12 C.F.R. Subpart C—Exceptions
Title 12 - Banks and Banking
(a) General rule. (1) The opt out requirements in §§40.7 and 40.10 do not apply when a bank provides nonpublic personal information to a nonaffiliated third party to perform services for the bank or functions on the bank's behalf, if the bank: (i) Provides the initial notice in accordance with §40.4; and (ii) Enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the bank disclosed the information, including use under an exception in §40.14 or 40.15 in the ordinary course of business to carry out those purposes. (2) Example. If a bank discloses nonpublic personal information under this section to a financial institution with which the bank performs joint marketing, the bank's contractual agreement with that institution meets the requirements of paragraph (a)(1)(ii) of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in §§40.14 or 40.15 in the ordinary course of business to carry out that joint marketing. (b) Service may include joint marketing. The services a nonaffiliated third party performs for a bank under paragraph (a) of this section may include marketing of the bank's own products or services or marketing of financial products or services offered pursuant to joint agreements between the bank and one or more financial institutions. (c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which a bank and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service. (a) Exceptions for processing transactions at consumer's request. The requirements for initial notice in §40.4(a)(2), the opt out in §§40.7 and 40.10 and service providers and joint marketing in §40.13 do not apply if the bank discloses nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with: (1) Servicing or processing a financial product or service that a consumer requests or authorizes; (2) Maintaining or servicing the consumer's account with a bank, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or (3) A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer. (b) Necessary to effect, administer, or enforce a transaction means that the disclosure is: (1) Required, or is one of the lawful or appropriate methods, to enforce the bank's rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or (2) Required, or is a usual, appropriate or acceptable method: (i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product; (ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part; (iii) To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; (iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by a bank or any other party; (v) To underwrite insurance at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; (vi) In connection with: (A) The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means; (B) The transfer of receivables, accounts, or interests therein; or (C) The audit of debit, credit, or other payment information. (a) Exceptions to opt out requirements. The requirements for initial notice to consumers in §40.4(a)(2), the opt out in §§40.7 and 40.10, and service providers and joint marketing in §40.13 do not apply when a bank discloses nonpublic personal information: (1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction; (2) (i) To protect the confidentiality or security of a bank's records pertaining to the consumer, service, product, or transaction; (ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (iii) For required institutional risk control or for resolving consumer disputes or inquiries; (iv) To persons holding a legal or beneficial interest relating to the consumer; or (v) To persons acting in a fiduciary or representative capacity on behalf of the consumer; (3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a bank, persons that are assessing the bank's compliance with industry standards, and the bank's attorneys, accountants, and auditors; (4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety; (5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or (ii) From a consumer report reported by a consumer reporting agency; (6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or (7)(i) To comply with Federal, State, or local laws, rules and other applicable legal requirements; (ii) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or (iii) To respond to judicial process or government regulatory authorities having jurisdiction over a bank for examination, compliance, or other purposes as authorized by law. (b) Examples of consent and revocation of consent. (1) A consumer may specifically consent to a bank's disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to the bank for a mortgage so that the insurance company can offer homeowner's insurance to the consumer. (2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under §40.7(f).
Title 12: Banks and Banking
PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION
Subpart C—Exceptions
§ 40.13 Exception to opt out requirements for service providers and joint marketing.
§ 40.14 Exceptions to notice and opt out requirements for processing and servicing transactions.
§ 40.15 Other exceptions to notice and opt out requirements.
