Analysis of New California Financial Elder Abuse Reporting Law

Executive Summary
CBA opposed previous legislative proposals because of their unacceptable treatment of key issues vital to banks.  These include whether a bank could be liable (e.g., to a customer or alleged abuser) for making a false report, and whether criminal penalties could be imposed for failing to report. 

There was a concerted effort this year by the leadership in both the Assembly and Senate to pass financial elder abuse legislation.  Once passage became inevitable, CBA sought favorable amendments, and took a neutral position.  As a result, the Act resolves the key issues largely in banks’ favor.  CBA was successful in removing a provision that would have imposed criminal penalties against bank employees, including imprisonment, for failing to report an incident.  Instead, a civil penalty of up to $1000 (or $5000 for a willful failure) may be imposed only on the bank and not the employee.  Furthermore, the penalty may be imposed only by the attorney general, a district attorney, or a county counsel.  No other party is permitted to make a claim against the bank for failing to report.

As to liability for filing a report, the Act creates a privilege protecting banks from private rights of action, such as a defamation action by the alleged abuser.  These provisions, taken together, help alleviate the precarious balancing act that an obligation like this otherwise imposes on banks.

All bank employees are mandatory reporters.  In the event of an incident of suspected elder financial abuse, the bank is required to make an oral report to Adult Protective Services (APS) or to law enforcement immediately, followed by a written report within two working days. 

CBA was able to secure a delayed effective date for the bill of January 1, 2007, which should give banks time to prepare policies and procedures, and conduct the necessary training of personnel. 

Institutions Covered
Financial institutions.  The Act applies to officers and employees of “financial institutions,” including credit unions.  The definition of financial institution refers to 12 U.S.C. 1813(c), namely, a bank, savings association, uninsured branch or agency of a foreign bank, and certain commercial lending companies owned or controlled by a foreign bank.  This definition does not include non-depository institutions such as trust companies, or to the subsidiaries, affiliates, and holding companies of financial institutions that are not themselves financial institutions, as defined.

Included within the definition of financial institution for purposes of the Act is an “institution-affiliated party” (“IAP”) which is defined in 12 U.S.C. 1813. [1]  These include directors, controlling shareholders, agents and, under circumstances, [2] independent contractors (like attorneys and accountants) of the financial institution.  If the Act is intended to make IAPs mandated reporters, it does so awkwardly.  With regard to IAPs that are individuals, the Act by its terms imposes obligations on “officers and employees” of these individuals, which is meaningless, and apparently not on the individuals themselves. 

But even as to institutional IAPs, such as a controlling shareholder that is not a natural person, it is difficult to conceive of the circumstances in which an officer or employee of the shareholder should become aware of financial elder abuse in the course of providing financial services.  For this reason, this ambiguity may prove to be innocuous.

Mandated Reporters
The Act makes officers and employees of financial institutions "mandated reporter[s] of suspected financial abuse of an elder or dependent adult," [3] which encompasses separate definitions of “financial abuse” and “elder or dependent adult,” discussed below. 

A bank employee may become a mandated reporter through direct contact with an elder or dependent adult, which in most, but not all, instances means branch personnel.  The Act does not specify that direct contact is restricted to in-person contact, which means the term should be construed to include personnel who have telephone and other forms of remote contact with customers. 

A mandated reporter also includes bank personnel who do not have direct contact but who have observed or have knowledge of an incident of financial abuse while reviewing or approving the elder or dependent adult's financial documents, records, or transactions.   

As to either employee—one who has direct contact or one who only reviews records—an obligation to report arises if the observation or knowledge arises “in connection with providing financial services with respect to an elder or dependent adult,” within the scope of the person’s “employment or professional practice,”  and the potential abuse is “directly related to the transaction or matter that is within that scope of employment or professional practice.” [4]

Since a reporter is someone who works for a bank, these qualifiers would only rule out an obligation to report an incident that might be observed in off-the-job settings, or in an on-the-job setting involving a potential victim under circumstances unrelated to providing services by the bank.  Thus, for example, a teller would have no duty to report if she suspects financial abuse of a neighbor based on circumstances unrelated to the bank.

