Regulations last checked for updates: Apr 27, 2025

Title 28 - Judicial Administration last revised: Apr 18, 2025
All TitlesTitle 28Chapter IPart 202Subpart E - Subpart E—Exempt Transactions
View all text of Subpart E [§ 202.501 - § 202.511]
§ 202.505 - Financial services.

(a) Exemption. Subparts C, D, J, and K (other than § 202.1102 and § 202.1104) of this part do not apply to data transactions, to the extent that they are ordinarily incident to and part of the provision of financial services, including:

(1) Banking, capital-markets (including investment-management services as well as trading and underwriting of securities, commodities, and derivatives), or financial-insurance services;

(2) A financial activity authorized for national banks by 12 U.S.C. 24 (Seventh) and rules and regulations and written interpretations of the Office of the Comptroller of the Currency thereunder;

(3) An activity that is “financial in nature or incidental to such financial activity” or “complementary to a financial activity,” section (k)(1), as set forth in section (k)(4) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)(4)) and rules and regulations and written interpretations of the Board of Governors of the Federal Reserve System thereunder;

(4) The transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces);

(5) The provision or processing of payments or funds transfers (such as person-to-person, business-to-person, and government-to-person funds transfers) involving the transfer of personal financial data or covered personal identifiers, or the provision of services ancillary to processing payments and funds transfers (such as services for payment dispute resolution, payor authentication, tokenization, payment gateway, payment fraud detection, payment resiliency, mitigation and prevention, and payment-related loyalty point program administration); and

(6) The provision of investment-management services that manage or provide advice on investment portfolios or individual assets for compensation (such as devising strategies and handling financial assets and other investments for clients) or provide services ancillary to investment-management services (such as broker-dealers or futures commission merchants executing trades within an investment portfolio based upon instructions from an investment advisor).

(b) Examples—(1) Example 1. A U.S. company engages in a data transaction to transfer personal financial data in bulk to a financial institution that is incorporated in, located in, or subject to the jurisdiction or control of a country of concern to clear and settle electronic payment transactions between U.S. individuals and merchants in a country of concern where both the U.S. individuals and the merchants use the U.S. company's infrastructure, such as an e-commerce platform. Both the U.S. company's transaction transferring bulk personal financial data and the payment transactions by U.S. individuals are exempt transactions because they involve access by a covered person to bulk personal financial data, but are ordinarily incident to and part of a financial service.

(2) Example 2. As ordinarily incident to and part of securitizing and selling asset-backed obligations (such as mortgage and nonmortgage loans) to a covered person, a U.S. bank provides bulk U.S. sensitive personal data to the covered person. The data transfers are exempt transactions because they involve access by a covered person to bulk personal financial data, but are ordinarily incident to and part of a financial service.

(3) Example 3. A U.S. bank or other financial institution, as ordinarily incident to and part of facilitating payments to U.S. persons in a country of concern, stores and processes the customers' bulk financial data using a data center operated by a third-party service provider in the country of concern. The use of this third-party service provider is a vendor agreement because it involves access by a covered person to personal financial data, but it is an exempt transaction that is ordinarily incident to and part of facilitating international payment.

(4) Example 4. Same as Example 3, but the underlying payments are between U.S. persons in the United States and do not involve a country of concern. The use of this third-party service provider is a vendor agreement, but it is not an exempt transaction because it involves access by a covered person to bulk personal financial data and it is not ordinarily incident to facilitating this type of financial activity.

(5) Example 5. As part of operating an online marketplace for the purchase and sale of goods, a U.S. company, as ordinarily incident to and part of U.S. consumers' purchase of goods on that marketplace, transfers bulk contact information, payment information (e.g., credit-card account number, expiration data, and security code), and delivery address to a merchant in a country of concern. The data transfers are exempt transactions because they involve access by a covered person to bulk personal financial data, but they are ordinarily incident to and part of U.S. consumers' purchase of goods.

(6) Example 6. A U.S. investment adviser purchases securities of a company incorporated in a country of concern for the accounts of its clients. The investment adviser engages a broker-dealer located in a country of concern to execute the trade, and, as ordinarily incident to and part of the transaction, transfers to the broker-dealer its clients' covered personal identifiers and financial account numbers in bulk. This provision of data is an exempt transaction because it involves access by a covered person to bulk personal financial data, but it is ordinarily incident to and part of the provision of investment-management services.

(7) Example 7. A U.S. company that provides payment-processing services sells bulk U.S. sensitive personal data to a covered person. This sale is prohibited data brokerage and is not an exempt transaction because it involves access by a covered person to bulk personal financial data and is not ordinarily incident to and part of the payment-processing services provided by the U.S. company.

(8) Example 8. A U.S. bank facilitates international funds transfers to foreign persons not related to a country of concern, but through intermediaries or locations subject to the jurisdiction or control of a country of concern. These transfers result in access to bulk financial records by some covered persons to complete the transfers and manage associated risks. Providing this access as part of these transfers is ordinarily incident to the provision of financial services and is exempt.

(9) Example 9. A U.S. insurance company underwrites personal insurance to U.S. persons residing in foreign countries in the same region as a country of concern. The insurance company relies on its own business infrastructure and personnel in the country of concern to support its financial activity in the region, which results in access to the bulk U.S. sensitive personal data of some U.S.-person customers residing in the region, to covered persons at the insurance company supporting these activities. Providing this access is ordinarily incident to the provision of financial services and is exempt.

(10) Example 10. A U.S. financial services provider operates a foreign branch in a country of concern and provides financial services to U.S. persons living within the country of concern. The financial services provider receives a lawful request from the regulator in the country of concern to review the financial activity conducted in the country, which includes providing access to the bulk U.S. sensitive personal data of U.S. persons resident in the country or U.S. persons conducting transactions through the foreign branch. The financial services provider is also subject to ongoing and routine reporting requirements from various regulators in the country of concern. Responding to the regulator's request, including providing access to this bulk U.S. sensitive personal data, is ordinarily incident to the provision of financial services and is exempt.

(11) Example 11. A U.S. bank voluntarily shares information, including relevant bulk U.S. sensitive personal data, with financial institutions organized under the laws of a country of concern for the purposes of, and consistent with industry practices for, fraud identification, combatting money laundering and terrorism financing, and U.S. sanctions compliance. Sharing this data for these purposes involves access by a covered person to bulk personal financial data, but is ordinarily incident to the provision of financial services and is exempt.

(12) Example 12. A U.S. company provides wealth-management services and collects bulk personal financial data on its U.S. clients. The U.S. company appoints a citizen of a country of concern, who is located in a country of concern, to its board of directors. In connection with the board's data security and cybersecurity responsibilities, the director could compel company personnel or influence company policies or practices to provide the director access to the underlying bulk personal financial data the company collects on its U.S. clients. The appointment of the director, who is a covered person, is a restricted employment agreement and is not exempt because the board member does not need to access, and in normal circumstances would not be able to access, the bulk financial data to perform his or her responsibilities. The board member's access to the bulk personal financial data is not ordinarily incident to the U.S. company's provision of wealth-management services.

authority: 50 U.S.C. 1701
source: 90 FR 1706, Jan. 8, 2025, unless otherwise noted.
cite as: 28 CFR 202.505
© 2014 CustomsMobile | Disclaimer | Privacy | About