Financial privacy in the United States has been in disrepair for more than 50 years, and it’s getting worse. Not only are decades-old beliefs (e.g., the third-party doctrine) highly questionable, but they are also particularly dangerous in the digital age. Efforts, both new and old, to surveil and collect data on Americans’ financial activity show that now is the time for Congress to craft a better framework for financial privacy. But Congress may not need to look far for ideas on how to protect Americans’ financial privacy.

The Right to Financial Privacy Act, originally enacted in 1978 in response to how the Bank Secrecy Act and the third-party doctrine weakened the protections of the Fourth Amendment to the U.S. Constitution, has already set a foundation for some of the protections needed today. However, it is largely due to a long list of exceptions in the Right to Financial Privacy Act that much of the financial surveillance over the past 50 years has been permitted to expand—hidden away from the public eye.

Part of the challenge is that the “right to financial privacy goes to the heart of the tension between an individual’s right to conduct [his or her] business without governmental intrusion and the government’s legitimate need for information in law enforcement.”¹ But striking this balance is not an insurmountable task. While critics point to curbing criminal activity to justify invading the public’s financial privacy,² there should be stronger protections so long as the U.S. justice system maintains that the public is innocent until proven guilty. Neither fishing expeditions nor thread pulling that may lead to investigations should be considered a sound justification when financial information can reveal a person’s relationships, profession, religion, political leanings, locations, and more.³ A revised legal and regulatory regime for the financial sector must protect citizens against warrantless searches and seizures—a protection guaranteed by the Fourth Amendment.

To restore Americans’ financial privacy, Congress should amend the Right to Financial Privacy Act to remove the exceptions to its protections. Removing the exceptions will not bar law enforcement and other government agencies from obtaining access to financial information. Instead, it will merely require that government agencies acquire a warrant or subpoena through the judicial process and notify Americans when they seek their records.⁴ During the past few years, Americans have seen time and time again how financial privacy can be violated by unchecked government authorities.⁵ Now is the time for Congress to establish the protections that should have remained in place since the beginning—especially amid the digital age.

The Bank Secrecy Act was signed into law by President Richard Nixon on October 26, 1970.⁶ At the time, the Bank Secrecy Act—a response to concerns over the use of secret foreign bank accounts⁷—made two major changes to the U.S. financial system: (1) requiring that U.S. financial institutions maintain records “where such records have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings” and (2) requiring that U.S. financial institutions report certain financial transactions to the U.S. Department of the Treasury (Treasury).⁸ In other words, the Bank Secrecy Act deputized American financial institutions as de facto law enforcement investigators. And although this initial form of the Bank Secrecy Act was only a fraction of what can be seen today, it did not take long for people to recognize how the law conflicted with the Fourth Amendment to the U.S. Constitution, considering it forced financial institutions to report information that the government would otherwise need a warrant to obtain.

By 1972, a group including the American Civil Liberties Union (ACLU), California Bankers Association, and Security National Bank applied for a temporary restraining order in the U.S. District Court for the Northern District of California in an effort to stop the enforcement of the Bank Secrecy Act.⁹ The group principally argued that the Bank Secrecy Act violated the Fourth Amendment’s protection from unreasonable search and seizure as well as the protections in the First and Fifth Amendments. In response, the district court issued a temporary restraining order to halt the Bank Secrecy Act’s enforcement while the complaint could be reviewed.¹⁰ However, the order was lifted after the district court held that most of the Bank Secrecy Act was constitutional. Yet efforts to stop the Bank Secrecy Act did not stop there.

In 1973, Rep. Fortney Stark (D‑CA) led a separate effort in Congress to enact legislation—a first draft of what would later be enacted as the Right to Financial Privacy Act—seeking to better protect financial privacy.¹¹ Representative Stark argued that the Bank Secrecy Act undermined the long‐​held tradition of confidentiality between banks and customers,¹² and therefore, his bill was designed in part to protect and preserve that expectation of confidentiality.¹³

In 1974, Congress made a step forward with the passage of a separate piece of legislation, titled the Privacy Act.¹⁴ The Privacy Act established requirements for government agencies in disclosing, handling, accessing, and maintaining information. Moreover, should a federal agency fail to adhere to these standards, the Privacy Act gave American citizens grounds to sue the agency. Nonetheless, the Privacy Act included many exceptions, resulting in privacy protections that do not apply consistently with law enforcement or even at all under circumstances deemed “routine use.”¹⁵

Also in 1974, the question of financial privacy reached the Supreme Court after a series of appeals—from both the plaintiffs and the government—in California Bankers Association v. Schultz. After reviewing the case, the Supreme Court held at the time that the Bank Secrecy Act did not violate the First, Fourth, or Fifth Amendments. In the majority opinion, the Supreme Court held that the Bank Secrecy Act was not an undue burden, considering it applied to “abnormally large transactions,” those of $10,000 or more.¹⁶ For example, at the time, one could purchase two brand-new Corvettes for that price.¹⁷ However, Justices Lewis Powell and Harry Blackmun warned in a concurring opinion, “A significant extension of the regulations’ reporting requirements … would pose substantial and difficult constitutional questions for me.… At some point, governmental intrusion upon these areas would implicate legitimate expectations of privacy.”¹⁸

In 1976, the question of financial privacy was again brought to the Supreme Court in United States v. Miller. When considering a case in which the Treasury Department’s Bureau of Alcohol, Tobacco, and Firearms presented grand jury subpoenas to collect the records of a suspected bootlegger’s financial activity, the Court held that Americans do not have a right to privacy when they share information with a third party (e.g., a bank or other financial institution). The Court wrote, “The depositor takes the risk, in revealing his [or her] affairs to another, that the information will be conveyed by that person to the Government”¹⁹—seemingly positing first that Americans must choose between a bank account and the Fourth Amendment, and second that Americans cannot expect the government to consider the Constitution when presented with information. From this decision (and other similar decisions) came what is now commonly known as the “third-party doctrine.”²⁰ As described by the Electronic Privacy Information Center (EPIC), so long as the “records are developed or maintained during the course of an ordinary business relationship by a person other than the subject of those records, the subject has no expectation of privacy and thus, no constitutional protection.”²¹ With the creation of the third-party doctrine, after years of citizens trying to push back against the Bank Secrecy Act, the Court seemingly made it stronger than ever before.

