Joint letter to BOP re commissary rules and privacy concerns - Sept. 2015
Download original document:
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
September 1, 2015 Rules Unit, Office of General Counsel Federal Bureau of Prisons Attn: Sarah Qureshi 320 First St., NW Washington, DC 20534 VIA REGULATIONS.GOV AND FIRST-CLASS MAIL Re: RIN 1120-AB56 Proposed Rule Regarding Inmate Commissary Account Deposit Procedures Comments and Petition for Further Rulemaking Dear Ms. Qureshi: The undersigned organizations submit the following comments concerning the above-referenced proposed rule, and ask that they be made part of the administrative record. On July 7, 2015, the Bureau published a proposed rule that sets forth a new process by which the Bureau may obtain transaction information concerning people who send or attempt to send funds to commissary accounts.1 As explained herein, the Bureau’s proposed rule, as applied to customers of financial institutions,2 is not appropriate under the provisions of the Right to Financial Privacy Act (“RFPA”).3 There are also numerous broader and more pressing issues related to commissary accounts that are not addressed by the Bureau’s current regulations. Accordingly, the undersigned organizations also submit the petition contained herein, pursuant to 5 U.S.C. § 553(e), requesting further rulemaking concerning financial services in Bureau facilities. I. Applicable Legal Framework As the Bureau acknowledges, some (albeit not all) payment orders remitted to commissary accounts are drawn on “financial institutions,” as defined in the RFPA.4 When someone conducts a transaction through a financial institution, the protections of the RFPA generally apply, and the institution is “prohibit[ed] . . . from providing a government agency with access to any customer’s financial records unless the customer is first given notice and the opportunity to object.”5 The RFPA “was enacted in response to a pattern of government abuse in the area of individual privacy and was intended ‘to protect the customers of financial institutions from unwarranted 1 80 Fed. Reg. 38658 (Jul. 7, 2015). As defined in 12 U.S.C. § 3401(1). 3 12 U.S.C. § 3401, et seq. 4 See 80 Fed. Reg. at 38659. 5 Commodity Futures Trading Comm’n v. Worth Bullion Group, 717 F.3d 545, 549 (7th Cir. 2013). 2 September 1, 2015 Page 2 of 7 intrusion into their records while at the same time permitting legitimate law enforcement activity by requiring federal agencies to follow’ established procedures when seeking a customer’s financial records.”6 Because the RFPA seeks to balance privacy rights with the needs of law enforcement, the statute provides broad protection to customers, while also giving the government numerous ways to obtain financial information, many of which the Bureau could use with minimal effort.7 First, the government may obtain a customer’s written consent to disclosure.8 To the extent that the Bureau’s proposed rule is premised on the customer-consent provision, it is incompatible with the RFPA, which clearly and unambiguously prohibits such consent being “required as a condition of doing business with any financial institution.”9 In addition, the RFPA allows the government to obtain financial records through issuance of a search warrant or a judicial or administrative subpoena;10 however, the proposed rule does not utilize any of these tools. Finally, RFPA allows the government to obtain records through “a formal written request.”11 The Bureau seems to invoke the formal written request procedure when the Bureau states that the proposed rule is in compliance with the Right to Financial Privacy Act . . . which allows federal agencies to have access to or obtain copies of the financial records of any customer from a financial institution only if the financial records are reasonably described and . . . the financial records are disclosed in response to a formal written request which meets certain notice and other technical requirements. 12 U.S.C. 3402(5).12 The Bureau’s citation to the formal written request provision of RFPA is confusing. Both the RFPA and applicable regulations promulgated by the Department of Justice require formal written requests to be individualized and served on the relevant customer.13 Because no such individualized notice procedure is contained in the proposed rule, the Bureau’s reference to the formal written request provision appears to be a drafting error. 6 Anderson v. La Junta State Bank, 115 F.3d 756, 758 (10th Cir. 1997) (quoting Neece v. IRS, 922 F.2d 573, 575 (10th Cir. 1990)); see also H.R. Rep. No. 95-1383, at 9305 (1978) (explaining that the RFPA was enacted in response to U.S. v. Miller, 425 U.S. 435 (1976)). 7 See Duncan v. Belcher, 813 F.2d 1335, 1339 (4th Cir. 1987) (“The [RFPA]’s provisions hardly insulate private accounts from investigation by government agencies. On the contrary, the Act merely establishes summary procedures for government investigators to follow.”). 8 12 U.S.C. § 3402(1). 9 12 U.S.C. § 3404(b). 10 12 U.S.C. § 3402(2) through (4). 11 12 U.S.C. § 3402(5). 12 80 Fed. Reg. 38658-38659. 