Good intentions will always be pleaded for every assumption of authority. It is hardly too strong to say that the Constitution was made to guard the people against the dangers of good intentions. There are men in all ages who mean to govern well, but they mean to govern. They promise to be good masters, but they mean to be masters.
– Daniel Webster
On October 26, 2001, President George W. Bush signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act. Most people know it as the PATRIOT Act.
The law was aimed at countering the tragic terrorist attack on American soil, September 11, 2001. It was supposed to be our safeguard against terrorists – a collaborative approach to law enforcement that sought to bolster the ability of police, security, and spy agencies to share information, with the ultimate goal of protecting Americans. In Bush’s own words, it was meant to “enhance the penalties that will fall on terrorists or anyone who helps them.”1
Civil rights and privacy advocates hated it, fearing that the surveillance powers contained within its pages would lead to government infringements and intrusions that would never be turned back. Open government groups, too, criticized its passage.
Within the scope of a single month, the bill was introduced, sent through both sides of Congress, and signed by the president into law, a record-setting legislative success that left little time for members to discuss – never mind read – or debate its provisions. As Democrat Rep. Bobby Scott said upon receiving the bill in the House: “No one has really had an opportunity to look at the bill to see what is in it.” Regardless, the bill made it to the full House floor for vote on October 23 – the same day it was introduced – passed with a vote of 357–66 on October 24, and was sent over to the Senate for quick consideration. On October 26 the bill was passed through the Senate and sent to the president’s desk for signing.2
That’s fast – especially when you consider that on average only 10 percent of bills introduced into Congress are actually passed into law.3 Most are weighted down by political bartering, lost or hidden in the committee process, bypassed or ignored, ultimately abandoned, or placed on congressional calendars for subsequent sessions. Not so with the PATRIOT Act.
America was under siege, and the political call was for action. So now we’ve got the PATRIOT Act, with all its various morphings, add-ons, reauthorizations, and reforms. It’s a tremendous law with far-reaching impacts on average Americans, most of whom aren’t even aware of just how deep the government can now dig into once-private affairs. Take banking, for instance.
As far back as September 2003, banks were alerting customers of the prying tendencies of the PATRIOT Act. Industry analysts warned people who wanted to open new accounts to be on guard for in-depth questions, deeper background checks, and more hoops to jump through. Banks now are required to collect even more information on account holders and account applicants, verifying identifies and cross-checking names with terrorist databases.
The information verification goes beyond what would be considered basic business practice. In addition to requesting name, date of birth, address, and social security or taxpayer identification number, banks now might also ask for employer information and the nature of the customer’s line of business, the names and locations of the customer’s financial accounts, all the sources of the customer’s income, the customer’s total wealth accumulation, and the customer’s financial goals.4 Moreover, it’s not just banks, but all financial institutions – including credit agencies and broker dealers – that are subjected to the new information collection standards.
The reason for such questions? To get to know the customer better.
The PATRIOT Act doesn’t spell out for banks what questions they must ask their customers in order to remain in good standing with the federal government. But what the act does do is put the responsibility for knowing customers in the hands of the banks, and then gives the financial institutions wide latitude in determining how they might meet that goal. And if they don’t meet that goal to the satisfaction of the federal government?
Fines and punishments can result.
Congressional testimony in November 2004 by Herbert Biern, then a senior-level member of the Federal Reserve Board, said the PATRIOT Act gave the federal government tremendous oversight of banks and was “arguably the single most significant anti-money-laundering law” that Congress had approved since the 1970 Currency and Foreign Transactions Reporting Act, better known as the Bank Secrecy Act (BSA).5 That’s a startling statement, especially when one considers all the powers the federal government has at its disposal to control the financial sector. The BSA forces banks and other financial institutions to track and report both domestic and international transactions in excess of $10,000 to assist the government with criminal and tax investigations and prosecutions.
But there’s also the Money Laundering Control Act of 1986, which gave prosecutors the ability to go after financial institutions that knowingly circumvented the BSA and charge them with a criminal act. A few years later, Congress brought the Treasury Department into the action with the 1992 Annunzio-Wylie Anti-Money Laundering Act and the 1994 Money Laundering Suppression Act. Both gave the Treasury Department a stronger role in investigating and helping prosecute financial crimes, as well as in strengthening some of the punishments for banks that violate the BSA.6
Then came the PATRIOT Act, which expanded on all those previous laws.
In the first couple of years after it passed into law, the new statute:
• expanded the AML compliance program requirements to all financial institutions, including broker-dealers and casinos;
• increased the civil and criminal penalties for money laundering;
• facilitated access to records and required banks to respond to requests for information within 120 hours;
• required regulatory agencies to evaluate an institution’s AML record when considering bank mergers, acquisitions, and other applications for business combinations; and
• provided the secretary of the Treasury with the authority to impose “Special Measures” on jurisdictions, institutions, or transactions that are of “primary money-laundering concern.”7
Treasury has since designated many of its oversight powers to a unit within its agency, FinCEN.8 The bureau of FinCEN, in turn, has farmed out some of its regulatory authority to other federal agencies – including the various factions of the Federal Reserve – and in so doing, tangled the web of bureaucracy even further.
