As Lender’s know, the Department of Human Services (DHS) and the Oregon Health Authority (OHA) regularly request verification of certain customer financial information. Pursuant to ORS 192.588, DHS and OHA are required to certify to the financial institution in writing, signed by an agent from DHS or OHA that:
- the person whose account information is sought is an applicant for or recipient of public assistance as defined in ORS 411.010 or medical assistance as defined in ORS 414.025; and
- that DHS or OHA has authorization from the person for the release of the account information.
In other words, the bank does not need a signature from the customer to release information, but it must have certification that DHS or OHA has the signed release.
Recently, the State of Oregon outsourced account verification to a third party for processing. For whatever reason, some requests for verification, issued after the State outsourced the function, have not included certification that DHS or OHA has the required authorization, per ORS 192.588. That creates liability concerns for financial institutions responding to these requests. If a financial institution responds to a non-compliant request with customer account information, it violates ORS 192.586(1)(a), which provides that “Except as provided in ORS 192.588, . . . a) a financial institution may not provide financial records of a customer to a state or local agency.” “Financial records” is defined to include account information; and DHS and OHA are “state agencies.” A violation of ORS 192.586 could subject the financial institution to liability to its customer in the amount of any ascertainable loss or, if the violation is willful, $1,000 per violation if that is greater than the customer’s financial loss.
In summary, financial institutions should carefully review any request for account verification to confirm that the request complies with the statute.