Payment Law Advisor Legal Commentary and Resources for the Payment Industry

A “Bad Apples” Database for Banks? Not So Fast.

Posted in Regulatory and Compliance

Evil 8-Bit Cartoon AppleOverview

Should banks, while guarding against rolling episodes of misconduct by bankers, have the ability to blackball employees from the banking industry?  A “bad apples” database of bank employees who have acted improperly in prior jobs would help ferret out potential problem employees before they are hired and able to do more bad banking deals, argues Michael Held, General Counsel of the Federal Reserve Bank of New York, during a speech at Yale Law School, on March 8, 2017.

A banker-misconduct database might seem promising, but getting it right would be complicated.  In the spirit of responding to Mr. Held’s invitation for input, we address three dimensions of the proposal: (1) identifying existing potential mechanisms to accomplish the same protective purpose; (2) squaring the reports generated by a banker-misconduct database with the longstanding protections afforded in the federal Fair Credit Reporting Act (FCRA); and (3) practical consequences of fairly treating an employee when resolving disputes and addressing his or her rights under the common law.

First, bank regulators, including the Federal Reserve, long have held powers to discipline, including to permanently ban, an employee thus holding an individual accountable for misconduct or violations of law that pose significant safety-and-soundness threats to the bank.  Isn’t the solution to use existing enforcement mechanisms instead of creating a wholly new federal statutory framework?

Second, the proposed database may very well fit within the definition of a “consumer reporting agency” and the information to be provided within the definition of a “consumer record,” thereby triggering the protections of the FCRA.  So instead of working to encourage the liability-free exchange of information about problem employees between banks, the database could cause a new line of banking-related FCRA litigation and defeat the purpose of having such a database in the first place.

Third, the practical consequences of the contemplated database make the concept far less appealing.  Banks would have an incentive to over-report violations, even low-level policy violations, in order to protect themselves.  Employees would have little ability to “correct” errors, short of lengthy litigation.  And employee privacy rights will be essentially cast aside, in favor of protecting banks.

Though imaginative and potentially useful, Mr. Held’s “bad apples” database plan may have a slew of downsides that make it less appealing than already-existing enforcement tools to improve the culture of compliance in banks.

Outline of a Banker-Misconduct Database

A “rolling bad apple” is trouble for banks because the individual can, according to Mr. Held, move from bank to bank engaging in misconduct at every stop, thereby spoiling the barrel (i.e., causing problems for the bank, regulators and customers).  The solution proposed is to create a database to identify the problem employees—those who have exited a position under problem circumstances.  The database would be created under the authority of some form of legislation that will also provide protections/immunities to the banks, database and users from such common liabilities as defamation, invasion of privacy and the like.

In an article in the American Banker about the proposed database, a representative of the American Bankers’ Association is quoted as saying “The idea is a great idea”; in contrast, a law professor and former bank regulator notes:  “You can use the existing law [to crack down on recidivists].  And [the banking agencies have] failed to use the existing law, which is why they have the problem.”  The divergent perspectives on the proposal prompt a series of questions, including:  Would enacting a federal law to found a banker-misconduct database be a good idea or would a new legal apparatus be unnecessary because the Federal Reserve and other banking agencies (save the Consumer Financial Protection Bureau) already have authorities to curb or to prevent the “rolling bad apples” problem?  Just as importantly, what kind of relation would the new law bear to the FCRA?  Would Mr. Held have the new law override the FCRA’s protections and limits?

Mr. Held outlines the development of a banker-misconduct database in the context of raising solutions to improve the culture of compliance at banks.  In particular, Mr. Held sheds light on the typical practice a bank uses to barely comment on its former employee when another bank asks for a reference during the process of considering the individual’s employment application.  The prospective employer-bank needs information about the applicant, but the former-bank employer is not giving that up, for fear of liability if the application were to go awry.  Mr. Held describes an arrangement in which a prospective employer-bank could be made aware that an applicant has been associated with unlawful activity, or any violation of a former-bank employer’s policies, and thus can decline to hire that individual to avoid a “bad apple.”  Special legislation would be required to make this system work, which would create an arrangement along these lines: first, each participating bank would have a duty to report on its bad employees;  in exchange, the reporting bank would be protected by statutory immunity from civil suits for its reporting, including misreporting, exaggerating the underlying events, or even tortious conduct (i.e., defamation); and finally, upon inquiry, recruiting banks would receive detailed reports of the information “on file” about the prospective employee, ostensibly for the purpose of preventing the “bad apples” from becoming employed at a new bank.

