Avoiding Misuse of Americans’ Financial Records

House Judiciary Committee, Select Subcommittee on the Weaponization of the Federal Government | The Weaponization of the Federal Government

Chairman Jordan, Ranking Member Plaskett, and members of the Subcommittee:

My name is Brian Knight. I am a senior research fellow at the Mercatus Center at George Mason University, although my testimony does not necessarily reflect the views of my employer. My research focuses on financial regulation, including its use as a tool of broader policy. It is an honor to be asked to testify.

In the wake of the events of January 6, 2021, law enforcement and financial firms collaborated to scan the accounts of an unknown number of Americans, using what appear to have been very broad criteria touching upon certain constitutional rights—of speech, of political and religious beliefs, of assembly, of owning and bearing a firearm—to identify potential suspects as well as to preempt future violence. The implications of this effort are troubling. The use of financial records as a dragnet or tool of surveillance violates the privacy of the American people with little likely benefit. It is incumbent upon Congress to identify how financial records are being used for these purposes and, if necessary, to reform the system to protect Americans’ privacy and liberty.

As a threshold matter, I want to make clear that my comments today are based on what information is publicly available, which is limited. Additional information, whether inculpatory or exculpatory, may materially change any analysis. However, the lack of information itself speaks to one of the major problems with the current financial surveillance regime—that it is opaque to both citizens and members of Congress. We know so little about how it works, how well it works, if it works at all, and what it costs, that the American people cannot make an informed assessment of whether it is a policy worth continuing.

I also want to make clear that my comments are not intended to deny that financial information can be useful to law enforcement. Nor are they meant to impugn anyone’s motives. The events of January 6 constitute an extremely serious crime. The threat of violence at the inauguration was a credible risk. Trying to prevent acts of extreme violence such as terrorist attacks and mass shootings is laudable. That law enforcement would consider using every tool available in the face of such serious threats is not surprising.

However, it is in the face of serious threats that the rights of the American people are in the most danger. Our history is unfortunately replete with examples of Americans’ civil rights being compromised in the name of security, often for no real benefit. Fear is toxic to liberty. Based on what is known publicly, I fear that we risk going down a dangerous path, where, in a likely futile effort to obtain security, we sacrifice further freedom.

America was founded on the idea that the interest of the state must be balanced by, and often yield to, the rights of the individual. The American tradition is not that law enforcement gets a blank check. Nor is it generally that law enforcement cannot access information at all. Rather, the American model looks to due process to balance the two legitimate interests. Unfortunately, in the case of financial records, that balance is badly askew.

My testimony will discuss the following: the current regime for government access to Americans’ financial records; recent allegations and other emerging efforts at financial surveillance and their troubling implications; reasons why using the tools of financial surveillance, such as Merchant Category Codes, are likely constitutionally suspect; reasons why we should be skeptical of their use even if such use is constitutional; and finally, ideas for reform.

The Current Regime

Americans write the story of their lives in their bank accounts. Modern economic realities require people to interact with financial intermediaries such as banks, credit card companies, and many other money services businesses to accomplish the most basic transactions. Yes, one could use only the cash they keep in their mattress, but only if they were willing to forgo many common activities such as having a mortgage, shopping online, or being employed by one of the increasing number of employers that uses automatic payroll deposit.

Those interactions all leave a trail of records created by the financial firms, and those records are obtainable by the government without a warrant or any need to get outside approval. The Bank Secrecy Act [1] (BSA) allows, and in some cases requires, covered financial firms to report “suspicious” activities to the government, but suspicious is not meaningfully defined.

As a result, financial firms are providing a massive amount of information to the government. For example, in fiscal year 2022, they submitted approximately 4.3 million suspicious activity reports (SARs). [2] The current regime also permits and encourages collaboration between financial firms and the government to craft data exchanges. Rather than an arm’s length transaction, financial firms have become assistants to government surveillance.

This generally occurs outside the public’s view—by design. The law prohibits the target of a SAR from being notified. [3] Even the Right to Financial Privacy Act (RFPA), which was intended to allow people to challenge the provision of financial records to the government in court under most circumstances, exempts SARs. [4] The only time a person is likely to know they were the target of a SAR is if they are being prosecuted.

