Thank you, Mary Beth, for responding in this week's Guru answers to my earlier question about the uploading of all customers' statements to the internet banking vendor's servers. http://www.bankersonline.com/ebanking/gurus_eb050602d.html

Since submitting that question that I have taken another look at Section 216.13, commonly called the "joint marketing exception." However, upon re-reading it I see that it is a broader exception for using third-party servicers to "perform services for you or functions on your behalf." Since the internet banking vendor is contracted to perform this service on the bank's behalf, it appears that the exception applies.

Here is a quote from the regulation:
Sec. 216.13 Exception to opt out requirements for service providers and joint marketing.

(a) General rule. (1) The opt out requirements in §§ 216.7 and 216.10 do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you:
(i) Provide the initial notice in accordance with § 216.4; and
(ii) Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in § 216.14 or 216.15 in the ordinary course of business to carry out those purposes.

I certainly agree that the exception in 216.13 permits the sharing of information with your Internet banking vendor without your having to give an opt-out right to the customers. It would also be covered under 216.14. The problem is that the Internet vendor is not providing a service as to the non-online customers. That's why I believe it is a potential privacy problem to share data of non-online customers with the eBanking service provider who doesn't have a need/use for that data.

Generally, you shouldn't share any customer NPI you don't need to share.