[Code of Federal Regulations]
[Title 12 Volume 1]
[Revised as of January 1, 2004]
From the U.S. Government Printing Office via GPO Access
[CITE: 12CFR40.18]
[Page 373-375]
TITLE 12--BANKS AND BANKING
CHAPTER I--COMPTROLLER OF THE CURRENCY, DEPARTMENT OF THE TREASURY
PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION--Table of Contents
Subpart D--Relation to Other Laws; Effective Date
Sec. 40.18 Effective date; transition rule.
(a) Effective date. This part is effective November 13, 2000. In
order to provide sufficient time for banks to establish policies and
systems to comply with the requirements of this part, the OCC has
extended the time for compliance with this part until July 1, 2001.
(b)(1) Notice requirement for consumers who are the bank's customers
on the compliance date. By July 1, 2001, a bank must have provided an
initial notice, as required by Sec. 40.4, to consumers who are the
bank's customers on July 1, 2001.
(2) Example. A bank provides an initial notice to consumers who are
its customers on July 1, 2001, if, by that date, the bank has
established a system for providing an initial notice to all new
customers and has mailed the initial notice to all the bank's existing
customers.
(c) Two-year grandfathering of service agreements. Until July 1,
2002, a contract that a bank has entered into with a nonaffiliated third
party to perform services for the bank or functions on the bank's behalf
satisfies the provisions of Sec. 40.13(a)(1)(ii) of this part, even if
the contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information, as long
as the bank entered into the agreement on or before July 1, 2000.
Appendix A to Part 40--Sample Clauses
Financial institutions, including a group of financial holding
company affiliates that use a common privacy notice, may use the
following sample clauses, if the clause is accurate for each institution
that uses the notice. (Note that disclosure of certain information, such
as assets, income, and information from a consumer reporting agency, may
give rise to obligations under the Fair Credit Reporting Act, such as a
requirement to permit a consumer to opt out of disclosures to
[[Page 374]]
affiliates or designation as a consumer reporting agency if disclosures
are made to nonaffiliated third parties.)
A-1--Categories of information a bank collects (all institutions)
A bank may use this clause, as applicable, to meet the requirement
of Sec. 40.6(a)(1) to describe the categories of nonpublic personal
information the bank collects.
Sample Clause A-1:
We collect nonpublic personal information about you from the
following sources:
Information we receive from you on applications
or other forms;
Information about your transactions with us, our
affiliates, or others; and
Information we receive from a consumer reporting
agency.
A-2--Categories of information a bank discloses (institutions that
disclose outside of the exceptions)
A bank may use one of these clauses, as applicable, to meet the
requirement of Sec. 40.6(a)(2) to describe the categories of nonpublic
personal information the bank discloses. The bank may use these clauses
if it discloses nonpublic personal information other than as permitted
by the exceptions in Sec. Sec. 40.13, 40.14, and 40.15.
Sample Clause A-2, Alternative 1:
We may disclose the following kinds of nonpublic personal
information about you:
Information we receive from you on applications
or other forms, such as [provide illustrative examples, such as ``your
name, address, social security number, assets, and income''];
Information about your transactions with us, our
affiliates, or others, such as [provide illustrative examples, such as
``your account balance, payment history, parties to transactions, and
credit card usage'']; and
Information we receive from a consumer reporting
agency, such as [provide illustrative examples, such as ``your
creditworthiness and credit history''].
Sample Clause A-2, Alternative 2:
We may disclose all of the information that we collect, as described
[describe location in the notice, such as ``above'' or ``below''].
A-3--Categories of information a bank discloses and parties to whom the
bank discloses (institutions that do not disclose outside of the
exceptions)
A bank may use this clause, as applicable, to meet the requirements
of Sec. Sec. 40.6(a)(2), (3), and (4) to describe the categories of
nonpublic personal information about customers and former customers that
the bank discloses and the categories of affiliates and nonaffiliated
third parties to whom the bank discloses. A bank may use this clause if
the bank does not disclose nonpublic personal information to any party,
other than as permitted by the exceptions in Sec. Sec. 40.14, and
40.15.