Officers and employees could include joint employees of the bank and an insurance affiliate or other affiliated or unaffiliated entity.  But it does not include a person who is not a bank employee who performs similar functions, even if the person works at a branch. 

The Act does not distinguish between customers and non-customers, so there would be no basis not to report because the elder or dependent adult applied for an account or a loan but did not ultimately become a customer of the bank.  Similarly, a duty to report is not extinguished simply because the victim has closed an account or is otherwise no longer a customer.

Suspected Abuse
The Act establishes two separate standards that trigger the reporting requirement.  The first is set forth in W&I Code Section 15630.1(d)(1), which states that a report must be filed when the employee observes or has knowledge of an incident that reasonably appears to be financial abuse, or who reasonably suspects financial abuse to have occurred. 

The other standard is imbedded in the definition of the term, "suspected financial abuse of an elder or dependent adult," defined in subsection (h) of the same section.  This term, which is not used in subsection (d)(1) that establishes the reporting obligation, is defined as:

“behavior or unusual circumstances or transactions, or a pattern of behavior or unusual circumstances or transactions, that would lead an individual with like training or experience, based on the same facts, to form a reasonable belief that an elder or dependent adult is the victim of financial abuse as defined in Section 15610.30.” [5]

To complicate matters further, both standards incorporate yet another key definition: financial abuse.  An analysis of these definitions follows.

First, “financial abuse” is a concept that is already defined under existing law, and it occurs when a person “takes, secretes, appropriates, or retains real or personal property of an elder or dependent adult to a wrongful use or with intent to defraud, or both,” or assists in any of the above. [6]   Included within the meaning of “wrongful” is an act that is performed in “bad faith,” which goes to the state of mind of the perpetrator.  The definition includes more details and nuances, but they are more relevant to a prosecutor than to a bank.  For purposes of reporting by banks, financial abuse has occurred when someone in the broadest terms wrongfully appropriates funds or assets from an elder or dependent adult, or assists in doing so, through a transaction involving the bank. [7]  

Second, the standard is an objective one, meaning that it would not be a defense that an employee did not personally (that is, subjectively) suspect that abuse has occurred if a similarly situated person observing the same facts would have suspected abuse.  This standard underscores the importance of proper training of all employees who are potential reporters.

Third, it is sufficient that a person reasonably believes that abuse has occurred.  Bankers are not required to confirm that the technical conditions of abuse have in fact occurred.  This standard is consistent with the intent of the Act that bank personnel are held only to report instances of potential financial abuse, and allow professionals to follow up.

Fourth, the standard articulated in subsection (h) makes reference to a “pattern” of behavior or unusual circumstances or transactions, which suggests a need to consider looking beyond just the incident at hand.  This standard, however, would not appear to apply to employees not having direct contact, as they are specifically required only to consider documents they are reviewing or approving.

Finally, a bank is not required under the Act to report incidents of elder abuse other than financial abuse.  It specifically states that if a bank fails to report an incident that also involves physical abuse, the penalties applicable to such failure do not apply. [8]   Certainly, a bank is not prohibited from making such a report, but the privileges created in the Act apply only to reports of financial abuse.

Elder and Dependent Adult 
An elder means a California resident who is 65 years of age or older. [9]  A dependent adult means a California resident between 18 and 64 years of age with specified physical or mental limitations (including because of age) that restrict the person’s ability to carry out “normal activities” or to protect his or her rights.  It also includes a person in that age range who is admitted as an inpatient to a “24-hour health facility,” which refers to a comprehensive list of hospitals, clinics, and other in-patient facilities. [10] Note that the California residence requirement raises the possibility that a bank could find itself outside of the privileges and immunities provisions of the Act for a report on a non-resident.

Training materials that the Act requires APS to make available to banks will help banks sort through these definitions.  Notwithstanding the technical nature of these definitions, it bears re-emphasizing that bank personnel are not expected to have the expertise to determine factually that a potential victim is an elder or dependent adult before reporting.  Banks are encouraged simply to report potential incidents of financial elder abuse.  The availability of unconditional immunity is intended partly to address this knowledge gap as between bank reporters and mandated reporters in the health care and other related professions.

