Skip navigation

Joint letter to BOP re commissary rules and privacy concerns - Sept. 2015

Download original document:
Brief thumbnail
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
September 1, 2015
Rules Unit, Office of General Counsel
Federal Bureau of Prisons
Attn: Sarah Qureshi
320 First St., NW
Washington, DC 20534

RIN 1120-AB56
Proposed Rule Regarding Inmate Commissary Account Deposit Procedures
Comments and Petition for Further Rulemaking

Dear Ms. Qureshi:
The undersigned organizations submit the following comments concerning the above-referenced
proposed rule, and ask that they be made part of the administrative record.
On July 7, 2015, the Bureau published a proposed rule that sets forth a new process by which the
Bureau may obtain transaction information concerning people who send or attempt to send funds
to commissary accounts.1 As explained herein, the Bureau’s proposed rule, as applied to
customers of financial institutions,2 is not appropriate under the provisions of the Right to
Financial Privacy Act (“RFPA”).3
There are also numerous broader and more pressing issues related to commissary accounts that
are not addressed by the Bureau’s current regulations. Accordingly, the undersigned
organizations also submit the petition contained herein, pursuant to 5 U.S.C. § 553(e), requesting
further rulemaking concerning financial services in Bureau facilities.

Applicable Legal Framework

As the Bureau acknowledges, some (albeit not all) payment orders remitted to commissary
accounts are drawn on “financial institutions,” as defined in the RFPA.4 When someone
conducts a transaction through a financial institution, the protections of the RFPA generally
apply, and the institution is “prohibit[ed] . . . from providing a government agency with access
to any customer’s financial records unless the customer is first given notice and the opportunity
to object.”5
The RFPA “was enacted in response to a pattern of government abuse in the area of individual
privacy and was intended ‘to protect the customers of financial institutions from unwarranted

80 Fed. Reg. 38658 (Jul. 7, 2015).
As defined in 12 U.S.C. § 3401(1).
12 U.S.C. § 3401, et seq.
See 80 Fed. Reg. at 38659.
Commodity Futures Trading Comm’n v. Worth Bullion Group, 717 F.3d 545, 549 (7th Cir. 2013).

September 1, 2015
Page 2 of 7
intrusion into their records while at the same time permitting legitimate law enforcement activity
by requiring federal agencies to follow’ established procedures when seeking a customer’s
financial records.”6 Because the RFPA seeks to balance privacy rights with the needs of law
enforcement, the statute provides broad protection to customers, while also giving the
government numerous ways to obtain financial information, many of which the Bureau could use
with minimal effort.7 First, the government may obtain a customer’s written consent to
disclosure.8 To the extent that the Bureau’s proposed rule is premised on the customer-consent
provision, it is incompatible with the RFPA, which clearly and unambiguously prohibits such
consent being “required as a condition of doing business with any financial institution.”9
In addition, the RFPA allows the government to obtain financial records through issuance of a
search warrant or a judicial or administrative subpoena;10 however, the proposed rule does not
utilize any of these tools.
Finally, RFPA allows the government to obtain records through “a formal written request.”11
The Bureau seems to invoke the formal written request procedure when the Bureau states that the
proposed rule
is in compliance with the Right to Financial Privacy Act . . . which allows federal
agencies to have access to or obtain copies of the financial records of any customer from
a financial institution only if the financial records are reasonably described and . . . the
financial records are disclosed in response to a formal written request which meets
certain notice and other technical requirements. 12 U.S.C. 3402(5).12
The Bureau’s citation to the formal written request provision of RFPA is confusing. Both the
RFPA and applicable regulations promulgated by the Department of Justice require formal
written requests to be individualized and served on the relevant customer.13 Because no such
individualized notice procedure is contained in the proposed rule, the Bureau’s reference to the
formal written request provision appears to be a drafting error.


Anderson v. La Junta State Bank, 115 F.3d 756, 758 (10th Cir. 1997) (quoting Neece v. IRS, 922 F.2d 573, 575
(10th Cir. 1990)); see also H.R. Rep. No. 95-1383, at 9305 (1978) (explaining that the RFPA was enacted in
response to U.S. v. Miller, 425 U.S. 435 (1976)).
See Duncan v. Belcher, 813 F.2d 1335, 1339 (4th Cir. 1987) (“The [RFPA]’s provisions hardly insulate private
accounts from investigation by government agencies. On the contrary, the Act merely establishes summary
procedures for government investigators to follow.”).
12 U.S.C. § 3402(1).
12 U.S.C. § 3404(b).
12 U.S.C. § 3402(2) through (4).
12 U.S.C. § 3402(5).
80 Fed. Reg. 38658-38659.
12 U.S.C. § 3408(4)(A) (a copy of a formal written request must be “served upon the customer or mailed to his
last known address on or before the date on which the request was made to the financial institution,” together with a
prescribed statutory form of notice); 28 C.F.R. § 47.4 (formal written requests issued by Department of Justice
components must specifically identify the customer to whom the records pertain).

