whole or in part.
(a) Privacy obligation policy
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to
respect the privacy of its customers and to protect the security and confidentiality of those customers’
nonpublic personal information.
(b) Financial institutions safeguards
title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
22 INSTRUCTOR’S MANUAL FOR BUSINESS LAW: COMMERCIAL LAW FOR ACCOUNTANTS
whole or in part.
whole or in part.
whole or in part.
whole or in part.
(iii) Information about the consumer’s transactions with nonaffiliated third parties; and
(iv) Information from a consumer reporting agency.
(2) Categories of nonpublic personal information the bank discloses.
(i) A bank satisfies the requirement to categorize the nonpublic personal information that it discloses if the
bank lists the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to
illustrate the types of information in each category.
(ii) If a bank reserves the right to disclose all of the nonpublic personal information about consumers that it
collects, it may simply state that fact without describing the categories or examples of the nonpublic
personal information it discloses.
(3) Categories of affiliates and nonaffiliated third parties to whom the bank discloses. A bank satisfies the
requirement to categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic
personal information if the bank lists the following categories, as applicable, and a few examples to illustrate
the types of third parties in each category:
(i) Financial service providers;
(ii) Non-financial companies; and
(iii) Others.
(4) Disclosures under exception for service providers and joint marketers. If a bank discloses nonpublic
personal information under the exception in § 40.13 to a nonaffiliated third party to market products or
services that it offers alone or jointly with another financial institution, the bank satisfies the disclosure
requirement of paragraph (a)(5) of this section if it:
(i) Lists the categories of nonpublic personal information it discloses, using the same categories and
examples the bank used to meet the requirements of paragraph (a)(2) of this section, as applicable; and
(ii) States whether the third party is:
(A) A service provider that performs marketing services on the bank’s behalf or on behalf of the bank and
another financial institution; or
(B) A financial institution with whom the bank has a joint marketing agreement.
(5) Simplified notices. If a bank does not disclose, and does not wish to reserve the right to disclose,
nonpublic personal information about customers or former customers to affiliates or nonaffiliated third
parties except as authorized under §§ 40.14 and 40.15, the bank may simply state that fact, in addition to
the information it must provide under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.
(6) Confidentiality and security. A bank describes its policies and practices with respect to protecting the
confidentiality and security of nonpublic personal information if it does both of the following:
whole or in part.
(i) Describes in general terms who is authorized to have access to the information; and
(ii) States whether the bank has security practices and procedures in place to ensure the confidentiality of
the information in accordance with the bank’s policy. The bank is not required to describe technical
information about the safeguards it uses.
(d) Short-form initial notice with opt out notice for non-customers.
(1) A bank may satisfy the initial notice requirements in §§ 40.4(a)(2), 40.7(b), and 40.7(c) for a consumer
who is not a customer by providing a short– form initial notice at the same time as the bank delivers an opt
out notice as required in § 40.7.
(2) A short-form initial notice must:
(i) Be clear and conspicuous;
(ii) State that the bank’s privacy notice is available upon request; and
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The bank must deliver its short-form initial notice according to § 40.9. The bank is not required to deliver
its privacy notice with its short-form initial notice. The bank instead may simply provide the consumer a
reasonable means to obtain its privacy notice. If a consumer who receives the bank’s short-form notice
requests the bank’s privacy notice, the bank must deliver its privacy notice according to § 40.9.
(4) Examples of obtaining privacy notice. The bank provides a reasonable means by which a consumer may
obtain a copy of its privacy notice if the bank:
(i) Provides a toll-free telephone number that the consumer may call to request the notice; or
(ii) For a consumer who conducts business in person at the bank’s office, maintain copies of the notice on
hand that the bank provides to the consumer immediately upon request.
(e) Future disclosures. The bank’s notice may include:
(1) Categories of nonpublic personal information that the bank reserves the right to disclose in the future,
but do not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom the bank reserves the right in the future to
disclose, but to whom the bank does not currently disclose, nonpublic personal information.
(f) Sample clauses. Sample clauses illustrating some of the notice content required by this section are
included in Appendix A of this part.
