Remarks to the Bank Secrecy Act Advisory Group, U.S. Department of the Treasury

Prepared Remarks of Jim Harper, Editor of, to the Bank Secrecy Act Advisory Group, U.S. Department of the Treasury

October 22, 2003

I am here because I was part of a little delegation of skeptics that visited FinCEN a few months ago to hear from Director Sloan and Judith Starr. We got to ask some tough questions and get some frank answers. It was a good dialogue, though I couldn’t say that we all came away from it as fans of FinCEN and Bank Secrecy Act reporting.

The folks at FinCEN have asked me to come and address some of the privacy issues involved in Bank Secrecy Act reporting. So, I hope you’re prepared to skip lunch, because we have a lot to cover . . . .

Before I get into some of the privacy concerns, though, let me introduce myself and what I do.

I am the Editor of, which is a Web-based think-tank devoted to privacy as a public policy issue. We try to cover the entire range of issues, including privacy fundamentals, privacy from government and privacy in the private sector. Within the private sector, we break it down between financial, medical, and online privacy.

I began Privacilla after leaving the House Judiciary Committee, where I was a counsel for a few years, as part of a several-year tour of duty in various offices on Capitol Hill.

I am also an Adjunct Fellow with The Progress & Freedom Foundation and I run a consulting firm called PolicyCounsel.Com. In the latter capacity, I consult to clients on privacy and many other issues. For that reason, do keep in mind my potential for bias, as you would any privacy advocate.

One of the things I constantly do is try to bring definition and organization to the various issues that are often called “privacy.” Things are improving, but in the past “identity fraud” has been called a privacy problem, even though it’s a serious crime problem. The terms “privacy” and “security” have been used interchangeably at times. They are not interchangeable concepts.

The Fair Credit Reporting Act is sometimes mischaracterized as a privacy law when, in fact, the credit reporting system is a stellar example of beneficial information-sharing. The FCRA is really about fairness and, in a few cases, freedom from unwanted marketing.

The federal do-not-call list is often called a “privacy” program even though reporters were able to query the list and discover which direct marketing executives had signed up for it.

Maybe the most important innovation I’ve tried to bring to the privacy debate is the idea of defining privacy so that we can know when we have it and when we don’t. So we can know what programs or laws advance privacy and what do not. So let me share with you that definition and parse it briefly.

Privacy is a subjective condition that individuals enjoy when two factors are in place — legal ability to control personal information, and exercise of that control consistent with one's interests and values.

Most importantly, privacy is a subjective condition. It is personal. That means that my sense of privacy is my own, and yours is yours. Legislators and regulators can’t pass laws to tell us we have privacy when we think we don’t. Those laws can only represent guesses about what privacy might look like.

The first factor that I mentioned is the legal power to control information. This essentially asks whether the law has deprived people of power to control information in some way. There are thousands of laws and regulations that reduce people’s power over information about themselves. Let there be no mistake about the good intentions of these laws, but they undermine privacy all the same.

The second factor I mentioned is exercise of control consistent with our interests and values. In the marketplace, consumers seek privacy on the terms they want it through voluntary exchange. They routinely refuse transactions that don’t satisfy them in whatever way is important to them, including the results for personal information. The greatest threat to privacy in the private sector is ignorance. If you don’t know how information moves in the Information Economy, you can’t reject practices that you disapprove of. The actions of educated and aware consumers determine what uses of information are acceptable.

The Bank Secrecy Act, of course, is implicated by that first factor: power to control information. By requiring banks to retain certain records about customers, the BSA denies consumers the power to control personal information that their financial institutions may hold or derive. The BSA prevents banks from offering consumers privacy on the terms they may want it.

And the BSA’s reporting requirements take things quite a bit further. Here, personal information is transferred to a government agency, which is not bound by contract or accountable to any higher authority if it makes new, unanticipated disclosures or uses of data. There may be details in the BSA that I don’t know about, but most federal agencies can make new uses of information merely by declaring them in the Federal Register.

There are a variety of ways that governments deprive citizens of privacy, and the Bank Secrecy Act has elements of each. First, it is anti-privacy law. It says to consumers and financial institutions, “You may not get together and agree to keep financial arrangements private.” Second, it is a surveillance program: the government is peering in on people’s lives without their consent or participation. Finally, BSA reports go into a public record, and specifically a database. This causes the information to be uniquely persistent, transferable, copyable, and usable.

It’s no wonder, then, that the Bank Secrecy Act and FinCEN are my favorite punching bags when I go out and give speeches. No private sector entity has the power to take privacy from people like the government does. And the government does it with aplomb in the Bank Secrecy Act.

But I’m not just here to butter you all up. Judith invited me to make some constructive comments. And I do have one or two.

First, there are a variety of marginal ways to protect privacy by reducing the amount of data you collect, the amount of time you keep it, how many copies you keep, and so on. I don’t have a detailed account of what you can do. But when we visited FinCEN, Director Sloan talked about an effort to reduce by as much as 30% the amount of information reported to FinCEN.