Congress is being kept in the dark. In the 2021 National Defense Authorization Act, Congress ordered that reports on how SARs are used, how effective they are, how long it takes for a SAR to be used, and other essential data be provided to Congress on a yearly basis, beginning in 2022. [5] To date, that information has not been provided. In fact, there is reason to believe that the responsible agencies themselves do not know this information. According to a 2022 Government Accountability Office report, most law enforcement agencies said they lacked the necessary systems to track and report such information and that spending the resources necessary to obtain the information may prevent them from fulfilling the agency’s “core mission.” [6]

In a recent hearing before the House Financial Services Committee, [7] FinCEN Director Andrea Gacki acknowledged that FinCEN did not know how SARs were used and was only now beginning to collect the necessary statistics to determine this. [8] In short, a massive amount of information is being collected on Americans’ financial lives without even understanding how useful it is.

This situation is permitted because the Supreme Court has ruled that Americans lack a privacy interest in their financial records. [9] According to the rulings, either Americans share this information during commerce, such as a check, or the records don’t belong to them in the first place, instead belonging to the financial intermediary. [10] This is perhaps ironic, since federal law otherwise treats financial records as something customers have a significant privacy interest in and even quasi-ownership of.

Federal law requires financial firms to protect customer data from outside theft, limits how firms can use the data, and even requires firms to share a customer’s data with a competitor if the customer so orders. [11] There is, therefore, considerable inconsistency in the ways the law represents customer privacy, in effect telling customers, “It’s your data, and it should be private, but not from the government.”

However, as discussed further below, recent Supreme Court precedent may signal a changing perception that would call into question the constitutionality of the Bank Secrecy Act, at least in situations like those currently alleged. But we should not wait on the Court. Congress must critically reassess for itself whether the current regime is appropriate and make any necessary changes.

Present Allegations and Other Emerging Efforts at Financial Surveillance

The recent allegations of the government’s using Americans’ financial data as a tool of surveillance have troubling implications for Americans’ privacy. It is even more distressing when one realizes that these efforts aren’t necessarily unique but may simply be uniquely visible owing to the work of whistleblowers and the efforts of this Subcommittee.

Unfortunately, the present allegations are not the only emerging example of efforts to use financial information as a tool to surveil Americans engaged in legal, and in some cases constitutionally protected, activities. Both government and private actors are increasingly seeking to use financial records to track Americans. While justified by its proponents as a way of preventing violence, which is a noble cause, there are reasons to be skeptical of how effective these efforts will be and reasons to fear they will further erode individual privacy and public trust.

The highest-profile recent example is the federal government, in conjunction with banks, such as Bank of America, and other financial firms, apparently soliciting and obtaining financial records based on broad criteria, including location on and surrounding January 6; the purchase of a firearm, or at least from a vendor associated with firearms, within a certain period; the purchase of certain items associated with “extremism,” including religious texts; and the contents of messages associated with Venmo payments. [12] The government did not have identified suspects it was investigating; it was trying to identify suspects via mass data collection.

These efforts also included FinCEN sharing “typologies” and “methodologies” previously developed to help financial firms identify other illegal activities, such as mass shootings, based on what was presented as a series of large purchases in a short period of time from multiple vendors associated, at least tangentially, with firearms in a manner inconsistent with previous customer behavior. [13] This presumably included the methodology created by KeyBank and shared by FinCEN that purported to be of a narrow focus (implying broader typologies were also shared) but that relied on merchant category codes (MCCs), vendor names, including popular stores such as Dick’s Sporting Goods and Cabela’s, and spending thresholds that are likely to be both significantly over- and underinclusive. [14]

Another notable revelation in the KeyBank methodology is that KeyBank used several non-standard MCCs related directly to firearms manufacture. These MCCs are not part of the standard developed by the International Organization for Standardization (ISO), but rather are assigned by individual banks and other users, which means that there may be other MCCs relating to sensitive, and perhaps constitutionally protected, activities that are unknown to the public.