13 12 U.S.C. § 3408(4)(A) (a copy of a formal written request must be “served upon the customer or mailed to his last known address on or before the date on which the request was made to the financial institution,” together with a prescribed statutory form of notice); 28 C.F.R. § 47.4 (formal written requests issued by Department of Justice components must specifically identify the customer to whom the records pertain). September 1, 2015 Page 3 of 7 II. The FRPA Prohibits Compulsory Authorizations for Disclosure In the proposed rule, the Bureau seeks to obtain transactional information by unilaterally declaring that a person must consent to disclosure of financial information when that person sends or attempts to send funds to a commissary account. Although the RFPA allows the government to obtain financial information by obtaining an account-holder’s written consent, such consent is only valid if it is given in compliance with detailed statutory requirements.14 As mentioned above, the RFPA prohibits requiring customer consent as a condition of doing business with a financial institution. This provision operates to “prohibit blanket authorizations, that is, authorizations for disclosures whose scope and purpose is not known at the time of the authorization.”15 The proposed rule seeks to impose precisely the type of blanket authorization that RFPA is designed to prevent, and therefore is fundamentally incompatible with RFPA’s prohibition on compelled consent.16 Moreover, the rule cites no lawful authority that allows the Bureau to require any type of action on the part of someone who is neither an inmate, employee, nor visitor at a Bureau facility.17 It is axiomatic that an agency cannot exercise rulemaking authority absent a delegation of power from Congress.18 Here, the Bureau has pointed to no legislative act that either: (1) authorizes the Bureau to regulate the activities of third-parties who do not work or reside in correctional institutions, or (2) empowers the Bureau to override the provisions of the RFPA. The Bureau relies on the need to “use transactional information . . . to detect unlawful activity” as a justification for the proposed rule.19 Although the Bureau is empowered to conduct necessary investigations, this power does not include the ability to exempt itself from the requirements of the RFPA.20 Accordingly, the rule as drafted cannot withstand judicial review. Even if the Bureau can advance a strained reading of the RFPA in support of the rule, such interpretation would not be entitled to any judicial deference because Congress has not delegated 14 12 U.S.C. § 3402(1). Richard Fischer, Law of Financial Privacy (2005) ¶ 2.04[a]. 16 See Dixon v. U.S., 381 U.S. 68, 74 (The government’s power “to prescribe rules and regulations . . . is not the power to make law . . . but the power to adopt regulations to carry into effect the will of Congress as expressed by the statute. A regulation which does not do this, but operates to create rule out of harmony with the statute, is a mere nullity.” (quoting Manhattan Gen. Equip. Co. v. CIR, 297 U.S. 129, 134 (1936) (internal quotation marks omitted; second omission by Dixon court)). 17 To the extent that the Bureau relies on the Housekeeping Act, 5 U.S.C. § 301 (which is cited in the Federal Register notice), the Bureau’s reliance is misplaced. The Housekeeping Act gives an agency the power to regulate internal affairs, but cannot be used as the basis to enact “substantive rules.” U.S. ex rel. O’Keefe v. McDonnell Douglas Corp., 132 F.3d 1252, 1254-1255 (8th Cir. 1998); see also Schism v. U.S., 316 F.3d 1259, 1285 (D.C. Cir. 2002) (en banc) (“Simply put, an agency cannot do by regulation what the applicable statute itself does not authorize.”). 18 E.g., Bowen v. Georgetown Univ. Hosp., 488 U.S. 404, 471 (1988). 19 80 Fed. Reg. at 38659. 20 Cf. ExxonMobil Gas Marketing Co. v. Fed. Energy Regulatory Comm’n, 297 F.3d 1071, 1088 (D.C. Cir. 2002) (“We emphatically agree that need for regulation cannot along create authority to regulate. Rather it is statutory authorization alone that gives FERC the authority to regulate, and in the absence of such authority, FERC’s action is plainly contrary to law and cannot stand.” (citations and internal quotation marks omitted, emphasis in original)). 15 September 1, 2015 Page 4 of 7 rulemaking authority under the RFPA to any agency, much less the Bureau.21 Moreover, Congress has directly spoken to the precise question at issue (by prohibiting compelled authorization), and the Bureau’s proposed rule is not based on a plausible interpretation of the RFPA. III. Even if Bureau Could Compel People to Authorize Disclosure, the Proposed Rule Lacks Numerous Mandatory Procedural Safeguards Even if the proposed rule could survive review under the RFPA’s ban on blanket consent to disclosure (which it cannot), it is flawed because of its failure to adhere to the procedural safeguards contained in section 3404 of title 12, United States Code, concerning customer authorizations. A. Written Authorization of Disclosure Most troublesome is the proposed rule’s lack of precision concerning how exactly authorization would be provided. In particular, the language of the proposed rule states that “[p]ersons sending