That’s just a brief background glimpse at how deep the federal government has plunged into the financial sector. But even that quick glance serves to shatter any notion of an individual’s finances remaining private.
Why care?
Remember the days when banks would entice customers with free toasters or appliances for opening accounts? The PATRIOT Act’s amendment to the BSA now means banks must instead play Big Brother, and generate what’s called a Customer Identification Program (CIP) that lays out account-opening procedures and tells employees what information to collect from each and every potential client – including a list of all the personal information that must be gathered and stored.9 The CIP is so banks can show federal authorities that, yes indeed, they’ve established a personal relationship with each customer, and they’ve done due diligence to make sure none of their clients are criminals – or worse, terrorists.
But is it sound security policy or regulatory overkill? The Bank Secrecy Act already required banks to report suspicious activity to the federal government by filing the aptly named Suspicious Activity Report, or SAR. The PATRIOT Act ratchets up the motivation for banks to perform thorough customer checks.
As Biern testified, “Today, it is abundantly clear that banking organizations face legal, reputational and operational risks when they do not perform appropriate due diligence and safeguard their institutions with adequate internal controls to mitigate risks.”10
Banks now establish profiles of customers to determine their normal level of banking activity and then monitor them to assess if there is ever deviation. That’s called Customer Due Diligence, or CDD, and if you’ve ever been asked for some highly sensitive information while applying for a new account or conducting a financial transaction – information that maybe struck you as a bit random or overly intrusive – now you know why.11 The financial institution was just doing its CDD on you – and you don’t even get a free toaster in return.
Banking institutions are under so much pressure to comply with the demands of the PATRIOT Act and all its regulatory expansions that they’re even trying to review transactions that are conducted by other banks, mainly in the international market. The line of logic is this: know and vet even those institutions that may one day do business with your own customers. That’s a tall order for most banks. Just where in the eye of the federal government does an individual bank’s responsibility for a customer’s actions end?
But maybe the bigger question: how much are all these mandates going to cost?
One anti-money-laundering expert estimated in 2003 – before the regulations were tightened even further – that the costs for banks to comply with the PATRIOT Act would hit around $200 million each year. The banks, of course, would pass these costs on to the customer in the form of higher fees. It was predicted the average charge per customer would rise nearly 300 percent, from about $7.50 a year to $22 a year.12
Fast-forward a few years and the costs have only grown.
In 2011, banks were still wrestling with the costs of compliance with the PATRIOT Act. In a survey conducted by financial services giant Deloitte, nearly half of the more than thirteen hundred respondents to the web-based poll “Global Fraud and Corruption: A Decade of Change” cited the costs of complying with PATRIOT Act-related regulations as their greatest concern.13 That concern, coupled with the sluggish economy that hit lenders hard, has led most small- to mid-size financial institutions to grapple with the unsavory choice of cutting corners on compliance to keep afloat or abide by all the mandates and hope the bank won’t be forced to sell to one of the giant banks.
Choosing the former, and bypassing federal mandates, carries significant risks.
When the PATRIOT Act first went into effect, the Federal Reserve was somewhat slow to take enforcement action. For instance, between 2001 and 2004, the Federal Reserve issued only about two dozen public enforcement citations of varying degrees – from imposing civil penalties to issuing cease-and-desist orders – on small and large institutions that were deemed to have violated money-laundering and bank secrecy laws.14 But the agency has stepped up its enforcement and, in recent years, shown a more aggressive side.
Between January and August 2013, the Federal Reserve issued about forty of these violation orders, almost twice the amount it sent in the entire first three years of the PATRIOT Act’s passage.15
This isn’t really to say banks deserve pity. Institutions that engage in criminal activity or aid with the spread of terrorism should be prosecuted to the fullest extent of the law. But the way the federal government uses banks to create profiles on every American with a bank account smacks of police state policy. The government invades the privacy of these Americans by demanding banks ask for and collect personal information. Yet the government doesn’t specify what the banks must ask. When people get upset for the intrusion, they blame the banks, not the government, which hovers in the background all the while, wielding the power to impose punishments for banks that don’t meet standards that aren’t even clearly spelled out. If you’re applying for a credit card and the questions get a bit too personal, whom are you going to blame? The PATRIOT Act? That’s doubtful. More likely, you’ll blame the financial institution. And that’s how the federal government avoids massive consumer criticisms in this regard. It shields its regulatory actions behind the banks, so most consumers see the financial sector, rather than the government, as the enemy. Talk about a win-win for the federal government.
That’s not the only fallout from the PATRIOT Act, however.