Mr. Held provides a rational explanation for establishing a banker-misconduct database—to cure the ills from scant self-reporting.  Still, Mr. Held does not pause to consider that banks could self-regulate the way that most all other employers do.  What is it about the banking industry that’s so special as to warrant a federally-protected framework to house information, including potentially misleading information, about former employees?  Admittedly, banking institutions have been the object of key federal initiatives over several generations (e.g., systemic deposit-insurance and share-insurance schemes), and protecting the maturity-transformation function that is vitally performed by banks could warrant special measures.  Still, other types of financial institutions—particularly insurers or securities brokers and dealers—could also inflict harm to our financial system or to the buyers of their products and services if employees engage in unlawful practices or perform functions in violation of those institutions’ internal policies; should a proposal be cast more broadly to a “financial-institution misconduct database?”  If that path is not pursued and yet some form of banker-misconduct database might be “helpful” to limit spoilage of another bank’s organizational culture due to a rolling bad apple, could not the Federal Reserve (along with other banking agencies) take the first steps by creating a database of enforcement actions against institution-affiliated parties?

The Banking Agencies Have Experience Casting Out Bad Apples

Mr. Held’s concerns about the risk of rolling bad apples appear to track the type of risk posed by the FX trader who was the subject of an enforcement action settled in January 2017.  In that action, the Board of Governors of the Federal Reserve issued a consent order barring the trader from participating in the banking industry.  The bar was permanent.  See In Re Jason Katz, Nos. 17-001-E-1; 17-001-B-I (Jan 4, 2017).  Not in one tour, but in two tours, the FX trader (according to the facts stipulated in the Board’s order), engaged in bogus transactions (“non bona fide trades”) to disguise trading positions designed to manipulate the prices of certain FX pairs, and along the way the FX trader “disclos[ed] confidential customer information to competitor FX traders,” in violation of the policies maintained by each employer-bank.  Thus, the rot posed by this bad apple involved both unlawful conduct—e.g., felony price fixing in violation of 15 U.S.C. 1—and conduct prohibited by the bank’s internal policies, designed to promote the safe-and-sound operations of the bank.

The Financial Industry Regulatory Authority (FINRA) has also instituted BrokerCheck, a bad apples database, which tracks the disciplinary and employment history for over one million brokers.  Although the database is intended to safeguard retail investors from problematic brokers, it has recently garnered criticism for failing to provide meaningful information to investors in a useful format and publishing mere accusations and decades-old misdemeanors.[1]

On what basis could the Federal Reserve permanently ban an employee from further working in the business of banking?  From the full-throttle authorities granted to the banking agencies following the S&L crisis that, according to one publication, is estimated to cost taxpayers an amount north of $100 billion.   By enacting the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA), Congress and the President substantially strengthened the enforcement powers of the federal banking agencies under the Federal Deposit Insurance Act (FDI Act).  Among other measures, the provisions enacted in FIRREA empower each of the banking agencies to target an individual—the “institution-affiliated party”—that could lead a bank to engage in any unsafe or unsound practice.  The scope of the term “institution-affiliated party” appears to have been designed to empower a banking agency to sanction, among others, any officers or employees of the bank.[2]  If a banking agency that has the capacity for onsite supervision of a bank under the FIRREA can inspect the day-to-day operations of the bank, review its books and records, etc., and is empowered to hold an individual accountable for misconduct or violations of law that pose significant safety-and-soundness threats to the bank, then could not the same agency take steps to thwart bad apples from rolling on to another bank?  Might Mr. Held further consider steps the banking agencies themselves could take, by building on existing authorities under the FDI Act and other laws, to help a prospective employer-bank seeking valuable information about an individual applicant for employment?  Wouldn’t that be effective?

