OCC Reminds Banks of Obligations to Protect Customer Financial Records

The Office of the Comptroller of the Currency ("OCC") reminded banks of their statutory duties to safeguard customer financial records and to ensure appropriate use of Suspicious Activity Reports ("SARs").

In the Bulletin, the OCC cited findings from a congressional investigation and a recent Executive Order, which raised concerns about financial institutions sharing customer data with government agencies in ways that may have been politically motivated. The OCC reiterated that under the Right to Financial Privacy Act ("RFPA"), banks may not release financial records to government authorities unless proper legal process is followed, such as a subpoena, warrant, or customer authorization.

The OCC highlighted that banks must file SARs within 30 calendar days of initially detecting facts that may form the basis for a reportable suspicious activity. The OCC stated that while voluntary SARs are permitted, they should not be used as a pretext to evade RFPA restrictions. The OCC stated that voluntary filings should only occur when banks identify concrete suspicious activity, even if it does not meet mandatory reporting thresholds.

The OCC directed banks to review the Executive Order and adjust policies and procedures as needed to ensure that customer financial records are protected.