Find Laws Find Lawyers Free Legal Forms USA State Laws

CFR

40.11—Limits on redisclosure and reuse of information.

(a) (1) Information the bank receives under an exception. If a bank receives nonpublic personal information from a nonaffiliated financial institution under an exception in §§ 40.14 or 40.15 of this part, the bank's disclosure and use of that information is limited as follows:
(i) The bank may disclose the information to the affiliates of the financial institution from which the bank received the information;
(ii) The bank may disclose the information to its affiliates, but the bank's affiliates may, in turn, disclose and use the information only to the extent that the bank may disclose and use the information; and
(iii) The bank may disclose and use the information pursuant to an exception in §§ 40.14 or 40.15 in the ordinary course of business to carry out the activity covered by the exception under which the bank received the information.
(2) Example. If a bank receives a customer list from a nonaffiliated financial institution in order to provide account processing services under the exception in § 40.14(a), the bank may disclose that information under any exception in §§ 40.14 or 40.15 in the ordinary course of business in order to provide those services. For example, the bank could disclose the information in response to a properly authorized subpoena or to its attorneys, accountants, and auditors. The bank could not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.
(b) (1) Information a bank receives outside of an exception. If a bank receives nonpublic personal information from a nonaffiliated financial institution other than under an exception in §§ 40.14 or 40.15 of this part, the bank may disclose the information only:
(i) To the affiliates of the financial institution from which the bank received the information;
(ii) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the bank can disclose the information; and
(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the bank received the information.
(2) Example. If a bank obtains a customer list from a nonaffiliated financial institution outside of the exceptions in §§ 40.14 and 40.15 :
(i) The bank may use that list for its own purposes; and
(ii) The bank may disclose that list to another nonaffiliated third party only if the financial institution from which the bank purchased the list could have lawfully disclosed the list to that third party. That is, the bank may disclose the list in accordance with the privacy policy of the financial institution from which the bank received the list, as limited by the opt out direction of each consumer whose nonpublic personal information the bank intends to disclose and the bank may disclose the list in accordance with an exception in §§ 40.14 or 40.15, such as to the bank's attorneys or accountants.
(c) Information a bank discloses under an exception. If a bank discloses nonpublic personal information to a nonaffiliated third party under an exception in §§ 40.14 or 40.15 of this part, the third party may disclose and use that information only as follows:
(1) The third party may disclose the information to the bank's affiliates;
(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3) The third party may disclose and use the information pursuant to an exception in §§ 40.14 or 40.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(d) Information a bank discloses outside of an exception. If a bank discloses nonpublic personal information to a nonaffiliated third party other than under an exception in §§ 40.14 or 40.15 of this part, the third party may disclose the information only:
(1) To the bank's affiliates;
(2) To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3) To any other person, if the disclosure would be lawful if the bank made it directly to that person.
Tips