In 1977, the Privacy Protection Study Commission—a commission created by Congress with the passage of the Privacy Act of 1974—issued a report titled Personal Privacy in an Information Society.²² The commission argued that “as records continue to supplant face-to-face encounters in our society, there has been no compensating tendency to give the individual the kind of control over the collection, use, and disclosure of [his or her] information.”²³ The commission noted that many challenged the Bank Secrecy Act because of the questions it raises regarding not only the confidentiality between customers and financial institutions, but also the “relationship between government and citizens in a free society.”²⁴ The commission also argued that the 1974 Privacy Act “had not resulted in the general benefits of the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect.”²⁵ So while the 1974 Privacy Act may have been a step forward, it did not do enough to protect Americans’ privacy broadly, and it certainly did not protect Americans’ financial privacy.

Although financial privacy took many heavy hits from the Bank Secrecy Act, Congress did establish some early protections. Just two years after the Supreme Court established the third-party doctrine,²⁶ Congress passed the Right to Financial Privacy Act—an act that was “essentially designed to reverse the [Supreme Court’s] decision [in United States v. Miller] in the context of financial records and provide standing for individuals to complain about the improper release of information about them in records maintained by financial institutions.”²⁷ Although well-intentioned, the Right to Financial Privacy Act did not offer the privacy protections its name suggests.

At its core, the Right to Financial Privacy Act established a process for notifying the public when the government requests their financial information and providing the public the opportunity to challenge said requests.²⁸ This process begins with 12 U.S.C. Section 3402, which prohibits government authorities from accessing financial records—a direct response to United States v. Miller and the third-party doctrine. The law then specifies that the government may only access financial records held at a financial institution if authorized by a customer’s agreement, an administrative subpoena or summons, a search warrant, a judicial subpoena, or a formal written request.²⁹ More so, customers must be notified that their records are sought by the government, unless the court agrees there is reason to delay the notice.³⁰ And in the case of a subpoena or formal written statement, customers must also be given at least 10 days to object to the disclosure of their information. The instructions provided in the notice for objecting are as follows:

1. Fill out the accompanying motion paper and sworn statement or write one of your own, stating that you are the customer whose records are being requested by the Government and either giving the reasons you believe that the records are not relevant to the legitimate law enforcement inquiry stated in this notice or any other legal basis for objecting to the release of the records.
2. File the motion and statement by mailing or delivering them to the clerk of any one of the following United States district courts: [to be determined]
3. Serve the Government authority requesting the records by mailing or delivering a copy of your motion and statement to [to be determined]
4. Be prepared to come to court and present your position in further detail.
5. You do not need to have a lawyer, although you may wish to employ one to represent you and protect your rights.³¹

The Right to Financial Privacy Act extends these protections and requirements to information held by depository institutions; money service businesses; money order issuers, sellers, and redeemers; travelers check issuers, sellers, and redeemers; the U.S. postal service; securities and futures industries; futures commission merchants; commodity trading advisers; and casinos and card clubs.

Unfortunately, the Right to Financial Privacy Act has a major weakness: 12 U.S.C. Sections 3413 and 3414, or the list of exceptions. Taken broadly, the exceptions provide particular situations or conditions in which the law does not apply.³² In practice, the exceptions that allow government access to financial records apply to some of the most routine instances of financial data collection. Each exception is broken down into more general terms in Appendix A, but the full list of exceptions as written in the law is as follows:

1. Disclosure of financial records not identified with particular customers;
2. Disclosure to, or examination by, supervisory agency pursuant to exercise of supervisory, regulatory, or monetary functions with respect to financial institutions, holding companies, subsidiaries, institution-affiliated parties, or other persons;
3. Disclosure pursuant to Title 26 [or the Internal Revenue Code];
4. Disclosure pursuant to federal statute [e.g., the Bank Secrecy Act] or rule promulgated thereunder;
5. Disclosure pursuant to federal rules of criminal procedure or comparable rules of other courts;
6. Disclosure pursuant to administrative subpoena issued by administrative law judge;
7. Disclosure pursuant to legitimate law enforcement inquiry respecting name, address, account number, and type of account of particular customers;
8. Disclosure pursuant to lawful proceeding, investigation, etc., directed at financial institution or legal entity or consideration or administration respecting government loans, loan guarantees, etc.;
9. Disclosure pursuant to issuance of subpoena or court order respecting grand jury proceeding;
10. Disclosure pursuant to proceeding, investigation, etc., instituted by Government Accountability Office and directed at a government authority;
11. Disclosure necessary for proper administration of programs of certain government authorities;
12. Crimes against financial institutions by insiders;
13. Disclosure to, or examination by, employees or agents of Board of Governors of Federal Reserve System or Federal Reserve banks;
14. Disclosure to, or examination by, Resolution Trust Corporation or its employees or agents;
15. Disclosure to, or examination by, Federal Housing Finance Agency or Federal Home Loan Banks;
16. Access to information necessary for administration of certain veteran benefits laws;
17. Disclosure pursuant to federal contractor–issued travel charge card;
18. Disclosure to the Bureau of Consumer Financial Protection;
19. Access to financial records for certain intelligence and protective purposes; and
20. Emergency access to financial records.³³

