[Code of Federal Regulations]
[Title 12 Volume 1]
[Revised as of January 1, 2004]
From the U.S. Government Printing Office via GPO Access
[CITE: 12CFR40.11]

[Page 369-370]
 
                       TITLE 12--BANKS AND BANKING
 
   CHAPTER I--COMPTROLLER OF THE CURRENCY, DEPARTMENT OF THE TREASURY
 
PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION--Table of Contents
 
                    Subpart B--Limits on Disclosures
 
Sec. 40.11  Limits on redisclosure and reuse of information.

    (a)(1) Information the bank receives under an exception. If a bank 
receives nonpublic personal information from a nonaffiliated financial 
institution under an exception in Sec. Sec. 40.14 or 40.15 of this 
part, the bank's disclosure and use of that information is limited as 
follows:
    (i) The bank may disclose the information to the affiliates of the 
financial institution from which the bank received the information;
    (ii) The bank may disclose the information to its affiliates, but 
the bank's affiliates may, in turn, disclose and use the information 
only to the extent that the bank may disclose and use the information; 
and
    (iii) The bank may disclose and use the information pursuant to an 
exception in Sec. Sec. 40.14 or 40.15 in the ordinary course of 
business to carry out the activity covered by the exception under which 
the bank received the information.

    (2) Example. If a bank receives a customer list from a nonaffiliated 
financial institution in order to provide account processing services 
under the exception in Sec. 40.14(a), the bank may disclose that 
information under any exception in Sec. Sec. 40.14 or 40.15 in the 
ordinary course of business in order to provide those services. For 
example, the bank could disclose the information in response to a 
properly authorized subpoena or to its attorneys, accountants, and 
auditors. The bank could not disclose that information to a third party 
for marketing purposes or use that information for its own marketing 
purposes.
    (b)(1) Information a bank receives outside of an exception. If a 
bank receives nonpublic personal information from a nonaffiliated 
financial institution other than under an exception in Sec. Sec. 40.14 
or 40.15 of this part, the bank may disclose the information only:
    (i) To the affiliates of the financial institution from which the 
bank received the information;
    (ii) To its affiliates, but its affiliates may, in turn, disclose 
the information only to the extent that the bank can disclose the 
information; and
    (iii) To any other person, if the disclosure would be lawful if made 
directly to that person by the financial institution from which the bank 
received the information.
    (2) Example. If a bank obtains a customer list from a nonaffiliated 
financial institution outside of the exceptions in Sec. Sec. 40.14 and 
40.15:
    (i) The bank may use that list for its own purposes; and
    (ii) The bank may disclose that list to another nonaffiliated third 
party only if the financial institution from which the bank purchased 
the list could have lawfully disclosed the list to that third party. 
That is, the bank may disclose the list in accordance with the privacy 
policy of the financial institution from which the bank received the 
list, as limited by the opt out direction of each consumer whose 
nonpublic personal information the bank intends to disclose and the bank 
may disclose the list in accordance with an exception in Sec. Sec. 
40.14 or 40.15, such as to the bank's attorneys or accountants.
    (c) Information a bank discloses under an exception. If a bank 
discloses nonpublic personal information to a nonaffiliated third party 
under an exception in Sec. Sec. 40.14 or 40.15 of this part, the third 
party may disclose and use that information only as follows:
    (1) The third party may disclose the information to the bank's 
affiliates;
    (2) The third party may disclose the information to its affiliates, 
but its affiliates may, in turn, disclose and use the information only 
to the extent that the third party may disclose and use the information; 
and
    (3) The third party may disclose and use the information pursuant to 
an exception in Sec. Sec. 40.14 or 40.15 in the ordinary course of 
business to carry out the activity covered by the exception under which 
it received the information.
    (d) Information a bank discloses outside of an exception. If a bank 
discloses nonpublic personal information to a nonaffiliated third party 
other than under an exception in Sec. Sec. 40.14 or 40.15 of this part, 
the third party may disclose the information only:
    (1) To the bank's affiliates;
    (2) To the third party's affiliates, but the third party's 
affiliates, in turn, may disclose the information only to the extent the 
third party can disclose the information; and
    (3) To any other person, if the disclosure would be lawful if the 
bank made it directly to that person.