MCCs are assigned based on the merchant’s general business and do not reveal what specific items were purchased, but they can provide greater detail of a customer’s activities the more tailored they are. This reality prompted recent efforts by Amalgamated Bank, the City of New York, and certain pension funds to get the ISO to create an MCC specifically for gun stores. [15] This move has been justified as a way to allow banks to detect suspicious activity that may indicate an imminent crime, especially a mass shooting, and allow them to alert law enforcement. [16] While some states have banned the use of the gun store MCCs, California has mandated it, explicitly for the purpose of surveillance. [17]

In summation, we have recent evidence that indicates that law enforcement sought payment information to help determine, at a minimum, Americans’ whereabouts, political and religious views, and whether they own a firearm. We also know that there are efforts to increase the granularity and expand the collection of similar information, all of which is highly sensitive and personal.

In other contexts, the Supreme Court has ruled that Americans have a constitutionally protected expectation of privacy for much of this information. And yet the government and banks, perhaps with the best of intentions, can share it without any due process.

As discussed further below, there are significant reasons we should be both skeptical of the efficacy of these efforts and worried about their constitutionality and the damage they may cause.

Questions About Constitutionality

The current BSA system assumes that Americans lack a constitutionally protected right to privacy in their financial records. This assumption is based, in turn, on the belief that people do not have a privacy right in data they share with others or the records of another. Since it is the financial firm’s records that the government receives, the customer cannot claim a privacy right in them. This assumption comes from a series of Supreme Court cases in the 1970s. [18] United States v. Miller, a case involving bootlegging and tax evasion, is particularly relevant. In that case the Court held that law enforcement can obtain a suspect’s financial records without a warrant because the records are not the suspect’s papers, and therefore, the suspect lacks a protectable privacy interest.

However, more recent Supreme Court precedent, especially the 2018 case of Carpenter v. United States, [19] calls that into question and may indicate that warrantless financial surveillance, especially of the type of collection alleged in the Subcommittee’s reporting and being recently advocated and implemented in California, may be constitutionally suspect.

Briefly, in Carpenter, the Court declined to extend the reasoning of United States v. Miller to the context of cell-tower location data. While acknowledging that the cell phone data belonged to the phone company, not the customer, the Court found that wireless customers had a Fourth Amendment privacy interest in cell-tower records showing their location. The Court reasoned that the sensitivity of the information, the ubiquity and necessity of cell phones in modern life, and the inability to not create the information because it was generated automatically as a condition of using the phone required finding a privacy interest. Failing to do so, the Court reasoned, would allow the government “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user” as well as information about the user’s past movements in a way that traditional observation does not. [20]

As I have discussed in greater detail elsewhere, [21] the logic of Carpenter matches the present situation better than that of the 1970s cases. To be sure, the Court did not overturn Miller, but when one considers the sensitivity, ubiquity, and necessity of electronic financial records and their power to give the government sweeping and retrospective surveillance of peoples’ movements, beliefs, and the most intimate details of their lives, it is hard to believe there are no constitutional concerns. It is possible that were the Court presented with facts like those alleged, it might overturn or distinguish Miller and follow the logic of Carpenter.

Reasons For Skepticism

Even if one discounts the constitutional argument, the potential costs of this type of surveillance likely outweigh any potential benefit. Further embracing financial surveillance, especially directed at sensitive and constitutionally protected activities, threatens Americans’ privacy and trust in our system of law enforcement. It also risks further straining what appears to be an already overburdened system, harming its ability to perform legitimate functions. Further, there are reasons to be deeply skeptical that using this type of financial surveillance of Americans to preempt violence will even be effective.

The threat to Americans’ privacy is obvious. As mentioned previously, the examples of financial surveillance that have recently come to light involve searching Americans’ financial records to gain information about private and sensitive matters. It was the very sensitive nature of the data that made it attractive to law enforcement. Such an action should be subject to due process and transparency, but it isn’t. Instead, it appears that law enforcement and financial firms can simply collaborate over email without the targets ever finding out.

We don’t know the full scope of what is being searched. We don’t know who has access to that information or how reasonable their determinations are. We don’t know how securely the information is being stored. We don’t know how common coordination between government and firms is. We don’t know what other types of search criteria are being used and what other legal activities may be seen as red flags.

