M&T Securities, Inc.
One M&T _Plaza, Buffalo, NY 14023

Maureen W. Sullivan
Counsel's Office (716) 842-5705
Fax: (716) 842-5376



March 31, 2000

Securities and Exchange Commission
450 5th Street, NW
Washington, DC 205499-0609

Attention: Mr. Jonathan G. Katz,

Re: Proposed Regulations Relating to
Privacy of Consumer Financial Information
File No. S7-6-00

Ladies and Gentlemen:

M&T Securities, Inc. appreciates the opportunity to comment to the Securities and Exchange Commission ("Commission") on the proposed privacy regulations under Section 504 of the Gramm-Leach-Bliley Act ("GLBA").

M&T Securities, Inc. ("MTS") is a registered broker-dealer and a member of the NASD. It is a wholly-owned subsidiary of Manufacturers and Traders Trust Company, a New York State - chartered commercial bank. MTS respectfully submits the following comments in regard to the proposed privacy rules:

Effective Date

We request that, while the regulations may become effective six months following the adoption of the final rule, compliance with obligations under the rule be made voluntary until 12 months after the effective date. Sections 502 and 503 of the GLBA place numerous new obligations on financial institutions, many of which will be unknown to financial institutions until the final rule is released. Financial institutions will need adequate time to implement necessary operational changes to comply with many of these new obligations. Requiring financial institutions to complete all operational and systems changes within six months of adoption of the final rule is likely to result in mistakes, to the detriment of institutions and consumers alike.

Although voluntary compliance should apply to both new and existing customers, it is criticalthat the final rule at least adopt a voluntary compliance rule of 12 months with respect to existing customers. The proposed rule would require an institution to provide privacy notices to existing customers within 30 days of the effective date of the regulations. This is simply too short a time frame for an institution to provide the privacy notice to all of its existing customers, with many of whom they do not regularly correspond. Moreover, the proposed 30-day compliance period for notice to existing customers would result in customers being swamped with privacy policies and opt-out notices at the same time holiday mail, tax information reports and related mailings are received. If institutions are unable to reprogram systems so that only one notice is sent per household, the number of notices sent out would be tremendous.

Tremendous systems resources will be required to comply with the proposed rule. Not only will institutions have to reprogram their own systems, but many will also have to work with third party vendors to ensure proper interoperability between systems. Further, the new rule will require extensive training of personnel for proper compliance. A voluntary compliance period of 12 months would provide institutions with flexibility they need to develop and provide notices to all of their existing customers.

Agents, Processors and Service Providers

We suggest that the requirement of "full disclosure" included in Section 502(b) of the GLBA should only be applied to joint marketing arrangements, and not to agents, processors and service providers. Section 502(e) and Section 502(b)(2) clearly indicate that servicing activities are exempt from the opt-out and disclosure requirements. If agents, processors and service providers are included within the full disclosure requirement, institutions would be required to issue additional disclosures each time service contracts are modified. Requiring disclosures as a result of contractual arrangements with servicers would only cause confusion among consumers, who do not understand or care about these contracts but expect that their personal information must be provided to processors for their transactions to be processed. Further, since information-sharing with service providers is exempt from the opt-out provisions, requiring disclosure may cause additional confusion.

Notice of Change in Terms

We suggest that the final rule requiring revised disclosure and opt-out if the institution changes its privacy policies should incorporate the idea of materiality. Requiring institutions to frequently resend privacy notices if there is no material change in the institution's privacy policies would only confuse consumers while providing little benefit.

Annual Notice

The proposed rule requires institutions to provide annual notices within 12 months of establishing a customer relationship. We request that this be changed to allow institutions the flexibility to provide notices every calendar year following the year that the initial notice is provided. This will allow sufficient flexibility to allow institutions to provide the notices to all customers at one time. If the change is not adopted, institutions may not be able to send outprivacy notices at the same time as other mailings.

