California law Senate Bill One (SB1) passed on 19th August 2003 has been trumpeted as a strong consumer measure – but it may help money launderers to prevent information about them being passed within financial services groups.
When consumer groups and some radical opponents defeated the Know Your Customer provisions of the Gramm-Leach-Bliley Act in 1999, they also forced through an amendment that said that US states could pass more stringent privacy measures if they wished. Most of the original provisions have since found their way into law or regulation through the USA Patriot Act and measures imposed under it. The instant response in California was to demand strict controls on what financial services businesses operating in the state were able to do with customer information they hold.
The danger for banks is that, in its original draft by pressure groups, SB1 did not include an exemption for the release of information for compliance with the USA Patriot Act and other measures.
SB1 – now known by its official name, the California Financial Information Privacy Act – provides for it to be a criminal offence to pass information within the group or to others if a criminal opts out of information exchange.
This opt-out requirement means that, on the face of it, centralisation of records and monitoring within a group will be a criminal offence where the customer opts out.
However, there are provisions that permit the collecting and administration of account information in the ordinary course of providing services, and provisions for the disclosure of information for “reporting, investigating, or preventing fraud or material misrepresentation”.
The Act makes no mention of reports necessary to comply with the Bank Secrecy Act but it does provide that “non-public personal information [may be] released as required by Title III of the federal United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act;)” and may, therefore, be released even if the customer opts out.
But that provision may not go far enough: it may be held as operative only where suspicion already exists and not for the purpose of forming suspicion so making group wide monitoring a risky proposition.
The law applies to all financial institutions operating in California (regardless of where they are incorporated or regulated) with regard to accounts held by Californian residents.
It specifically prevents the refusal of services to those who do opt out, leaving banks and others open to criticism if they reject accounts on the grounds of suspicion where a customer has refused to allow information to be pooled within a group.
The obvious risks are in relation to aggregation of deposits (especially with regard to the USA Patriot Act’s somewhat bizarre definition of private banking as, among other things, accounts with a balance of more than $1m) and where a customer holds accounts in more than one group company and moves funds between them: the information needed to identify suspicion will be restricted.