Setting aside the subject of each exception for a moment, the shear scope of the list of exceptions opens the Right to Financial Privacy Act to the risk of being rendered ineffective.³⁴ However, matters are only made worse by the fact that the exceptions themselves provide broad authority to law enforcement and other government agencies that routinely act as the most common collectors of financial information. As noted by the Financial Crimes Enforcement Network (FinCEN),

Other than FinCEN, the other supervisory agencies considered relevant and appropriate for these purposes include the criminal investigative services of the armed forces; the Bureau of Alcohol, Tobacco, and Firearms; the attorney general, district attorney, or state’s attorney at the state or local level; the Drug Enforcement Administration; the Federal Bureau of Investigation; the Internal Revenue Service or tax enforcement agencies at the state level; the Office of Foreign Assets Control; state or local police departments; the U.S. Attorney’s Office; Immigration and Customs Enforcement; the U.S. Postal Inspection Service; and the U.S. Secret Service.³⁶ Thus, given all the exceptions provided to so many government agencies, the Right to Financial Privacy Act does not strengthen Americans’ financial privacy as its authors initially sought (see Table 1).

To understand how the Right to Financial Privacy Act has failed to live up to its name in practice, one need only look at how the past 50 years have been marked by a continued erosion of Americans’ financial privacy. Legislated expansions of financial surveillance, law enforcement investigations and regulatory pressure taking advantage of loopholes, and even often-hidden factors like inflation have intruded on Americans’ financial privacy.

The lack of financial privacy in the United States caught the attention of most Americans when the U.S. government considered surveilling all bank accounts with at least $600 of annual activity.³⁷ The saga began in the spring of 2021 when the Treasury released its annual revenue proposals.³⁸ Nestled on page 88 was a proposal to “introduce comprehensive financial account reporting to improve tax compliance.”³⁹ The plan was to require banks and other financial institutions to “report gross inflows and outflows with a breakdown for physical cash, transactions with a foreign account, and transfers to and from another bank account with the same owner” so long as the account in question had at least a gross flow threshold of $600.⁴⁰

As the proposal gained favor in Congress and attention across the country, many Americans were left asking how such a proposal could be considered constitutional, and some members of Congress quickly responded with legislative proposals to stop what was a violation of the spirit of the Fourth Amendment.⁴¹ For example, Sen. Tim Scott (R‑SC) introduced the Prohibiting IRS Financial Surveillance Act with 49 cosponsors.⁴² Likewise, Rep. Ashley Hinson (R‑IA) introduced the Protecting Financial Privacy Act of 2021 with 65 cosponsors.⁴³ To address these criticisms and defend its position, the Treasury issued a press release, stating that

While true, the Treasury’s statement reveals the dismal state of financial privacy in the United States.⁴⁵ Because the Treasury is right: a great deal of financial surveillance is already taking place. Moreover, it has been steadily expanding for years, long after the Bank Secrecy Act was enacted.

In 1992, for example, the Annunzio-Wylie Anti–Money Laundering Act was one of the first major expansions of the Bank Secrecy Act.⁴⁶ Much like when the Bank Secrecy Act gave the secretary of the Treasury the authority to require currency transaction reports, the Annunzio-Wylie Anti–Money Laundering Act gave the secretary of the Treasury the authority to require financial institutions to “report any suspicious transaction relevant to a possible violation of law or regulation.”⁴⁷ In doing so, the law also barred financial institutions from notifying the public of when a report was filed. To oversee this new reporting regime, the Money Laundering Suppression Act of 1994 authorized the secretary of the Treasury to designate the Financial Crimes Enforcement Network (FinCEN) as the agency supervising suspicious activity reports (SARs).⁴⁸

In 2001, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act was enacted to deter terrorism. Although stopping terrorism is indeed a worthwhile endeavor, the law dramatically reduced financial privacy in the United States in its effort to identify and thwart terrorist financing.⁴⁹ For example, the law introduced “know your customer” requirements to force financial institutions to collect identifying information and run checks on potential customers. The law also expanded the requirements for financial institutions to file SARs—further turning financial institutions into de facto deputy law enforcement investigators.⁵⁰ And as mentioned earlier, although one would be correct to wonder why such news is not more widely reported, both employees from financial institutions and the government are prohibited under the law from notifying customers when a SAR is filed.⁵¹ So instead of protecting the privacy of their depositors, financial institutions are forced to protect the secrecy of government investigations into the financial activity of Americans, whether those investigations have a legitimate criminal predicate or not.⁵²

In 2021, Congress passed the Infrastructure Investment and Jobs Act, which not only established a de facto ban on legal cryptocurrency mining, but also mandated that individuals must report on one another when exchanging cryptocurrency worth $10,000 or more.⁵³ The reports must include the name, address, and taxpayer identification number of the payer, as well as the amount paid, the date, and the nature of the transaction. Failure to report, incorrect information, or missing information may result in a $25,000 fine or five years in prison.⁵⁴