The Bankers-Misconduct Database and the FCRA

But wait, there’s more!  Unless the legislative framework Mr. Held envisions were to specifically override (i.e., create an exception to) the FCRA for the banking industry, the proposed database could be on a collision course with the FCRA and myriad of analogous state laws, which cover a broad spectrum of activities, including employment decisions.

The FCRA regulates a consumer reporting agency (CRA), a person that furnishes data to a CRA, and a user of a “consumer report.”  For starters, a report generated from a banker-misconduct database would appear to be a classic example of a consumer report, which is “any written, oral, or other communication of any information by a [CRA] bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility” for credit, insurance, or employment purposes.  If the banker-misconduct reports were to be generated by a CRA, then the persons furnishing data destined for the reports, as well as the users, would be subject to the requirements of the FCRA.

To escape the CRA designation, the banker-misconduct database might need to come within one of the employment-specific exceptions under the FCRA.  Specifically, Section 603(d)(2)(D) of the FCRA exempts from the definition of a “consumer report” any communication described in Section 603(o) or Section 603(y).  Section 603(o) exempts certain reports to a prospective employer for the purpose of procuring an employee for the employer or procuring an opportunity for a natural person to work for the employer when those reports are “made by a person who regularly performs such procurement.”[3]  In other words, it protects employment agencies who collect consumer reports from CRAs for use by prospective employers, on the theory that the employment agency is merely a conduit and the originating CRA maintains liability.  It is difficult to see how a database that was designed to be the original holder of the consumer information could also fit within the “employment agency” purpose of the exception.

Section 603(y) exempts communications made to an employer “in connection with an investigation of—(i) suspected misconduct relating to employment; or (ii) compliance with Federal, State, or local laws and regulations, the rules of a self-regulatory organization, or any preexisting written policies of the employer.”[4]  The banker-misconduct database would not appear to be designed for generating reports to assist a bank when investigating suspected misconduct by its existing employees.  Rather, the bad apples would be applicants.

Admittedly, the language of Section 603(y)(l)(B)(i) could be interpreted to apply in the context of a bank’s consideration of an application because that process relates to a type of “investigation” “relating to employment.”  But this interpretation seems shaky because other provisions describe the misconduct as relating to the “pre-existing written policies of the employer” (how would an applicant know about those policies?) and an “employee” (who typically is not also an applicant).  Moreover, in a letter ruling issued in September 2015, the FTC staff offers the view that the exclusion in Section 603(y) “cover[s] only investigations of current employees, rather than investigations of both current employees and job applicants.”[5]  In the letter, the FTC staff explains that “… the language of Section 603(y) itself contemplates an existing employer/employee relationship.  For example, the title of the section refers to employee investigations, rather than background screening of potential employees.  Similarly, subsection 603(y)(1)(B)(i) refers to ‘suspected misconduct relating to employment’ and subsection 603(y)(1)(B)(ii) refers to ‘preexisting written policies of the employer,’ both phrases that connote an existing employment relationship.”[6]

If bank regulators give weight to the analysis of the FTC staff, a report obtained from a banker-misconduct database would not be eligible for the  Section 603(y) exemption if used by a prospective employer-bank when conducting a pre-employment background check, rather than an investigation relating to an existing employee.  Moreover, it doesn’t appear that any of the “joint user” scenarios, such as a user’s provision of a consumer report to the user’s service provider,[7] are relevant.