or depositing . . . funds to an inmate’s commissary account . . . consent to the collection, review, use, disclosure, and retention, of all related transactional data.”22 This language is fatally vague about how the account-holder actually provides consent. Under the RFPA, consent for disclosure must be provided in a written statement, signed and dated by the account holder.23 Yet the proposed rule does not explain how such written consent will be obtained and whether it will be in a particular form prescribed by the Bureau. Indeed, the proposed rule could be read as using a system of implied consent, wherein any time a person sends money to a commissary account, they are deemed to have provided consent for purposes of the RFPA. This cannot be the case, however, because—consistent with the plain text of the RFPA—courts have held that customer consent to disclosure cannot be implied.24 To the extent that the Bureau anticipates obtaining express written consent from customers, the rule leaves a host of important questions unanswered. For example, the RFPA states that customer consent is valid if the customer “furnishes to the financial institution and to the Government [a written authorization].”25 Thus, in a case where a customer purchases a money order at her bank and sends it to the Bureau for deposit in a commissary account, who is responsible for obtaining the customer’s written authorization? When will the customer be asked to sign an authorization form? How will that authorization be transmitted to the bank and the Bureau? The proposed rule does not even acknowledge, let alone answer, any of these questions. 21 See King v. Burwell, 135 S.Ct. 2480, 2488-2489 (2015) (refusing to apply deference to tax regulations interpreting the Affordable Care Act in the absence of express Congressional grant of authority to IRS). 22 Inmate Commissary Accounts, 80 Fed. Reg. 38658, 38660 (to be codified at 28 C.F.R. § 506.3). 23 12 U.S.C. § 3404(a). 24 Duncan, 813 F.2d at 1339 (“[T]he district court was in error in concluding that [plaintiff] impliedly authorized disclosure of his records. . . . The [RFPA] does allow the government to obtain records with the customer’s consent, but only by a ‘signed and dated statement’ that recites the nature of the records, the purposes of disclosure, the customer’s rights and other information.”) 25 12 U.S.C. § 3404(a). September 1, 2015 Page 5 of 7 B. Additional Procedural Safeguards In addition to the basic problems discussed above, the Bureau has failed to address numerous other safeguards required under the RFPA. In its proposed rule, the Bureau attempts to vitiate all privacy protections and gut the procedural requirements of the RFPA by regulatory fiat. Because the proposed rule does not provide for the mandatory safeguards outlined in section 3404, the Bureau cannot issue the rule as currently drafted. In particular, the proposed rule leaves at least five critical questions unanswered, as discussed in more detail below. 1. Duration of Authorization Under the RFPA, a customer’s authorization to disclose financial information must be limited to a duration of three months or less.26 The proposed rule fails to specify how long a customer’s purported authorization will last. Assuming for purposes of argument that BOP seeks the maximum allowable duration of three months, then additional questions arise, because the proposed rule clearly envisions a perpetual system of disclosure. Thus, it is unclear whether the Bureau will seek new authorizations from each depositor as existing authorizations expire. Or, will the Bureau require a new authorization each time a person deposits money to a commissary account? Or does the Bureau have some alternate theory? 2. Right of Revocation When an account holder authorizes disclosure of his financial information, the RFPA requires that he be informed of the right to “revoke such authorization at any time before the financial records are disclosed.”27 First, the proposed rule makes no provision for informing the customer as required under the RFPA. More to the point, however, even if a customer is informed, the proposed rule does not address the mechanics of revocation. To whom should a revocation be submitted? Need a revocation be in writing? If so, need it be in any particular form? May a revocation be submitted simultaneously with the initial authorization? Indeed, given the general tenor of the proposed rule, it is unclear whether the Bureau would even honor a revocation of consent. As part of this rulemaking the Bureau should expressly confirm that it will comply with the revocation provisions of the RFPA. 3. Identification of Financial Records A customer authorization for disclosure must “identif[y] the financial records which are authorized to be disclosed.”28 The proposed rule seeks to compel authorization for the release of “all related transactional data,”29 but does not define or describe what such data entails. 26 12 U.S.C. § 3404(a)(1). 12 U.S.C. § 3404(a)(2). 28 12 U.S.C. § 3404(a)(3). 29 Inmate Commissary Accounts, 80 Fed. Reg. 38658, 38660 (to be codified at 28 C.F.R. § 506.3). 