In 2022, the Special Measures to Fight Modern Threats Act was introduced as an amendment to a larger bill to build off of the tools provided by the USA PATRIOT Act to expand the Treasury’s powers and authority by removing the checks and balances designed to protect American citizens.⁵⁵ The House Committee on Financial Services initially described the proposal as streamlining “the process by which special measures may be introduced and modernizes the authorities granted to the Financial Crimes Enforcement Network (FinCEN).”⁵⁶ In practice, said “streamlining” would have been achieved by removing the requirements to notify the public of when the Treasury uses special measures as part of its enforcement. For the Treasury to use its special measures authority, the current law requires a notice of proposed rulemaking as well as a 120‐​day limit on the enforcement. However, as originally written, the bill would eliminate both the requirement to notify the public and the 120‐​day limit on enforcement. As Jerry Brito and Peter Van Valkenburgh first described it in their analysis of the bill, “in other words, it is an attempt … to use the moral panic surrounding criminal usage of cryptocurrencies … to strip our surveillance laws of all public processes.”⁵⁷ Despite still seeking to expand the Treasury’s powers, the bill was later amended and reintroduced several times without the language that would have removed the checks on the Treasury’s power.⁵⁸

Similarly, another bill, the Transparency and Accountability in Service Providers Act, was introduced in 2022 to “expand the scope and authorities of anti–money laundering [procedures].”⁵⁹ To do so, the bill would require so‐​called financial gatekeepers to adopt anti–money laundering procedures to actively monitor for potential criminal activity. The bill calls for the Treasury to require this of any person involved in the exchange of foreign currency, digital currency, or digital assets; managing, advising, or consulting with respect to money or other assets; the provision of cash vault services; the processing of payments; the wiring of money; the direct or indirect filing of any return on behalf of a foreign individual, trust, or fiduciary; the formation, registration, acquisition, or disposition of a corporation, limited liability company, trust, foundation, limited liability partnership, partnership, association, or arrangement; the sourcing, pooling, organization, or management of capital; and the process of acting as a trustee.

With Congress enacting such sweeping powers and attempting to go even further on many occasions, it should be little surprise that Americans have steadily become more wary of the government’s activities.⁶⁰ In 2017, a Reuters and Ipsos poll found that 75 percent of adults—up from 67 percent in 2013—would not voluntarily let investigators monitor their internet activity to combat terrorism.⁶¹ In fact, as Figure 1 shows, Americans are overwhelmingly unwilling to give up their privacy in the name of the war on terror.⁶² Yet it isn’t just the war on terror that the U.S. government has used to justify further encroaching on Americans’ financial privacy.

The wars on drugs, crime, and poverty have been used for decades as a justification to peer into the lives of Americans. Most infamously, Operation Choke Point was an initiative by the Department of Justice to go after so-called controversial businesses (e.g., state-licensed cannabis dispensaries, payday lenders, pawn shops, or gun shops) with the intent of, as one official described it, “choking them off from the very air they need to survive.”⁶³ In other words, as reported in the Wall Street Journal, “rather than just targeting individual firms, the government is now going after the infrastructure that enables companies to withdraw money from people’s bank accounts.”⁶⁴ After already having forced financial institutions to collect information on account holders, Operation Choke Point was the next step forward in terms of the government taking action on information that had otherwise been sitting idle.⁶⁵

But Operation Choke Point was not an anomaly. Just a few years after the full scope of Operation Choke Point was revealed,⁶⁶ Sen. Ron Wyden (D‑OR) helped bring to light that the U.S. Immigration and Customs Enforcement (ICE) had been collecting records on money transfers to or from Mexico greater than $500.⁶⁷ ICE had collected approximately 6 million transaction records between 2019 and 2022—all without a warrant. Instead, ICE issued eight administrative subpoenas, or court orders, instructing Western Union and Maxitransfers Corporation to turn over records for six months at a time.⁶⁸ As Matthew Guariglia, a policy analyst at the Electronic Frontier Foundation, explained, “this is a blatantly illegal exploitation of the government subpoena power—and an all too familiar one that must stop.”⁶⁹

In August 2022, attention shifted to the U.S. Department of Treasury when it declared Tornado Cash—a decentralized software protocol designed to enhance cryptocurrency privacy—a sanctioned entity and thus barred all Americans from using the service after it was found that a North Korean state-sponsored hacking group had used the service.⁷⁰ Much like when the government used Operation Choke Point to target financial infrastructure instead of individual actors, it seems that the Treasury opted to go after an entire software protocol dedicated to improving financial privacy rather than the bad actors that it was after on paper.⁷¹ The blurring of lines was made abundantly clear when U.S. Secretary of State Antony Blinken tweeted (and then deleted) the claim that Tornado Cash was a North Korean state-sponsored hacking group.⁷² It’s certainly possible that Treasury officials similarly did not recognize that Tornado Cash was a decentralized software protocol (i.e., there’s no person in control of it), but there is little excuse to shut down an entire service in pursuit of criminals when there are ample tools to go after the criminals themselves.⁷³

Looking just beyond America’s borders, the public was also confronted with how much financial privacy has deteriorated and how real the risk of financial oppression can be in other free nations when Canadian Prime Minister Justin Trudeau invoked the Emergencies Act for the first time in Canadian history.⁷⁴ In doing so, Trudeau froze the bank accounts of protestors and expanded the reach of existing anti–money laundering laws in Canada to stop the protests over COVID-19 restrictions. Although not in the United States, it’s important to recognize that freezing the accounts of political rivals is a tactic that is usually reserved for authoritarian countries like Russia or China—not the sixth-freest nation in the world, as rated by the Cato Institute’s Human Freedom Index.⁷⁵ Mercatus Center scholar Brian Knight was correct to note that “the events in Canada should serve as a wake-up call [for the United States] and prompt us to change the laws, regulations, and institutions that govern who controls [your financial activity].”⁷⁶ In light of these actions by an otherwise nonautocratic country, and the demonstrable willingness of Congress to expand the weaponization of the financial infrastructure, it’s reasonable to think the United States will do the same if presented with a similar emergency situation. Operation Choke Point, the mass collection of records on money transfers, the sanctioning of Tornado Cash, and similar intrusions by the U.S. government are already proof of how real that risk is.

