12 U.S.C. 93a; 15 U.S.C. 6801
(a)
(1) Requires a financial institution to provide notice to customers about its privacy policies and practices;
(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 40.13, 40.14, and 40.15.
(b)
(2) Nothing in this part modifies, limits, or supersedes the standards governing individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
The examples in this part and the sample clauses in appendix A of this part are not exclusive. Compliance with an example or use of a sample clause, to the extent applicable, constitutes compliance with this part.
As used in this part, unless the context requires otherwise:
(a)
(b)(1)
(2)
(A) Presents the information in the notice in clear, concise sentences, paragraphs, and sections;
(B) Uses short explanatory sentences or bullet lists whenever possible;
(C) Uses definite, concrete, everyday words and active voice whenever possible;
(D) Avoids multiple negatives;
(E) Avoids legal and highly technical business terminology whenever possible; and
(F) Avoids explanations that are imprecise and readily subject to different interpretations.
(ii)
(A) Uses a plain-language heading to call attention to the notice;
(B) Uses a typeface and type size that are easy to read;
(C) Provides wide margins and ample line spacing;
(D) Uses boldface or italics for key words; and
(E) In a form that combines the bank's notice with other information, uses distinctive type size, style, and graphic devices, such as shading or sidebars, when you combine your notice with other information.
(iii)
(A) Places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(B) Places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice.
(c)
(d)
(e)(1)
(2)
(ii) An individual who provides nonpublic personal information to a bank in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.
(iii) An individual who provides nonpublic personal information to a bank in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer regardless of whether the bank establishes a continuing advisory relationship.
(iv) If a bank holds ownership or servicing rights to an individual's loan that is used primarily for personal, family, or household purposes, the individual is the bank's consumer, even if the bank holds those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which a bank has ownership or servicing rights is the bank's consumer, even if the bank, or another institution with those rights, hires an agent to collect on the loan.
(v) An individual who is a consumer of another financial institution is not a bank's consumer solely because the bank acts as agent for, or provides processing or other services to, that financial institution.
(vi) An individual is not a bank's consumer solely because he or she has designated the bank as trustee for a trust.
(vii) An individual is not a bank's consumer solely because he or she is a beneficiary of a trust for which the bank is a trustee.
(viii) An individual is not a bank's consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that the bank sponsors or for which the bank acts as a trustee or fiduciary.
(f)
(g)
(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the OCC determines.
(h)
(i)(1)
(2)
(A) Has a deposit or investment account with the bank;
(B) Obtains a loan from the bank;
(C) Has a loan for which you own the servicing rights;
(D) Purchases an insurance product from the bank;
(E) Holds an investment product through the bank, such as when the bank acts as a custodian for securities or for assets in an Individual Retirement Arrangement;
(F) Enters into an agreement or understanding with the bank whereby the bank undertakes to arrange or broker a home mortgage loan for the consumer;
(G) Enters into a lease of personal property with the bank; or
(H) Obtains financial, investment, or economic advisory services from the bank for a fee.
(ii)
(A) The consumer obtains a financial product or service only in isolated transactions, such as using the bank's ATM to withdraw cash from an account at another financial institution or purchasing a cashier's check or money order;
(B) The bank sells the consumer's loan and does not retain the rights to service that loan; or
(C) The bank sells the consumer airline tickets, travel insurance, or traveler's checks in isolated transactions.
(j)
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The Director of the Office of Thrift Supervision;
(5) The National Credit Union Administration Board; and
(6) The Securities and Exchange Commission.
