We are struggling with the model form. The lack of information that we can gather from the customer could really make it difficult to identify the appropriate person. On page 38 of the final rule, last paragraph it states, " Of course, any opt-out means provided - including any information requirements imposed on consumer - must be reasonable under the privacy rule and reasonable under the affilate marketing rule".
Are we prohibited from asking for the last four digits of a SS#? It does not appear to expressly prohibit that we collect this. Rather it "stongly encourages" the use of some other identifier.
Also, we are going to offer a link on our website for opt-out. Since the customer will receive the notice, via mail, is it necessary to re-print it in its entirety on the website, or can we just include: a link, instructions and the fields to be completed? I don't want to put the whole notice out there, as we are not able to accommodate the new format on our website.

We don't share info. - so we won't be using the Opt-Out version, but had we needed to offer this, I'd have suggested we use the customer's CIF number/client code our core processor issues per SSN. If you have this type of customer numbering system, it should be unique for your bank's use only and not be something meaningful to a fraudster. If someone calls into your bank's Customer Service area and has only this number for ID -- cannot seem to recall thier SSN, you should instruct your Call Center reps. to only accept Opt-Out information from that caller and NOT provide any customer balance or account number info. -- ever!