Were legislated expansions, law enforcement investigations, and regulatory pressures not enough on their own, each year that passes with a positive inflation rate offers another hidden increase in the level of financial surveillance, because the Bank Secrecy Act reporting thresholds were not crafted with an adjustment for inflation. The original reporting threshold for currency transaction reports (CTRs) was $10,000—a relatively large transaction in the 1970s.⁷⁷ If, for example, the threshold had been adjusted for inflation, then CTRs would now be required only for transactions of at least $72,000 (see Figure 2).⁷⁸

The erosion of financial privacy in the wake of ever-expanding financial surveillance is especially important to consider given that Supreme Court Justices Lewis Powell and Harry Blackmun noted in their 1974 support of the Bank Secrecy Act that the $10,000 requirement was high enough to not create an undue burden.⁷⁹ It is unclear if Justices Powell and Blackmun would have believed that the current, inflation-adjusted threshold was low enough to now be unduly burdensome, but their opinion suggests so:

At a 2022 congressional hearing dedicated to the oversight of FinCEN, Reps. Barry Loudermilk (R‑GA), Joyce Beatty (D‑OH), French Hill (R‑AR), Bryan Steil (R‑WI), and Roger Williams (R‑TX) all expressed concern over inflation silently increasing the scope of financial surveillance.⁸¹ In particular, Representative Steil pointed out at the hearing that by increasing the range of financial surveillance, the “haystack” investigators must search has been ever increasing in size—effectively hiding the “needle,” or actual criminal activity, that investigators are looking for.⁸²

Over the years, other members of Congress have tried to rectify the issue with legislative amendments to add inflation adjustments to the reporting required by the Bank Secrecy Act. For example, Rep. Steven Pearce (R‑NM) and Rep. Blaine Luetkemeyer (R‑MO) introduced the Counter Terrorism and Illicit Finance Act in 2018 to increase the reporting thresholds for CTRs, SARs, and money service businesses. In addition, the bill would have also required FinCEN to conduct a formal review of the effectiveness of those reporting thresholds.⁸³ Ultimately, only the requirement for a formal review was passed in the National Defense Authorization Act for Fiscal Year 2021, in Sections 6204 and 6205.⁸⁴ In short, those sections required FinCEN to provide several reports regarding the possibility of raising the reporting thresholds to account for inflation. FinCEN Acting Director Himamauli Das testified before Congress in April 2022 that the reports should be ready by the end of 2022 (as of March 2023, the reports have not been made public).⁸⁵ The decision to increase the reporting thresholds per inflation should be a simple one considering that in 2016 FinCEN judged inflation as having been significant enough to warrant an increase for the monetary penalties that FinCEN charges to the public.⁸⁶

The “invisibility” with which financial surveillance is being expanded should concern all Americans. Howard Anglin, former deputy chief of staff for Canadian prime minister Stephen Harper, pointed out this reality when the Canadian government began to freeze the bank accounts of protestors in 2022, but his words were an eye-opening description of both the limited consideration of inflation and the broader consideration of financial surveillance as a whole:

The relative invisibility of inflation is likely one contributing reason why the American people have not objected widely to the government’s increased financial surveillance. By relying on inflation—instead of the legislative process—to steadily increase the scope of surveillance, the Bank Secrecy Act regime has been allowed to proceed undetected and unquestioned. Employing such actions may be a favorable strategy for an authoritarian leader, but it should not be the strategy of representative governments—especially ones that are considered the freest nations in the world.⁸⁸

At the core of much of the financial surveillance taking place in the United States is the third-party doctrine and a so-called reasonable expectation of privacy. Soon after Congress enacted the Bank Secrecy Act, the Supreme Court held in United States v. Miller that a person cannot reasonably expect privacy when providing information to a third party (e.g., a financial institution). But is it so unreasonable to expect privacy, or confidentiality, with your banker? The Cato Institute surveyed Americans in August 2022 and found that the answer is decidedly no (Figure 3). When asked if it is unreasonable for your bank to share your records and transactions with the federal government, 79 percent of respondents said yes.⁸⁹ Likewise, when asked if the government should need to obtain a warrant to access their financial records, 83 percent of the respondents said yes.

In recent years, the Supreme Court appears to have recognized the need for change. In Kyllo v. United States (2001), the Supreme Court had to weigh the constitutionality of law enforcement using thermal imaging to surveil the inside of a home from afar.⁹⁰ Ultimately, the Court held that the right to be secure in one’s home under the Fourth Amendment was not limited to physical intrusions. In United States v. Jones (2012), the Supreme Court held that attaching and monitoring a tracking device on an individual’s vehicle “constitutes a search or seizure within the meaning of the Fourth Amendment.”⁹¹ In Carpenter v. United States (2018), the Supreme Court likewise held that the government’s acquisition of cellphone tracking data was a search under the Fourth Amendment.⁹² And across all of these cases, there were moments where the Supreme Court turned back to Katz v. United States (1967), in which the Supreme Court had held that the “Fourth Amendment protects people, not places.”⁹³ In Katz, Justice John Marshall Harlan wrote that

Between rolling passwords, security questions, multifactor authentication requirements, and closed-door meetings, one can make the case that most people exhibit an actual expectation of privacy with respect to their financial records. Moreover, as the Cato Institute’s national survey demonstrates, a majority of Americans from across political ideologies do in fact find it reasonable to expect privacy with one’s financial records. These facts suggest that Congress should better protect Americans’ financial privacy.

