Skip to main content Accessibility help

We use cookies to distinguish you from other users and to provide you with a better experience on our websites. Close this message to accept cookies or find out how to manage your cookie settings.

Close cookie message
×
Hostname: page-component-77c89778f8-cnmwb Total loading time: 0 Render date: 2024-07-23T04:37:49.393Z Has data issue: false hasContentIssue false

1 - A Conceptual Overview of Bank Secrecy

from Part I - Bank Secrecy in Context

Published online by Cambridge University Press:  08 May 2017

By
Dora Neo
Edited by
Sandra Booysen  and
Dora Neo
Sandra Booysen
Affiliation:
National University of Singapore
Dora Neo
Affiliation:
National University of Singapore
Type
Chapter
Information
Can Banks Still Keep a Secret?
Bank Secrecy in Financial Centres Around the World
 , pp. 3 - 30
Publisher: Cambridge University Press
Print publication year: 2017

1.1 Introduction

Banks in many countries have a legal obligation not to disclose customer information, referred to as ‘bank secrecy’ or ‘bank confidentiality’. This traditionally means that banks cannot reveal the state of a customer's account or information that they come to know in the course of a customer's banking relationship with them. However, bank secrecy is generally not an absolute obligation, and banks are allowed to reveal customer information in specific circumstances. The most common examples of exceptions to the duty of secrecy would be where there is customer consent, or where the law requires disclosure. Another example is where a bank is suing its customer. These exceptions have grown more prominent as banks have come under intense international pressure to reveal customer information in the fight against money laundering and terrorist financing, and to combat cross border tax evasion, as discussed in Chapters 4 and 5. The banking system is an indispensable, if generally unwitting, partner in the process of turning the proceeds of crime into ‘clean’ money, and in facilitating the financial support of terrorism. Offshore bank accounts provide safe havens for funds to be hidden from domestic tax authorities. Banks possess valuable information about their customers and their customers' transactions that could lead to the prevention of crime and terrorism, the recovery of unpaid taxes and the apprehension of wrongdoers. These developments have resulted in banks being faced with positive duties to disclose information about their customers in a growing number of situations. These situations tend to be subsumed under the general umbrella of bank secrecy law, and tend to be discussed as exceptions to the bank's duty of secrecy. However, we should recognise that there is a second contrasting and equally compelling aspect of bank secrecy law which emphasises disclosure rather than secrecy, under which banks have a mandatory obligation to provide customer information to government authorities. These situations, in addition to just being classified as exceptions to the duty of secrecy, should appropriately have a separate label that emphasises that the bank has a duty of disclosure.

This chapter examines conceptual aspects of a bank's duty of secrecy to its customer, of the exceptions to that duty and of the bank's obligation of mandatory disclosure of customer information. It analyses the bank's duties in the context of protection of privacy on the one hand and mandatory state regulation on the other, and suggest this as an appropriate conceptual framework for understanding the law of bank secrecy. This analysis will necessarily be general, with examples given where appropriate. Analyses of the substantive legal rules are provided by the eight jurisdictional chapters in this book (covering China, Germany, Hong Kong, Japan, Singapore, Switzerland, the United Kingdom and the United States), which examine the law of bank secrecy in each relevant jurisdiction. This chapter draws upon these substantive principles of bank secrecy law that apply in these eight jurisdictions to support and illustrate its conceptual analysis. These are just examples, and the observations and conclusions in this chapter are meant to apply more generally, and are not confined to the eight jurisdictions.

1.2 Bank's Duty Not to Reveal Customer Information

1.2.1 ‘Secrecy’ versus ‘Confidentiality’

The focus of the law of ‘bank secrecy’ or ‘bank confidentiality’ is on a bank's duty not to reveal its customers' information. Exactly who is considered to be a customer or what type of information is protected by the bank's duty of secrecy will vary in different jurisdictions. In the most straightforward sense, a customer is someone who has an account with the bank, and customer information is information about the customer's account. But questions might arise whether one might be regarded as a customer before the account has been opened or after it has been closed, and whether customer information may extend beyond account deposit information to information that comes to the bank's knowledge in its capacity as banker. Further, the obligation not to reveal information may extend, in some jurisdictions, beyond banks properly so called to cover also other types of financial institutions. These refinements of local law should be borne in mind when the terms ‘bank’ or ‘customer’ are used. The term ‘financial information’ will be used here generally as a convenient reference to information that is protected by the bank's obligation of secrecy in a particular jurisdiction.

For current purposes, the point to be emphasised is that the label attached to the duty, whether it is ‘bank secrecy’ or ‘bank confidentiality’, may not necessarily reflect the relative level of strictness of the bank's substantive duty not to reveal customer financial information.Footnote 1 These terms may be used interchangeably in some jurisdictions, while other jurisdictions may more commonly use one term rather than the other, probably as a matter of convention.Footnote 2 Although some may feel impressionistically that secrecy denotes a higher duty than confidentiality, this is not necessarily the case, as illustrated by the substantive chapters in this book. Indeed, the two words have the same meaning in the English language,Footnote 3 and it is unfortunate that the term ‘bank secrecy’ has acquired a negative association with illicit activity, particularly international tax evasion. The strictness of the bank's duty is in fact determined by the extent of the exceptions to the duty and the sanctions for its breach, and not by any difference in the terminology used. Further, foreign words that are used in various countries to refer to a bank's duty not to reveal customer information may themselves be nuanced, but if that is the case, they may not be susceptible to exact translation into English. It would be unproductive to investigate whether the label ‘secrecy’ or ‘confidentiality’ should be used in translation when the two words bear the same essential meaning. Ultimately, as the jurisdictional chapters in this book show, a bank's duty not to reveal customer information is not absolute, and countries that use either or both of these labels allow for exceptions to the bank's duty.

As mentioned, the terms ‘bank secrecy’ and ‘bank confidentiality’ are also conventionally used to encompass the bank's legal obligation to disclose customer information to the authorities in specific circumstances. This aspect of the bank's duty will be discussed later in this chapter. It may be observed that the use of the terms ‘bank secrecy’ or ‘bank confidentiality’ in this context is not only inaccurate, but also misleading, as what is in fact required is the opposite: ‘bank disclosure’. Nevertheless, such wide usage of the two terms is well entrenched, and this chapter generally adopts it.

For consistency, the term, ‘bank secrecy’, will be usedFootnote 4 to include an interchangeable reference to ‘bank confidentiality’. This term will be used to refer to the bank's holistic obligations in relation to customer information, i.e. encompassing both the bank's traditional duty of secrecy/confidentiality as well as its growing duty of disclosure, or one or the other of these duties as the context requires. Where particular specificity is desired, this chapter refers either to the bank's duty not to reveal information (or to its duty of secrecy) on the one hand, or to its duty to disclose information on the other.

1.2.2 Conceptual Basis of Bank's Duty of Secrecy

1.2.2.1 Privacy and Confidentiality

The effect of the bank's duty not to reveal customer financial information is that the customer's privacy is protected. But is privacy protection the object of the imposition of this duty?

