Introduction
A recent decision from the U.S. District Court for the Northern District of California, Sequeira v. United States Department of Homeland Security, No. 4:22-cv-07996-HSG, offers important clarification on the scope of the Right to Financial Privacy Act (RFPA) and its applicability to money transmitters and similar non-bank financial service providers. The ruling exposes a sharp divide between how federal law treats these businesses for anti-money laundering (AML) and surveillance purposes and how (or whether) it protects their customers’ financial privacy.
For money transmitters, virtual currency kiosks, and other FinCEN-registered money services businesses (MSBs), the decision is highly instructive. It suggests that, absent a lending or credit component, such entities are unlikely to be deemed “financial institutions” under the RFPA—even though they are treated as financial institutions under the Bank Secrecy Act (BSA).
Background of the Sequeira Litigation
In Sequeira, plaintiffs brought a putative class action against two groups of defendants: (1) federal agencies (including DHS and ICE), and (2) a set of money transfer companies—Western Union, Continental Exchange Solutions (Ria), DolEx, and Viamericas. The plaintiffs alleged that these money transfer companies routinely transmitted detailed transaction records into a shared law enforcement platform, the Transaction Record Analysis Center (TRAC), and that various federal agencies accessed those records without complying with the RFPA’s procedural safeguards.
The plaintiffs’ theory hinged on a threshold proposition: that these money transfer companies were “financial institutions” within the meaning of the RFPA because they qualified as “consumer finance institutions” under 12 U.S.C. § 3401(1). On this point, the court’s March 21, 2024 order (Dkt. 116) became a pivotal interpretive decision.
The RFPA’s Narrow Definition of “Financial Institution”
The RFPA prohibits government authorities from obtaining a customer’s financial records from a “financial institution” unless specified procedures—such as customer notice and an opportunity to challenge—are followed. The statute defines “financial institution” in 12 U.S.C. § 3401(1) through a closed list of entities:
- Banks and savings banks
- Card issuers (as defined in the Truth in Lending Act)
- Industrial loan companies
- Trust companies
- Savings associations, building and loan, and homestead associations (including cooperative banks)
- Credit unions
- “Consumer finance institutions”
Notably absent are money transmitters, money services businesses, and virtual currency exchangers. The RFPA also does not automatically incorporate the broader “financial institution” or “financial activity” definitions used in the Bank Holding Company Act or the BSA/FinCEN framework. Because the RFPA does not define “consumer finance institution,” the Sequeira court was required to construe the term as a matter of first impression in the Ninth Circuit.
Defining “Consumer Finance Institution”
The parties in Sequeira offered competing interpretations. Plaintiffs urged a broad reading that would include institutions whose primary purpose is assisting consumers with financial transactions, such as sending remittances. The money transfer defendants advocated a narrower definition: entities for which the provision of financing and loans is a core business function.
The court adopted the narrower construction, aligning with prior decisions such as CFTC v. Worth Bullion Group, Inc. and FTC v. Sterling Precious Metals, LLC, which had interpreted “consumer finance institution” to cover companies principally engaged in extending financing or cash loans, not merely handling payments or transfers. Judge Gilliam emphasized both the statutory context—surrounding terms like banks, credit unions, and savings institutions—and the prior authority in concluding that Congress had in mind lenders, not general payment intermediaries. Under this reasoning, a company that simply transmits funds from one party to another does not become a “consumer finance institution” solely by virtue of participating in consumer financial transactions.
Application to the Money Transfer Defendants
On this statutory footing, the court drew a critical distinction among the money transfer defendants.
- Continental and Viamericas: The complaint alleged that these entities provided money transfer services but did not allege any consumer credit or lending products. On those facts, the court held that they did not qualify as consumer finance institutions and therefore were not “financial institutions” under the RFPA. The RFPA claims against them were dismissed for failure to state a cognizable legal theory.
- DolEx and Western Union: The complaint, by contrast, alleged that DolEx offered installment loan products (including “prestamos familiares”) and that Western Union provided installment-type money transfer credit products. Taking those allegations as true at the Rule 12(b)(6) stage, the court concluded it was at least plausible that these entities’ core business included consumer financing, bringing them within the “consumer finance institution” category. As a result, the RFPA claims against DolEx and Western Union survived the motion to dismiss and were permitted to proceed into discovery.
