Dear Representatives Waters, Kildee, Moore, Green and Perlmutter:
We write in response to your letter to us dated June 21, 2017 regarding the legal restrictions on Deutsche Bank’s ability voluntarily to provide you, in your capacity as individual Members of Congress, with certain confidential financial information that you have requested.
Your letter addresses two statutes, raises questions regarding their application to requests made by Congress in its official capacity, and then suggests that these laws also do not apply to your informational requests. We have a different view of the applicable legal requirements. We also see a critical legal distinction between inquiries conducted pursuant to congressional rules adopted by duly-authorized committees, on the one hand, and informational requests made by individual members, on the other. We respectfully disagree with the suggestion that Deutsche Bank freely may reveal confidential financial information in response to requests from individual Members of Congress.
As explained in our June 8, 2017 response to your original request, like other financial institutions in the United States, Deutsche Bank is governed by laws and internal policies designed to protect confidential customer information. When Deutsche Bank receives a request for such information, it must act in a manner consistent with these laws and policies and its ability to disclose such material is sharply limited. In short, we reiterate that while Deutsche Bank seeks to cooperate, it must obey the law.
The Right to Financial Privacy Act (“RFPA”) specifically governs how financial institutions like Deutsche Bank must respond to information requests from the federal government. The legislation was intended to “protect and preserve the confidential relationship between [financial] institutions and their customers and the constitutional rights of those customers …” Right to Financial Privacy Act, H.R. 9142, 95th Cong., Sec. 2(b) (1977). You suggest that the law does not apply to Members of Congress because “[t]he legislative branch has never been considered an ‘agency or department’” and therefore is not a “government authority” within the meaning of the statute. However, Congress itself has given the term “department” a far broader definition than suggested by your letter. See, e.g., 18 U.S.C. § 6 (“The term ‘department’ means one of the executive departments enumerated in section 1 of Title 5, unless the context shows that such term was intended to describe the executive, legislative, or judicial branches of the government.”). Here, Congress’s desire to protect customer privacy through the passage of the RFPA compels the conclusion that the term “department” should not be given a narrow reading.
Indeed, the statute provides consumers with broad privacy protections from even formal governmental requests for confidential financial information. To that end, even the exception you cite that allows for disclosure to prevent unlawful conduct permits such disclosure only to defined governmental authorities and narrowly limits the scope of the information that may be provided. See 12 U.S.C. § 3403(c). We are unaware of any evidence that Congress intended that these privacy protections could be circumvented by a letter request from an individual Member of Congress to a financial institution.
More specifically, as noted above, the RFPA establishes formal processes by which government entities may obtain confidential customer information. With respect to Congress, the statute provides that congressional committees may access information already properly obtained by other parts of the government. However, this exception to the RFPA’s restrictions is limited to duly authorized committees of Congress. See, e.g., 12 U.S.C. § 3412(d) (authorizing access to confidential financial information only by “a duly authorized committee or subcommittee of the Congress”). Significantly, the RFPA does not vest such authority in individual Members of Congress.
The conclusion is the same under the second law identified in your letter. The Gramm-Leach-Bliley Act codifies “the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.” 15 U.S.C. § 6801(a). While we agree that certain exceptions to the rule of non-disclosure exist under the statute, these exceptions do not permit Deutsche Bank under the circumstances presented here to provide you with confidential, non-public information related to its customers or any reviews it may or may not have conducted with respect to any such customers. Rather, the statute provides for the lawful disclosure of non-public information to government entities including courts, the financial institution’s regulators, and to “comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities….” See 15 U.S.C. § 6802(e)(8). Respectfully, like the RFPA, this statute does not, in the context of legislative inquiries, provide for the disclosure of confidential information outside of an official congressional inquiry.
As your letter acknowledges, and as we have noted above, federal laws also include procedures for various types of confidential information to be disclosed to appropriate governmental bodies for law enforcement purposes or in connection with duly-authorized investigations. We do not dispute that such investigations may include those authorized under the Rules of the Congress. However, with respect to the House of Representatives, this investigative authority resides with the House itself or by formal and explicit delegation to a Committee or Subcommittee, but not with individual Members. See, e.g., Exxon Corp. v. FTC, 589 F.2d 582, 593 (D.C. Cir. 1978) (“Disclosure of information can only be compelled by authority of Congress, its committees or subcommittees, not solely by individual members; and only for investigations and congressional activities.”).
Finally, your letter suggests that Deutsche Bank may seek customer authorization for the release of confidential information. For the reasons discussed above, we do not see a legal basis for the bank to make such a request.
While we believe the legal requirements for Deutsche Bank to be clear in this matter, we would be happy to further discuss these legal issues with your staff as you have suggested.
Steven R. Ross
Leslie B. Kiernan