You are not going to find a black and white answer. In the preamble to the regulation, it was stated in this manner:
Others cited examples of entities seeking to verify funds availability or obtain loan payoff information as instances where a disclosure would fall within the exceptions described in proposed §l.10. The Agencies believe that disclosures to these types of professionals and under the circumstances posited by the commenters may be necessary to effect, administer, or enforce a transaction in a given situation. However, the Agencies have not listed specific types of disclosures in the regulation as necessarily falling within the scope of the exception because they are concerned that a general statement could be applied inappropriately to shelter disclosures that, in fact, are not necessary to effect, administer, or enforce a transaction.
In the Regulation P FAQs published Dec 2001, you will find:
I.8. We often receive phone calls from auto dealers or other financial institutions requesting loan pay-off amounts on our customers. May we respond to these requests without providing those customers with a reasonable opportunity to opt out of that kind of disclosure?
Yes, if the disclosure is in connection with servicing or processing a financial product or service from the third party that the customer has requested or authorized. In your case, for example, you may disclose loan pay-off information to a third party lender where your customer seeks to refinance the bank loan with the other lender. Alternatively, you may disclose nonpublic personal information that is required, or is a usual, appropriate or acceptable method to carry out the transaction that the ustomer has requested or authorized. § 216.14(a). This would be the case, for example, if the car dealer accepts your customer’s car as partial consideration for the purchase of another vehicle and wants to know the outstanding amount on the customer’s car loan with you.
As discussed in response to several of the questions above, you should be aware of the possibility that the caller may be attempting to obtain information about your customer through false or fraudulent statements to you. Toward this end, you must ensure that you respond to the caller in accordance with the controls you have implemented as part of your information security program.
The opinions expressed here should not be construed to be those of my employer: PPDocs.com