When the FBI Comes Calling

Do you know how to comply with a national security letter?

MOST CREDIT unions probably have never heard of a national security letter, much less seen or received one.

These letters basically are administrative subpoenas the Federal Bureau of Investigation (FBI) issues to obtain records in connection with terrorism investigations. The agency's authority to issue national security letters predates the USA PATRIOT Act and Sept. 11, 2001, but the act significantly enhanced the government's authority to issue national security letters. This includes using the letters to obtain consumers' financial information, such as loan and savings account records from credit unions and other financial institutions.

The FBI can issue national security letters to obtain:

* Financial records, pursuant to the Right to Financial Privacy Act;

* Local and long-distance telephone records and electronic communication records, pursuant to the Electronic Communications Privacy Act; and

* Credit bureau information identifying consumers and financial institutions, pursuant to the Fair Credit Reporting Act.

Section 3414(a)(5) of the Right to Financial Privacy Act gives the FBI the right to issue these letters to financial institutions. Requirements under Section 3414 are significantly different from other sections of the act with respect to certification and member notification.

For example, except where the member has authorized the disclosure, the sections of the Right to Financial Privacy Act relating to administrative subpoenas or summons, judicial subpoenas, and formal written requests require the government agency to provide a copy of the appropriate order or request to the member before providing it to the financial institution. The requirements for search warrants are somewhat different, although the member still must receive a copy (within 90 days after the financial institution is served). However, national security letters contain a gag provision preventing any credit union officer, employee, or agent from disclosing to any party, including the member, that the FBI has sought or obtained access to the requested information.

Ordinarily, for administrative subpoenas, judicial subpoenas, formal written requests, and search warrants under the act, the credit union would release a member's financial records only after the government agency certifies in writing that it has complied with the act's applicable provisions. Under Section 3414, however, the FBI generally will provide two certifications in writing:

* That the records are required for foreign counterintelligence purposes to protect against international terrorism; and

* That the FBI has complied with all applicable provisions of the Right to Financial Privacy Act.

In fact, both certifications for national security letters are included in the letter. An FBI employee with the rank of special agent in charge of a field division or an employee with a higher rank, such as deputy director or assistant director, must sign the letter and certifications.

The FBI's internal procedures state that national security letters must be hand-delivered to any credit union or financial institution from which the information is requested. In addition, the letter instructs the institution to provide the financial records personally to a representative of the FBI field division that delivered the letter. Records obtained pursuant to such a letter never should be returned to the FBI by mail or fax.

Compliance mandatory

In April 2004, the American Civil Liberties Union (ACLU) and an anonymous Internet service provider filed a lawsuit in the U.S. District Court for the Southern District of New York challenging the FBI's authority to issue the letters under the Electronic Communications Privacy Act. ACLU argued the law violated the First and Fourth amendments to the U.S. Constitution because the law didn't impose safeguards on the FBI's authority to compel disclosure of sensitive and private information. The lawsuit also challenged the constitutionality of the gag provision.

In September 2004, the judge ruled the national security letter statute and associated gag provision were unconstitutional. But credit unions still must comply with the letters because the federal regulation giving the FBI the authority to issue national security letters remains in effect despite the district court ruling.

In fact, the district court didn't rule that the letters were unconstitutional pursuant to the Right to Financial Privacy Act. It ruled the Electronic Communications Privacy Act section concerning the letters was unconstitutional.

For more information, see the January 2005 "Compliance Challenge" at cuna.org under "Compliance."

MICHAEL MCLAIN is assistant general counsel for the Credit Union National Association. Contact him at 608-231-4185 or at mmclain@cuna.com.

Copyright Credit Union National Association, Inc. Mar 2005
Provided by ProQuest Information and Learning Company. All rights Reserved