32 CFR Appendix B to Part 275, Obtaining Customer Authorization
A. A DoD law enforcement office or personal security element seeking access to a person's financial records shall, when feasible, obtain the customer's consent.
B. Any authorization obtained under paragraph A. of this appendix, shall:
1. Be in writing, signed, and dated.
2. Identify the particular financial records that are being disclosed.
3. State that the customer may revoke the authorization at any time before disclosure.
4. Specify the purposes for disclosure and to which Governmental authority the records may be disclosed.
5. Authorize the disclosure for a period not in excess of 3 months.
6. Contain a “State of Customer Rights” as required by 12 U.S.C. Chapter 35 (see Appendix J to this part).
7. Contain a Privacy Act Statement as required by 32 CFR part 310 for a personnel security investigation.
C. Any customer's authorization not containing all of the elements listed in paragraph B. of this appendix, shall be void. A customer authorization form, in a format set forth in Appendix J to this part, shall be used for this purpose.
D. A copy of the customer's authorization shall be made a part of the law enforcement or personnel security file where the financial records are maintained.
E. A certificate of compliance stating that the applicable requirements of 12 U.S.C. Chapter 35 have been met (Appendix M to this part), along with the customer's authorization, shall be provided to the financial institution as a prerequisite to obtaining access to financial records.