Welcome to the Community! I don't have any references for you, but I went ahead and sent a tweet out of this post. Hopefully we'll hear something soon.
Have you asked CC for a report on their security? A company the size of CC should be able to provide you with a SAS 70 Type 2 report that expresses an independent third-party opinion on the controls and safeguards that CC has in place. This would be stronger than references from three banks. However, having managed compliance and worked closely with regulators for decades, I understand your compliance officer's need for comfort. In my opinion, relying on other bank recommendations provides a false sense of security. Investigate CC and work with your compliance officer to draw your own conclusion. Be sure to gather and assemble the evidence to support it.
Certified Public Accountant
If you find my post helpful and it answers your question, please mark it as an accepted solution!
A SAS-70 is used when a 3rd party is retaining financial or other sensitive information of another. Constant Contact Inc. is hosting your contact information lists (mainly their name, email address and correspondence; no credit card details). In section 9.4 of our Terms and Conditions (http://www.constantcontact.com/uidocs/CCSiteOwnerAgreement.jsp) it is documented that we do not share our customers' lists with anyone unless to comply with the law.
"In using the varied features of the Products, you may provide information about yourself or your employer (such as name, contact information, or other registration information) to Constant Contact. Constant Contact may use this information and any technical information about your use of the Products to tailor its presentations to you, facilitate your movement through the Product, or communicate separately with you. If you accessed the Products as a result of solicitation by a marketing partner of Constant Contact, Constant Contact may share your information with the marketing partner and the marketing partner may share related information with Constant Contact. Except as described above, Constant Contact will not provide your information, including your contact and account information, to third parties who you have not authorized to receive such information, except (i) as required by law or court order, including without limitation judicial process and law enforcement, or in the good-faith belief that such action is necessary to comply with law or a court order or (ii) if your Constant Contact account was terminated due to unsolicited commercial email being sent from your Constant Contact account. Constant Contact will never sell or rent your contact lists to anyone without your permission, and will never utilize your subscriber or contact list for internal marketing or promotional purposes or for any purpose other than providing the service. Constant Contact acknowledges your ownership right in your contact lists. In the event Constant Contact amends or revises the policy described in the immediately preceding sentence, it will provide advance notice of such amendment or revision."
Constant Contact, Inc., as a publicly traded company, is required by law to have controls in place over its financial and production environments. Documentation regarding these controls can be found at the S.E.C. website at http://sec.gov/edgar/searchedgar/companysearch.html under our ticker symbol of "CTCT".
Please also feel free to view our KnowledgeBase article called 'Security of My Data on Constant Contact Servers'.
Thanks for reaching out about this and we appreciate the opportunity to help! Please let us know if we can provide any additional information.