The Oxford English Dictionary defines privacy as ‘the state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; seclusion; freedom from interference or intrusion’.Footnote 5 The Cambridge Dictionary Online defines it as ‘someone's right to keep their personal matters and relationships secret’.Footnote 6 Simple as the process of definition may seem to a layperson from a linguistic point of view, privacy is an amorphous concept which scholars have found difficult to define with precision. One legally oriented conception of privacy that is relevant to the present discussion is that it is the ‘claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.’Footnote 7 Another sees it in terms of the extent to which an individual has control over information about himself or herself.Footnote 8 Both of these examples have been critiqued,Footnote 9 underlining the difficulty in defining privacy with exactness or comprehensiveness.Footnote 10 Another viewFootnote 11 sees privacy as ‘a state of voluntary physical, psychological and informational inaccessibility to others to which the individual may have a right and privacy is lost and the right infringed when without his consent others “obtain information about [the] individual, pay attention to him, or gain access to him”’.Footnote 12

I suggest that privacy is something that is desired by human beings generally, and this would apply also to organisations, although in the latter case such desirability is likely to be usually for economic reasons alone. Even the most open person or organisation will have some matters that he, she or it would prefer not to share with others. Scholarly arguments have been made that privacy serves some important functions; for instance, it engenders personal autonomy (avoidance of ‘manipulation or domination by others’); allows emotional release (removal of one's ‘social mask’); facilitates self-evaluation and offers an environment where an individual can ‘share confidences and intimacies’ and ‘engage in limited and protected communication’.Footnote 13 Privacy is often spoken of as a right. This could be meant in various senses, for instance, as a constitutional right, a legal right, a human right, an ethical right or a moral right. An examination of the philosophical foundations of privacy is beyond the scope of this chapter, and I will approach the discussion from the point of view that, apart from the language of rights, privacy is at least a desired value or a desired state.

Closely related to the concept of privacy is the concept of confidentiality. Confidentiality overlaps with privacy but is not identical to it. Both are based on the individual living in a community, but privacy rights are more fundamental in that they precede the obligations of confidentiality. PattendenFootnote 14 explains it in this way: privacy rights require at least two people in a community, whereas confidentiality rights require at least three. Where A, B and C live in a community, confidentiality is achieved where A and B keep something from C, whereas privacy is attained where A is able to keep something from B and C. Confidentiality would require trust between individuals whereas privacy does not. ‘Confidentiality requires some privacy, privacy requires no confidentiality.’Footnote 15 Therefore, confidentiality is less all-encompassing and is narrower than privacy protection. Broadly speaking, a duty of confidentiality could be seen to be an obligation on a person (such as a bank) not to reveal facts that are told to him or that he comes to know about by virtue of his confidential relationship with another person (such as a customer). Because of its more circumscribed ambit, and the values of privacy and trust related to it, courts and legislatures have been more willing to protect confidential relationships than to protect privacy rights in a more general way. This point will be illustrated later in this chapter.

1.2.2.2 Legal Basis of the Bank's Duty of Secrecy and Relevance to the Concepts of Privacy and Confidentiality

This section explores the legal basis of the bank's duty of secrecy with a view to establishing a link to privacy protection or otherwise.

Private Law

It would appear that a bank's duty not to disclose customer information is a generally applicable private law obligation. All eight jurisdictions covered in this book provide examples of banks' private law duties of secrecy, even if sometimes in limited circumstances, as in the case of China. There may, in some countries, additionally be a public law duty of secrecy that applies to banks. This section focuses on the bank's duty of secrecy in private law, leaving public law duties to be examined later. A breach of a private law duty attracts only civil remedies, for example damages or an injunction. The bank will be liable to its customer, but it will not be subject to penal or regulatory sanctions.

Contract

Contract law is the most important source for the bank's duties of secrecy in private law. Where there is an express term in the contract between a bank and its customer requiring the bank not to reveal customer information,Footnote 16 this is clearly motivated by the parties' concern with privacy protection, particularly on the part of the customer. Where the contract is silent about the bank's duty of secrecy, this duty is implied in many countries.Footnote 17 Although the implied contractual duty approach is used in both common law and civil law countries, the common law analysis seems to be more developed and consistently applied across different common law jurisdictions, and will therefore be used to illustrate the connection with the concept of privacy.

The implied term approach in common law countries was first adopted in the influential UK case of Tournier v. National Provincial and Union Bank of England,Footnote 18 which today continues to be the basis for the bank's duty of secrecy not just in the United Kingdom but also in other common law countries such as Hong Kong, Australia and Canada.Footnote 19 It was also accepted by the Singapore courts before the Court of Appeal declared it to be supplanted by the statutory provision for bank secrecy in section 47 of Singapore's Banking Act.Footnote 20 In the United States, a similar implied term approach was adopted by Peterson v. Idaho First National BankFootnote 21 before it became overshadowed by the Right to Financial Privacy Act (1978) (RFPA),Footnote 22 which will be discussed later. When implying terms into a contract, common law courts are trying to give effect to the unexpressed intentions of the parties. The principles used in the process of implying terms are relevant to our conceptual analysis. The precise requirements (or at least the articulation of these requirements) that courts apply for the implication of contractual terms may vary in different countries. In Tournier, the court applied the principles that were established in the leading English case on implied terms at that time, In re Comptoir Commercial Anversois and Power.Footnote 23 Although other newer cases are now more commonly used as standard authorities for the implied term approach in the United Kingdom, In re Comptoir Commercial Anversois and Power provides useful general guidance. There, the court was of the view that a term should not be implied merely because it would be a reasonable term to include if the parties had thought about the matter, but that it must be such a necessary term that both parties must have intended that it should be a term of the contract, and have only not expressed it because its necessity was so obvious that it was taken for granted.Footnote 24 In Tournier, Scrutton LJ referred to this principle and stated:

Applying this principle to such knowledge of life as a judge is allowed to have, I have no doubt that it is an implied term of a banker's contract with his customer that the banker shall not disclose the account, or transactions relating thereto, of his customer except in certain circumstances.Footnote 25

While it might seem that a customer would typically be more concerned about secrecy than the bank, it must be emphasised that an implied term is one which a court considers that both parties would necessarily have agreed upon. A finding of an implied duty of secrecy shows the importance that the court thinks both the customer and the bank must have ascribed to secrecy. In Tournier, Atkin LJ specifically stated that he was ‘satisfied that if [the bank] had been asked whether they were under an obligation as to secrecy by a prospective customer, without hesitation they would say yes’.Footnote 26

However, neither Scrutton nor Atkin LJJ elaborated specifically upon why it was seen as necessary to imply a term of secrecy in Tournier.Footnote 27 This is probably because, like the implied contractual term approach, the underlying conceptual basis of the bank's implied duty of secrecy was so obvious to them that they had taken it for granted. Although the word ‘privacy’ was never mentioned in Tournier, it seems clear, from the discussion of the implied term analysis above, that protection of the customer's privacy was precisely the unspoken conceptual basis of the bank's implied duty of secrecy.Footnote 28 Based on this analysis, the finding that the bank had an implied contractual duty of secrecy meant that the court found that both the bank and the customer must have intended that the bank should not reveal customer information, at least without the customer's consent or in the absence of other specific circumstances. Such concern with maintaining secrecy must obviously be linked with the desirability of privacy protection (whether as a primary or ancillary aim) to the parties.

