Agency position on credit card names rankles

Originally published on VCOG's Substack newsletter

Dec. 16, 2021
By Megan Rhyne and Amanda Kastl*

This weekend, the Richmond Times-Dispatch published the alarming news that the Department of Accounts (DOA), a division of the Virginia Department of Finance, has been advising state agencies – in the interest of preventing identity fraud – to remove employee names from credit card statements someone might request through the Freedom of Information Act. Even more alarming is the news that this directive was based on advice from Bank of America, the issuer of the state's purchase cards.

To boil that down: a bank told a state agency created to provide "a unified financial accounting and control system for state funds" to tell other state agencies not to connect names with billing statements detailing expenditures of state funds.

Amanda Kastl is the FOIA officer for Fairfax County. I am the director of the FOIA-centric Virginia Coalition for Open Government. While we mostly agree on a lot, we don’t always see eye-to-eye on each and every FOIA issue. We were both taken aback by this news, however. That’s why we write together today to share our practical and philosophical concerns with the DOA's position on limiting the public’s access to information.

Let's start with the bank's advice. In a letter to the DOA in 2019, the bank said it would “not recommend providing any ‘Cardholder Data’ in a transaction file to anyone” and pointed to the Payment Card Industry Security Standards Council for guidance on what constitutes "cardholder data." The PCISSC says cardholder data is, at a minimum, the full account number, but may include the full account number plus the cardholder name.

That “plus” matters. Account numbers are already exempt by VFOIA (2.2-3705.1(13)), so public bodies who are asked for credit card statements are already redacting account numbers, that is, “cardholder data.” No problem.

But ignoring PCISSC’s own definition, and clearly unaware of VFOIA, the Bank of America letter to the DOA nevertheless adds that the bank "would not recommend sending the account number or the cardholder name in a transaction file to anyone."

They flipped the switch to say account number PLUS the name on the card shouldn’t be released instead of account number OR the name, meaning, you can redact either or both the name and account number. Taken to its logical conclusion, and if the stated goal is to protect against identity theft, that could mean the employee's name on the very envelope containing the statement addressed should be redacted. Don’t release either, the bank says. 

And the DOA accepted that. In guidance issued to purchase card managers in February 2020, the DOA stated, "While there is no specific exemption for Cardholder Name we recommend withholding cardholder names. This is a recommended best practice from the Bank of America."

To be clear, not only is there “no specific exemption” for cardholder names, there is an actual FOIA provision that specifically mandates the disclosure of:

“records of the name, position, job classification, official salary, or rate of pay of, and records of the allowances of reimbursements for expenses paid to, any officer, official, or employee of a public body." — 2.2-3705.1(1)

FOIA's basic presumption is that all records are open unless a discretionary exemption or another law allows the records to be withheld. The DOA's advice is directly contrary to that presumption as well as to FOIA's policy statement (2.2-3700) to interpret exemptions narrowly.

The upshot, again, is that the agency has been recommending to other state agencies to leave the name off of credit card statements disclosed publicly, even when the account number has itself been redacted. That means that no one -- not the press, not the public, and presumably not even someone else in another government department -- can figure out whether it was OK for any given employee to spend taxpayer funds on any given item. 

From a process standpoint, Amanda, whose office took care of 766 of the 12,840 FOIA requests made in the county in FY2021, had these observations:

  • I rely heavily on the county’s chief information security officer’s expertise on issues like identity fraud and network infrastructure security. But, public records that contain employee spending information are typically straightforward since no personally identifiable information (date of birth, social security number) about the employee is included. Redactions are only applied to bank account numbers and routing numbers.  

  • Some government-issued credit cards do not contain names—they contain agency names. That can be important to know when expenses for a particular employee are asked for but that employee uses an agency card, not a card in his/her name.

  • Certain payment information is prohibited from release. For example, housing vouchers, welfare payments, settlement amounts covered under court seal, and payments made for medical services.

  • There's so much room for explanation and education when records are withheld or redacted. For instance, in this situation, maybe the name on the statement doesn't match the person who actually made the charge. OK, explain that to the requester. Or, maybe the request was for a bank statement that did not provide the level of detail the requester sought. OK, give the requester what they asked for but also inform the requester that more detailed information exists. 

  • It is the FOIA officer’s responsibility to inform requesters how they can obtain the information they seek–even if it is not immediately available for release or wasn’t specifically requested in their FOIA request. 

  • Savvy FOIA requesters, especially those with deep pockets or a legal background, will find a way to figure out who spent what. But FOIA shouldn't be an exercise in hide-and-seek when it comes to the expenditure of public funds.

Amanda's thorough advice is well taken. She is also more diplomatic than I am. I would go a step further to call out the really awful precedent set by a policy that decouples the who from the what.

Public records all over the country at the local and state levels and in the federal government exist in large measure to keep government accountable to the people in whose name those governments act. It is an awesome job that we (capital "W" we) have delegated to our elected, appointed and employed officials. With delegation comes oversight. We need assurances that the use of our money is put towards our priorities and not misused or squandered.

We need to know if those with high levels of authority are using that authority properly. It's why we have conflicts of interest laws, laws against nepotism, and laws requiring disclosure of salary and expenditure data.

It's no criticism of government employees writ large to acknowledge that some of them play fast and loose with public money. Some have succumbed to graft. Some have embezzled. Those errant few should not escape scrutiny or blame when they make inappropriate charges that are hidden by a no-name policy.

On the other hand, there are legions of diligent government employees above reproach, who would never so much as accept a coffee mug as a thank-you gift, much less misuse a credit card. Their integrity should not be impugned when anonymous, inappropriate charges are brought to light.

Yet that is exactly what happens -- with all due allowances pointed out by Amanda -- when names and expenditures are divorced from one another. 

Never did I think this basic point even needed elucidating. To a bank, maybe, but not to government officials.

 

*Amanda Kastl is Fairfax County’s FOIA Officer. The views expressed are her own and do not represent the views of Fairfax County Government.