(k)(1)
(2)
(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1
(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001
(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(l)(1)
(2)
(m)(1)
(i) A bank's affiliate; or
(ii) A person employed jointly by a bank and any company that is not the bank's affiliate (but
(2)
(n)(1)
(i) Personally identifiable financial information; and
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
(2)
(i) Publicly available information, except as included on a list described in paragraph (n)(1)(ii) of this section; or
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
(3)
(ii) Nonpublic personal information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
(o)(1)
(i) A consumer provides to a bank to obtain a financial product or service from the bank;
(ii) About a consumer resulting from any transaction involving a financial product or service between a bank and a consumer; or
(iii) The bank otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
(2)
(A) Information a consumer provides to a bank on an application to obtain a loan, credit card, or other financial product or service;
(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;
(C) The fact that an individual is or has been one of the bank's customers or has obtained a financial product or service from the bank;
(D) Any information about the bank's consumer if it is disclosed in a manner that indicates that the individual is or has been the bank's consumer;
(E) Any information that a consumer provides to a bank or that the bank or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
(F) Any information the bank collects through an Internet “cookie” (an information collecting device from a web server); and
(G) Information from a consumer report.
(ii)
(A) A list of names and addresses of customers of an entity that is not a financial institution; and
(B) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
(p)(1)
(i) Federal, State, or local government records;
(ii) Widely distributed media; or
(iii) Disclosures to the general public that are required to be made by Federal, State, or local law.
(2)
(i) That the information is of the type that is available to the general public; and
(ii) Whether an individual can direct that the information not be made available to the general public and, if so, that the bank's consumer has not done so.
(3)
(ii)
(iii)
(B) A bank has a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if the bank has located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted.
(a)
(1)
(2)
(b)
(1) The bank does not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 40.14 and 40.15; and
(2) The bank does not have a customer relationship with the consumer.
(c)
(2)
(3)(i)
(A) Opens a credit card account with the bank;
(B) Executes the contract to open a deposit account with the bank, obtains credit from the bank, or purchases insurance from the bank;
(C) Agrees to obtain financial, economic, or investment advisory services from the bank for a fee; or
(D) Becomes the bank's client for the purpose of the bank's providing credit counseling or tax preparation services.
(ii)
(A) Originates the loan to the consumer; or
(B) Purchases the servicing rights to the consumer's loan.
(d)
(1) The bank may provide a revised privacy notice, under § 40.8, that covers the customer's new financial product or service; or
(2) If the initial, revised, or annual notice that the bank most recently provided to that customer was accurate with respect to the new financial product or service, the bank does not need to provide a new privacy notice under paragraph (a) of this section.
(e)
(i) Establishing the customer relationship is not at the customer's election; or
(ii) Providing notice not later than when the bank establishes a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time.
(2)
(ii)
(A) The bank and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service; or
(B) The bank establishes a customer relationship with an individual under a program authorized by Title IV of the Higher Education Act of 1965 (20 U.S.C. 1070
(iii)
(f)
(a)(1)
(2)
(b)(1)
(2)
(i) In the case of a deposit account, the account is inactive under the bank's policies;
(ii) In the case of a closed-end loan, the customer pays the loan in full, the bank charges off the loan, or the bank sells the loan without retaining servicing rights;
(iii) In the case of a credit card relationship or other open-end credit relationship, the bank no longer provides any statements or notices to the customer concerning that relationship or the bank sells the credit card receivables without retaining servicing rights; or
(iv) The bank has not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.
(c)
(d)
(a)
(1) The categories of nonpublic personal information that the bank collects;
(2) The categories of nonpublic personal information that the bank discloses;
(3) The categories of affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information, other than those parties to whom the bank discloses information under §§ 40.14 and 40.15;
(4) The categories of nonpublic personal information about the bank's former customers that the bank discloses and the categories of affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information about the bank's former customers, other than those parties to whom the bank discloses information under §§ 40.14 and 40.15;
(5) If a bank discloses nonpublic personal information to a nonaffiliated third party under § 40.13 (and no other exception in §§ 40.14 or 40.15 applies to that disclosure), a separate statement of the categories of information the bank discloses and the categories of third parties with whom the bank has contracted;
(6) An explanation of the consumer's right under § 40.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;
(7) Any disclosures that the bank makes under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
(8) The bank's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
(9) Any disclosure that the bank makes under paragraph (b) of this section.