September 1, 2015
Page 3 of 7

The FRPA Prohibits Compulsory Authorizations for Disclosure

In the proposed rule, the Bureau seeks to obtain transactional information by unilaterally
declaring that a person must consent to disclosure of financial information when that person
sends or attempts to send funds to a commissary account. Although the RFPA allows the
government to obtain financial information by obtaining an account-holder’s written consent,
such consent is only valid if it is given in compliance with detailed statutory requirements.14 As
mentioned above, the RFPA prohibits requiring customer consent as a condition of doing
business with a financial institution. This provision operates to “prohibit blanket authorizations,
that is, authorizations for disclosures whose scope and purpose is not known at the time of the
The proposed rule seeks to impose precisely the type of blanket authorization that RFPA is
designed to prevent, and therefore is fundamentally incompatible with RFPA’s prohibition on
compelled consent.16 Moreover, the rule cites no lawful authority that allows the Bureau to
require any type of action on the part of someone who is neither an inmate, employee, nor visitor
at a Bureau facility.17 It is axiomatic that an agency cannot exercise rulemaking authority absent
a delegation of power from Congress.18 Here, the Bureau has pointed to no legislative act that
either: (1) authorizes the Bureau to regulate the activities of third-parties who do not work or
reside in correctional institutions, or (2) empowers the Bureau to override the provisions of the
The Bureau relies on the need to “use transactional information . . . to detect unlawful activity”
as a justification for the proposed rule.19 Although the Bureau is empowered to conduct
necessary investigations, this power does not include the ability to exempt itself from the
requirements of the RFPA.20 Accordingly, the rule as drafted cannot withstand judicial review.
Even if the Bureau can advance a strained reading of the RFPA in support of the rule, such
interpretation would not be entitled to any judicial deference because Congress has not delegated


12 U.S.C. § 3402(1).
Richard Fischer, Law of Financial Privacy (2005) ¶ 2.04[2][a].
See Dixon v. U.S., 381 U.S. 68, 74 (The government’s power “to prescribe rules and regulations . . . is not the
power to make law . . . but the power to adopt regulations to carry into effect the will of Congress as expressed by
the statute. A regulation which does not do this, but operates to create rule out of harmony with the statute, is a
mere nullity.” (quoting Manhattan Gen. Equip. Co. v. CIR, 297 U.S. 129, 134 (1936) (internal quotation marks
omitted; second omission by Dixon court)).
To the extent that the Bureau relies on the Housekeeping Act, 5 U.S.C. § 301 (which is cited in the Federal
Register notice), the Bureau’s reliance is misplaced. The Housekeeping Act gives an agency the power to regulate
internal affairs, but cannot be used as the basis to enact “substantive rules.” U.S. ex rel. O’Keefe v. McDonnell
Douglas Corp., 132 F.3d 1252, 1254-1255 (8th Cir. 1998); see also Schism v. U.S., 316 F.3d 1259, 1285 (D.C. Cir.
2002) (en banc) (“Simply put, an agency cannot do by regulation what the applicable statute itself does not
E.g., Bowen v. Georgetown Univ. Hosp., 488 U.S. 404, 471 (1988).
80 Fed. Reg. at 38659.
Cf. ExxonMobil Gas Marketing Co. v. Fed. Energy Regulatory Comm’n, 297 F.3d 1071, 1088 (D.C. Cir. 2002)
(“We emphatically agree that need for regulation cannot along create authority to regulate. Rather it is statutory
authorization alone that gives FERC the authority to regulate, and in the absence of such authority, FERC’s action is
plainly contrary to law and cannot stand.” (citations and internal quotation marks omitted, emphasis in original)).