In parallel, the court interpreted “customer” under § 3401(5) to require that the financial institution maintain an account in the person’s name, relying on Third Circuit authority and legislative history indicating that the RFPA was intended to protect the person whose account records are sought—not every person whose information passes through a financial intermediary.
The Later Procedural Dismissal
A later opinion in the case (reported at 347 F.R.D. 510) ultimately dismissed the action on Rule 19 “indispensable party” grounds, after the court concluded that the State of Arizona—architect of the TRAC program—was a required but immune party that could not be joined. That subsequent dismissal did not reverse the court’s prior RFPA interpretation; rather, it rested on joinder and sovereign immunity principles. The definition of “consumer finance institution” articulated in Dkt. 116 remains a key substantive component of the court’s analysis.
Regulatory Asymmetry: BSA vs. RFPA
The combined effect of Sequeira and existing federal guidance is a pronounced regulatory asymmetry for money transmitters and related businesses. Under the BSA and FinCEN regulations, money transmitters and many virtual currency businesses are treated as “financial institutions,” and are required to:
- Register as MSBs
- Implement risk-based AML programs
- Conduct KYC/customer identification
- Maintain transaction and SAR-related records for defined periods
- Provide records and supporting documentation to FinCEN and law enforcement upon request in specified contexts
However, under Sequeira’s reading of the RFPA, a pure money transmission business—one that does not also engage in consumer lending or credit—will generally fall outside the RFPA’s definition of “financial institution.” That means:
- RFPA’s customer-notice, delayed-notice, and certificate-of-compliance requirements are unlikely to apply to such entities.
- When law enforcement serves administrative subpoenas or similar process directly on a money transmitter that does not offer credit products, RFPA-based objections may not be sustainable in light of Sequeira and the statutory text.
In short, these businesses are “financial institutions” for surveillance and recordkeeping purposes under the BSA, but not necessarily for privacy-protection purposes under the RFPA.
Implications for Money Transmitters and Crypto ATM Operators
For firms whose business model is limited to money transmission, remittances, or crypto exchange at kiosks, Sequeira is a strong signal that RFPA protections will not be automatically available when federal agencies seek customer transaction data. At the same time, Sequeira suggests that entities that blend money transmission with consumer lending or installment-type products may enter RFPA territory. Where a company’s core business includes providing credit or financing to consumers, a court may regard it as a “consumer finance institution” and thus as an RFPA “financial institution,” with all the associated obligations regarding customer notice and procedure. This has several practical implications:
- Product Design and Expansion: MSBs and crypto platforms contemplating installment products, credit lines, or other financing arrangements should understand that expanding into consumer lending may change their RFPA posture and expose them to new procedural constraints when law enforcement seeks records.
- Law Enforcement Process Management: For pure money transmitters, compliance programs should be calibrated to recognize that RFPA is unlikely to provide a statutory shield. Internal policies should instead focus on verifying the facial validity and scope of subpoenas or warrants, ensuring appropriate authentication, and minimizing overproduction, while honoring BSA obligations.
- Customer Communications and Expectations: Marketing and privacy disclosures should avoid suggesting RFPA protections where they likely do not exist, while still emphasizing robust data security, contractual privacy commitments, and adherence to applicable state privacy statutes.
Conclusion
Sequeira v. DHS underscores that statutory labels do not always move in lockstep across federal regimes. Money transmitters and crypto ATM operators are treated as “financial institutions” for BSA/AML purposes but, under the RFPA as interpreted in Sequeira, are generally not financial institutions unless they also function as consumer lenders.
For clients in the money transmission and virtual currency sectors, this decision should inform both how they structure their product offerings and how they respond to law enforcement demands for customer financial records. Careful, statute-specific analysis is required: being regulated “like a bank” for AML does not necessarily mean being protected “like a bank” for customer financial privacy.
Sequeira reinforces that money transmitters may face extensive AML obligations without corresponding RFPA protections. Understanding where your business falls under this framework is critical, particularly if you offer or plan to offer consumer credit products.
To discuss how this decision impacts your business and compliance posture, schedule a consultation with Cogent Law.