While financial privacy is in the interest of most Americans, it is not necessarily in the interest of law enforcement, regulators, or other government agencies.⁹⁵ Unsurprisingly, these government agencies have been more interested in expanding their investigations than expanding citizens’ privacy protections. As noted by the Electronic Privacy Information Center, “much of the opposition to the [Right to Financial Privacy Act] has been by federal law enforcement officials who are concerned that the proposed privacy protections would impede federal authorities in their investigation and prosecution of white-collar and organized crime.”⁹⁶ In fact, the North American Securities Administration Association (NASAA) was quick to state its opposition in 1977 as the Right to Financial Privacy Act was gaining momentum:

The NASAA went on to argue that obtaining warrants and subpoenas is sometimes too hard or takes too much time—an argument also made by U.S. attorney for the Southern District of New York Robert Morgenthau in his supportive testimony for the Bank Secrecy Act nearly 10 years earlier in 1967 and an argument made by the Department of Justice in support of expanding the Bank Secrecy Act 45 years later in 2022.⁹⁸ The NASAA also took issue with the Right to Financial Privacy Act’s requirement to seek permission from the account holder, stating that “to provide notice to a target that an agency is investigating certain business activity permits the person to effectively cover up or pull out of the jurisdiction.”⁹⁹

When an act is faced with such a critique, there are three questions worth considering. First, what limit should there be to what the government may seize in pursuit of combatting crime? In one of the more extreme examples, the walls around one’s home are sufficient to provide privacy for any number of possible crimes. Yet the Supreme Court has defended the home even from spying from afar.¹⁰⁰

Second, given that there is some established limit to what the government can seize, what amount of suspected illegal activity must there be to justify crossing that limit? Although some policymakers may be quick to respond that they would eliminate all illegal activity, that policy is simply untenable.¹⁰¹ The Bank Secrecy Act is already an example of this reality. With each expansion of the Bank Secrecy Act, it has become harder for financial institutions to stay in business and harder for consumers to have access to affordable services. It is estimated that complying with the Bank Secrecy Act in 2019 cost the U.S. financial industry $26.4 billion.¹⁰² Yet as it stands, despite the millions of Bank Secrecy Act reports filed each year, there is little to show for its attempts to eliminate illegal activity.¹⁰³ Instead, it is only the American public that is bearing the cost of this financial surveillance policy.

So, with it established that there exists some limit to government surveillance that may legally take place and that this surveillance puts a direct cost on Americans, the third question becomes: how can government agencies get the information they need without intruding on the rights of American citizens? The Fourth Amendment clearly provides the “framework to balance the competing interests of individuals’ financial privacy and the government’s ability to gather evidence to enforce laws.”¹⁰⁴ Yes, requiring that a warrant be obtained by showing probable cause will make it harder for law enforcement and other government agencies. However, the Constitution exists for a reason: it was designed to protect American citizens from unchecked state powers.

To establish a stronger Right to Financial Privacy Act, Congress should remove the exceptions to its protections. Doing so would merely require that law enforcement and other government agencies seek a warrant for Americans’ financial records. Otherwise, offering protections everywhere except where they really matter offers no protections at all. To do so, Congress should strike 12 U.S.C. Section 3413(a)–(r) and 12 U.S.C. Section 3414(a)–(e). Removing these sections will not affect the exceptions provided for customer disclosures, subpoenas, or warrants in 12 U.S.C. Section 3402.

The Right to Financial Privacy Act should also be strengthened with respect to the formal written requests that it allows government authorities to issue when there is no warrant or subpoena authority available. Congress should strike 12 U.S.C. Section 3408(2), as regulations should not be considered an avenue for circumventing the Fourth Amendment protections this law sought to establish. Likewise, Congress should strike 12 U.S.C. Section 3408(4)(A)2, because Americans should not be forced to sue the government to have their rights respected when it has already been judged that the authority for a warrant or subpoena does not exist.

Congress should repeal the Bank Secrecy Act in its entirety. Short of that, it should, at the very least, repeal the sections of the Bank Secrecy Act that require financial institutions to report on their customers.¹⁰⁵ To do so, Congress should amend 12 U.S.C. Sections 3402, 3413, and 3414 as well as 31 U.S.C. Sections 5313–16, 5318(a)(2), 5318A, 5321, 5325, 5326, 5331–32, 5341–42, and 5351–55.

To the extent that reporting requirements may still exist after amending the Right to Financial Privacy Act and the Bank Secrecy Act, Congress should require annual inflation adjustments for all Bank Secrecy Act reporting thresholds. To do so, Congress could use the following language:¹⁰⁶

1. Not later than the end of the 180-day period beginning on the date of the enactment of this Act, and annually thereafter, the Secretary of the Treasury shall revise regulations issued with respect to Section 5313 of Title 31, United States Code, to update each $10,000 threshold in such regulations to [insert inflation-adjusted amount as of the current day].
2. Section 5331 of Title 31, United States Code, is amended by striking “10,000” each place such term appears in heading or text and inserting “[insert inflation-adjusted amount as of the current day].”
3. Not later than the end of the 180-day period beginning on the date of the enactment of this Act, and annually thereafter, each Federal department or agency that issues regulations with respect to reports on suspicious transactions described under Section 5318(g) of Title 31, United States Code, shall update each $5,000 threshold amount in such regulations to [insert inflation-adjusted amount as of the current day] and each $2,000 threshold amount in such regulation to [insert inflation-adjusted amount as of the current day].