That brings us back to the core of the FCRA:  the Federal Reserve or any other entity that compiles a database of information submitted by banks pertaining to acts of misconduct by individuals might very well fall under the definition of a CRA, which is “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.”  As such, the database operator would be obligated to use “reasonable procedures” to protect “the confidentiality, accuracy, relevancy, and proper utilization” of consumer credit information contained in consumer reports.  In turn, financial institutions that report employee misconduct (“furnishers” under the FCRA) and prospective employers (“users” under the statute), also would be bound by numerous compliance requirements.  As furnishers, financial institutions would need to ensure accuracy of information provided to the bad actor database and establish and maintain reasonable written policies and procedures implementing FCRA requirements. Financial institutions also would be obligated to investigate disputes that are submitted either directly or indirectly by consumers and, if appropriate, direct the CRA to correct or delete disputed information.  This seems incompatible with the regime contemplated by Mr. Held.

Further, a prospective employer would be required to notify a “bad apple” when taking adverse action (e.g., declining an employment offer) based on information in a report from the database.  In the event that a prospective employer decides to withdraw a job offer based on information in the report, it would have to provide the affected person with a copy of the report, a written description of the individual’s rights under the FCRA, and notice to dispute the accuracy or completeness of any information in a consumer report.  Again, Mr. Held may not have considered this outcome.

Last but not least, the consequences of FCRA violations can be substantial, and will likely have a chilling effect on the database. The FCRA provides for a private right of action and permits an individual claimant to recover actual damages, statutory damages, and (in some cases) punitive damages—plus, attorneys’ fees and costs.  So unless the enabling legislation were to usurp these established FCRA rights, an applicant deemed a “bad actor” could presumably have grounds for a civil lawsuit.

What Else Could Get Complicated?

Even if the FCRA does not spell the end of the banker-misconduct database, from an employment law perspective, the idea appears to be perilous.  Consider the following:

  • No threshold of seriousness. Held mentions “not only violations of law, but also bank policies that govern their behavior” that would go into the database.  By that account, there would be no clear standard regarding the level or type of the transgression that would be required to be reported to the database.  A database intended to target conduct relating to high-level fraudulent activity could trigger reporting on minor items, such as mishaps by low-level bank tellers, who could find themselves fenced out from other banking jobs because they were fired for violations of bank operating procedures.
  • No easy feat to “correct” errors in reported transgressions. How could errors get corrected?  Held cites dual options to pursue redress of errors (i.e., abuse by banks) reported to the database: either a low-cost and fast-track ombudsman hearing or “full judicial review” in federal court.  How will an ombudsman be able to decide what really happened—i.e., whether the information provided by the former bank is accurate or not—in a fast-track system?  Without detailed and extensive testimony and documentary evidence, a classic “he-said-she-said” dynamic would set in, and then what does the ombudsman do?  This would lead to longer, more expensive and delayed adjudication in court.  Meanwhile, an individual can’t work in the banking field, and can’t earn a living.  So the prospect of clearing one’s name through the ombudsman and/or court will be a hollow victory without the ability to be made whole financially.
  • Right to privacy breached. Employers essentially would be disclosing private facts about an employee to the database, to be later released to any other bank that later acts on the employee’s employment application.  Will the banker-misconduct database legislation trump state law privacy rights?  If not, the initial act of disclosing the information could trigger liability for breach of privacy rights.

Mr. Held is surely right to emphasize the importance of a culture of compliance among banks and bank employees.  But the specific mechanism he proposes seems to have many downsides.  This is especially so where one well-established statutory scheme already provides the needed regulatory authority, while another would have to be overridden.


[1] Craig McCann, Chuan Qin, and Mike Yan, “How Widespread and Predictable is Stock Broker Misconduct?” Securities Litigation & Consulting Group, April 26, 2016; Danny Sarch, “Why Finra needs to fix BrokerCheck now”, June 3, 2016. available at: (last visited May 16, 2017).

[2] 12 U.S.C. §§ 1813(u), 1818(e)

[4] 15 U.S.C. § 1681a(y).

[5] Letter from staff of the FTC, 2015 WL 7873873, at *2 (Sept. 8, 2015) (emphasis added).

[6] Id.

[7] See, e.g., FTC Staff Report, “40 Years of Experience with the Fair Credit Reporting Act, at 31, available at