearm at the top of the list it provided to the FBI. If this is true, how would BoA know?

Admittedly there is some possible inconsistency between witnesses, with one saying the prioritization was tied to purchasing a firearm while another said that one of the criteria used in the BoA data was whether a purchase was made “at either gun shops or…stores that would sell firearms[.]”

Recall the recent controversy over the roll out of a unique Merchant Category Code (MCC) for gun stores. Such an MCC was advocated for by people who argued it could help banks detect and report suspicious behavior that might presage a mass shooting or straw purchase. As discussed previously, there are strong reasons to doubt the MCC would be useful for this purpose, while further eroding financial privacy and lowering trust in the financial system. Part of why the MCC wouldn’t be effective is that it wouldn’t tell the bank what was purchased, just that it was purchased from a store with the gun store MCC. This would make it both over- and underinclusive. Buy a candy bar at a gun store? Covered. Buy a gun at a large sporting goods store? Not covered.

Still, the MCC wasn’t created until September of 2022, so it wouldn’t have been in effect at the relevant time. (It isn’t really in effect now, but I digress.)

So how would BoA know a customer purchased a firearm, or even made a purchase from a gun store? It is possible that in some cases someone paid for the mandatory background check that accompanies an in-store (and in some cases private) firearms purchase separately, which would be a discreet record highly, though not perfectly, correlated with a firearms purchase. Still, it isn’t clear how often that happened.

Other alternatives would be that either BoA has finer grade detail on its purchases than is commonly believed or they did something like a keyword search for merchant names that would indicate gun store. In the former case there are potentially serious privacy concerns, and Congress should get more details.  In the latter case, which I think to be more likely, the data would be even more over- and underinclusive than the MCC. This could mean that BoA not only “prioritized” customers who had nothing to do with the riot simply because they engaged in lawful, constitutionally protected activity, but they also did a poor job of even identifying the relevant customers, exposing even more customers to federal scrutiny without even achieving their own intent.

Ultimately assuming the allegations are true we don’t know how precise BoA’s identification was, but it is something that should be a focus of Congressional oversight.

What might this mean for banks?

Besides any possible legal changes these allegations, if borne out, may have a significant effect on how banks are perceived and treated by both customers and the government.

First, if the allegations are true, or even just not proven false, Bank of America’s reputation will be damaged with some of its customers and potential customers. Bank of America was already viewed with skepticism by many with right-of-center political views due to its policies on firearms and other politicized industries. The allegation that BoA took the initiative to volunteer information on customers who were in DC during the Capitol Riot, but may have not been involved in the riot, could be seen as displaying hostility to Trump supporters. This concern would be exacerbated if BoA did in fact highlight customers who purchased a firearm as well, since accurately or not, buying a firearm is often coded as conservative. In fact, Bank of America has already been targeted by certain conservative groups over the allegations.

Of course, Bank of America’s reputation might be damaged beyond just conservatives. A lack of trust in banks is already a major reason why some people don’t use them. BoA being seen as voluntarily and over-inclusively exposing its customers to federal scrutiny is unlikely to endear it to privacy-conscious customers of any political persuasion.

The other party whose expectations may have been changed if the allegations against BoA are true is the government. BoA has allegedly shown itself willing and able to search and collate records of its customers who are potentially involved in a crime, using extremely noisy metrics, and identify those customers to the government on its own initiative. The government may come to expect such acts in the future.

Further, imagine a scenario where Donald Trump is elected president in 2024 and riots from left-of-center groups break out in DC during the election certification or inauguration. Is BoA now expected to query and collate its client records of customers in the area and volunteer client identities to the government, perhaps also prioritizing customers who spent money in a way that is coded left? If BoA fails to do so what does that mean for its relationship with its regulators and the public at large? Would it be interpreted that BoA only cares about violence from the political right and is indifferent (or even supportive) of violence from the political left?

The fallout wouldn’t necessarily stop with BoA either. Once one bank does something it demonstrates it can be done, so the expectation for all banks from both the public and the government may change.

It remains to be seen just what Bank of America did or didn’t do. But the issues raised by the troubling allegations found in the interim staff report are relevant regardless. Financial privacy is under-protected, and what protection it does have is under strain from the increasing digitization and politicization of finance. Congress should take this opportunity to do a thorough and fair inquiry and reform our privacy laws to make them adequate for the modern economy.