This all raises important concerns about the protection of Americans’ legitimate privacy issues, from their government, financial firm employees, and potential malicious actors who would seek to compromise government and private systems to access that information. This concern is not unique to the present allegations and is by no means limited to conservatives. For example, after the Supreme Court’s decision in Dobbs vs. Jackson Women’s Health Organization, many women realized that their financial records could indicate whether they had pursued an abortion. [22] Nothing says that if we stay on the current path, we won’t see increasing escalation of financial surveillance directed at disfavored groups and activities across the political spectrum.

Not only is Americans’ privacy threatened, but so is their trust in both law enforcement and the financial system. Already, innocent Americans are worried they may be put on a list for performing constitutionally protected activity. They already believe that big banks and the government are hostile to them, even though they have not committed a crime. Further coopting the financial system as a tool of surveillance would only deepen and spread this distrust.

While the privacy costs are high, it is not clear how useful the information is. For example, the information reported to have been provided by Bank of America, which was given to at least two FBI field offices, was ultimately pulled from the FBI’s system because the “leads lacked allegations of federal criminal conduct.” [23] Likewise, given the broad scope of the search criteria shared by FinCEN, it is likely that search results swept in far more innocent people than guilty.

Efforts to use financial surveillance to prevent crimes such as mass shootings are also unlikely to be effective. To do so, the bank would need to be able to correctly identify suspicious activity and report it promptly; FinCEN would need to triage it promptly; and then law enforcement would need to respond promptly.

On what basis do we believe this will occur? How will banks identify suspicious activity with the limited, though still sensitive, information they have access to? Remember, banks don’t know what is being purchased, only what store it is being purchased from. Cabela’s sells firearms, but they also sell bass boats and pellet grills. If Cabela’s is a “gun store,” a lot of non-gun purchases will be swept up; if they aren’t, a lot of gun purchases will be missed.

Further, what confidence do we have that banks will be able to identify suspicious activities at a rate better than random? For example, the spending thresholds recommended in the KeyBank methodology are much more than it takes to commit a terrible act of violence but less than it takes to buy a really nice hunting rifle and scope. Banks are faced with the problem that the stricter the criteria they use, the fewer legitimate threats will get flagged, but the looser the criteria, the more false positives will be submitted to law enforcement.

False positives would not only harm innocent Americans but would also place more strain on the BSA system, whose effectiveness is already highly questionable. Adding potentially millions of false positives will require that resources and manpower that could go to pursuing legitimate reports be spent instead on wild goose chases. This will likely result in longer turnaround times and lower quality responses overall.

Apparently, nobody knows how quickly FinCEN triages SARs or how quickly law enforcement responds to SARs on average, despite Congress having asked for this information years ago. Advocates of financial surveillance need to answer the critical threshold question of how quickly law enforcement would realistically act on a threat. Yet that information isn’t publicly available. What is known is that large numbers of false positives will only impede the system’s legitimate operation. [24]

Ideas For Reform 

The need for BSA reform generally is obvious, and much good work has already been done to propose changes. [25] I will limit my proposals to what I think are most directly relevant to the issues raised by the Subcommittee’s reporting and by recent efforts to use MCCs as a tool of surveillance. [26]

First, Congress should consider mandating that a customer be notified, after a reasonable period, if they are the target of a SAR. If a compelling reason exists, such as an ongoing criminal investigation, law enforcement could petition a court to delay that notification. Otherwise, citizens should eventually know if and why a report was filed on them. Doing so will help the public and Congress better understand how the current SAR system works and assess whether it is worth the cost.

Second, Congress should obtain from FinCEN, other relevant agencies, and financial institutions a complete and up-to-date list of all MCCs and other criteria used by financial services firms to categorize customer transactions and how that information is reported to the government. The level of possible intrusiveness of financial surveillance is inherently linked to the granularity of the data available.

Third, Congress should investigate the nature of interactions between financial institutions and the government around data sharing. The BSA and RFPA originally appeared to contemplate a largely arm’s-length relationship; however, the relationships are now far more collaborative. Given this situation, changes to the law may be appropriate.

