This week I was asked to give a presentation in DC about the history of financial surveillance. Now, most people know that the Patriot Act did tremendous damage to privacy in general. But fewer people understand the extent of damage that it did to financial privacy in particular.
Basically, the Patriot Act was the Bank Secrecy Act on steroids.
In this newsletter I want to look at Title III of the Patriot Act: The International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, and 5 ways that the Patriot Act destroyed financial privacy.
This was a moment in time that radically expanded financial surveillance under what we were told was a temporary measure, but it ended up lasting forever.
The Patriot Act standardized and mandated “Know Your Customer” (KYC) rules across all financial institutions.
Before 2001, “KYC” existed in principle but was largely determined by banks. Institutions determined their own risk tolerance, and what customer information they would collect. A community bank might rely on non-documentary checks and longstanding relationships, while a larger bank might collect more documents.
For example, if Betty wanted to open a bank account and you’ve known her since she was 5, and you knew her parents for 20 years and they’ve held an account with you for years, you might already have a pretty good understanding of the risk level of that potential customer. As a business, you would determine what you needed from them in order to let them open an account.
The Patriot Act introduced minimum ID standards. It enforced a Customer Identification Program (CIP) for every bank, broker‑dealers, mutual funds, and other similar institute in the US. These entities had to collect and verify government-issued IDs for every customer. They also had to cross-check identities against government watchlists.
This is when privacy in banking effectively ended and financial anonymity became illegal. “Risk-based KYC” went from a business choice to a legal requirement.
The Patriot Act broadened the definition of a “money transmitter”: Before 2001 it was just “a licensed sender of money”. After the change it covered any person engaged as a business in transmitting funds, including informal money transfer systems. That was a big expansion.
The Patriot Act also imposed an AML‑program mandate across financial institutions, extending coverage for different sectors.
This massively widened the surveillance reach, pulling basically every financial touchpoint into a federal dragnet.
The Patriot Act allowed unprecedented data sharing across agencies and borders.
Sections 351 and 358 broke down specific information-sharing barriers between the FBI, CIA, NSA, FinCEN, and foreign governments.
For example, SARs (Suspicious Activity Reports) were formalized under the 1992 Annunzio-Wylie Anti–Money Laundering Act to strengthened reporting rules. Banks became required to file reports against ANYTHING they deemed suspicious about how someone was using their own money. SARs were originally confined to Treasury oversight, and could be shared with law enforcement. But the Patriot Act expanded this access so that now these could be shared freely with intelligence agencies.
Under the Annunzio-Wylie Anti–Money Laundering Act it was already illegal for banks to tell customers when a suspicious activity report was filed. But with the Patriot Act came extended “safe harbor” provisions, where banks were encouraged to proactively share customer data with intelligence, without fear of being sued by the customer because they would have legal immunity.
It covered liability under “any contract or other legally enforceable agreement”, So if you had a contract with your bank that they’d keep your information private? The government said the bank now had immunity if they shared that information and broke the contract.
(Just to put this into context: The 4th amendment is mean to stop the government getting your information without a warrant. So instead, the government mandated that banks collect that information, and then granted the banks legal immunity for sharing that information with the government. An egregious overstep of what was meant to be a constitutional protection, if ever I’ve seen one.)
Additionally Section 314(b) created a safe harbor financial institutions to share customer and activity information with other financial institutions, when they in good faith suspect money laundering or terrorist financing.
So the net result of these safe harbor rules was that banks were both REQUIRED to report SARs and other information to the government, and they were legally shielded from aggressively and proactively doing so, and were also allowed to exchange intelligence with other banks. It basically fueled the private-sector surveillance grid that we have today, and deputized the financial system as investigatory agents in it.
Mass data pipelines from private banks to the surveillance state were legalized overnight.
The Patriot Act authorized surveillance of correspondent and foreign accounts.
A “correspondent account” is a US bank account opened by a foreign bank so that foreign customers can move dollars, clear wires, and access the US financial system.
Think of it as the on-ramp to the dollar network for non-US banks.
The Patriot Act forced US banks to perform “enhanced due diligence” on all correspondent accounts held for foreign banks. It made dollar-clearing a surveillance chokepoint: any transaction touching the US financial system was now subject to monitoring.
It also added extraterritorial subpoena and forfeiture reach. If a foreign bank uses a US correspondent account, US authorities can subpoena records held abroad related to that account, and can freeze or take money sitting in that US account to enforce a seizure. This extended American surveillance standards globally, and made access to dollars conditional on cooperation. It also allowed for the override of local confidentiality or privacy rules. The result is a chilling effect: many foreign banks simply close accounts for whole customer groups or regions to avoid US penalties, even when those customers are legal where they live.
The Patriot Act hard-wired banks into intelligence investigations, and made the relationship permanent. For example, it introduce something called government “broadcast lookups”. This is where FinCEN can blast a query to thousands of financial institutions (like “do you have anything on X person/entity?” or “do you have anything matching these patterns?”) and banks must search their records quickly and report back.
It shifted the relationship from requiring passive reporting from banks to creating on-demand, system-wide queries, where banks have been deputized as active responders and participants.
Under the Patriot Act, FinCEN’s mission was also codified as financial intelligence. Congress tied it explicitly to collecting, analyzing, and disseminating financial data in support of law-enforcement and intelligence, giving the FinCEN a permanent mandate and making it a statutory intel hub.
The Patriot Act took a crisis, used the opportunity to create a mass surveillance program in the financial sector, and then rewrote the rules for how money is allowed to move, who gets to participate, and what the government can see. Then it quietly froze those rules in place until most people forgot there had ever been another way.
But we don’t have to accept this new normal, where every customer is now treated like a suspect, or where you have to beg for permission to access your own money and hope that the person holding on to it doesn’t instead file a secret report about you.
The financial sector was conscripted into the surveillance regime because it provided a loophole to avoid Fourth-Amendment protections. We should instead insist on real warrants, not outsource surveillance to private companies.
But if we can’t roll back what has become an ingrained surveillance overreach that we all take for granted these days, at least there are now decentralized payment systems that don’t opt in to traditional financial rails at all. These give people back human dignity, instead of egregious violation of their financial privacy.
I think that we also need to tell a better story about risk, because endless de-risking has become a license for collective punishment that shuts people out of the financial system entirely. Of course we don’t want to protect criminals – this is about restoring traditional check and balances, as well as basic civic norms, that used to be obvious: you should be able to use your own money without being tracked, profiled, and stored forever in a government database.
Yours in privacy,
Naomi
