Privacy Statements Need More Disclosures
In privacy disclosure statements provided to customers of depository financial institutions such as credit unions, a casual reading suggests that privacy of one's assets and transactions is being protected from the eyes of nosey individuals, outside business employees and potential marketing companies.
However, the privacy statements typically indicate that there are third parties who may receive private information about customers. These third parties include insurance companies, mortgage service companies, consumer reporting agencies, data processors, card processors, government agencies and other organizations deemed necessary. To a certain extent, it is suggested in the disclosure statement that this is the limit of who has access to the information about customers of financial institutions.
But, there are two cases where credit unions are required to notify federal government agencies and are not declared on the privacy statements. These are Suspicious Activity Reports and Currency Transaction Reports. Suspicious activity takes several forms, including suspected violations of federal laws, criminal activity, money laundering, computer intrusions and the nebulous transaction where the customer has no business or apparent lawful purpose. If these activities are detected in the judgment of employees of a credit union, it is required to file a SAR to the appropriate office of the Internal Revenue Service.
Two issues arise with the current SAR provisions. First, the credit union that fails to submit SARs may be subject to fines and penalties. These fines have not been trivial in a number of cases. Hence, credit unions have recognized that it is better to err on the side of reporting, than not reporting. Second, customers of credit unions are not notified of the filing of the SAR. In fact, the current law prohibits notifying customers.
Many questions have been raised about the proliferation of SARs, allowing the government to delve into the legal, private transactions of customers of credit unions. That issue is not raised here. The concern here is that customers do not know that a SAR can be filed against them in the privacy statements issued by banks. Privacy statements should state that a SAR can be filed in the case of suspicious transactions.
Currency transactions can also be filed against customers without notification. Any cash transaction above $10,000 triggers a Currency Transaction Report that is sent to the appropriate IRS office. Current provisions of the CTR law do not prohibit notifying the customer of a filing. However, credit unions do not typically notify. (For certain businesses with routine large cash transactions such as a retail store, a depository financial institution can file a Designation of Exempt Person Form.)
It is probably more commonly known by customers of credit unions that transactions above $10,000 create a report of some sort. But, some customers may not know. Why not make it transparent in the so-called privacy statements?
Given the above potential filings, privacy statements given to customers of credit unions and other depository financial institutions are clearly not statements of privacy and are deceptive. They indicate potential third parties that have access to the financial information and transactions of credit union customers. But, they fail to disclose the potential CTR and SAR filings to the IRS. At the least, privacy statements should include a statement that suspicious activities will potentially be reported and that cash transactions over $10,000 will also be reported. Or, the statement should not have the word privacy in it anywhere. Instead, the statement should be called a public access disclosure.
James R. Gale is an emeritus professor of economics and finance in the School of Business and Economics at Michigan Technological University and board member at Michigan Tech Employees Federal Credit Union. He can be reached at 906-482-7668 or firstname.lastname@example.org