Depending on your perspective, you may regard this as an efficiency measure, a cost-saver, or what-have-you. But, from my perspective, it is a large incremental improvement in privacy.

I don’t know the specifics of FinCEN’s plans, but reducing the number of reports will marginally improve the privacy situation by marginally reducing the amount of information in the hands of the government and subject to its vagaries.

You probably didn’t think I would be hard to persuade on this proposal, but I am wholeheartedly behind the proposal to reduce collections of information by FinCEN.

That was the easy one. Now it gets more complicated.

Privacy from government is a matter of reasonableness. The Fourth Amendment prohibits “unreasonable” search and seizure. If you were able to show that Bank Secrecy Act reporting had a strong correlation to detecting crime, the privacy arguments against the BSA would be quite a bit weaker.

One of the things I noticed on our visit to FinCEN was that the folks there could not articulate the law-enforcement benefit they provide in exchange for millions of taxpayer dollars, millions more in costs placed on financial services providers, and lost privacy for all Americans. The latest issue of the SAR [Suspicious Activity Report] Activity Review contains eight whole anecdotes about uses of SARs in successful prosecutions.

Now, I know well that it is difficult to articulate the benefits that come from law enforcement activities. When I worked on the Hill, I sat down with components of the Justice Department to work on their compliance with the Government Performance and Results Act, known more commonly as the Results Act. Articulating results-based measures of law enforcement efforts is very difficult, and at that time I did not see the Justice Department bureaucrats making much effort to actually do it.

I looked at FinCEN’s Strategic Plan and Performance Plan last night and they were interesting, but they are not designed to show that FinCEN and the Bank Secrecy Act are suppressing crime and catching criminals. They are measures of activity and quality, which is important, but they are not measures of results and they do not point to where results can be found.

Last night, I also went over the Supreme Court cases that two-stepped around the Fourth Amendment issues in the Bank Secrecy Act. In the California Bankers case (California Bankers Association v. Shultz, 416 U.S. 21 (1974)) and U.S. v. Miller (425 U.S. 435), the Court denied plaintiffs standing to dispute the collection of information about them for BSA purposes, then denied a Fourth Amendment claim about the information because it was held by third parties.

That’s bad law. Especially in the current age, because huge amounts of personal information are entrusted to third parties like ISPs. And, believe me, Americans expect it to remain private in those hands, subject only to release through legal process.

You have a particular privacy problem here because one of the reasons that the Court ratified BSA reporting was because it accepted the congressional finding that the information collected would “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings.”

Well, the facts on the ground today show that this information does not have a high degree of usefulness — to the tune of at least 30% and probably more. The BSA does not today have a reasonable relationship to discovering or preventing crime. It is an ongoing violation of our Fourth Amendment rights.

Like I said, I’m not just here to butter you up. I also have a solution to the problem you face. It is my third point, and probably the most dispensable because I don’t expect you to take it seriously.

If you want to solve the privacy problems that are at the heart of the BSA and FinCEN, you need to do two simple things: eliminate Currency Transaction Reporting and make Suspicious Activity Reporting voluntary. This would help you more than you probably expect.

First, it would eliminate over-reporting. What you have now is the sort of passive-aggressive response you get when you try to mandate good citizenship and penalize people for not doing right. Oh, you’re getting reports alright, and then some, because it’s safer to over-report than to report accurately. But they are not motivated by people trying to help. The BSA reduces good citizenship to a compliance matter, with less than stellar results.

Second, the information coming into the system would have a much closer relationship to crime control and discovery. It might even have a “high degree of usefulness.” Though I am a privacy advocate, I recognize that privacy gives way in our society when it might conceal crime or the fruits of crime. Good faith reporting of suspected crime already trumps privacy claims in our law, and that is good public policy.

Now, when I say that Suspicious Activity Reporting should be voluntary, I’m not actually calling for that great a change in what you do. The same outreach that goes on now could continue. Guidelines telling financial services providers what to look for should continue to issue. Your collection, analysis, and reporting functions could continue. You would just be working with data that is immensely more useful because it would actually be suspicious enough to motivate a citizen to report it.

So, I would recommend that you abandon the backward premise of the BSA, that good citizenship can be required, and make the leap of faith to relying on the goodness of the people out there in the financial services sector. You won’t be disappointed. You will have a better system, with less substantial privacy problems.

I don’t know what you folks think of the Total Information Awareness program or the CAPPS II program, but I am deeply skeptical of them, as are many Americans and Members of Congress. I have recently begun talking about the Bank Secrecy Act as the precedent that makes people think these government data mining programs are OK.

CAPPS II and the records in FinCEN have a common thread: they are databases of personal information about Americans that are shielded from our view by the law enforcement and national security exceptions to the Privacy Act. They are premised on collecting information about innocent Americans, presuming them to be part of a criminal enterprise rather than the hard-working honest people they are. This premise is inconsistent with principles and laws that are very fundamental to our way of life in the United States.

You have my gratitude for hearing my views on this, my thanks go to Director Sloan and Judith Starr for inviting me here, and I encourage you to think very carefully about the programs you are working on.