Reporting 
A report must be made by telephone “immediately, or as soon as practicably possible,” followed by a written report sent within two working days to the local adult protective services agency or a local law enforcement agency. [11]   If the reporting employee “knows” that the elder or dependent adult resides in a long-term care facility, [12] the report must be made to the local ombudsman or local law enforcement agency rather than to APS.  After receiving a report, APS is required to notify law enforcement or other responsible agency. [13]

The Act does not specify the information that must be disclosed in the report, nor does it specify any limits on the type or amount of information that would be protected by a privilege.  It does create a new exception in the California Right to Financial Privacy Act (RFPA) [14] to permit county APS offices and long-term care ombudsmen who are investigating financial elder abuse to request name and account number information from a bank, and to permit the bank to release that information.  

This amendment to the RFPA, which creates a narrow exception, creates an inconsistency with the Act, which contemplates the disclosure of broader facts.  Also, the amendment does not create an exception for reports to law enforcement agencies, to whom reports of financial elder abuse may be given instead of to APS.  Under another section of the RFPA, banks are permitted to release customer information to law enforcement if it is a victim of a crime, but potential financial abuse of a customer in itself is generally not a crime against the bank. [15]   

It is unlikely that this amendment to the RFPA is intended to delineate the entirety of the information to include in a report.  The Act requires that county APS offices provide banks with instructional materials, including how to report incidents and “what types of information would assist the county adult protective services agency with its investigation of the report.”  This language suggests that banks will be expected to furnish more information than name and account numbers. 

Will this inconsistency between the two laws expose banks to liability under the RFPA?  Violation of the RFPA is a misdemeanor that could bring imprisonment and a fine of up to $5,000. [16]   The answer likely lies with the financial privacy laws, SB 1 and GLBA, [17] both of which create general exceptions for disclosures related to crime and fraud prevention, and in the case of SB 1, disclosures related to financial elder abuse as well. [18]

An employee is not required to make a report of financial abuse based solely upon an allegation of such by the elder or dependent adult, or any other person, but two conditions must be met to support the refusal.  First, the employee, having no obligation to investigate, is not aware of other corroborating or independent evidence of the alleged abuse   And, second, in the employee’s professional judgment, he or she reasonably believes that financial abuse did not occur. [19]  

In these circumstances, the risk of not reporting (potential civil penalty and reputation risk) would appear to outweigh the risk that the bank would be liable for taking seriously a claim by the victim.  On the other hand, an allegation by a person other than the potential victim may warrant more circumspection.

Privileges and Immunities

The Act shields mandatory reporters in two ways.  First, a report is covered under Civil Code Section 47(b).  That law makes privileged a communication that is made in an “official proceeding authorized by law.”  Under a recent Supreme Court case [20] in which CBA participated as friend of the court, the court confirmed that this term encompasses reports of suspected crime to law enforcement agencies, and that such privilege is not conditioned upon a showing of good faith.  However, the privilege would not shield a reporter from a claim for malicious prosecution and certain ancillary claims. [21]  

Additionally, a bank employee enjoys an absolute privilege under W&I Code Section 15634.  Note, however, that having a legal privilege is not the same as not being sued, but it does make a successful suit more unlikely.  If a bank files a report under circumstances in which it is not a mandated reporter (for example, it reports suspicion of physical abuse rather than financial abuse, or reports that a caretaker is overcharging for services unrelated to the provision of bank services), the bank could still avail itself of a privilege, but it is subject to a good faith standard.

The Act also creates a privilege for a bank if it permits a requesting APS office or law enforcement agency investigating suspected abuse to have “access” to the elder or dependent adult. [22]   This provision currently applies to persons and entities that would have some form of custody over the elder or dependent adult, such as a care custodian.  Normally, a bank should not be in a position of taking custody of a customer, and thus would not be in a position to provide “access.”  However, the need to assert the privilege could arise where, for example, a claim is made incident to the bank calling local law enforcement regarding an incident, and officers arrive while the customer is still at the branch and proceed to interview the customer and the alleged perpetrator.