Fourth, Congress should investigate how relevant government agencies and financial institutions view their powers and limitations under the law. Given the secrecy of information sharing, those whose information has been shared find it almost impossible to challenge the exchange in court. This means that the judiciary may not be able to correct mistaken views of the law that government and industry may have. Congress’s assessment of whether the understanding of government and industry conforms with both the law and congressional intent will help inform whether reform is necessary.

Fifth, financial institutions should be granted greater legal protection for pushing back in good faith on government requests that they consider outside the law or for failing to file SARs when they deem them unreasonable. This protection would need to shield institutions from regulators’ informal efforts to punish them through procedural and formal actions.

Sixth, Congress should explicitly include a reasonableness requirement for all transfers of information, whether voluntary or—owing to a compulsive reporting requirement—obligatory. Law enforcement is limited to reasonable suspicion in other contexts, and it should not be different here. That standard should at a minimum prevent dragnet-style mass requests or transfers based on nothing more than location or constitutionally protected activity. It should also allow for the suppression of evidence obtained or derived from unreasonable transfers in a subsequent trial as well as for a customer’s private right of action against the government, the financial institution, or both.

Failing this, FinCEN should be required to define “suspicious” via regulation in a way that is consistent with the reasonableness requirement imposed on law enforcement in other contexts and that explicitly precludes dragnet-style mass requests as well as reports based solely or primarily on constitutionally protected activity.

Seventh, Congress may wish to consider prohibiting the use of MCCs or other classifying criteria that directly relate to, or seek to identify, constitutionally protected activities. The most obvious is the purchase of firearms, but criteria that focus on political, religious, or other core constitutional rights could also endanger privacy. Congress may also wish to expand this restriction beyond constitutional rights to other highly sensitive issues such as healthcare.

Eighth, Congress should create or enhance a body—either within or outside of the relevant agencies—to investigate privacy issues and advocate for the protection of consumer privacy from excessive intrusion. This body should have the ability to access all necessary records, be able to compel testimony, and be insulated from pressure from agency management. Inspectors general could be one option, and an independent body could be another. [27]

Ninth, Congress should establish a clear statutory right to allow its members and staffers to promptly access relevant data from government agencies. Their access would be subject to proper handling requirements and necessary customer privacy protections but without the agencies’ ability to prevent or unduly impede access. This is essential to meaningful oversight.

Conclusion

Americans should not have to choose between having meaningful privacy and engaging with the modern economy. Recent efforts to use financial surveillance to prevent crime, while understandable, highlight a growing danger that our current financial privacy regime will effectively eliminate the ability of Americans to keep their movements, faith, political beliefs, and other sensitive activities private from the government without any meaningful protections or due process. This is not a conservative or liberal problem; it is not a Democrat or Republican problem. It is a problem that faces all of us, and we must be willing to enact necessary reforms to restore the proper balance between liberty and security. Otherwise, we risk ending up with neither.

 

Attachment: Brian Knight, “Financial Privacy: Limits, Developments, and Ideas for Reform,” (Statement for the Record, Submitted to the House Financial Services Committee, Mercatus Center at George Mason University, Arlington, VA, February 14, 2024); Brian Knight, “Is the Bank Secrecy Act Vulnerable to Constitutional Challenge Over Post-January 6th Data Collection?” FinRegRag, February 26, 2024. 