(b)
(c)
(i) Information from the consumer;
(ii) Information about the consumer's transactions with the bank or its affiliates;
(iii) Information about the consumer's transactions with nonaffiliated third parties; and
(iv) Information from a consumer reporting agency.
(2)
(ii) If a bank reserves the right to disclose all of the nonpublic personal information about consumers that it collects, it may simply state that fact without describing the categories or examples of the nonpublic personal information it discloses.
(3)
(i) Financial service providers;
(ii) Non-financial companies; and
(iii) Others.
(4)
(i) Lists the categories of nonpublic personal information it discloses, using the same categories and examples the bank used to meet the requirements of paragraph (a)(2) of this section, as applicable; and
(ii) States whether the third party is:
(A) A service provider that performs marketing services on the bank's behalf or on behalf of the bank and another financial institution; or
(B) A financial institution with whom the bank has a joint marketing agreement.
(5)
(6)
(i) Describes in general terms who is authorized to have access to the information; and
(ii) States whether the bank has security practices and procedures in place to ensure the confidentiality of the information in accordance with the bank's policy. The bank is not required to describe technical information about the safeguards it uses.
(d)
(2) A short-form initial notice must:
(i) Be clear and conspicuous;
(ii) State that the bank's privacy notice is available upon request; and
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The bank must deliver its short-form initial notice according to § 40.9. The bank is not required to deliver its privacy notice with its short-form initial notice. The bank instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a
(4)
(i) Provides a toll-free telephone number that the consumer may call to request the notice; or
(ii) For a consumer who conducts business in person at the bank's office, maintain copies of the notice on hand that the bank provides to the consumer immediately upon request.
(e)
(1) Categories of nonpublic personal information that the bank reserves the right to disclose in the future, but do not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom the bank reserves the right in the future to disclose, but to whom the bank does not currently disclose, nonpublic personal information.
(f)
(a) (1)
(i) That the bank discloses or reserves the right to disclose nonpublic personal information about its consumer to a nonaffiliated third party;
(ii) That the consumer has the right to opt out of that disclosure; and
(iii) A reasonable means by which the consumer may exercise the opt out right.
(2)
(A) Identifies all of the categories of nonpublic personal information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the bank discloses the information, as described in § 40.6(a)(2) and (3), and states that the consumer can opt out of the disclosure of that information; and
(B) Identifies the financial products or services that the consumer obtains from the bank, either singly or jointly, to which the opt out direction would apply.
(ii)
(A) Designates check-off boxes in a prominent position on the relevant forms with the opt out notice;
(B) Includes a reply form together with the opt out notice;
(C) Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the bank's web site, if the consumer agrees to the electronic delivery of information; or
(D) Provides a toll-free telephone number that consumers may call to opt out.
(iii)
(A) The only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
(B) The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the bank provided with the initial notice but did not include with the subsequent notice.
(iv)
(b)
(c)
(d)
(2) Any of the joint consumers may exercise the right to opt out. The bank may either:
(i) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(ii) Permit each joint consumer to opt out separately.
(3) If a bank permits each joint consumer to opt out separately, the bank must permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) A bank may not require
(5)
(i) Send a single opt out notice to John's address, but the bank must accept an opt out direction from either John or Mary.
(ii) Treat an opt out direction by either John or Mary as applying to the entire account. If the bank does so and John opts out, the bank may not require Mary to opt out as well before implementing John's opt out direction.
(iii) Permit John and Mary to make different opt out directions. If the bank does so:
(A) It must permit John and Mary to opt out for each other;
(B) If both opt out, the bank must permit both of them to notify it in a single response (such as on a form or through a telephone call); and
(C) If John opts out and Mary does not, the bank may only disclose nonpublic personal information about Mary, but not about John and not about John and Mary jointly.
(e)
(f)
(g)
(2) When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal information that the bank collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the bank, the opt out direction that applied to the former relationship does not apply to the new relationship.