September 1, 2015
Page 4 of 7
rulemaking authority under the RFPA to any agency, much less the Bureau.21 Moreover,
Congress has directly spoken to the precise question at issue (by prohibiting compelled
authorization), and the Bureau’s proposed rule is not based on a plausible interpretation of the

Even if Bureau Could Compel People to Authorize Disclosure, the Proposed Rule
Lacks Numerous Mandatory Procedural Safeguards

Even if the proposed rule could survive review under the RFPA’s ban on blanket consent to
disclosure (which it cannot), it is flawed because of its failure to adhere to the procedural
safeguards contained in section 3404 of title 12, United States Code, concerning customer

Written Authorization of Disclosure

Most troublesome is the proposed rule’s lack of precision concerning how exactly authorization
would be provided. In particular, the language of the proposed rule states that “[p]ersons
sending or depositing . . . funds to an inmate’s commissary account . . . consent to the collection,
review, use, disclosure, and retention, of all related transactional data.”22 This language is fatally
vague about how the account-holder actually provides consent.
Under the RFPA, consent for disclosure must be provided in a written statement, signed and
dated by the account holder.23 Yet the proposed rule does not explain how such written consent
will be obtained and whether it will be in a particular form prescribed by the Bureau. Indeed, the
proposed rule could be read as using a system of implied consent, wherein any time a person
sends money to a commissary account, they are deemed to have provided consent for purposes of
the RFPA. This cannot be the case, however, because—consistent with the plain text of the
RFPA—courts have held that customer consent to disclosure cannot be implied.24
To the extent that the Bureau anticipates obtaining express written consent from customers, the
rule leaves a host of important questions unanswered. For example, the RFPA states that
customer consent is valid if the customer “furnishes to the financial institution and to the
Government [a written authorization].”25 Thus, in a case where a customer purchases a money
order at her bank and sends it to the Bureau for deposit in a commissary account, who is
responsible for obtaining the customer’s written authorization? When will the customer be asked
to sign an authorization form? How will that authorization be transmitted to the bank and the
Bureau? The proposed rule does not even acknowledge, let alone answer, any of these questions.


See King v. Burwell, 135 S.Ct. 2480, 2488-2489 (2015) (refusing to apply deference to tax regulations interpreting
the Affordable Care Act in the absence of express Congressional grant of authority to IRS).
Inmate Commissary Accounts, 80 Fed. Reg. 38658, 38660 (to be codified at 28 C.F.R. § 506.3).
12 U.S.C. § 3404(a).
Duncan, 813 F.2d at 1339 (“[T]he district court was in error in concluding that [plaintiff] impliedly authorized
disclosure of his records. . . . The [RFPA] does allow the government to obtain records with the customer’s consent,
but only by a ‘signed and dated statement’ that recites the nature of the records, the purposes of disclosure, the
customer’s rights and other information.”)
12 U.S.C. § 3404(a).

September 1, 2015
Page 5 of 7

Additional Procedural Safeguards

In addition to the basic problems discussed above, the Bureau has failed to address numerous
other safeguards required under the RFPA. In its proposed rule, the Bureau attempts to vitiate all
privacy protections and gut the procedural requirements of the RFPA by regulatory fiat. Because
the proposed rule does not provide for the mandatory safeguards outlined in section 3404, the
Bureau cannot issue the rule as currently drafted. In particular, the proposed rule leaves at least
five critical questions unanswered, as discussed in more detail below.

Duration of Authorization

Under the RFPA, a customer’s authorization to disclose financial information must be limited to
a duration of three months or less.26 The proposed rule fails to specify how long a customer’s
purported authorization will last. Assuming for purposes of argument that BOP seeks the
maximum allowable duration of three months, then additional questions arise, because the
proposed rule clearly envisions a perpetual system of disclosure. Thus, it is unclear whether the
Bureau will seek new authorizations from each depositor as existing authorizations expire. Or,
will the Bureau require a new authorization each time a person deposits money to a commissary
account? Or does the Bureau have some alternate theory?

Right of Revocation

When an account holder authorizes disclosure of his financial information, the RFPA requires
that he be informed of the right to “revoke such authorization at any time before the financial
records are disclosed.”27 First, the proposed rule makes no provision for informing the customer
as required under the RFPA. More to the point, however, even if a customer is informed, the
proposed rule does not address the mechanics of revocation. To whom should a revocation be
submitted? Need a revocation be in writing? If so, need it be in any particular form? May a
revocation be submitted simultaneously with the initial authorization? Indeed, given the general
tenor of the proposed rule, it is unclear whether the Bureau would even honor a revocation of
consent. As part of this rulemaking the Bureau should expressly confirm that it will comply with
the revocation provisions of the RFPA.

Identification of Financial Records

A customer authorization for disclosure must “identif[y] the financial records which are
authorized to be disclosed.”28 The proposed rule seeks to compel authorization for the release of
“all related transactional data,”29 but does not define or describe what such data entails.


