In addition to federal privacy laws, numerous states have enacted their own financial privacy statutes that banks and other financial institutions must navigate when responding to requests for customer information.[1] In a recent decision, Oklahoma’s intermediate appellate court seemingly narrowed the scope of claims arising under Oklahoma’s financial privacy law while clarifying the duties of financial institutions within its borders.
In Parker, et al. v. Valliance Bank (“Parker”), the Oklahoma Court of Civil Appeals affirmed a directed verdict in favor of Valliance Bank (the “Bank”). In holding in the Bank’s favor, the Court rejected the consumer-Plaintiffs’ claims that the Bank violated Oklahoma’s Financial Privacy Act (the “Act”) and breached its duty of care and/or fiduciary duties by producing documents in response to a subpoena that did not comply with certain requirements of the Act.[2]
In Parker, the Bank received a subpoena in a foreclosure action — to which it was not a party — seeking financial records of an LLC defendant. The subpoena demanded that a Bank representative appear for deposition and produce essentially all documents related to the LLC’s banking relationship. Critically, the LLC’s loan file contained personal financial documents of its individual members and their other holdings, which had been submitted in connection with the LLC’s loan application. The Bank produced the subpoenaed documents only after motions to quash the subpoena and for a protective order were denied.[3]
The Parker Plaintiffs — the individuals, trusts, and businesses whose financial records were produced as part of the LLC’s loan file — alleged that the production of those documents led to their inclusion in the foreclosure suit and caused damages exceeding $500,000. They asserted claims “as Bank customers,” alleging “the Bank was negligent, violated their rights protected by the Oklahoma Financial Privacy Act, and that the Bank breached a duty of care to protect their private and confidential financial information.”[4]
In addressing these claims, the Parker Court first recognized that the negligence claim was rooted in the production of financial documents and that the Act provides the “exclusive lawful means” of obtaining customer financial records.[5] The Court thus consolidated its analysis of the negligence and statutory claims into a single inquiry: whether the Bank had breached its duties under the Act.[6] The Court ultimately found that the Bank had violated the Act by responding to a subpoena lacking written certification from the issuer of that issuer’s compliance with the Act, a prerequisite to a financial institution’s production of customer financial records under 6 O.S.2021 § 2208(A).
However, the Court held that this duty was owed not to the Plaintiffs, but to the LLC — which was not a party to the lawsuit. The Court explained that the documents produced and now in dispute all came from the LLC’s loan file. It emphasized that the Plaintiffs never argued those documents were improperly in the Bank’s possession. Rather, all the documents at issue were voluntarily provided by the Plaintiffs, who were Bank “customers,” to obtain financing for another “customer,” the LLC. The Court further found that “[t]he only duty that the Bank owed to all of its other customers, including the [Plaintiffs], was to take ‘reasonably prudent’ measures to prevent another customer’s financial records from being inadvertently included in the documents produced in response to that subpoena” — and the Plaintiffs had not asserted such a claim.[7]
Importantly, the Parker Court held that, although the Bank violated the Act by not requiring a certificate of compliance before producing the LLC’s documents, “the Act did not require the Bank to segregate and withhold from production documents lawfully in its possession because they happened to have also related to or been provided by another customer whose records were not the subject of the subpoena.”[8] Simply put, “[t]o the extent [Plaintiffs] proved the Documents were produced in violation of the Act, that claim belongs to [the LLC], or more specifically, pursuit of that claim belongs to the Trustee in [the LLC’s] bankruptcy.”[9]
The Parker Court next addressed the Plaintiffs’ claim that, in addition to the Act, the Bank owed them “special duties,” fiduciary in nature, and that the Bank’s production of the documents constituted a tortious breach of those duties. The Court rejected this argument out of hand, holding that the Plaintiffs’ relationship with the Bank was contractual and that while a failure to keep customer records private might constitute a breach of contract (which was not pled), it did not give rise to a tort claim. The Court then pointed to 6 O.S.2021 § 425, which provides:
Unless a state or national bank shall have expressly agreed in writing to assume special or fiduciary duties or obligations, no such duties or obligations will be imposed on the bank with respect to a depositor of the bank or a borrower, guarantor, or surety, and no special or fiduciary relationship shall be deemed to exist.