Tort

Another potential source of the bank's duty of secrecy in private law is the law of tort. In Switzerland, for instance, Art. 28 of the Swiss Civil Code protects the privacy rights of any natural or legal person, and this has been recognised by the Swiss Supreme Court to include information relating to financial affairs.Footnote 29 An intrusion into these rights would also attract tortious liability under Art. 41 of the Swiss Code of Obligations.Footnote 30 A few other chapters of this book also mention tort law,Footnote 31 sometimes in a tentative mannerFootnote 32 or as a matter of tangential relevance where the duties imposed are not specifically focused on bank secrecy.Footnote 33 Tort law imposes a duty on a person to respect certain interests of other persons, which does not depend on the existence of a contractual relationship. The interests protected by tort law have traditionally included, for example, bodily integrity (protected by the torts of assault and battery) and the interest in one's reputation (protected by the tort defamation). Another example of interests protected under tort law would be those arising under certain statutes: where a statute imposes a duty on someone to do something, breach of this duty may sometimes be actionable as the tort of breach of statutory duty.Footnote 34 While a bank's disclosure of customer information could amount to the commission of the tort of defamation or the tort of breach of statutory duty (assuming that the requisite elements of the relevant tort are made out), these torts generally have limited or no connection with bank secrecy, and are not helpful to our conceptual analysis. We have seen that tort law in Switzerland protects the customer's privacy. Modern tort law in some common law countries has expanded also to include the protection of privacy, although this may not always be relevant to bank secrecy. For example, many US states recognise the tort of invasion of privacy, which encompasses the public disclosure of private facts.Footnote 35 Under this tort, the disclosure of customer information by a bank would not be a breach of its tortious duty if the information is not given publicity by being communicated to the public at large, but is told to one person or a small group of persons.Footnote 36 A contrasting example to the United States is provided by the United Kingdom, where the tort of invasion of privacy is not generally recognised, and privacy is protected largely by the law of confidence, which is examined later.Footnote 37 Naturally, where it is easier to bring an action for breach of contract, the parties would prefer that to bringing a tort action.

Duty of Confidence

Another possible legal basis for the bank secrecy obligation in common law countries is the duty of confidence.Footnote 38 Both CranstonFootnote 39 and EllingerFootnote 40 have noted that the banker–customer relationship is one of agency, which is a relationship of confidence that creates an obligation of secrecy.Footnote 41 This basis for bank secrecy has not been fully explored as the contractual approach is so dominant. Even where the contract does not provide for an express duty of bank secrecy, the bank's implied contractual duty of secrecy is well-established, and there is little need for an aggrieved customer to look beyond the law of contract. Nevertheless, a breach of confidence action has the advantage of being available where there is an absence of a contractual relationship. This might be useful, for example, where a potential customer does not proceed to enter into a contract with the bank.

The law of confidence imposes a duty to treat information as confidential. This duty of confidence arises from a relationship of confidence, where one party to the relationship is regarded as being legally bound to keep certain information about the other person confidential. The presence of an express or implied term of a contract is one of the ways of establishing a duty of confidence,Footnote 42 in the sense that one person cannot reveal information about another, and this has been discussed earlier. The duty of confidence could also arise from an equitable obligation where the circumstances import an obligation of confidentiality. It is in this context that the law of confidence is usually referred to, e.g. in connection with intellectual property law. The UK case of Coco v. AN Clark (Engineers) LtdFootnote 43 provides an example of a typical fact situation that arises in such cases: Coco was developing a moped (motor-assisted cycle) and provided information to Clark in the course of negotiations to develop the moped. Clark decided not to proceed with the deal with Coco, and instead developed its own moped, allegedly using some of Coco's designs. The court in that case decided that three elements were necessary to establish a claim for breach of confidence: (i) the information to be protected had to have the necessary quality of confidence; (ii) the information was imparted in circumstances importing an obligation of confidence and (iii) there was an unauthorised use of the information by the defendant to the detriment of the party who originally communicated it. Therefore, if a reasonable person in the shoes of the recipient of the confidential information would have known that the information was confidential and imparted to him in confidence, there would be an implied equitable duty of confidentiality. In the House of Lords' judgement in AG v. Observer Ltd, Lord Goff stated: ‘a duty of confidence arises when confidential information comes to the knowledge of a person (the confidante) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.’Footnote 44 A second form of the action of breach of confidence has developed in the UK courts. In Campbell v. MGN, Lord Hoffmann stated that the second form of the action protects against misuse of information based on individual autonomy and dignity and the right to control the dissemination of information about one's private life, rather than the duty of good faith.Footnote 45 In the case, a newspaper published a story about the drug addiction of Naomi Campbell, a model, and included photos of her leaving the Narcotics Anonymous meeting. A majority of 3:2 in the House of Lords found in favour of Campbell. The court was of the view that a duty of confidentiality would exist when the facts gave rise to ‘a reasonable expectation of privacy’,Footnote 46 i.e. when a person knows or ought to know that the other can reasonably expect their privacy to be protected. In Douglas v. Hello! Ltd, Lord Nicholls stated, obiter, that the developed action of breach of confidence covered ‘two distinct causes of action, protecting two different interests: privacy and secret (confidential) information’, and was of the view that these two should be kept distinct and that information could qualify for protection on the grounds of privacy, confidentiality or both.Footnote 47 The English Court of Appeal has confirmed that later form of the action, misuse of private information, which protects a person's privacy and is available in the absence of an initial relationship of confidence, should be classified a tort and not an equitable wrong.Footnote 48

On facts similar to those in Tournier, it would seem that the law of confidence overlaps with the law of contract. The widespread acceptance of the contractual analysis in this situation usually makes it unnecessary for the equitable analysis to be explored. But if the latter analysis was attempted, one could argue that the bank would owe the customer a duty of secrecy under the law of confidence, even in the absence of contract. The three principles stated in cases like Coco v. AN Clark (Engineers) LtdFootnote 49 are capable of applying, with any necessary modification, to the bank–customer situation, although the confidential information concerned might not actually need to be imparted to the bank, as much of the information concerned, for example the customer's transactions or his account balance, would already be within its knowledge as a result of the banking services provided. It is hard to say whether it may be possible also for the customer to have a claim against the bank based on the second form of the action for breach of confidence, i.e. misuse of private information, as this area of the law is still developing.

Privacy, Confidentiality and the Private Law Bases of Bank Secrecy

The earlier discussion of the legal basis of the bank's duty of secrecy, particularly contract law and the law of confidence, sheds some light on the conceptual aspects of this duty. The underlying conceptual basis of privacy protection has been discussed earlier. The significance of the relationship of confidence between the bank and its customer as a factor leading to the imposition of the duty has also been discussed, in relation to the duty of confidence that might arise concurrently or independently with the contractual liability.

Cranston suggests that the decision in Tournier is based on the general principles governing breach of confidence.Footnote 50 This suggestion is not inconsistent with the contractual analysis seen in Tournier. Indeed, in Tournier, both Bankes and Scrutton LJJ referred to the confidentiality that existed in the relationship between the customer and the bank.Footnote 51 It might seem circular to say that the confidentiality of the bank–customer relationship led to implied contractual duties of confidentiality.Footnote 52 The connection between the nature of the relationship and the imposition of the duty would be clearer if we put this in another way. We could say that the close relationship of trust between the bank and its customer makes it obvious that it is necessary to imply a contractual term that the bank would not reveal information about its customer's financial affairs. In other words, the reason why courts see it as necessary to imply a term of bank secrecy is not just to protect the customer's privacy, but also to give effect to the expectations arising from the close relationship between bank and its customer. One of the factors that is relevant in the law of confidence is the nature of the information – that it must have the quality of confidence. This consideration is probably also applicable when the court considers the need to imply a term – that financial information is something that the customer would want to keep private. However, this is not vital: in some jurisdictions, it is not just the customer's account information that is protected, but also any information that has come to the bank's knowledge in the course of providing banking services to the customer.

