1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:
   - Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice;
   - Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out;
   - Appropriately honoring consumer opt out directions;
   - Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
   - Disclosing account numbers only according to the limits in the regulations.
4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.