Auditor is asking for policy and/or procedures under Right to Financial Privacy......... anyone have anything to share or reference to?

If you google "right to financial privacy act exam procedures", you can look at exam procedures based on who your regulator is. This is usually a good starting point to see what a policy/procedure should cover.

Here are the FDIC ones I found (from 2006), if it helps:

http://www.fdic.gov/regulations/compliance/manual/pdf/VIII-3.1.pdf

You are free to disagree with your auditor about the need for a policy on any topic where it is not mandated by law or regulation. A written RFPA policy is not a legal requirement and most community banks do not have one. It would only be cost justified if your bank received lots of demands for information from the federal government.

Your bank (every bank) does have a practical need for written procedures addressing how to handle third party demands for customer funds and information including demands and inquiries from law enforcement. Demands from the federal government should be included there, but there is no need to treat them separately - most of your procedures for delivering funds and information to third parties will be the same no matter who the third party is. The specific requirements of RFPA; e.g. obtaining certifications, will be no more than footnotes to your everyday procedures.

I agree with Ken. Unless the auditor has identified an issue (like you screwed one up) the recommendation (if any) should be for improved written procedures and not some formal policy document. What is the policy document going to say anyway beside we will comply with the regulation? Having policies for laws and regulations should be limited to where the bank has options within the regulations itself and then the board or management then states the official policy of the bank in relationship to those options. There are no options in the RFPA, you follow the regulation plain and simple. I audit many smaller community banks and I think I have seen one request that fell under the RFPA in the last five years.