Remember to make sure that Information Security is addressed and not just Privacy. Two concepts that go together but are not the same.
Technically, if the 3rd party vendor receives the information under the section 14 or 15 exceptions, Privacy is not an issue that needs to be addressed. I think many banks throw that in anyways, but the main concern is the Information Security.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'