A rough parallel can be drawn between the bank–customer relationship and professional relationships, such as lawyer–client and doctor–patient relationships, which have been long-accepted to impose duties of confidentiality.Footnote 53 In the nineteenth-century English case of Taylor v. Blackburn, Gaselee J stated that ‘the first duty of an attorney is to keep the secrets of his client. Authority is not wanted to establish that proposition.’Footnote 54 The duty of secrecy may also be part of the ethical code of professionals. The medical profession, for instance, is bound by the Hippocratic Oath, which includes the statement: ‘I will respect the secrets which are confided in me, even after the patient has died.’Footnote 55 However, as Bankes LJ cautioned in Tournier,

[T]he privilege of non-disclosure to which a client or a customer is entitled may vary according to the exact nature of the relationship between the client or the customer and the person on whom the duty rests. It need not be the same in the case of the counsel, the solicitor, the doctor, and the banker, though the underlying principle may be the same.Footnote 56

While privacy is clearly the interest that is being protected by the bank's duty of secrecy, a key factor for such protection is the relationship of confidence between the bank and its customer. In the absence of a relationship of confidence, a contractual term of bank secrecy might not have been implied by the courts in various countries, and the law of confidence would not be applicable. Strangers are not bound to keep each other's secrets. Neither are contractual parties, in the absence of a special relationship of confidence or a contractual obligation to do so. A person who happens to catch sight of somebody else's account balance at an ATM is not required by law to keep this information to himself, and a car wash contractor who sees a bank account statement on the dashboard of a car that he is cleaning is unlikely to be bound to do so either.

The connection between confidentiality and the protection of privacy can be drawn by reference to the law of confidence, which serves to protect an individual's privacy in the specific context in which it operates. Gurry draws the connection between the action for breach of confidence and protection of the confider's privacy in this way: ‘[If] the confidential information is personal to the confider, the [legal] action for breach of confidence allows him the right to ensure that a confidante does not disseminate the information to others thereby granting greater access over the confider to others and causing a loss to the confider's state of privacy.’Footnote 57 One could say that the concept of privacy underlies the obligation of bank secrecy, which is based on a confidential relationship created, inter alia, by contract.

Statute Providing Specifically for Private Law Duties of Bank Secrecy

The RFPA in the United States imposes limits on the power of the federal government to obtain customer financial records.Footnote 58 A bank that violates the RFPA may be subject to civil liability, including actual damages, punitive damages if the violation is wilful or intentional, and attorneys' fees.Footnote 59 It is notable for the current discussion that this is a statute which provides specifically for private law duties of bank secrecy, and that its name states unequivocally its concern with privacy protection. The RFPA and its relationship with the protection of customer privacy must be understood in context. Unlike the bank's contractual obligation of secrecy which applies generally, this statute is directed at disclosures made to the US government. This is because the RFPA was enacted in 1978 in response to the US Bank Secrecy Act of 1970,Footnote 60 which contrary to its name, required US financial institutions to report customer information to the government in certain circumstances. The RFPA was therefore needed as a counterbalance to this erosion of the customer's privacy.

Criminal Law

The stakes are high when the bank's duty of secrecy is governed by a penal provision, as breach of the duty would render the bank liable to criminal sanctions such as a fine and/or imprisonment rather than just a private law action such as one for breach of contract. This criminal law duty might be over and above any of the private law duties discussed earlier. The motives for the imposition of criminal liability for a breach of the bank's duty of secrecy in any particular jurisdiction may or may not be directly linked to the protection of privacy. Of the eight countries covered in this book, a duty of bank secrecy is imposed by the criminal law only in Singapore and Switzerland. In Switzerland, the penal law requirement for bank secrecy is found in Art. 47 of the Swiss Banking Act, while in Singapore, this is coincidentally found in section 47 of the Singapore Banking Act. It should be noted that in both these countries, the statutory provisions did not introduce the duty of bank secrecy, which already existed under private law.Footnote 61

It is commonly believed that the criminal provision for Swiss bank secrecy, first implemented in 1934, was aimed to protect the interests and information of German citizens of Jewish origin, who were foreigners in Switzerland, from confiscation by the Nazi government in Germany, who attempted to gain control of these assets.Footnote 62 Two other reasons have been suggested.Footnote 63 One is that the Swiss bank secrecy provision was the result of pressure from French clients of Swiss banks after the names of some prominent French clients were found by the French police, and the French government made demands on the Swiss authorities in relation to tax evasion. The other is that increased government supervision on Swiss banks after a spate of bankruptcies in the 1930s led to Swiss banks, which had previously been subject only to light regulation, asking for a statutory guarantee of bank secrecy in exchange. These historical reasons do not specifically emphasise privacy rights, but the desirability of privacy in these situations must have been an important underlying consideration. In Chapter 11, Nobel and Braendli state that the Swiss Federal Court had always been of the opinion that bank secrecy was not a basic, constitutional, legal principle, but was merely a legal norm that may have to be withdrawn in the face of conflicting interests.Footnote 64

In Singapore, there was no explanation for the inclusion of a bank secrecy provision when Singapore promulgated its first banking law statute in 1970 following its independence from Malaysia. This prohibited bank officers from disclosing customer account information to a non-resident person.Footnote 65 In 1983, the 1970 secrecy provision was amended to prevent disclosure to both residents and non-residents.Footnote 66 At the same time, this, as well as amendments in 1984,Footnote 67 expanded and refined the situations in which the bank's duty of secrecy in section 47 did not apply. Section 47 was repealed and re-enacted in 2001, with a long list of exceptions found in Schedule 3 of the Banking Act.Footnote 68 The parliamentary debates provide some insight into the thinking of the authorities. In the 1983 debate, a Member of Parliament raised the question of enhancing the competitiveness of the country's banking sector and supporting its growth as a financial centre as counterpoints in the parliamentary debate on the introduction of provisions that would allow banks to disclose customer information in more situations.Footnote 69 This question seemed to have stemmed from the Member's assumption that weaker bank secrecy would weaken competitiveness. In the 2001 debate, the then-Deputy Prime Minister stated that high standards of bank secrecy were a way to maintain customer confidence in the banking system.Footnote 70 However, he was speaking not in the context of justifying the existence of a duty of secrecy, but to push forward amendments that would provide greater exceptions to the bank's duty of secrecy, so too much should not be made of his statement. Given that these statements supporting a strict duty were made in the context of an amendment to expand the exceptions to the duty, perhaps the point to be taken is the importance of balancing the interests of secrecy with those of disclosure where appropriate. Privacy protection was not mentioned in any of the parliamentary debates, and it would appear that the aims for criminalising bank secrecy in Singapore were pragmatic.Footnote 71

Even where the imposition of criminal liability for a breach of the bank's duty of secrecy may not be directly motivated by privacy protection, it is likely that this would at least be a relevant underlying consideration. Taking the example of Singapore, it would appear that the criminal law duty of bank secrecy was imposed for the economic reason of promoting competitiveness and building customer confidence in Singapore's financial system. That strong bank secrecy laws would promote such aims must be because of the value that bank customers would place on their privacy when selecting a jurisdiction in which to conduct their financial affairs.

Financial Sector Regulation and Voluntary Codes

Banks may be affected by general regulatory provisions in the financial industry that are not specifically directed at bank secrecy, but are relevant to it. An example from the United Kingdom is the power of the Financial Conduct Authority to regulate banks according to certain general principles under the Financial Services and Markets Act 2000, for instance to conduct business with integrity (Principle 1)Footnote 72 and with due skill, care and diligence (Principle 2),Footnote 73 and to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. If third parties obtain access to customer information because of a security breach, this might render the bank liable to an enforcement action under which a penalty is payable.Footnote 74

An obligation to preserve customer confidentiality may also be imposed by voluntary codes of conduct adopted by the banking industry. One example is the Lending Code in the United Kingdom which states not only that personal information will be treated as private and confidential, but also that secure and reliable banking systems will be provided.Footnote 75 Another is the Association of Banks in Singapore's Code of Consumer Banking Practice (2009) which states that banks will obey their duty of secrecy required by the Banking Act.Footnote 76

In these instances, the aim of the regulation or code would generally be to maintain the general stability of the financial system and to ensure high standards of service and ethical conduct. The bank's duty regarding the secrecy of customer information and records is one of the features that supports these aims.

