A few questions have arisen during an assessment of our Bank's privacy practices...

I know that to share info with non-affiliates, the Bank must have a redisclosure/reuse clause in all our agreements/contracts. Does this include folks like the credit bureaus?

Must the Bank have a written agreement/contract with its affiliates with whom it shares, and must the agreement contain this clause as well?

Some of these affiliates qualify as financial institutions under the regulatory definition. Is each FI required to adopt a separate privacy notice? If yes, and assuming the Bank agrees to combine the notices, and the policy and sharing practices are identical, must each entity to which the statement applies be disclosed separately or will reference to "affiliates listed herein" suffice?

Must each affiliate that qualifies as a FI follow the same process?

I know my opinion on these topics but would appreciate your input as well. Please reference 'chapter and verse' where possible.

Thanks in advance for your help!

Opinions expressed herein are my own and are not necessarily those of my employer.