Likewise, if such reporting requirements are permitted to continue, Congress should require FinCEN to publicly report the number of SARs and CTRs that effectively curb financial crime. The report should detail how many reports are received, reviewed, and requested by other governmental agencies. In addition, FinCEN should report how many reports resulted in conviction, settlement, or additional charges in investigations unrelated to money laundering. The reports should make a clear distinction between criminal investigations that originated with SARs or CTRs and criminal investigations that merely used existing SARs or CTRs to strengthen existing cases. To do so, Congress could use the following language:¹⁰⁷

Congress should also eliminate 26 U.S.C. Section 6050I because no American should be forced by law to report on the activity of another American—especially when that activity is between only two parties. Yet, 26 U.S.C. Section 6050I requires exactly that when Americans choose to use cash or cryptocurrencies.¹⁰⁸ This section should be repealed in its entirety. Between blockchain forensics and traditional investigations, there already exist plenty of tools available to law enforcement; Americans should not and need not be forced to become informants on one another against their will.¹⁰⁹

Finally, Congress should turn its focus toward the future by enacting protections for two-party, or peer-to-peer, transactions. Holding cryptocurrency in a “self‐​hosted” wallet is merely the digital equivalent of holding physical cash in a traditional wallet. It gives the owner complete control over what’s held inside it and, to the extent that they want to do so, the ability to maintain their privacy. Congress should not let financial surveillance further encroach on Americans’ privacy by being expanded to cover self-hosted wallets and peer-to-peer exchanges. To do so, Congress could use the following language:¹¹⁰

In a concurring opinion in United States v. Jones, Justice Sonia Sotomayor wrote,

Considering how much has changed since the Bank Secrecy Act, United States v. Miller, and the Right to Financial Privacy Act took effect in the 1970s, Justice Sotomayor is right: it is time to reconsider the third-party doctrine, the reasonable expectation of privacy, and financial privacy. “Having technology” in the 1970s meant having a television and an electric typewriter. Less than 20 percent of families had a credit card issued by a bank.¹¹² Today, technology is an integral part of modern life: Americans use credit or debit cards for nearly all purchases, acquire loans directly on their phones, and leave a digital trail nearly everywhere they go. So, while such financial records may have offered only limited insights into one’s life in the 1970s, these financial records now offer a full, detailed representation of one’s life.

Such unrivaled access to the lives of all Americans makes it evident that now, more than ever, it is time to rethink how financial privacy is treated in the United States. There will still be much to do in the long run, but the recommendations proposed here could help to significantly restore the financial privacy protections that have been eroded over the past 50 years.

To better understand the exceptions provided in the Right to Financial Privacy Act, this appendix breaks down and explains each of the 20 exceptions.¹¹³

Disclosure of financial records not identified with particular customers. The Right to Financial Privacy Act does not apply to financial records if the records do not identify particular customers. Examples could include benefit packages for employees, budgeting outlays, and similar high-level records that might be maintained by a financial institution.

Disclosure to, or examination by, supervisory agency pursuant to exercise of supervisory, regulatory, or monetary functions with respect to financial institutions, holding companies, subsidiaries, institution-affiliated parties, or other persons. The Right to Financial Privacy Act does not apply to financial records shared with any regulatory agency that has oversight over the institution in question. Examples could include records requested by the Federal Deposit Insurance Corporation or Federal Reserve during an audit.

Disclosure pursuant to Title 26 [or the Internal Revenue Code]. The Right to Financial Privacy Act does not apply to financial records shared in accordance with the Internal Revenue Code or tax system. Examples could include credit card statements, check records, invoices, and receipts.

Disclosure pursuant to federal statute [e.g., the Bank Secrecy Act] or rule promulgated thereunder. The Right to Financial Privacy Act does not apply to financial records sought in connection with federal statutes. For example, this exception means there are no protections regarding suspicious activity reports or currency transaction reports.

Disclosure pursuant to federal rules of criminal procedure or comparable rules of other courts. The Right to Financial Privacy Act does not apply to financial records sought under the rules and procedures that govern civil and criminal cases in the U.S. court system. Examples could include records sought during an ongoing court case.

Disclosure pursuant to administrative subpoena issued by administrative law judge. The Right to Financial Privacy Act does not apply to financial records if an administrative law judge issues a subpoena. Examples could include relevant papers, books, electronically stored information, or documents.

Disclosure pursuant to legitimate law enforcement inquiry respecting name, address, account number, and type of account of particular customers. The Right to Financial Privacy Act does not apply when law enforcement officials have a “legitimate inquiry” for only the name, address, account number, and account type of a particular customer.

Disclosure pursuant to lawful proceeding, investigation, etc., directed at financial institution or legal entity, or consideration or administration respecting government loans, loan guarantees, etc. The Right to Financial Privacy Act does not apply to financial records in connection to a government loan program on the condition that they are only used for their initial purpose with the government loan program. However, if a civil, criminal, or regulatory violation is suspected, the official overseeing the government loan program can instruct the relevant agency to independently seek out the records.

Disclosure pursuant to issuance of subpoena or court order respecting grand jury proceeding. The Right to Financial Privacy Act does not apply to financial records sought by a grand jury subpoena. Examples could include relevant papers, books, electronically stored information, or documents.

Disclosure pursuant to proceeding investigation, etc., instituted by Government Accountability Office and directed at a government authority. The Right to Financial Privacy Act does not apply to financial records requested by the Government Accountability Office as part of an ongoing proceeding, investigation, examination, or audit of another government authority.