1.3 Exceptions to Bank's Duty of Secrecy – Conceptual Aspects

The bank's duty of secrecy is not absolute, but is subject to exceptions. Many examples of these exceptions can be found in the jurisdictional chapters of this book. Situations where the bank is permitted to disclose customer information, discussed in this section, must be distinguished from those in which the bank is required to disclose customer information, which is discussed in the next section. There is usually an overlap between the two situations, because a situation where a bank is required to disclose customer information would also usually be a situation where such disclosure would be permitted as an exception to the bank's duty of secrecy. However, situations where the bank is required to disclose customer information impose a positive duty of disclosure on the bank that is not present where the bank is merely excused from its duty of secrecy.

Allowing exceptions to the bank's duty of secrecy is in keeping with the nature of the concept of privacy, and therefore also of the related concept of confidentiality. Privacy is not an absolute concept, and ‘its protection must always be sought against conflicting values or interests.’Footnote 77 Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms provides:

Right to respect for private and family life

  1. 1. Everyone has the right to respect for his private and family life, his home and his correspondence.

  2. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others.Footnote 78

The precise details of this provision are more applicable to the discussion in the next section relating to the bank's mandatory duty of disclosure. For now, it should be noted that even under the European Convention, which acknowledges the human right to privacy, exceptions to this right are provided. It would follow that it is perfectly consistent conceptually to have exceptions to the bank's duty of secrecy, even where privacy is being protected in the sense of being a desirable value falling short of a legally protected right.

Two exceptions to the bank's duty of secrecy are common across various countries. The first is where disclosure is made with the consent of the customer. This exception underlines the fact that the customer can always waive his right to secrecy.Footnote 79 The second is where disclosure is made under compulsion of law. The latter exception is particularly relevant in the implied term situation, where it is assumed that the parties could not have intended the bank to contravene the law in seeking to adhere to its contractual obligations. The applicability of these two broad exceptions means that the implied term approach remains conceptually intact despite the onslaught of pressures leading to the so-called erosion of the bank's duty of secrecy, because the implied term of secrecy is envisaged to be only as strict as the parties intend it to be, and the law allows it to be.

Other examples of exceptions to the bank's duty of secrecy are provided by Schedule 3 of the Singapore Banking Act, which lists a total of more than twenty specific situations where disclosure of customer information is allowed, subject to the conditions set out in the schedule.Footnote 80 The exceptions deal with a wide range of situations, including the commonly occurring exceptions mentioned earlier, namely where the written consent of the customer has been obtained, or law enforcement situations such as where disclosure is in compliance with an order to furnish information for investigating an offence. There are also exceptions to facilitate the operational requirements of the bank. For example, disclosure is permissible in connection with an internal audit of the bank and for the outsourcing of its operations. Disclosure is also permitted to facilitate the workings of features of the financial system, for example the collation of information by the credit bureau.Footnote 81 These operationally inclined exceptions are more extensive than those allowed under common law. From a conceptual point of view, these exceptions promote the efficient functioning of the bank and the financial system, and are consistent with the pragmatic aims of the Singapore bank secrecy provision.

1.4 Conceptual Aspects of the Bank's Duty of Mandatory Disclosure

In certain situations, the law imposes a mandatory duty on the bank to disclose customer information. Three prominent examples are where disclosure is required in relation to anti-money laundering (AML), countering the financing of terrorism (CFT) and combatting international tax evasion. These matters are discussed in detail in Chapters 4 and 5, and are also touched upon in the jurisdictional chapters of this book. Where mandatory disclosure coincides with an exception to the bank's duty of secrecy, the analysis in the previous section will apply. Ultimately, the existence of exceptions to the bank's duty of secrecy is consistent with the non-absolute nature of the concept of privacy. In this section, an additional aspect of the situation is considered, and that is the active interference with the customer's privacy by the state authorities. Public authorities have to justify this interference by invoking competing interests such as national security, the economic well-being of the country and the prevention of crime, which are among those set out in Art. 8 of the European Convention of Human Rights, extracted in the previous section. Countervailing protections may have to be set out to limit the extent of the interference. For example, as mentioned earlier, the US Bank Secrecy ActFootnote 82 which required banks to provide customer information in certain circumstances was counterbalanced by the RFPA which instituted safeguards such as the proper procedure to be followed and the requirement to inform the customer about the information request.Footnote 83

The imposition of mandatory duties on banks to disclose customer information may be problematic in countries like Germany, where bank secrecy is protected by the Constitution.Footnote 84 From the customer's point of view, this guarantees the right of ‘informational self-determination’, which is the right to decide ‘whether and to what extent one wishes to disclose personal information’.Footnote 85 Just as the bank's mandatory duty of disclosure infringes on the customer's right of privacy, it also infringes on the bank's constitutional right to exercise freedom of occupation, i.e. the freedom to choose and perform one's occupation.Footnote 86 However, limitations may be imposed on these constitutional rights ‘to the extent that they pursue a legitimate public interest, are based on statute and respect the principle of appropriateness’.Footnote 87 These constitutional rights are therefore ‘subject to legislative overrides’ and do not offer absolute protection from state intervention, but ‘a disproportionate use of the legislative incursions by the German state’ may be challenged by the customer or the bank in the Constitutional Court.Footnote 88

In the law relating to AML and CFT, if a bank suspects that funds are the proceeds of a criminal activity, or are related to terrorist financing, it is required to report its suspicions to the financial intelligence unit in its country.Footnote 89 In relation to taxation, banks must disclose customer information to tax authorities as a result of the sweeping developments to counter international tax evasion, particularly as a result of the US Foreign Accounts Tax Compliance Act (FATCA), and the widespread acceptance of the OECD's common standard for the automatic exchange of information in tax matters.Footnote 90 Banks are exempted from their duties of secrecy when they disclose customer information pursuant to AML, CFT and international taxation laws. These incursions into customer privacy are largely based on internationally agreed standards set by the Financial Action Task Force (FATF) and the OECD, and do not seem to be controversial as being undue interference. The FATF recommendations are endorsed by more than 190 countriesFootnote 91 and more than 100 countries have committed to implementing the OECD standard for the automatic exchange of information by 2018.Footnote 92 Even FATCA, which is the result of the unilateral action of the US government, has many subscribers,Footnote 93 as the economic consequences of not cooperating – the imposition of a 30 per cent withholding tax in certain payments made from the United States to non-compliant financial institutions – would be devastating.

The disclosure requirements imposed on banks by the laws relating to AML, CFT and the prevention of international tax evasion must be looked at beyond the lens of bank secrecy. The objectives of the AML and CFT regimes are to combat money laundering and terrorist financing by preventing these activities and bringing to justice the perpetrators of these offences as well as those who aid their commission. In the case of money laundering, there is also the aim of preventing the underlying predicate offences in relation to which funds are being laundered, such as drug trafficking, corruption and other serious crimes. Issues of bank secrecy arising from the duty to report suspicious transactions are just part of the big picture. Another important element is the ‘know your customer’ (KYC) requirements of the AML and CFT regime, which impose an equal burden on banks. Further, the KYC and suspicious transactions reporting requirements are not confined to the financial industry but applicable also to other designated businesses and professionals such as lawyers and accountants. Similarly, the disclosure of information for tax purposes can be seen as an extension of the international cooperation in tax matters that has been taking place for years, even if its scope is unprecedented.