<<PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION>>
<Compliance to amendments appearing at 65 FR 35162 is optional until July 1, 2001.>
Copr. © West 2001 No Claim to Orig. U.S. Govt. Works
22 INSTRUCTOR’S MANUAL FOR BUSINESS LAW: COMMERCIAL LAW FOR ACCOUNTANTS
whole or in part.
whole or in part.
whole or in part.
whole or in part.
(iii) Information about the consumer’s transactions with nonaffiliated third parties; and
(iv) Information from a consumer reporting agency.
(2) Categories of nonpublic personal information the bank discloses.
(i) A bank satisfies the requirement to categorize the nonpublic personal information that it discloses if the
bank lists the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to
illustrate the types of information in each category.
(ii) If a bank reserves the right to disclose all of the nonpublic personal information about consumers that it
collects, it may simply state that fact without describing the categories or examples of the nonpublic
personal information it discloses.
(3) Categories of affiliates and nonaffiliated third parties to whom the bank discloses. A bank satisfies the
requirement to categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic
personal information if the bank lists the following categories, as applicable, and a few examples to illustrate
the types of third parties in each category:
(i) Financial service providers;
(ii) Non-financial companies; and
(iii) Others.
(4) Disclosures under exception for service providers and joint marketers. If a bank discloses nonpublic
personal information under the exception in § 40.13 to a nonaffiliated third party to market products or
services that it offers alone or jointly with another financial institution, the bank satisfies the disclosure
requirement of paragraph (a)(5) of this section if it:
(i) Lists the categories of nonpublic personal information it discloses, using the same categories and
examples the bank used to meet the requirements of paragraph (a)(2) of this section, as applicable; and
(ii) States whether the third party is:
(A) A service provider that performs marketing services on the bank’s behalf or on behalf of the bank and
another financial institution; or
(B) A financial institution with whom the bank has a joint marketing agreement.
(5) Simplified notices. If a bank does not disclose, and does not wish to reserve the right to disclose,
nonpublic personal information about customers or former customers to affiliates or nonaffiliated third
parties except as authorized under §§ 40.14 and 40.15, the bank may simply state that fact, in addition to
the information it must provide under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.
(6) Confidentiality and security. A bank describes its policies and practices with respect to protecting the
confidentiality and security of nonpublic personal information if it does both of the following:
whole or in part.
(i) Describes in general terms who is authorized to have access to the information; and
(ii) States whether the bank has security practices and procedures in place to ensure the confidentiality of
the information in accordance with the bank’s policy. The bank is not required to describe technical
information about the safeguards it uses.
(d) Short-form initial notice with opt out notice for non-customers.
(1) A bank may satisfy the initial notice requirements in §§ 40.4(a)(2), 40.7(b), and 40.7(c) for a consumer
who is not a customer by providing a short– form initial notice at the same time as the bank delivers an opt
out notice as required in § 40.7.
(2) A short-form initial notice must:
(i) Be clear and conspicuous;
(ii) State that the bank’s privacy notice is available upon request; and
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The bank must deliver its short-form initial notice according to § 40.9. The bank is not required to deliver
its privacy notice with its short-form initial notice. The bank instead may simply provide the consumer a
reasonable means to obtain its privacy notice. If a consumer who receives the bank’s short-form notice
requests the bank’s privacy notice, the bank must deliver its privacy notice according to § 40.9.
(4) Examples of obtaining privacy notice. The bank provides a reasonable means by which a consumer may
obtain a copy of its privacy notice if the bank:
(i) Provides a toll-free telephone number that the consumer may call to request the notice; or
(ii) For a consumer who conducts business in person at the bank’s office, maintain copies of the notice on
hand that the bank provides to the consumer immediately upon request.
(e) Future disclosures. The bank’s notice may include:
(1) Categories of nonpublic personal information that the bank reserves the right to disclose in the future,
but do not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom the bank reserves the right in the future to
disclose, but to whom the bank does not currently disclose, nonpublic personal information.
(f) Sample clauses. Sample clauses illustrating some of the notice content required by this section are
included in Appendix A of this part.
<<PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION>>
<Compliance to amendments appearing at 65 FR 35162 is optional until July 1, 2001.>
Copr. © West 2001 No Claim to Orig. U.S. Govt. Works