Sample Clause A-3:
We do not disclose any nonpublic personal information about our
customers or former customers to anyone, except as permitted by law.
A-4--Categories of parties to whom a bank discloses (institutions that
disclose outside of the exceptions)
A bank may use this clause, as applicable, to meet the requirement
of Sec. 40.6(a)(3) to describe the categories of affiliates and
nonaffiliated third parties to whom the bank discloses nonpublic
personal information. The bank may use this clause if the bank discloses
nonpublic personal information other than as permitted by the exceptions
in Sec. Sec. 40.13, 40.14, and 40.15, as well as when permitted by the
exceptions in Sec. Sec. 40.14 and 40.15.
Sample Clause A-4:
We may disclose nonpublic personal information about you to the
following types of third parties:
Financial service providers, such as [provide
illustrative examples, such as ``mortgage bankers, securities broker-
dealers, and insurance agents''];
Non-financial companies, such as [provide
illustrative examples, such as ``retailers, direct marketers, airlines,
and publishers'']; and
Others, such as [provide illustrative examples,
such as ``non-profit organizations''].
We may also disclose nonpublic personal information about you to
nonaffiliated third parties as permitted by law.
A-5--Service provider/joint marketing exception
A bank may use one of these clauses, as applicable, to meet the
requirements of Sec. 40.6(a)(5) related to the exception for service
providers and joint marketers in Sec. 40.13. If a bank discloses
nonpublic personal information under this exception, the bank must
describe the categories of nonpublic personal information the bank
discloses and the categories of third parties with whom the bank has
contracted.
Sample Clause A-5, Alternative 1:
We may disclose the following information to companies that perform
marketing services on our behalf or to other financial institutions with
whom we have joint marketing agreements:
Information we receive from you on applications
or other forms, such as [provide illustrative examples, such as ``your
name, address, social security number, assets, and income''];
Information about your transactions with us, our
affiliates, or others, such as [provide illustrative examples, such as
``your account balance, payment history, parties to transactions, and
credit card usage'']; and
[[Page 375]]
Information we receive from a consumer reporting
agency, such as [provide illustrative examples, such as ``your
creditworthiness and credit history''].
Sample Clause A-5, Alternative 2:
We may disclose all of the information we collect, as described
[describe location in the notice, such as ``above'' or ``below''] to
companies that perform marketing services on our behalf or to other
financial institutions with whom we have joint marketing agreements.
A-6--Explanation of opt out right (institutions that disclose outside of
the exceptions)
A bank may use this clause, as applicable, to meet the requirement
of Sec. 40.6(a)(6) to provide an explanation of the consumer's right to
opt out of the disclosure of nonpublic personal information to
nonaffiliated third parties, including the method(s) by which the
consumer may exercise that right. The bank may use this clause if the
bank discloses nonpublic personal information other than as permitted by
the exceptions in Sec. Sec. 40.13, 40.14, and 40.15.
Sample Clause A-6:
If you prefer that we not disclose nonpublic personal information
about you to nonaffiliated third parties, you may opt out of those
disclosures, that is, you may direct us not to make those disclosures
(other than disclosures permitted by law). If you wish to opt out of
disclosures to nonaffiliated third parties, you may [describe a
reasonable means of opting out, such as ``call the following toll-free
number: (insert number)].
A-7--Confidentiality and security (all institutions)
A bank may use this clause, as applicable, to meet the requirement
of Sec. 40.6(a)(8) to describe its policies and practices with respect
to protecting the confidentiality and security of nonpublic personal
information.
Sample Clause A-7:
We restrict access to nonpublic personal information about you to
[provide an appropriate description, such as ``those employees who need
to know that information to provide products or services to you'']. We
maintain physical, electronic, and procedural safeguards that comply
with federal standards to guard your nonpublic personal information.
PARTS 41-199 [RESERVED]