27 September 1, 2015 Page 6 of 7 4. Purpose of Disclosure RFPA requires that a customer providing an authorization for disclosure be informed of “the purposes for which . . . such records may be disclosed.”30 Although the Bureau’s notice of rulemaking makes generalized references to detecting unlawful activity, there is no indication that customers will receive an individualized, statutorily adequate description of the purpose for which their financial information is being disclosed. 5. Notification of Statutory Rights Under the RFPA, any written authorization for disclosure must “state the customer’s rights under [the RFPA].”31 A customer’s rights include the protections mentioned above, as well as the right to obtain a record of all disclosures made by the financial institution.32 The proposed rule does not provide for a disclosure of these rights. IV. Petition for Rulemaking The Bureau seeks to codify the proposed rule as a component of part 506, title 28, Code of Federal Regulations. Part 506 is entitled “Inmate Commissary Account,” and governs a system by which “the Bureau [can] maintain inmates’ monies while they are incarcerated.”33 The Bureau’s administration of commissary accounts is of particular interest to the undersigned organizations, because of the myriad consumer-protection issues that have arisen in recent years concerning financial services in correctional institutions.34 Given the numerous issues which are in need of attention, it is important that the Bureau develop a comprehensive system of consumer protections applicable to users of the commissary system. Accordingly, pursuant 5 U.S.C. § 553(e), the undersigned organizations hereby petition the Bureau to issue rules concerning the operation of commissary accounts, including, at a minimum, rules addressing the following topics: Applicability of Regulation E. Concurrent with the growing use of electronic transactions, the Bureau appears to be placing greater emphasis on electronic payments in the context of commissary accounts. Part 1005, title 12, Code of Federal Regulations (“Regulation E”) contains a comprehensive system of consumer protections issued under the Electronic Fund Transfer Act.35 The Bureau must acknowledge that Regulation E applies to electronic transfers to and from commissary accounts, and provide guidance on how consumers may invoke the protections of Regulation E. Release payments. When a person leaves the custody of the Bureau with a positive balance in his or her commissary account, the Bureau disburses such funds to the person upon his or her release. The Bureau should issue rules concerning how such payments are made to ensure that the returned balances are accessible in full. 30 12 U.S.C. § 3404(a)(3). 12 U.S.C. § 3404(a)(5). 32 12 U.S.C. § 3404(c). 33 28 C.F.R. § 506.1. 34 See generally, Letter from Stephen Raher, Prison Policy Initiative, to Richard Cordray, Consumer Financial Protection Bureau (Mar. 18, 2015), available at http://static.prisonpolicy.org/releasecards/CFPB-comment.pdf. 35 15 U.S.C. § 1693, et seq. 31 September 1, 2015 Page 7 of 7 V. Fees. The Bureau should publish a readily-accessible schedule of all fees applicable to commissary accounts (including release payments), and should ensure that all such fees are just and reasonable. Kickbacks. The Bureau should provide by rule that it will not accept payment of money or other value from any contractor who is selected to provide financial services. In the absence of such a policy, the Bureau at a minimum should provide clear disclosure to all consumers (both commissary account holders, and non-incarcerated people who send money to commissary accounts) of any such payments that the Bureau receives in connection with contracts related to commissary accounts. Unclaimed property. The Bureau should ensure that all funds held for the benefit of people who are in the custody of the Bureau—regardless of whether such funds are held directly by the Bureau or by a contractor—are subject to the unclaimed property provisions of 31 U.S.C. § 1322. Conclusion Congress enacted the RFPA to provide customers of financial institutions with protections against government intrusion into their financial privacy. Although the statute does allow customers to voluntarily disclose their financial information to the government, it is carefully drafted to ensure that such consent is narrowly-tailored and not coerced. The Bureau’s proposed rule runs roughshod over these statutory protections and should not be adopted in its present form. Moreover, in the rapidly-changing world of prison-based financial services, there are numerous consumer protection problems that are in acute need of attention. It is, therefore, disappointing that the Bureau has chosen to focus its efforts on eroding privacy protections instead of proposing regulatory changes that would benefit incarcerated people and their families by curbing financially abusive practices. The undersigned organizations are committed to addressing these important issues, and look forward to the Bureau’s response to the petition contained herein. Sincerely, Dēmos Human Rights Defense Center National Consumer Law Center (on behalf of its low income clients) Prison Policy Initiative