Disclosure necessary for proper administration of programs of certain government authorities. The Right to Financial Privacy Act does not apply to financial records required to carry out the Social Security or Railroad Retirement Acts. Examples could include credit card statements, check records, invoices, and receipts.

Crimes against financial institutions by insiders. The Right to Financial Privacy Act does not apply to financial records concerning the possible commission of a crime by an executive, employee, or customer of a financial institution furnished to either the attorney general or the secretary of Treasury, or other enforcement agency. Examples could include credit card statements, check records, invoices, and receipts.

Disclosure to, or examination by, employees or agents of Board of Governors of Federal Reserve System or Federal Reserve banks. The Right to Financial Privacy Act does not apply to financial records sought by employees of the Federal Reserve System. Examples could include bank reserves, capital ratios, and balance sheets.

Disclosure to, or examination by, the Resolution Trust Corporation or its employees or agents. The Right to Financial Privacy Act does not apply to financial records sought by the Resolution Trust Corporation. Examples could include bank reserves, capital ratios, and balance sheets.

Disclosure to, or examination by, the Federal Housing Finance Agency or Federal Home Loan Banks. The Right to Financial Privacy Act does not apply to financial records sought by the Federal Housing Finance Agency or Federal Home Loan Banks. Examples could include bank reserves, capital ratios, and balance sheets.

Access to information necessary for administration of certain veteran benefits laws. The Right to Financial Privacy Act does not apply to financial records disclosed to the Department of Veterans Affairs solely for the purpose of properly carrying out benefits programs. Examples could include credit card statements, check records, invoices, and receipts.

Disclosure pursuant to federal contractor–issued travel charge card. The Right to Financial Privacy Act does not apply to financial records disclosed regarding a contractor-issued travel card issued for official government travel. Examples could include receipts, invoices, and statements.

Disclosure to the Bureau of Consumer Financial Protection. The Right to Financial Privacy Act does not apply to financial records disclosed to the Bureau of Consumer Financial Protection. Examples could include bank reserves, capital ratios, and balance sheets.

Access to financial records for certain intelligence and protective purposes. The Right to Financial Privacy Act does not apply to financial records disclosed to a government authority authorized to conduct counterintelligence, foreign intelligence, or investigations of international terrorism. For example, this exception provides an open-door policy for the Secret Service, Central Intelligence Agency, Federal Bureau of Investigation, and others.

Emergency access to financial records. The Right to Financial Privacy Act does not apply to financial records disclosed if the government determines that delaying access would lead to someone being physically injured, property being damaged, or a criminal going on the run.

To understand the erosion of financial privacy over time at a glance, this appendix provides a brief timeline of significant events between 1970 and 2022.

• 1970—Bank Secrecy Act
• 1972—Currency transaction report (CTR) is set at $10,000
• 1972—American Civil Liberties Union, California Bankers Association, and Security National Bank apply for a temporary restraining order in the U.S. District Court for the Northern District of California
• 1973—Rep. Fortney Stark (D‑CA) seeks to better protect financial privacy, arguing that the Bank Secrecy Act undermined the long-held tradition of confidentiality between bankers and customers
• 1974—California Bankers Association v. Shultz
• 1974—Privacy Act
• 1976—United States v. Miller and the creation of the third-party doctrine
• 1977—Privacy Protection Study Commission releases a report titled Personal Privacy in an Information Society, criticizing the 1974 Privacy Act for failing to deliver the protections one would expect
• 1978—Right to Financial Privacy Act
• 1980—Adjusting CTR threshold for inflation puts it at approximately $19,000
• 1990—Adjusting CTR threshold for inflation puts it at approximately $31,000
• 1990—Financial Crimes Enforcement Network (FinCEN) is created
• 1992—Annunzio-Wylie Anti–Money Laundering Act
• 1994—Money Laundering Suppression Act
• 1996—Suspicious activity report
• 2000—Adjusting CTR threshold for inflation puts it at approximately $41,000
• 2001—Kyllo v. United States
• 2001—Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act
• 2010—Adjusting CTR threshold for inflation puts it at approximately $53,000
• 2012—United States v. Jones
• 2013–2017—Operation Choke Point
• 2018—Carpenter v. United States
• 2020—Adjusting CTR threshold for inflation puts it at approximately $63,000
• 2021—U.S. Treasury seeks to monitor bank accounts with $600 of annual activity
• 2021—Infrastructure Investment and Jobs Act mandates citizens report on each other’s cryptocurrency use
• 2022—Adjusting CTR threshold for inflation puts it at approximately $68,000
• 2022—Canadian Prime Minister Justin Trudeau freezes more than 200 bank accounts in attempt to stop protestors
• 2022—Rep. Jim Himes (D‑CT) introduces bill to expand Treasury’s ability to censor financial transactions
• 2022—ICE revealed to have been collecting approximately 6 million records from 2019 to 2022 for money transfers greater than $500 to and from Mexico
• 2022—Treasury sanctions Tornado Cash

The author thanks Norbert Michel, Jordan Brewer, Ann Rulon, Jennifer Schulp, Laura Bondank, Patrick Eddington, Zachary Wong, JP Koning, Marta Belcher, Dante Disparte, Christian Kameir, and Nicholas Thielman for their suggestions. The author also thanks Emily Ekins for surveying the American public on questions regarding financial privacy. Any errors belong to the author alone.

Anthony, Nicholas. “The Right to Financial Privacy: Crafting a Better Framework for Financial Privacy in the Digital Age,” Policy Analysis no. 945, Cato Institute, Washington, DC, May 2, 2023.