1.5 Privacy Protection in Perspective

The developments in relation to bank secrecy since the 1990s have largely been to curtail its scope and to allow or to require banks to disclose customer information in an increasing number of situations in response to modern challenges and situations as discussed in Chapters 4 and 5 and the jurisdictional chapters of this book. In particular, the bank's duties of disclosure for AML, CFT and prevention of tax evasion purposes have been alluded to earlier. Protection of the customer's privacy in financial matters is gradually being reduced and sacrificed. This might seem inconsistent with other aspects of privacy which seem to be enjoying increased protection, such as personal data protection, which has seen active development internationally. This has been triggered by technological advances and social changes. With the rise of computerisation and e-commerce, massive amounts of data about individuals are now easily stored and retrieved. An increasing number of countries have adopted data protection laws to regulate the collection and use of such data,Footnote 94 and such laws are applicable to banks (in addition to their secrecy obligations), as they are to other businesses. This increased protection of privacy in the sphere of data protection might appear diametrically opposed to the erosion of privacy that is happening in the sphere of bank secrecy, but this development must be seen in context. The relative novelty of data protection laws has led to attention being focused on the new privacy rights that it provides rather than on its limitations. Like bank secrecy, data protection is not absolute. Taking the example of Singapore, the Monetary Authority of Singapore (MAS) has clarified that for the purposes of meeting the AML and CFT requirements, such as in the course of performing customer due diligence, financial institutions can collect, use and disclose personal data of an individual customer without the respective individual's consent.Footnote 95 More generally, the Singapore statute provides for situations where collection, use or disclosure of information without consent is permitted, for instance where it is clearly in the interest of the individual, where there is an emergency, where it is necessary in the national interest or otherwise authorised by law.Footnote 96 These exceptions, particularly the open-ended exception that applies to a disclosure authorised by law, might potentially be as wide as those applying to bank secrecy.

Privacy is a multifaceted concept, and different aspects may require different treatment, depending on the existing state of the law and the circumstances calling for protection or erosion of privacy. Data protection law and bank secrecy law are examples of the regulation of informational privacy. Other aspects include laws on health privacy and online privacy. Privacy also involves being free from observation or disturbance. Contemporary phenomena, like the rise of terrorism, are relevant not just to banking but also to other spheres and may pose similar challenges. For example, the requirement for disclosure of banking information where it is suspected that a transaction is connected with terrorist financing has a parallelism in the need for surveillance or monitoring of private citizens without heeding their privacy rights.

Because of the broadness of the concept of privacy, courts may be wary of allowing a general right of action based on privacy. The example of the United Kingdom is a case in point where the courts were unwilling to recognise the legal right of privacy although they had for many years developed the law of confidence, which protects aspects of privacy.Footnote 97 In the UK House of Lords case of Wainwright v. Home Office,Footnote 98 Lord Hoffmann distinguished between privacy as a value underlying the existence of some legal right, and privacy as a legal right in itself,Footnote 99 and expressed the view that any protection of privacy as such must come from the legislature. The House of Lords held in Wainwright v. Home Office that there was no action in the United Kingdom for invasion of privacy and that the Human Rights Act 1998 and Art. 8 of the European ConventionFootnote 100 did not create such a cause of action. In Campbell v. MGN,Footnote 101 the House of Lords gave effect to the Convention by interpreting the common law duty of confidence to take into account the Art. 8 right to privacy, resulting in two forms of the action for breach of confidence, one based on the traditional principles of confidentiality and the second based on privacy.Footnote 102

1.6 Conclusion

A bank's obligation to keep its customer's information secret rests ultimately on the concept of privacy. It is an aspect of privacy protection that is well established, as in other confidential relationships such as the solicitor–client and doctor–patient relationships. Such protection has been conveniently facilitated in some jurisdictions by the willingness of the courts to find an implied contractual term imposing such a duty. Privacy, in the sense of being able to keep one's information private, and confidentiality, in the sense of being able to trust another person to do so, are both relevant underlying concepts. The bank's duty of secrecy to its customer is based mainly on private law, but some jurisdictions impose criminal sanctions for breach of the duty of bank secrecy. Even where the reasons for such criminalisation are pragmatic, for example to build an attractive financial centre or to promote stability in the banking system, privacy protection is likely to be an underlying consideration. These motivations capitalise on the customer's desire for privacy, and take advantage of the trust in a financial system that tends to result when financial privacy is protected. Exceptions to the duty of bank secrecy are growing, and positive duties of disclosure are being imposed in an increasing number of situations. This erosion of the obligation of secrecy is consistent with the idea that privacy is not an absolute right, and must be balanced against competing interests. Similar trade-offs are being made in other areas, for instance where individuals are subject to electronic surveillance in the fight against crime, which is made possible by technological advances. The rise of information technology has led to the enactment of data protection laws, which can serve to protect individual privacy. However, like bank secrecy laws, data protection laws are generally subject to exceptions. The growing obligation of banks to disclose customer information must be seen in perspective. The erosion of bank secrecy is largely in relation to disclosures to government authorities, and the duty of disclosure arises in the context of state intervention for purposes that go beyond bank secrecy law, such as crime prevention, national security, international cooperation and economic advancement. Customer privacy is still protected in cases where there are no overriding competing interests, an example in many countries being the disclosure to private persons without the consent of the customer.

Footnotes

Earlier versions of this paper were presented at the Bank Secrecy Symposium organised by the Centre for Banking & Finance Law at the National University of Singapore on 4–5 December 2014, and the NUS Law Faculty Research Seminar Series on 6 April 2016. I am grateful to the participants at these presentations and to my colleague, Sandra Booysen, for helpful comments on my drafts.

1 For example, the discussion on Singapore by Booysen in Chapter 10 refers to ‘bank secrecy’, as did the heading in the Singapore Banking Act (Cap 19, 2008 Rev Ed Sing) before the coming into force of s 32(a) of the Banking (Amendment) Bill (No. 1/2016) (see infra note 2), whereas the discussion on Hong Kong by Gannon in Chapter 8 refers to ‘bank confidentiality’. If there is to be any difference in strictness of the bank's duty based on the meaning of the two terms, one might expect this to be in the jurisdiction where the impressionistically stricter word ‘secrecy’ is used, but this is not the case. Instead, the exceptions in Schedule 3 of Singapore's Banking Act are arguably wider than those that apply under the common law in Hong Kong.

2 See, for example, the discussion of the United Kingdom by Stanton in Chapter 12, where the author uses the term ‘bank secrecy’ in his chapter, although the conventional reference in the United Kingdom is to ‘bank confidentiality’, on the grounds that there is no difference in meaning between the two. In Singapore, a bill to amend the Banking Act, supra note 1 was passed on 29 February 2016, whereby the heading of s 47, which sets out the bank's obligation not to disclose customer information, was changed from ‘banking secrecy’ to ‘privacy of customer information’. See s 32(a), Banking (Amendment) Bill, supra note 1.

3 For example, the Oxford English Dictionary, 3rd edn (Oxford University Press, 2010) defines ‘secrecy’ as ‘the action of keeping something secret or the state of being kept secret’. It defines ‘confidentiality’ in a similar way, as being ‘the state of keeping or being kept secret or private’. The term ‘secret’ is defined as ‘something that is kept or meant to be kept unknown or unseen others’.

4 This will also serve to minimise confusion between the term ‘duty of confidentiality’ and the term ‘relationship of confidence’ or ‘confidential relationship’ that will be introduced later in this chapter.

5 Oxford English Dictionary, supra note 3, online: www.oed.com/view/Entry/151596?redirectedFrom=privacy#eid

6 Cambridge Dictionaries Online, online: http://dictionary.cambridge.org/dictionary/english/privacy

7 A.F. Westin, Privacy and Freedom (London: Bodley Head, 1967) at 7.

8 See e.g. C. Fried, ‘Privacy’, Yale Law Journal, 77 (1968) 475 and R. Parker, ‘A Definition of Privacy’, Rutgers Law Review, 27 (1974) 275 at 280–1.