12 U.S.C. § 3404(a)(1).
12 U.S.C. § 3404(a)(2).
12 U.S.C. § 3404(a)(3).
Inmate Commissary Accounts, 80 Fed. Reg. 38658, 38660 (to be codified at 28 C.F.R. § 506.3).

September 1, 2015
Page 6 of 7

Purpose of Disclosure

RFPA requires that a customer providing an authorization for disclosure be informed of “the
purposes for which . . . such records may be disclosed.”30 Although the Bureau’s notice of
rulemaking makes generalized references to detecting unlawful activity, there is no indication
that customers will receive an individualized, statutorily adequate description of the purpose for
which their financial information is being disclosed.

Notification of Statutory Rights

Under the RFPA, any written authorization for disclosure must “state[] the customer’s rights
under [the RFPA].”31 A customer’s rights include the protections mentioned above, as well as
the right to obtain a record of all disclosures made by the financial institution.32 The proposed
rule does not provide for a disclosure of these rights.

Petition for Rulemaking

The Bureau seeks to codify the proposed rule as a component of part 506, title 28, Code of
Federal Regulations. Part 506 is entitled “Inmate Commissary Account,” and governs a system
by which “the Bureau [can] maintain inmates’ monies while they are incarcerated.”33 The
Bureau’s administration of commissary accounts is of particular interest to the undersigned
organizations, because of the myriad consumer-protection issues that have arisen in recent years
concerning financial services in correctional institutions.34 Given the numerous issues which are
in need of attention, it is important that the Bureau develop a comprehensive system of consumer
protections applicable to users of the commissary system. Accordingly, pursuant 5 U.S.C. §
553(e), the undersigned organizations hereby petition the Bureau to issue rules concerning the
operation of commissary accounts, including, at a minimum, rules addressing the following
 Applicability of Regulation E. Concurrent with the growing use of electronic
transactions, the Bureau appears to be placing greater emphasis on electronic payments in
the context of commissary accounts. Part 1005, title 12, Code of Federal Regulations
(“Regulation E”) contains a comprehensive system of consumer protections issued under
the Electronic Fund Transfer Act.35 The Bureau must acknowledge that Regulation E
applies to electronic transfers to and from commissary accounts, and provide guidance on
how consumers may invoke the protections of Regulation E.
 Release payments. When a person leaves the custody of the Bureau with a positive
balance in his or her commissary account, the Bureau disburses such funds to the person
upon his or her release. The Bureau should issue rules concerning how such payments
are made to ensure that the returned balances are accessible in full.

12 U.S.C. § 3404(a)(3).
12 U.S.C. § 3404(a)(5).
12 U.S.C. § 3404(c).
28 C.F.R. § 506.1.
See generally, Letter from Stephen Raher, Prison Policy Initiative, to Richard Cordray, Consumer Financial
Protection Bureau (Mar. 18, 2015), available at
15 U.S.C. § 1693, et seq.

September 1, 2015
Page 7 of 7



Fees. The Bureau should publish a readily-accessible schedule of all fees applicable to
commissary accounts (including release payments), and should ensure that all such fees
are just and reasonable.
Kickbacks. The Bureau should provide by rule that it will not accept payment of money
or other value from any contractor who is selected to provide financial services. In the
absence of such a policy, the Bureau at a minimum should provide clear disclosure to all
consumers (both commissary account holders, and non-incarcerated people who send
money to commissary accounts) of any such payments that the Bureau receives in
connection with contracts related to commissary accounts.
Unclaimed property. The Bureau should ensure that all funds held for the benefit of
people who are in the custody of the Bureau—regardless of whether such funds are held
directly by the Bureau or by a contractor—are subject to the unclaimed property
provisions of 31 U.S.C. § 1322.

Congress enacted the RFPA to provide customers of financial institutions with protections
against government intrusion into their financial privacy. Although the statute does allow
customers to voluntarily disclose their financial information to the government, it is carefully
drafted to ensure that such consent is narrowly-tailored and not coerced. The Bureau’s proposed
rule runs roughshod over these statutory protections and should not be adopted in its present
Moreover, in the rapidly-changing world of prison-based financial services, there are numerous
consumer protection problems that are in acute need of attention. It is, therefore, disappointing
that the Bureau has chosen to focus its efforts on eroding privacy protections instead of
proposing regulatory changes that would benefit incarcerated people and their families by
curbing financially abusive practices. The undersigned organizations are committed to
addressing these important issues, and look forward to the Bureau’s response to the petition
contained herein.
Human Rights Defense Center
National Consumer Law Center (on behalf of its low income clients)
Prison Policy Initiative