(a) Purpose.
This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:
(1) Requires a financial institution to provide notice to customers about its privacy policies and practices;
(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 40.13, 40.14, and 40.15.
(b) Scope.
(1) This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to United States offices of entities for which the Office of the Comptroller of the Currency has primary supervisory authority. They are referred to in this part as “the bank.” These are national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities except a broker or dealer that is registered under the Securities Exchange Act of 1934, a registered investment adviser (with respect to the investment advisory activities of the adviser and activities incidental to those investment advisory activities), an investment company registered under the Investment Company Act of 1940, an insurance company that is subject to supervision by a State insurance regulator (with respect to insurance activities of the company and activities incidental to those insurance activities), and an entity that is subject to regulation by the Commodity Futures Trading Commission.
(2) Nothing in this part modifies, limits, or supersedes the standards governing individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
Code of Federal Regulations
[65 FR 35196, June 1, 2000, as amended at 73 FR 22252, Apr. 24, 2008]