Penalties  
If a mandated reporter fails to report financial abuse, the bank is subject to a civil penalty of up to $1,000, or up to $5,000 for a willful failure.  The penalty may be imposed only in a civil action brought by the attorney general, district attorney, or county counsel.  The Act states that “Multiple actions for the civil penalty may not be brought for the same violation.”  

Relation to Other Laws
W&I Code Section 15630.1(g) provides that “nothing in the Financial Elder Abuse Reporting Act of 2005 shall be construed to limit, expand, or otherwise modify any civil liability or remedy that may exist under this or any other law.”  The intent of this provision is to clarify that this new law can only be brought by the listed parties for a violation under this law.  What the Act does not do, for example, is create a new bank duty to protect elders and dependent adults from financial abuse.  However, it remains to be seen how the courts will interpret this section.

Selected Topics
Is there a duty to investigate?  The Act specifies that the duty to report as applied to personnel who do not have contact with an elder or dependent adult does not include a duty to look beyond the information before the person at the time he or she is reviewing documentation.  Thus, for example, if the documents do not reveal on their face the age of the customer (or evidence that the customer is a dependent adult), the employee would not have a basis to suspect reportable abuse and would not have an obligation to look at additional information.  This provision recognizes the way that banks work, that is, that numerous transactions are processed based more on the sufficiency of documentation rather than an evaluation of their underlying purpose.

As discussed previously, the Act specifically provides that if a bank is notified about an incident of alleged financial abuse, it has no duty to investigate when deciding whether or not to file a report.  Nevertheless, the provision that establishes the general duty to report is silent about a duty to inquire or investigate.  Instead, as discussed above, the provision alludes to the employee’s scope of employment or professional practice.

Here, banks’ experience with the Bank Secrecy Act (BSA) may be instructive.  While banks may not be subject to a general duty to investigate under the Act, it does have affirmative duties under BSA to monitor suspicious activities.  Thus, a duty to investigate in certain circumstances may be deemed to be within the reporter’s scope of employment or professional practice.  Also, as awareness of financial elder abuse among bankers increases through training, so may the expectation that bank employees exercise a duty to inquire.  This does not mean that bank managers must routinely interview potential victims for potential abuse, but rather that the standard of care is likely to rise.

Is there a duty to intervene?  This is not to say that the bank has any duty to intervene.  The Act places an obligation on banks only to report incidents of suspected elder financial abuse, not to take corrective actions.  It is the responsibility of APS and, in some instances, law enforcement, to investigate and to intervene.  Whether a bank decides to disallow a transaction from being completed should be subject to the bank’s overall policies, such as those pertaining to fraud prevention.  The Act does not address this issue.  Note that the privileges created by the Act relate to the making of a report, and not to the taking of other actions.

Documenting decisions not to file?  The Act does not require banks to document decisions not to file a report, but then, neither does the BSA regulation require this practice for SARs.  It remains to be seen whether the enforcement environment will compel bankers to adopt this practice.  Will the attorney general, a district attorney, or county counsel vigorously enforce the Act against banks within their jurisdiction? 

The Act is different from BSA in another way—bank regulators generally ascribe to the bank, as an entity, knowledge of disparate facts available at different parts of the bank relevant to a suspicious transaction.  In contrast, the Act focuses on the knowledge or awareness of the individual reporter, and imposes no specific duty to investigate.  These factors mitigate against the need to document reasons for not reporting.  Nevertheless, banks should consider documenting any decision not to file a report after receiving an allegation of abuse from a potential victim or another person, as the Act specifically describes how the bank can defend such a claim (see above).

Training.  The inclusion of all employees as potential mandated reporters makes it imperative that the bank conduct broad-based training on financial elder abuse.  The Act does not specifically require banks to conduct training for employees.  Rather, it requires APS to furnish training materials to banks, covering what is abuse and neglect of an elder or dependent adult, how to recognize it, how APS investigates reports, and how to report incidents and what type of information is needed. [23]   CBA will work with the various APS agencies to ensure that the type and amount of information to be reported are reasonable, and that the various counties’ requirements are uniform.

