Oklahoma Appeals Court Clarifies Banks’ Fiduciary Duties and Customer Privacy Obligations Under the Oklahoma Financial Privacy Act

In addition to federal privacy laws, numerous states have enacted their own financial privacy statutes that banks and other financial institutions must navigate when responding to requests for customer information.[1] In a recent decision, Oklahoma’s intermediate appellate court seemingly narrowed the scope of claims arising under Oklahoma’s financial privacy law while clarifying the duties of financial institutions within its borders.

In Parker, et al. v. Valliance Bank (“Parker”), the Oklahoma Court of Civil Appeals affirmed a directed verdict in favor of Valliance Bank (the “Bank”). In holding in the Bank’s favor, the Court rejected the consumer-Plaintiffs’ claims that the Bank violated Oklahoma’s Financial Privacy Act (the “Act”) and breached its duty of care and/or fiduciary duties by producing documents in response to a subpoena that did not comply with certain requirements of the Act.[2]

In Parker, the Bank received a subpoena in a foreclosure action — to which it was not a party — seeking financial records of an LLC defendant. The subpoena demanded that a Bank representative appear for deposition and produce essentially all documents related to the LLC’s banking relationship. Critically, the LLC’s loan file contained personal financial documents of its individual members and their other holdings, which had been submitted in connection with the LLC’s loan application. The Bank produced the subpoenaed documents only after motions to quash the subpoena and for a protective order were denied.[3]

The Parker Plaintiffs — the individuals, trusts, and businesses whose financial records were produced as part of the LLC’s loan file — alleged that the production of those documents led to their inclusion in the foreclosure suit and caused damages exceeding $500,000. They asserted claims “as Bank customers,” alleging “the Bank was negligent, violated their rights protected by the Oklahoma Financial Privacy Act, and that the Bank breached a duty of care to protect their private and confidential financial information.”[4]

In addressing these claims, the Parker Court first recognized that the negligence claim was rooted in the production of financial documents and that the Act provides the “exclusive lawful means” of obtaining customer financial records.[5] The Court thus consolidated its analysis of the negligence and statutory claims into a single inquiry: whether the Bank had breached its duties under the Act.[6] The Court ultimately found that the Bank had violated the Act by responding to a subpoena lacking written certification from the issuer of that issuer’s compliance with the Act, a prerequisite to a financial institution’s production of customer financial records under 6 O.S.2021 § 2208(A).

However, the Court held that this duty was owed not to the Plaintiffs, but to the LLC — which was not a party to the lawsuit. The Court explained that the documents produced and now in dispute all came from the LLC’s loan file. It emphasized that the Plaintiffs never argued those documents were improperly in the Bank’s possession. Rather, all the documents at issue were voluntarily provided by the Plaintiffs, who were Bank “customers,” to obtain financing for another “customer,” the LLC. The Court further found that “[t]he only duty that the Bank owed to all of its other customers, including the [Plaintiffs], was to take ‘reasonably prudent’ measures to prevent another customer’s financial records from being inadvertently included in the documents produced in response to that subpoena” — and the Plaintiffs had not asserted such a claim.[7]

Importantly, the Parker Court held that, although the Bank violated the Act by not requiring a certificate of compliance before producing the LLC’s documents, “the Act did not require the Bank to segregate and withhold from production documents lawfully in its possession because they happened to have also related to or been provided by another customer whose records were not the subject of the subpoena.”[8] Simply put, “[t]o the extent [Plaintiffs] proved the Documents were produced in violation of the Act, that claim belongs to [the LLC], or more specifically, pursuit of that claim belongs to the Trustee in [the LLC’s] bankruptcy.”[9]

The Parker Court next addressed the Plaintiffs’ claim that, in addition to the Act, the Bank owed them “special duties,” fiduciary in nature, and that the Bank’s production of the documents constituted a tortious breach of those duties. The Court rejected this argument out of hand, holding that the Plaintiffs’ relationship with the Bank was contractual and that while a failure to keep customer records private might constitute a breach of contract (which was not pled), it did not give rise to a tort claim. The Court then pointed to 6 O.S.2021 § 425, which provides:

Unless a state or national bank shall have expressly agreed in writing to assume special or fiduciary duties or obligations, no such duties or obligations will be imposed on the bank with respect to a depositor of the bank or a borrower, guarantor, or surety, and no special or fiduciary relationship shall be deemed to exist.