9 See e.g. N. MacCormick, ‘Privacy: A Problem of Definition’, British Journal of Law & Society, 1 (1974) 75 and R. Gavison, ‘Privacy and the Limits of Law’, Yale Law Journal, 89 (1980) 421.

10 R. Gellman, ‘Does Privacy Law Work?’ in P. Agre and M. Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, MA: MIT Press, 1998). At 193, Gellman writes: ‘Lawyers, judges, philosophers, and scholars have attempted to define the scope and meaning of privacy, and it would be unfair to suggest that they have failed. It would be kinder to say that they have all produced different answers.’

11 R. Pattenden, Law of Professional-Client Confidentiality (Oxford University Press, 2003) at 9.

12 R v. Department of Health, ex p Source Informatics [1999] 4 All ER 185 at 195 (Latham J).

13 These are the four functions identified by A.F. Westin and summarised in R. Wacks, Privacy and Media Freedom (Oxford University Press, 2013) at 21.

14 See Law of Professional-Client Confidentiality, supra note 11 at 6.

15 Footnote Ibid.

16 An example can be seen in Germany, where the general terms and conditions included in every bank–customer relationship called ‘AGB Banken’ provide that the bank ‘has the duty to maintain secrecy about any customer-related facts and evaluations of which it may have knowledge’. The bank may only disclose information concerning the customer if it is legally required to do so or if the customer has consented thereto or if the bank is authorised to disclose banking affairs. See Hofmann in Chapter 7 at p. 199.

17 See the jurisdictional Chapters 613.

18 [1924] 1 KB 461.

19 See the discussion by Gannon on Hong Kong in Chapter 8 and Stanton on the United Kingdom in Chapter 12. See also chapters 7, 13 and 19 in G. Godfrey (gen. ed.), Neate and Godfrey: Bank Confidentiality, 5th edn (London: Bloomsbury, 2015). Tournier was also accepted by the Singapore courts before the Court of Appeal declared in Susilawati v. American Express Bank Ltd [2009] 2 SLR (R) 737 at para. 67 that the statutory regime under s 47 of the Singapore Banking Act was the exclusive regime governing banking secrecy in Singapore. See the discussion by Booysen in Chapter 10.

20 Susilawati v. American Express Bank Ltd [2009] 2 SLR(R) 737 at para. 67. See the discussion by Booysen in Chapter 10.

21 367 P. 2d 284 at 290 (Idaho, 1961). See the discussion by Broome in Chapter 13.

22 12 USC § 3402 (2013).

23 [1920] 1 KB 868.

24 Footnote Ibid. at 899–900, quoted in Tournier, supra note 18 at 483–4.

25 Tournier, supra note 18 at 480–1.

26 Footnote Ibid. at 483–4.

27 Footnote Ibid. at 474.

28 Bankes LJ, the third judge in Tournier, came closest to explaining why secrecy was important, stating that the ‘credit of the customer depends very largely upon the strict observance of that confidence.’ Tournier, supra note 18 at 474. This may have been true on the facts of the case, where the breach of the duty of secrecy by the bank manager would have revealed the weak financial position of the customer, but it can hardly be taken as a general rule, as a disclosure of a high credit balance in a customer's account may very well enhance his credit. A better general explanation is that it is important to protect the privacy of a client as revelation of his financial affairs may affect him adversely.

29 See Neate and Godfrey: Bank Confidentiality, supra note 19 at 920. See also Nobel and Braendli in Chapter 11.

30 Footnote Ibid. at 920. See also Nobel and Braendli in Chapter 11. Nobel and Braendli state that the law of personal rights as set out in the Swiss Civil Code are a source of the client's rights to secrecy in the banking relationship, and explain that an infringement would lead to tortious liability.

31 See Booysen in Chapter 10, where the torts of defamation, breach of statutory duty and misuse of personal information were suggested as possible ways for a customer to seek redress against a bank. The tort of breach of statutory duty was also mentioned by Stanton in Chapter 12, albeit in relation to the more general UK Payment Services Regulations 2009, SI 2009/209, which are not specifically directed at bank secrecy.

32 Omachi in Chapter 9 states that in Japan, the legal basis for bank secrecy had not been much discussed lately, but that it was broadly understood that a bank would be liable in tort or for breach of contract.

33 Wang in Chapter 6 suggests that in China, the Decision to Strengthen Network Information Protection made by the NPC Standing Committee and the Consumer Interests Protection Law both impose a tortious duty on banks to protect the personal information of the customers.

34 An example is the UK Payment Services Regulations 2009, supra note 31 which requires an authorised payment institution to maintain arrangements sufficient to minimise the risk of loss through negligence or poor administration, and provides an action in tort for breach of statutory duty if this requirement is contravened. See Regs. 19(4) and 120. See the discussion by Stanton in Chapter 12, where it is suggested that a customer who loses money as a result of cybercrime (presumably because the bank has failed to keep its information secret) has an action in tort for its recovery under these regulations.

35 See The American Law Institute, Restatement (Second) of Torts, § 652D.

36 See Footnote ibid., comments to § 652D. For example, in the US case of Peterson v. Idaho First National Bank, supra note 21, the plaintiff's claim for the tort of invasion of privacy failed because there was no public dissemination of information regarding the plaintiff's account, and the case was decided on the bank's implied contractual duty of secrecy.

37 In the United Kingdom, the law of confidence is part of equity law, although the second form of this action, the action for misuse of private information, has now been recognised as a tort: Vidal-Hall v. Google [2015] EWCA Civ 311.

38 See Booysen, Chapter 10 at p. 288–9 and Stanton, Chapter 12 at p. 343–4.

39 R. Cranston, Principles of Banking Law, 2nd edn (Oxford University Press, 2002) at 169–74.

40 E.P. Ellinger, E. Lomnicka and C.V.M. Hare, Ellinger's Modern Banking Law, 5th edn (Oxford University Press, 2011) at 171–2.

41 See the discussion by Stanton, Chapter 12 at p. 343–4.

42 See R.G. Toulson and C.M. Phipps, Confidentiality, 3rd edn (London: Sweet & Maxwell, 2012) at 54.

43 [1969] RPC 41.

44 [1990] 1 AC 109 at 261.

45 [2004] 2 AC 457 at para. 51.

46 Footnote Ibid. at paras. 21, 96 and 134.

47 [2007] UKHL 21 at para. 255.

48 Vidal-Hall v. Google, supra note 37. The form of action could be significant for procedural reasons (e.g. whether there could be service out of the jurisdiction, as well as to determine the type of damages that can be recovered).

49 Supra note 43.

50 R. Cranston (ed.), Legal Issues of Cross-Border Banking (London: Bankers’ Books Ltd, 1989).

51 Tournier, supra note 18 at 474 (Bankes LJ) and 480–1 (Scrutton LJ).

52 See Stanton in Chapter 12 at p. 343.

53 This parallel is explicitly drawn by Bankes and Scrutton LJJ in Tournier, supra note 18 at 474 (Bankes LJ) and 480–1 (Scrutton LJ).

54 (1836) 3 Bing (NC) 235.

55 The Hippocratic Oath was introduced as the ‘Declaration of Geneva’ at the 2nd General Assembly of the World Medical Association in Geneva in September 1948, and has undergone subsequent amendments without affecting the pledge of secrecy. For the full declaration, see WMA, ‘WMA Declaration of Geneva’ (September 1948), online: www.wma.net/en/30publications/10policies/g1/index.html

56 Tournier, supra note 18 at 474. Indeed, the analogy between doctors, lawyers and bankers might not always be appropriate in every jurisdiction or for different types of liability. In Belgium for instance, the Supreme Court decided that bankers did not come under the scope of the application of Art. 458 of the Criminal Code, which provided that doctors, surgeons, health officers, pharmacists and all other persons who, because of their status or profession, are confided secrets will be fined or imprisoned if they reveal those secrets. Bankers were distinguished because they only had a duty of ‘discretion’. See Cass, 25 October 1978, Pas. 1979, I, 237 discussed in Neate and Godfrey: Bank Confidentiality, supra note 19 at 85.