In addition, banks need to establish monitoring and reporting policies and procedures.  Many may find that they can fold these policies into their BSA program.  Employees to involve in such training would include branch personnel, telephone banking customer service personnel, personnel who correspond with customers by electronic mail, loan processing personnel, credit review committees, wire transfer operators, and perhaps even item processing personnel to the extent that they engage in investigating exceptions.

Centralizing reporting.  Whether banks will try to centralize reporting of financial elder abuse may depend on the type and amount of information a report must include.  This will be a matter of negotiation among banks, law enforcement agencies, and APS.  Smaller banks may be able to have individual branch managers assume the responsibility to make reports.  But the needs for efficiency, compliance, quality assurance are likely to compel many banks to seek to centralize reporting in the same way that they centralize BSA compliance. 

As already discussed, there are two components to making a report: a telephone call made immediately after an incident is observed or suspected, followed by a written report within two business days.  The telephone call is the more likely report that can be made by the branch.  Each county has an APS office responsible for handling cases in that county.  A branch manager or other percipient witness is in a better position to convey not only the details of the incident, but also to communicate meaningfully about the situation in the local area, such as the fact that the dependent adult resides at a particular hospice.  On the other hand, if all that is required during the phone call is name and account number, this function could easily be centralized.

Telephone reporting of incidents that are identified through a review of documents, such as by loan review personnel, should be amenable to centralizing.  Presumably, the evidence of potential financial abuse in these situations would be based on facts gleaned from documentation rather than direct observation of the customer’s behavior.  Written reports should be centralized.

A potential problem arises when multiple employees observe the same incident and thereby become mandated reporters.  The Act addresses this issue by permitting the reporters to enter into an “agreement” among themselves that one person will make a report.  The Act does not specify that the agreement must be in writing; presumably, adherence to a policy that reporting is assigned to a particular department or designated personnel would suffice.  It also adds that any member of the group who knows that the designated person has failed to make a report must then make the report. [24]

Should the bank simultaneously file an SAR?  An SAR is required if the bank “knows, suspects, or has reason to suspect” certain violations of law. [25]   A reporting threshold of $5000 applies for external incidents, though banks may report any suspicious incident.  A report under the Act is required if the bank observes or has knowledge of suspected financial abuse of an elder or dependent adult, which is an illegal act in California. [26]   No dollar threshold applies. 

The similar filing standards suggest that if evidence of financial elder abuse supports making a report under the Act, the evidence could also support filing an SAR.  This opens the possibility that a bank could satisfy its reporting obligation under the Act by submitting a report that contains similar information included in an SAR, understanding however that the SAR is subject to a 30 day filing period compared to two business days under the Act.  As CBA works with APS and law enforcement agencies to develop standards for reporting, we will be mindful of these and other potential efficiencies.

Should the bank observe the SAR prohibition against notifying the suspected perpetrator of the filing of a report?  Unlike the SAR regulation, the Act does not specifically prohibit notifying a suspect that a report has been filed.  Nevertheless, the bank should observe this practice at all times, particularly if the bank is simultaneously filing an SAR.  Branch personnel should be especially mindful of this policy since they are likely to have direct contact with suspects.

Effective Date and Sunset  
The bill is effective on January 1, 2007, and is scheduled to sunset on January 1, 2013.  Until January 1, 2007, the existing rules apply.  That is, there is no obligation to report, and if a bank files a report of financial abuse as a voluntary reporter, the reporter is protected from liability unless it can be proven that a false report was made and the reporter knew that the report was false.  If the report is made to a law enforcement agency, the Civil Code Section 47(b) privilege is available today.

CBA is developing an implementation program to help the industry prepare to comply with the Act, to include training, working with APS and law enforcement agencies, and possible clean-up legislation as needed.  CBA’s lead lobbyist this year on financial elder abuse legislation was Kevin Gould. 

Leland Chan

The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice.  Please consult with your counsel for more detailed information applicable to your institution.