Under this 1994 statute, a fiduciary duty between a financial institution and its customers may only be created by express language to that effect in a written agreement. Finding that the Plaintiffs “produced no document by which the Bank agreed “in writing to assume special or fiduciary duties or obligations[,]” it held that no special or fiduciary relationship existed, and the Plaintiffs’ breach of fiduciary duty claim failed “as a matter of law.”[10]

In doing so, the Parker Court distinguished Djowharzadeh v. City National Bank and Trust Co. of Norman, 1982 OK CIV APP 3, 646 P.2d 616. Djowharzadeh, decided over four decades ago, had indicated that a “special relationship” existed between a borrower and a bank.[11] In rejecting the application of Djowharzadeh, the Parker Court held that: “to the extent that Djowharzadeh, decided prior to the enactment of 6 O.S.2021 § 425, holds that a bank owes its customers a fiduciary duty in the absence of a written agreement creating that duty, it has been abrogated by that statute.”[12]

The Parker Court further rejected the Plaintiffs’ reliance on Oklahoma Uniform Jury Instructions (OUJI) — Civil No. 26.2, which included among possible fiduciary relations those with a “banker,” holding that: “To the extent this instruction misstates the law applicable to banks and their customers, it is the duty of the court to provide instructions that ‘accurately state the law.’”[13] Emphasizing that the Plaintiffs had asserted only two theories of recovery, neither of which was supported by law, the Parker Court affirmed the trial court’s directed verdict in favor of the Bank.

Although the Bank in Parker ultimately avoided liability, the opinion signals the potential viability of negligence and even breach of contract claims for improper disclosures of customer information, if properly pled. It also underscores the importance of recognizing and complying with the various state financial privacy laws, like Oklahoma’s. Despite moving to quash the offending subpoena, the Bank in Parker was still found to have violated the Act. These statutes impose specific duties that financial institutions must satisfy before responding to any subpoena for customer financial records, and determining the applicable law often requires review of numerous statutory chapters and regulatory codes.

For financial institutions, continued compliance practically demands maintaining state-specific policies and procedures — and, at a minimum, a policy broad enough to address the laws of every state in which the institution does business, paired with attorney oversight to ensure compliance. Regular review and revision of these policies is equally essential. Parker teaches that failing to maintain current, compliant policies could lead not only to statutory violations and regulatory scrutiny, but also to potential tort liability from affected customers — along with the reputational harm that often follows.

 

[1] See, e.g., Tex. Fin. Code 59.006; N.C. Gen. Stat. §§ 53B-1 through 53B-10.

[2] Parker v. Valliance Bank, 2026 OK CIV APP 5, 587 P.3d 907.

[3] The bank had also moved to quash the subpoena, but counsel for the Bank was apparently not at the hearing and there was no formal disposition of the Bank’s motion. Id. at ¶¶ 7-9. This is likely why the Parker Court limited its consideration of the other motions, including a motion to quash from certain Parker Plaintiffs, to issues of notice and waiver by the LLC, who did not file its own motion despite being the entity whose records were subpoenaed. Id at ¶ 23. The record reflects the LLC may not have been summoned in the foreclosure action, was possibly an improper party to it based on a pending bankruptcy, and never appeared in that litigation. Id. at n.2, 6. Notably, although the trial court’s denial essentially ordered that the depositions/production go forward, Parker offers no opinion as to whether the Bank’s compliance with that order, on an ultimately defective subpoena, could have immunized the Bank against any violation of the Act.

[4] Parker, 2026 OK CIV APP 5, ¶ 11, 587 P.3d at 911.

[5] Id. at ¶ 19.

[6] See id. at ¶ 18 (“Where a regulatory statute “delineate[s] the defendant’s conduct, courts may adopt the conduct required by the statute[ ] as that which would be expected of a reasonably prudent person—providing courts believe the statutorily required conduct is appropriate for establishing civil liability”).

[7] Id. at ¶ 26.

[8] Parker, 2026 OK CIV APP 5 at ¶ 27, 587 P.3d at 915.

[9] Id at ¶ 28.

[10] Id. at ¶ 30.

[11]  Djowharzadeh involved allegations a loan officer’s provision of a prospective borrower’s confidential loan information to shareholders in the bank who then usurped the prospective borrower’s opportunity to purchase a duplex at below market value. The Parker Court indicated this was probably more properly framed as a tortious interference with business relations claim, rather than one arising in fiduciary duties. Id. at ¶ 32.

[12] Id. at ¶ 33.

[13]  Id. at ¶ 34.