Thanks to the PATRIOT Act, the Central Intelligence Agency can now deviate from its founding mission of rooting out international espionage and turn its spying eyes on American citizens. Of course, the CIA already had a history of putting Americans under surveillance – but doing so was illegal and scandalous. Agents involved in Operation CHAOS, for example, tracked and collected information on Vietnam War dissenters and student activists between 1967 and 1973. The Rockefeller Commission exposed the program, ruling it an egregious violation of the CIA’s charter.16
While that probably didn’t stop the CIA’s information-collection game, now the agency is legally able to grab everything from a citizen’s telephone conversations and Internet activity to school records and financial transactions. Moreover, it can share the information with other law enforcement agencies. It’s a quid pro quo. Other law enforcement agencies previously banned by law from sharing information on Americans with the CIA can now send it right along to the agency. Thanks to the PATRIOT Act, the gathered information can also be given to the National Security Agency, the Secret Service, the Department of Defense, and the Immigration and Naturalization Service – no court order needed.17
When the PATRIOT Act first passed in 2001, the American Civil Liberties Union warned of its section 203, saying it would serve as a means for law enforcement agencies to give the CIA information related to foreign intelligence or counterintelligence that’s released during grand jury proceedings. And why should you care? As the ACLU warned, the definition of “foreign intelligence information” was pretty broad. As written, the CIA could ostensibly collect information on American citizens that had little to do with counterintelligence or with protecting the nation from a terrorist attack.18
Years later, much of that section still stands. Even though the ACLU has been joined by others voicing similar concerns, the controversial section 203 has withstood several sunsets and lived past previously set automatic expiration dates.
Another hotly contested section of the PATRIOT Act – section 215 – has also withstood the effects of time. Section 215 guides how the federal government can access records and information through the Foreign Intelligence Surveillance Act (FISA) of 1978. The FISA set up a special court that was supposed to hear requests from the government to conduct electronic surveillance operations. Under the act, the chief justice of the United States Supreme Court holds the power to name seven judges from the nation’s seven federal judicial court circuits to serve on the special court and field the requests from government. Originally FISA allowed only an agency – say, the FBI – the ability to petition the court for business records related to hotels, motels, and vehicle rentals. Section 215 of the PATRIOT Act expanded the authority of government agencies to obtain records from nearly all types of businesses. Further, the section gave the FBI the ability to obtain more than records. Under section 215, law enforcement agents could also acquire “any tangible thing” related to the investigation, including books, papers, and documents.19
That’s pretty broad. But that’s not all.
Section 215 also relaxed the requirements on government to show how these record seizures were necessary to its investigation. Previously, FISA mandated that FBI agents show “specific articulable facts” to the judge that would prove the records were related to an investigation about a “foreign power or the agent of a foreign power,” the text of the act states.20 But post–section 215, the government only has to say that the records or documents are necessary to conduct a foreign intelligence investigation, or to protect Americans against terrorism. If the information provided in court meets the broad standards set forth in section 215, the judge must approve the application. The judge doesn’t even have much discretion with the requests.21
That’s how you get to a scenario like the private telecommunications company Verizon being forced to give up telephone records of millions of American citizens. It’s all in the name of national security. Moreover, under the PATRIOT Act and section 215, even third-party record holders, like libraries, churches, medical providers, and video rental establishments, can be compelled to divulge private information on individual Americans.22
The PATRIOT Act was reauthorized in 2005, and in that version section 215 required that requesters of information provide a list of “tangible things” to the FISA court that are relevant to an ongoing investigation – such as what a grand jury would allow. The reauthorization also put Congress in charge of overseeing FISA and tasked the Department of Justice with auditing and rating the effectiveness of section 215. But to opponents, that wasn’t good enough. Many claimed the definition of tangible things was overly broad and would pretty much grant any government agency going through FISA whatever information was desired. Moreover, the requests could be made in complete secret.
The privacy protection group Electronic Frontier Foundation warned that targets of section 215 surveillance would never know they were under watch because the FISA court affixed gag orders to all its approved applications.23
In 2009, Sen. Russell Feingold, a Democrat from Wisconsin, criticized section 215 as an overly secretive spy program that should be explained in greater detail to the American people. In 2011, Sen. Mark Udall, a Democrat from Colorado, said the government was wrongfully collecting information from individuals who were not even connected to terrorism or espionage investigations.24
But in 2011, President Obama signed an extension to keep section 215, in its 2005 form, intact until June 1, 2015. And Senator Wyden, once again, expressed dismay. In an August 2013 letter, he called the FISA court the “most one-sided court in the nation” and said the need for section 215 reform or outright repeal was immediate.25
The section 215 fight is pitting Democrat against Democrat, legislative branch against executive branch. But for the average American, the underlying concerns with section 215 are pretty simple: Does the federal government have the right to demand via a secret court petition that a local library release an individual’s book borrowing records? Or that a privately held company release personal information on an unaware customer – an American citizen who may not even be part of an official criminal or terrorist investigation?
One of the leading authors of the PATRIOT Act, Rep. Jim Sensenbrenner, Republican from Wisconsin, apparently didn’t think so.
In a letter to US attorney general Eric Holder dated June 6, 2013, Representative Sensenbrenner expressed concern about “what appears to be an overbroad interpretation of the Act” and suggested the FBI went above and beyond the law by citing section 215 to the FISA court to obtain telephone records on millions of Verizon clients. From his letter: “I do not believe [this]... is consistent with the requirements of the Patriot Act. How could the phone records of so many innocent Americans be relevant to an unauthorized investigation?”26
Good question. And one that rocked the nation.
Which brings us to PRISM, and the whole National Security Agency debacle.