Notes
  1. Bank Secrecy Act, 12 U.S.C. § 1829b; 12 U.S.C. §§ 1951–1960; 31 U.S.C. § 5311 et seq.
  2. Financial Crimes Enforcement Network, FinCEN FY 2022 Year in Review, April 21, 2022.
  3. 31 U.S.C. § 5318(g)(2).
  4. 12 U.S.C. § 3413(d).
  5. Public Law 116-283 § 6201.
  6. Government Accountability Office Report, Bank Secrecy Act: Action Needed to Improve DOJ Statistics on Use of Reports on Suspicious Financial Transactions, August 25, 2022.
  7. House Financial Services Committee Hearing, “Oversight of the Financial Crimes Enforcement Network (FinCEN) and the Office of Terrorism and Financial Intelligence (TFI),” Video, February 14, 2024, https://www.youtube.com/watch?v=HAlGmDhq-tI.
  8. House Financial Services Committee Hearing, “Oversight of the Financial Crimes Enforcement Network (FinCEN) and the Office of Terrorism and Financial Intelligence (TFI),” 1:07:25.
  9. See e.g. California Bankers Association v. Shultz, 94 S. Ct. 1494, 1525–1526 (1974); United States v. Miller, 96 S. Ct. 1619 (1976).
  10. See Miller, 96 S. Ct. 1619.
  11. See e.g. Gramm–Leach–Bliley Act, 15 U.S.C. § 6801 et seq; Dodd-Frank Act 12 U.S.C. § 5533.
  12. See US House of Representatives, Interim Staff Report, Committee on the Judiciary and the Select Subcommittee on the Weaponization of the Federal Government, May 18, 2023; Chairman Jim Jordan, letter to Christopher Wray, Director, Federal Bureau of Investigation (Wray letter), January 17, 2024; Chairman Jim Jordan, House Committee on the Judiciary, letter to Noah Bishoff, AML Officer, Plaid Inc., (Bishoff letter), January 17, 2024.
  13. Secretary Corey Tellez, Letter to Senator Tim Scott, (Scott letter), February 9, 2024.
  14. Bishoff Letter. For a more detailed discussion and critique of the KeyBank methodology please see Brian Knight, “(Updated) MCCs and Financial Privacy, Again,” FinRegRag, January 18, 2024; Brian Knight “More Thoughts on the Use of MCCs for Law Enforcement Tracking,” FinRegRag, January 24, 2024.
  15. See Associated Press, “Visa, Mastercard, AmEx to Start Categorizing Sales from Gun Shops,” NBC News, September 10, 2022; Leah Collins, “Amalgamated Bank CEO on Why We Can and Should Track Gun Purchases on Cards,” CNBC, July 13, 2022.
  16. Kate Fitzgerald, “Will New Merchant Code for Gun Sales Turn Issuers into Morality Police?” American Banker, September 16, 2022.
  17. Caitlin Mullen, “States Split Over Gun Merchant Category Code,” Payments Dive, October 2, 2023.
  18. See Shultz, 94 S. Ct. 1494; Miller, 96 S. Ct. 1619.
  19. Carpenter v. United States, 138 S. Ct. 2206 (2018).
  20. Carpenter, 138 S. Ct. at 2219–2220.
  21. Brian Knight, “Is the Bank Secrecy Act Vulnerable to Constitutional Challenge over Post-January 6th Data Collection?,” FinRegRag, February 26, 2024.
  22. Alejandra Caraballo, “Payment Data Could Become Evidence of Abortion, Now Illegal in Some States,” New York Times, June 29, 2022.
  23. US House of Representatives, Interim Staff Report, Committee on the Judiciary and the Select Subcommittee on the Weaponization of the Federal Government, May 18, 2023; Wray letter.
  24. The extent of the legitimacy of the BSA is beyond the scope of this testimony.
  25. See e.g. Norbert Michel and Jennifer Schulp, “Revising the Bank Secrecy Act to Protect Privacy and Deter Criminals” (Policy Analysis No. 932, Cato Institute, Washington, DC, July 26, 2022); Nicholas Anthony, “The Right to Financial Privacy” (Policy Analysis No. 945, Cato Institute, Washington, DC, May 2, 2023); David Burton and Norbert J. Michel, “Financial Privacy in a Free Society” (The Heritage Foundation, Report, Washington, DC, September 23, 2016). (Note: I am not endorsing every idea in these papers. Rather, I refer the Subcommittee to them as resources.)
  26. Many of these ideas are also included in my statement for the record entitled “Financial Privacy: Limits, Developments, and Ideas for Reform” (Statement for the Record submitted to the House Financial Services Committee, Mercatus Center at George Mason University, Arlington, VA, February 14, 2024).
  27. The US Privacy and Civil Liberties Oversight Board presents one model, though any new outside agency should have its own subpoena power rather than relying on the Department of Justice.