New CFIUS Regulations Add Another Layer of Regulatory Considerations to Transactions Involving Foreign Investors

Earlier this year, new regulations promulgated by the Committee on Foreign Investment in the U.S. (the “CFIUS”) that implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) took effect, strengthening the oversight authority and expanding the jurisdictional reach of the CFIUS.  Although the new CFIUS regulations initially went largely unnoticed by the vast majority of investors, investors are starting to feel the effect of these expanded regulations as they are advised by deal counsel of a need for targeted due diligence and additional representations and warranties related to CFIUS compliance obligations.

CFIUS Regulatory Framework

The CFIUS, which was created by the Defense Production Act of 1950, is tasked with reviewing any transaction “which could result in foreign control of any person engaged in interstate commerce in the United States.”  50 U.S.C. § 2170.  The basic premise of the regulatory scheme is that the CFIUS will review these transactions, assess the potential for impact on national security, and make formal recommendations to the President as to the appropriate mitigating action necessary to protect the national interest.

Recent Changes to CFIUS Regulations

Until recently, the CFIUS’s jurisdiction was limited primarily to acquisitions of U.S. businesses by non-U.S. businesses.  See Ralls Corporation v. Committee on Foreign Investment in the United States, 758 F.3d 296 (D.C. Cir. 2014).  Earlier this year, however, new CFIUS rules permanently expanded CFIUS jurisdiction to include certain “other” investments—namely, non-controlling foreign investments in U.S. businesses involved in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals (referred to as “TID” businesses, for technology, infrastructure, and data). Covered non-controlling investments afford the foreign investor access to material nonpublic technical information or substantive involvement in the U.S. business’s decision-making with respect to the technology, infrastructure, or data.

In sum, the new CFIUS regulations expanded the jurisdiction of regulators to transactions involving U.S. businesses that: (1) produce, design, test, manufacture, fabricate, or develop “critical technologies”; (2) own, operate, manufacture, supply, or service “critical infrastructure”; or (3) maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.  31 CFR § 800.211.  Thus, even if a transaction will not result in foreign control of a U.S. business, it may still be subject to CFIUS review if it involves a TID U.S. business.

Critical Technology

For purposes of CFIUS regulations, critical technology is defined as follows:

(a) Defense articles or defense services included on the United States Munitions List (USML) set forth in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120–130);

(b) Items included on the Commerce Control List (CCL) set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 CFR parts 730–774), and controlled—

(1) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or

(2) For reasons relating to regional stability or surreptitious listening;

(c) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);

(d) Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material);

(e) Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and

(f) Emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).

31 C.F.R. § 800.215.  The nuances of each of these critical technologies should be carefully considered when engaging in a transaction involving foreign investors.

Sensitive Personal Data

The CFIUS also may review certain transactions involving U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to certain populations, including U.S. military members and employees of federal agencies with national security responsibilities, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The categories of data include types of (1) financial (e.g., bank account statements, credit applications, payment history, credit reports, credit scores); (2) geolocation, (3) health data (similar to HIPPA’s definition of non-public health information), (4) e-mail communications, (5) chat or other similar communications, (6) biometrics, and (7) information regarding government contractors.  See 31 C.F.R. § 800.241.

While this may seem like an unreasonable burden, the administrative record includes policy statements that inject some degree of restraint into the definition of sensitive personal data.  84 FR 50177.  More specifically, the ancillary information published in the federal register provides the following:

Given that most companies collect some type of data on individuals, the proposed rule protects national security while attempting to minimize any chilling effect on beneficial foreign investment by focusing on the sensitivity of the data itself, as well as the sensitivity of the population about whom the data is maintained or collected. In particular, the proposed rule identifies specific categories of data that constitute sensitive personal data only if the U.S. business (a) targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) maintains or collects such data on greater than one million individuals, or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The proposed definition also includes all genetic information and generally carves out data pertaining to a U.S. business’s own employees.

Id. at 50177-78 (emphasis added).

It is also of note that the information collected does not qualify unless it includes “identifiable data.”  31 C.F.R. § 800.239.  Based on the administrative record, it is clear that regulators wanted businesses to use common sense in assessing whether data constituted “identifiable data” by including the following as part of the administrative record:

In some cases, a U.S. business may maintain or collect the data described in § 800.241(a)(1)(ii)(A)-(J), but it is not possible to attribute such data to any specific individual. For example, a U.S. business may store health records on its servers, but those records are encrypted such that only a third party in possession of the encryption key can read the data. The U.S. business in these circumstances would not be maintaining or collecting sensitive personal data. The proposed rule makes clear, however, that identifiable data is not limited to data that includes an individual’s name or other obvious identifier, but rather includes any personal identifier, as defined in § 800.239.