Under this 1994 statute, a fiduciary duty between a financial institution and its customers may only be created by express language to that effect in a written agreement. Finding that the Plaintiffs “produced no document by which the Bank agreed ‘in writing to assume special or fiduciary duties or obligations[,]’” the Court held that no special or fiduciary relationship existed, and the Plaintiffs’ breach of fiduciary duty claim failed “as a matter of law.”[10]
In doing so, the Parker Court distinguished Djowharzadeh v. City National Bank and Trust Co. of Norman, 1982 OK CIV APP 3, 646 P.2d 616. Djowharzadeh, decided over four decades ago, had indicated that a “special relationship” existed between a borrower and a bank.[11] In rejecting the application of Djowharzadeh, the Parker Court held that: “to the extent that Djowharzadeh, decided prior to the enactment of 6 O.S.2021 § 425, holds that a bank owes its customers a fiduciary duty in the absence of a written agreement creating that duty, it has been abrogated by that statute.”[12]
The Parker Court further rejected the Plaintiffs’ reliance on Oklahoma Uniform Jury Instructions (OUJI) — Civil No. 26.2, which included among possible fiduciary relations those with a “banker,” holding that: “To the extent this instruction misstates the law applicable to banks and their customers, it is the duty of the court to provide instructions that ‘accurately state the law.’”[13] Emphasizing that the Plaintiffs had asserted only two theories of recovery, neither of which was supported by law, the Parker Court affirmed the trial court’s directed verdict in favor of the Bank.
Although the Bank in Parker ultimately avoided liability, the opinion signals the potential viability of negligence and even breach of contract claims for improper disclosures of customer information, if properly pled. It also underscores the importance of recognizing and complying with the various state financial privacy laws, like Oklahoma’s. Despite moving to quash the offending subpoena, the Bank in Parker was still found to have violated the Act. These statutes impose specific duties that financial institutions must satisfy before responding to any subpoena for customer financial records, and determining the applicable law often requires review of numerous statutory chapters and regulatory codes.
For financial institutions, continued compliance practically demands maintaining state-specific policies and procedures — and, at a minimum, a policy broad enough to address the laws of every state in which the institution does business, paired with attorney oversight to ensure compliance. Regular review and revision of these policies is equally essential. Parker teaches that failing to maintain current, compliant policies could lead not only to statutory violations and regulatory scrutiny, but also to potential tort liability from affected customers — along with the reputational harm that often follows.
—
[1] See, e.g., Tex. Fin. Code § 59.006; N.C. Gen. Stat. §§ 53B-1 through 53B-10.
[2] Parker v. Valliance Bank, 2026 OK CIV APP 5, 587 P.3d 907.
[3] The Bank had also moved to quash the subpoena, but counsel for the Bank was apparently not at the hearing and there was no formal disposition of the Bank’s motion. Id. at ¶¶ 7-9. This is likely why the Parker Court limited its consideration of the other motions, including a motion to quash from certain Parker Plaintiffs, to issues of notice and waiver by the LLC, which did not file its own motion despite being the entity whose records were subpoenaed. Id. at ¶ 23. The record reflects the LLC may not have been summoned in the foreclosure action, was possibly an improper party to it based on a pending bankruptcy, and never appeared in that litigation. Id. at n.2, 6. Notably, although the trial court’s denial essentially ordered that the depositions/production go forward, Parker offers no opinion as to whether the Bank’s compliance with that order, on an ultimately defective subpoena, could have immunized the Bank against any violation of the Act.
[4] Parker, 2026 OK CIV APP 5, ¶ 11, 587 P.3d at 911.
[5] Id. at ¶ 19.
[6] See id. at ¶ 18 (“Where a regulatory statute ‘delineate[s] the defendant’s conduct, courts may adopt the conduct required by the statute[ ] as that which would be expected of a reasonably prudent person—providing courts believe the statutorily required conduct is appropriate for establishing civil liability’”).
[7] Id. at ¶ 26.
[8] Parker, 2026 OK CIV APP 5 at ¶ 27, 587 P.3d at 915.
[9] Id. at ¶ 28.
[10] Id. at ¶ 30.
[11] Djowharzadeh involved allegations that a loan officer provided a prospective borrower’s confidential loan information to shareholders in the bank, who then usurped the prospective borrower’s opportunity to purchase a duplex at below market value. The Parker Court indicated this was probably more properly framed as a tortious interference with business relations claim, rather than one arising from fiduciary duties. Id. at ¶ 32.
[12] Id. at ¶ 33.
[13] Id. at ¶ 34.