Based on the information you have given us, we do not believe that the bank should respond to the Department of Healthcare and Family Services letter requesting information on a customer’s checking accounts. Even confirming that an individual was a customer of the bank would risk violating the customer’s privacy rights, as would providing information about the customer’s checking accounts or safe deposit box. (Regulation P defines “nonpublic personal information” to include “[t]he fact that an individual is or has been one of your customers.” 12 CFR 1016.3(q)(2)(i)(C).) As explained below, the Illinois and federal financial privacy laws allow banks to respond to subpoenas, court orders, and other types of governmental requests, but we do not believe that the letter you described would fit into any of those permitted categories.
The Illinois Banking Act generally prohibits banks from sharing customers’ financial records (205 ILCS 5/48.1), unless an exception applies, such as:
- “The furnishing of information about the existence of an account of a person to a judgment creditor of that person who has made a written request for that information.”
- “[T]he financial records are disclosed in response to a lawful subpoena, summons, warrant, citation to discover assets, or court order which meets the requirements of subsection (d) of this Section.” (Note that the Illinois law also requires that the bank mail a copy of the subpoena to the customer that is the subject of the subpoena, unless the subpoena specifically prohibits the bank from doing so. 205 ILCS 5/48.1(d).)
Similarly, federal law generally prohibits banks from sharing customers’ financial records (“nonpublic personal information”) (15 USC 6802(a)) unless an exception applies, such as:
- “To comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.”
From the information you have given us, it does not sound like the Department’s request is a judgment, subpoena, court order, or other type of governmental request that would qualify for one of the exceptions to the Illinois or federal privacy laws. Therefore, we suggest contacting the Department with your concerns about their request.