84 FR 50178 (emphasis added).  Thus, if the information is encrypted or otherwise anonymized, it will not qualify as identifiable dataSee 31 C.F.R. § 800.202 (“The term anonymized data means data from which all personal identifiers have been completely removed.”).

Mandatory Filings

Another significant change in the review regime is the introduction of mandatory filings for certain transactions. Historically, all filings made to the CFIUS were submitted on a voluntary basis. However, FIRRMA introduces, and the new regulations implement, the concept of mandatory filings. Despite this, the process remains mostly based on voluntary filings, with a relatively small number of transactions requiring a mandatory filing, namely, (i) a substantial foreign government investment in a TID U.S. business, or (ii) controlling or non-controlling investments in critical technologies within the scope of the CFIUS Pilot Program on critical technologies.

  • A substantial foreign government investment in a TID business. Under the new regulations, there is a substantial interest if a foreign person obtains 25 percent or more voting interest in the TID business, and a foreign government owns 49 percent or more of the foreign person. FIRRMA §1705(v)(IV)(bb)(AA); 31 CFR §800.244;
  • CFIUS Pilot Program on critical technologies of Nov. 10, 2018. Controlling or non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies in one of 27 identified industries – including aviation, defense, semiconductors, telecommunications and biotechnology – are subject to a mandatory filing with CFIUS. The final regulations, for now, will continue to use the same NAICS codes. However, the CFIUS announced that it will issue a notice of proposed rulemaking, perhaps moving away from an industry-based approach for these filing requirements in favor of “export control licensing requirements.” In the meantime, mandatory declarations must be filed 45 days before the close of a transaction.

For either mandatory or voluntary filings, FIRRMA has developed an abbreviated filing process through a declaration, allowing parties to submit basic information to the CFIUS.  FIRRMA §1706(v)(1). These provisions are expanded in the new, final regulations.  31 CFR §800.401.  The declarations should generally not exceed five pages in length, and it is likely that a form will be ultimately designed to increase the ease and usefulness of the process. Although declarations are intended to streamline the process by moving less complex transactions through the CFIUS review process with less administrative burden on the filing companies, filing a declaration may actually increase the processing time: the CFIUS has 30 days to render a decision on a mandatory declaration, but may at that time require a full notice, adding a full review cycle to reach a decision, thereby delaying the overall timing of a mergers and acquisition transaction. This may act as a significant deterrent to the use of this mechanism.

Penalties

FIRRMA directs the CFIUS to impose certain fees on parties who violate the CFIUS review process. Any person who submits a material misstatement or omission in a declaration or notice, or who makes certain other false statements, may be liable for a civil penalty of up to $250,000 per violation.  31 C.F.R. 800.901(a). Any person who fails to comply with the mandatory filing procedures may be liable for a civil penalty of up to $250,000 or the value of the transaction, whichever is greater.  31 C.F.R. 800.901(b).  Furthermore, any person who, after Dec. 22, 2018, intentionally or through gross negligence violates a material provision of a mitigation agreement entered into before Oct. 11, 2018, will also be liable for a civil penalty of up to $250,000 or the value of the transaction.  31 C.F.R. 800.901(c).  Further guidance on penalties is expected in new rules to come from the CFIUS.

Conclusion

FIRRMA and the recently enacted final regulations make a variety of sweeping changes to the CFIUS process that will certainly bring more transactions under the scope of CFIUS review.  These changes were implemented in response to increased national security concerns but were carefully crafted to avoid suppressing foreign direct investment in the United States.  Nevertheless, given the significant penalties associated with violations of CFIUS regulations, it is extremely important that all parties to investment transactions take steps to ensure compliance with CFIUS regulations.

 

Federal Bank Regulators Issue Joint Statement on Risk-Focused Approach to AML/BSA Compliance Programs

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a joint statement to emphasize their risk-focused approach to examinations of banks’ Bank Secrecy Act/anti-money laundering (BSA/AML) compliance programs. Although the joint statement does not alter long-standing BSA/AML compliance standards, it highlights the need for financial institutions of all sizes to determine their internal and external risk profile and implement a risk-based BSA/AML compliance program that reflects the realities of the risks faced by particular financial institution. In light of the recent focus on BSA/AML compliance, banks and financial institutions should review their BSA/AML compliance programs on a regular basis, update their enterprise-wide risk profile, and review/enhance their BSA/AML compliance program to ensure that it adequately addresses the relevant risks.

The full text of the Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision is set forth below.
Joint Statement on Risk-Focused Bank Secrecy Act-Anti-Money Laundering Supervision