Answer by Linda Westfall
I assume you are referring to confidentiality agreements as required by Reg P. You can find this addressed in Section 216.13.
You will have to determine which of the providers you share nonpublic personal information with in order to determine if this section of the reg applies.
Answer by Lucy Griffin
You should also use your best judgement. It is prudent to have agreements with as many providers as possible, even though the ethics standards for that profession, such as legal, prohibit disclosures. As a compliance consultant, I believe I should be signing privacy agreements with any client.
While managing these agreements may prove difficult, you might think of nonrequired privacy agreements in a context like fair lending agreements: a written understanding that both parties respect the privacy of the consumer. Having such agreements could be useful in demonstrating your standard of care if your practices are ever challenged.
Answer by Mary Beth Guard
In addition to the confidentiality agreement, don't forget that the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (aka the "InfoSec Guidelines") impose further requirements with respect to service providers. They mandate that you must require your service providers by contract to implement appropriate information security measures designed to meet the objectives of these Guidelines. Those guidelines define "service provider" to mean "any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to you."
First published on BankersOnline.com 2/11/02