(h)
(a)
(1) The bank has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
(2) The bank has provided to the consumer a new opt out notice;
(3) The bank has given the consumer a reasonable opportunity, before the bank discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b)
(i) Discloses a new category of nonpublic personal information to any nonaffiliated third party;
(ii) Discloses nonpublic personal information to a new category of nonaffiliated third party; or
(iii) Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(2) A revised notice is not required if the bank discloses nonpublic personal information to a new nonaffiliated third party that the bank adequately described in its prior notice.
(c)
(a)
(b) (1)
(i) Hand-delivers a printed copy of the notice to the consumer;
(ii) Mails a printed copy of the notice to the last known address of the consumer;
(iii) For the consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;
(iv) For an isolated transaction with the consumer, such as an ATM transaction, posts the notice on the ATM screen and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
(2)
(i) Only posts a sign in its branch or office or generally publish advertisements of its privacy policies and practices;
(ii) Sends the notice via electronic mail to a consumer who does not obtain a financial product or service from the bank electronically.
(c)
(1) The customer uses the bank's web site to access financial products and services electronically and agrees to receive notices at the web site and the bank posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or
(2) The customer has requested that the bank refrain from sending any information regarding the customer relationship, and the bank's current privacy notice remains available to the customer upon request.
(d)
(e)
(2)
(i) Hand-delivers a printed copy of the notice to the customer;
(ii) Mails a printed copy of the notice to the last known address of the customer; or
(iii) Makes its current privacy notice available on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and agrees to receive the notice at the web site.
(f)
(g)
(a)(1)
(i) The bank has provided to the consumer an initial notice as required under § 40.4;
(ii) The bank has provided to the consumer an opt out notice as required in § 40.7;
(iii) The bank has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(iv) The consumer does not opt out.
(2)
(3)
(i)
(ii)
(iii)
(b)
(2) Unless a bank complies with this section, the bank may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that the bank has collected, regardless of whether the bank collected it before or after receiving the direction to opt out from the consumer.
(c)
(a)(1)
(i) The bank may disclose the information to the affiliates of the financial institution from which the bank received the information;
(ii) The bank may disclose the information to its affiliates, but the bank's affiliates may, in turn, disclose and use the information only to the extent that
(iii) The bank may disclose and use the information pursuant to an exception in §§ 40.14 or 40.15 in the ordinary course of business to carry out the activity covered by the exception under which the bank received the information.
(2)
(b)(1)
(i) To the affiliates of the financial institution from which the bank received the information;
(ii) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the bank can disclose the information; and
(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the bank received the information.
(2)
(i) The bank may use that list for its own purposes; and
(ii) The bank may disclose that list to another nonaffiliated third party only if the financial institution from which the bank purchased the list could have lawfully disclosed the list to that third party. That is, the bank may disclose the list in accordance with the privacy policy of the financial institution from which the bank received the list, as limited by the opt out direction of each consumer whose nonpublic personal information the bank intends to disclose and the bank may disclose the list in accordance with an exception in §§ 40.14 or 40.15, such as to the bank's attorneys or accountants.
(c)
(1) The third party may disclose the information to the bank's affiliates;
(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) The third party may disclose and use the information pursuant to an exception in §§ 40.14 or 40.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(d)
(1) To the bank's affiliates;
(2) To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3) To any other person, if the disclosure would be lawful if the bank made it directly to that person.
(a)
(b)
(1) To the bank's agent or service provider solely in order to perform marketing for the bank's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; or
(2) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
(c)
(2)
(a)
(i) Provides the initial notice in accordance with § 40.4; and
(ii) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the bank disclosed the information, including use under an exception in § 40.14 or 40.15 in the ordinary course of business to carry out those purposes.
