Compliance Bulletin

New Obligation to Disclose Financial Records
October 27, 2009

Asection of a major California health bill (ABX4 5) requires financial institutions to furnish the California Department of Health Care Services (“DHCS”), or its designee, with information regarding the assets of any person who is applying for or receiving benefits through DHCS, if the person has provided the DHCS with an authorization pursuant to Welfare and Institutions Code Section 14013.5. The requirement on the state is one of the conditions attached to continued receipt of federal Medi-Cal payments pursuant to the federal American Recovery and Reinvestment Act.

The Welfare & Institutions Code authorization would allow the DHCS to obtain from a financial institution “any financial record held by the institution with respect to the applicant or recipient, and any other person, as applicable, whenever the department determines the record is needed in connection with a determination with respect to the eligibility for, or the amount or extent of, the medical assistance.”

The bill, which adds Section 293 to the California Financial Code, requires neither the DHCS nor the person whose records are requested to furnish the financial institution with a copy of the disclosure authorization.

The federal Right to Financial Privacy Act of 1978 (“RFPA”) generally requires federal government agencies to pursue legal process in order to gain access to financial records unless the customer authorizes such disclosure. The RFPA applies to a “government authority” which is defined as “any agency or department of the United States, or any officer, employee, or agent thereof.” 12 U.S.C. 3401(3) At this time we do not know why the DHCS believes it is covered by the RFPA; it is perhaps acting as an “agent” of a covered federal government authority.

A qualifying authorization under 12 U.S.C. Section 3404(a) of the RFPA is one that is given to the requesting agency and the financial institution, is signed and dated, and:

  1. authorizes such disclosure for a period not in excess of three months;
  2. states that the customer may revoke the authorization at any time before the records are disclosed;
  3. identifies the financial records which are authorized to be disclosed;
  4. specifies the recipient of and purposes of the disclosure; and
  5. states the customer’s rights under the RFPA.

Though stated inartfully, the bill specifically provides that an authorization obtained by the DHCS is considered to satisfy the financial institution’s obligation under the RFPA [3]. Specifically, a request supported by an authorization satisfies Section 3404(a) of the RFPA (quoted at length above) even though an authorization will not be furnished to the financial institution [4]. The DHCS is not required to certify to the financial institution, as required by Section 3403(b), that it has complied with the RFPA, as long as the DHCS obtains the Welfare & Institutions Code authorization. Moreover, the request specifically satisfies the requirements of Section 3404(b)(3) and Section 3402 that the requesting agency must reasonably describe the requested financial records.

The DHCS is required to reimburse institutions for the production of records in accordance with the RFPA. As interpreted by the Federal Reserve Board in 12 CFR Section 219.3, the government agency must reimburse for “reasonably necessary costs” for searching for, reproducing or transporting records, including personnel time [5].

ABX4 5 makes no reference to the state’s version of the RFPA codified at Government Code 7460 et al., known as the California Right to Financial Privacy Act. This law prohibits government agencies from requesting or receiving bank customers’ financial records in connection with a “civil or criminal investigation” unless processes are followed that are similar to the RFPA. While arguably a typical DHCS request is not an “investigation” the financial institution will have no knowledge of the nature of the request since the bill does not require the DHCS to furnish a copy of the authorization or even to certify that an authorization has been obtained.

As this provision was attached to a massive health spending bill and did not undergo the normal legislative committee vetting process, the business community was not involved in its development. CBA will study the bill and consider the need for cleanup legislation, particular to secure protection from liability under the state RFPA.

ABX4 5 includes no specific enforcement language or liability provision. It is an urgency bill and thus became effective when enacted on July 28, 2009. The lead lobbyist on ABX4 5 for CBA is Jason Lane.

  1. As defined in 12 U.S.C. Section 3414(1) as: “any office of a bank, savings bank, card issuer as defined in section 1602 (n) of title 15, industrial loan company, trust company, savings association, building and loan, or homestead association (including cooperative banks), credit union, or consumer finance institution.”
  2. Section 14013.5 requires those persons whose resources are required to be disclosed for eligibility purposes to authorize the DHCS to obtain their financial records from financial institutions. Persons covered include the applicant or recipient and any other person that the DHCS determines whose records are needed to determine eligibility.
  3. The general requirement is stated in 12 U.S.C. Section 3403(a).
  4. Because a copy of the authorization will not be furnished to the financial institution, the financial institution may be challenged in complying with information sought by the DHCS thereunder. A financial institution may be uncertain as to whether the information to be provided is within or without that authorization. Further, because the information subject to disclosure covers “assets,” an undefined term in the bill, a financial institution may need to investigate more than deposit accounts owned by the person whose records are subject to disclosure. That person could have pledged assets or assets in safekeeping with the financial institution, for example.
  5. These costs may not be charged to the customers/ accountholders or to their spouse, to a parent of an unemancipated minor, or any other person whose resources are required by federal law to be disclosed to determine the eligibility of the applicant or recipient. Appendix A to Section 219.3 sets forth the following Reimbursement Schedule:


Photocopy, per page—$.25

Paper copies of microfiche, per frame—$.25

Duplicate microfiche, per microfiche—$.50

Computer diskette—$5.00

Search and Processing:

Clerical/Technical, hourly rate—$11.00

Manager/Supervisory, hourly rate—$17.00

The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice. Please consult with your counsel for more detailed information applicable to your institution.

© This CBA Regulatory Compliance Bulletin is copyrighted by the California Institutioners Association, and may not be reproduced or distributed without the prior written consent of CBA.