Help! My institution maintains that the subpoena or government document they receive requesting information serves as their certificate of compliance. I disagree. They also do not obtain or retain any record of customer authorization or notification. I think they have several serious RFPA violations, but they say this has never been brought up in the past. Your thoughts?

I'll take a stab at this and say I agree with you that they do not have a proper certificate of compliance. This document certifys that the party requesting information has complied with the RFPA and I don't think a subpoena does that for you.

auditormb - You are only referring to requests from Federal Government Entities - right. Also, the IRS and Federal Grand Juries also may operate under different rules. Other entities may have different rules to follow depending on State laws.

Yes, I'm only referencing requests from federal government agencies (excluding the exceptions for IRS/Title 26 and grand juries).

This may seem a bit long-winded but I'm quoting from our policy. I hope this helps.

To gain access to customer’s records, the act requires, with certain exceptions, that the federal government agency obtain one of the following:

• An authorization signed and dated by the customer, which identifies the records being sought, the reasons the records are being requested, and the customer’s rights under the Right to Financial Privacy Act. The agency’s request should be on an official form and contain the required customer authorization.
• An administrative subpoena or summons
• A search warrant
• A judicial subpoena
• A formal written request by a government agency (to be used only if no administrative summons or subpoena authority is available)

If the Bank receives a request for information from a federal agency, the Bank may not release the financial records of a customer until the federal government authority seeking the records certifies in writing that it has complied with the applicable provision of the Right to Financial Privacy Act. Documents will not be furnished to the federal agency for at least 14 days after a request is received. However, the USA PATRIOT Act requires the Bank to respond immediately to Federal directives issued in connection with a list of known or suspected terrorists or organizations provided to the bank. (FinCEN Tracking List)

Thanks, that definitely helps.

Show them what a REAL Certificate of Compliance looks like to help them understand what it should be.

We have a version in the BOL Forms section of BankersOnline. You can access the form directly (in pdf format) at the link below.

Certificate of Compliance

Two things to remember about a Certificate of Compliance -- #1 it can be a major shield against liability, but #2 you must receive it BEFORE you turn over the information. It only protects you from liability if you release the records in good faith reliance upon the certificate of compliance.