57 F. Gurry, Breach of Confidence (Oxford: Clarendon Press, 1984) at 14.

58 12 USC (2013). Under this statute, any financial records sought must be ‘reasonably described’ and either (1) the customer authorised the disclosure, (2) there is an administrative subpoena, (3) there is a search warrant, (4) there is a judicial subpoena or (5) there is a formal written request from a federal government authority: 12 USC § 3402 (2013). If the government seeks information about a customer's account, the bank must notify the customer so that the customer has the opportunity to challenge the government's request: 12 USC § 3405(2) and (3) (2013). See further the discussion by Broome in Chapter 13.

59 12 USC § 3417(a) (2013).

60 The formal name of this statute is the Currency and Foreign Transactions Reporting Act of 1970, 31 USC For a discussion of its provisions, see Broome in Chapter 13 at p. 375–7.

61 There is some uncertainty in Singapore whether the implied term approach in Tournier still survives (see Booysen in Chapter 10). Even if it does not, there is still the possibility of an express contractual term providing for a duty of confidentiality that meets the statutory minimum standard.

62 See Nobel and Braendli in Chapter 7 and Neate and Godfrey: Bank Confidentiality, supra note 19 at 922.

63 See D. Chaikin, ‘Policy and Fiscal Effects of Swiss Bank Secrecy’, Revenue Law Journal, 15 (2005) 90 at 96–8, relying on the work of M. Perrenoud in ‘Les fondements historiques du secret bancaire en Suisse’, Observatoire de la Finance, 12 (Genève 2002) at 31–7. Available online: http://epublications.bond.edu.au/rlj/vol15/iss1/5

64 Nobel and Braendli in Chapter 11 at p. 313–4.

65 Banking Act (Act 41 of 1970). This replaced the Malayan Banking Ordinance No. 62 of 1958 which had hitherto continued to apply in Singapore post-independence.

66 Banking (Amendment) Act 1983 (Act 6 of 1983).

67 Banking (Amendment) Act 1984 (Act 2 of 1984).

68 Banking (Amendment) Act 2001 (Act 23 of 2001). For the history of the statutory provisions relating to bank secrecy in Singapore, see S. Booysen, ‘Bank Secrecy in Singapore and the Customer's Consent to Disclosure’, Journal of International Banking Law and Regulation, 10 (2011) at 501, 502–3, and Booysen in Chapter 10.

69 See speech of Member of Parliament, Dr Ow Chin Hock, on the second reading of the Banking (Amendment) Bill: Parliamentary Debates Singapore: Official Report, vol 61 at col 452 (30 August 1993). The unspoken assumption made by Dr Ow here was that a higher rather than a lower degree of confidentiality would enhance the competitiveness and growth of Singapore as a financial centre.

70 See statement in parliament by Lee Hsien Loong on the second reading of the Banking (Amendment) Bill: Parliamentary Debates Singapore: Official Report, vol 73 at col 1689 (16 May 2001).

71 A bill to amend the Banking Act, supra note 1 was passed on 29 February 2016, whereby the heading of s 47, which sets out the bank's obligation not to disclose customer information, was changed from ‘banking secrecy’ to ‘privacy of customer information’. See s 32(a) Banking (Amendment) Bill (No. 1/2016). No other changes were made to s 47 by this bill, and the change in heading was probably meant to move away from the pejorative associations with the word ‘secrecy’ and to state the factual effect of the section, rather than a reflection of a concern with protecting privacy per se.

72 Financial Conduct Authority, ‘Principles for Businesses’, PRIN 2.1.1.1, online: www.handbook.fca.org.uk/handbook/PRIN.pdf

73 Footnote Ibid., PRIN 2.1.1.2.

74 See Stanton in Chapter 12 at p. 347.

75 Footnote Ibid. at p. 345.

76 Association of Banks in Singapore, ‘Code of Consumer Banking Practice’ (November 2009), cl 3.c.ii.

77 N. Witzleb, D. Lindsay, M. Paterson and S. Rodrick (eds.), Emerging Challenges in Privacy Law (Cambridge University Press, 2014) at 1.

78 Available at Council of Europe, ‘European Convention on Human Rights’ (4 November 1950), online: www.echr.coe.int/Documents/Convention_ENG.pdf. That there are exceptions to the concept of privacy is also acknowledged by academic writings, for example, the seminal article by Warren and Brandeis entitled ‘The Right to Privacy’, published in Harvard Law Review, 4 (1890) at 193.

79 Clauses providing for customer consent to disclosure of information by the bank in certain circumstances are commonly included in the standard terms and conditions of banks, and the question arises whether such clauses will be binding if the customer is not aware of these terms. See for example, the discussion by Booysen in Chapter 10 and Nobel and Braendli in Chapter 11.

80 See the discussion by Booysen in Chapter 10.

81 The exceptions in Schedule 3 of the Singapore Banking Act are merely permissive, and the bank and its customer are allowed to agree to stricter standards of confidentiality than required by the statute, see s 47(8).

82 Also known as the Currency and Foreign Transactions Reporting Act of 1970, 31 USC.

83 12 USC (2013). See the discussion by Broome in Chapter 13.

84 See generally Hofmann in Chapter 7.

85 See Hofmann in Chapter 7 at p. 206 and chapter 16 in Neate and Godfrey: Bank Confidentiality, supra note 19 at 384.

86 Footnote Ibid.

87 Footnote Ibid. at 384.

88 Hofmann in Chapter 7 at p. 207.

89 See Nakajima in Chapter 4 on the international pressures on banks to disclose information.

90 See O'Brien in Chapter 5 on international developments in exchange of tax information.

91 See FATF, ‘Countries’ (2016), online: www.fatf-gafi.org/countries

92 See OECD, ‘Global Forum on Transparency and Exchange of Information for Tax Purposes: Status of Commitments’ (9 May 2016), online: www.oecd.org/tax/automatic-exchange/commitment-and-monitoring-process/AEOI-commitments.pdf

93 More than 110 countries have signed intergovernmental agreements with the United States under FATCA. See US Department of the Treasury, ‘Foreign Account Tax Compliance Act (FATCA)’ (11 July 2016), online: www.treasury.gov/resource-center/tax-policy/treaties/Pages/FATCA.aspx

94 For a discussion of data protection and its relationship with bank secrecy, see Greenleaf and Tyree in Chapter 2.

95 See e.g. Monetary Authority of Singapore, ‘MAS Notice 626 on Prevention of Money Laundering and Countering the Financing of Terrorism – Banks’ (24 April 2015), at para. 13, online: www.mas.gov.sg/∼/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Anti_Money%20Laundering_Countering%20the%20Financing%20of%20Terrorism/MAS%20Notice%20626%20%20April%202015.pdf

96 Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Schedules 2–4. The balance that must be struck between individual rights and wider societal interests can be seen in the Singapore's Personal Data Protection Act 2012, which provides in section 3 that: ‘The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.’

97 See Toulson and Phipps, Confidentiality, supra note 42, especially chapter 6.

98 [2004] 2 AC 406.

99 Footnote Ibid. at para. 31.

100 Article 8(1) of the ECHR, supra note 78 states, inter alia, that ‘everyone has the right to respect for his private and family life, his home and his correspondence.’

101 Supra note 45.

102 These are explained by Lord Nicholls in Douglas v. Hello! Ltd, supra note 47 at para. 255.

Save book to Kindle

To save this book to your Kindle, first ensure coreplatform@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×