(2)
(b)
(c)
(a)
(1) Servicing or processing a financial product or service that a consumer requests or authorizes;
(2) Maintaining or servicing the consumer's account with a bank, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
(3) A proposed or actual securitization, secondary market sale (including sales of servicing rights), or
(b)
(1) Required, or is one of the lawful or appropriate methods, to enforce the bank's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2) Required, or is a usual, appropriate or acceptable method:
(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product;
(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(iii) To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker;
(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by a bank or any other party;
(v) To underwrite insurance at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law;
(vi) In connection with:
(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means;
(B) The transfer of receivables, accounts, or interests therein; or
(C) The audit of debit, credit, or other payment information.
(a)
(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
(2) (i) To protect the confidentiality or security of a bank's records pertaining to the consumer, service, product, or transaction;
(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
(iii) For required institutional risk control or for resolving consumer disputes or inquiries;
(iv) To persons holding a legal or beneficial interest relating to the consumer; or
(v) To persons acting in a fiduciary or representative capacity on behalf of the consumer;
(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a bank, persons that are assessing the bank's compliance with industry standards, and the bank's attorneys, accountants, and auditors;
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401
(5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681
(ii) From a consumer report reported by a consumer reporting agency;
(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
(7)(i) To comply with Federal, State, or local laws, rules and other applicable legal requirements;
(ii) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or
(iii) To respond to judicial process or government regulatory authorities having jurisdiction over a bank for examination, compliance, or other purposes as authorized by law.
(b)
(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 40.7(f).
Nothing in this part shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681
(a)
(b)
(a)
(b)(1)
(2)
(c)
Financial institutions, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.)
A bank may use this clause, as applicable, to meet the requirement of § 40.6(a)(1) to describe the categories of nonpublic personal information the bank collects.
We collect nonpublic personal information about you from the following sources:
• Information we receive from you on applications or other forms;
• Information about your transactions with us, our affiliates, or others; and
• Information we receive from a consumer reporting agency.
A bank may use one of these clauses, as applicable, to meet the requirement of § 40.6(a)(2) to describe the categories of nonpublic personal information the bank discloses. The bank may use these clauses if it discloses nonpublic personal information other than as permitted by the exceptions in §§ 40.13, 40.14, and 40.15.
We may disclose the following kinds of nonpublic personal information about you:
• Information we receive from you on applications or other forms, such as [
• Information about your transactions with us, our affiliates, or others, such as [
• Information we receive from a consumer reporting agency, such as [
We may disclose all of the information that we collect, as described [
A bank may use this clause, as applicable, to meet the requirements of §§ 40.6(a)(2), (3), and (4) to describe the categories of nonpublic personal information about customers and former customers that the bank discloses and the categories of affiliates and nonaffiliated third parties to whom the bank discloses. A bank may use this clause if the bank does not disclose nonpublic personal information to any party, other than as permitted by the exceptions in §§ 40.14, and 40.15.
We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law.
A bank may use this clause, as applicable, to meet the requirement of § 40.6(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information. The bank may use this clause if the bank discloses nonpublic personal information other than as permitted by the exceptions in §§ 40.13, 40.14, and 40.15, as well as when permitted by the exceptions in §§ 40.14 and 40.15.
We may disclose nonpublic personal information about you to the following types of third parties:
• Financial service providers, such as [
• Non-financial companies, such as [
• Others, such as [
We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.
A bank may use one of these clauses, as applicable, to meet the requirements of § 40.6(a)(5) related to the exception for service providers and joint marketers in § 40.13. If a bank discloses nonpublic personal information under this exception, the bank must describe the categories of nonpublic personal information the bank discloses and the categories of third parties with whom the bank has contracted.
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements:
• Information we receive from you on applications or other forms, such as [
• Information about your transactions with us, our affiliates, or others, such as [
• Information we receive from a consumer reporting agency, such as [
We may disclose all of the information we collect, as described [
A bank may use this clause, as applicable, to meet the requirement of § 40.6(a)(6) to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. The bank may use this clause if the bank discloses nonpublic personal information other than as permitted by the exceptions in §§ 40.13, 40.14, and 40.15.
If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [
A bank may use this clause, as applicable, to meet the requirement of § 40.6(a)(8) to describe its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
We restrict access to nonpublic personal information about you to [