Information to be Included in the Privacy Notice

We feel that the examples set forth in the proposed rule would require an institution to include in its privacy notice so much detail about its policies on collecting, disclosing and protecting nonpublic personal information of consumers that such notices will not be meaningful to consumers. In addition, if such detail is required, the rule would impose substantial additional burdens on institutions. For example, the level of detail required by the proposed rule would make it very difficult for affiliated financial institutions to provide a joint privacy notice. Requiring detailed disclosures could also prevent an institution from using one privacy notice for all of its customers; it may be forced to provide different privacy notices for each of its product lines. Finally, requiring overly detailed disclosures would greatly increase the frequency with which institutions must provide notice of policy changes.

We request that institutions be required to provide only examples of the categories of information they collect or disclose, and should not be required to identify every possible category. We also suggest that institutions be allowed to categorize information collected or disclosed by type of source, by content, or by a combination of both

We view the proposed rules (which would require that we identify affiliates and nonaffiliated third parties with whom we may share nonpublic personal information by the types of businesses in which they are engaged) as being extremely burdensome, particularly as it relates to nonaffiliated third parties, since it would be practically impossible to account in our privacy policy for all lines of business of third parties with whom we may decide to share information at some point in the future. We believe that, at the very least, the regulations should allow us to describe nonaffiliated third parties in more generic terms (for example, third party service providers, consultants, analysts, telemarketers) but, even with the ability to use such generic descriptions, we see this disclosure requirement as a problem for the reason previously stated.

Alternatively, if institutions are required to categorize the nonaffiliated third parties to whom they disclose information, they should be allowed to categorize them by type of business in which such parties engage, by types of products they offer, or a combination of both.

The proposed rule requires an institution's privacy notice to include a detailed discussion of the institution's information sharing practices with respect to its affiliates, including information about the categories of information that may be disclosed, the categories of affiliates, and the opt-out notice required, if any, under the Fair Credit Reporting Act ("FCRA"). This does not appear to be consistent with Section 503 of the GLBA which provides that except for the FCRA opt-out notice, a financial institution is not otherwise required to include in its privacy notice information relating to the institution's information sharing practices with affiliates. We suggest that the final rule should be revised to provide that except for the FCRA opt-out notice, a financial institution is not otherwise required to provide information in its Section 503 privacy notice regarding information sharing practices with affiliates.


A. Financial Information. We believe that the rule interprets "financial information" in an overly broad manner. Section 509(4)(A) of the GLBA defines "nonpublic personal information" as information that is both personally identifiable and financial. The proposed rule defines "nonpublic personal information" to mean personally identifiable information, and defines "personally identifiable information" to mean, among other things, any information that is provided to a financial institution to obtain a financial product or service. This ignores the requirement in GLBA that nonpublic personal information be both personally identifiable and financial. If all types of information may be considered financial if provided to a financial institution, it raises questions why the GLBA specifically refers to "financial" information. We suggest that the final rule should adopt a narrower definition of "financial information," that is, only information that describes an individual's financial condition, such as an individual's assets, liabilities, income, account balances, payment history and overdraft history.

We also suggest that the mere fact of a customer relationship with an institution, without any indication of the nature of the relationship, should not be considered "financial information," because it contains no information regarding the consumer's "financial condition. Similarly, the final rule should make clear that identification information is not "financial information" under the rule.

B. Nonpublic Personal Information. We believe that the rules should treat information as publicly available so long as such information could be obtained from one of the public sources identified in the rules, without regard to whether or not such information is actually obtained from those sources. Moreover, we advocate and would urge your consideration of a safe harbor rule that treats a consumer's name, address and telephone number as publicly available information (and subject to financial institution disclosure to nonaffiliated third parties without regard to a consumer's opt-out of information sharing) in any and all circumstances.

Joint Accounts

In general, we believe that the unique nature of a joint account, or, for that matter, any other type of account where there are multiple parties to the account, warrants a rule that affords financial institutions flexibility to discharge its obligations to consumers inasmuch as any rule that is too narrowly drawn is not likely to be administratively feasible. We, therefore, offer the following observations and suggestions for addressing various issues associated with joint accounts:

A. Initial Privacy Opt-Out Notices. We would recommend a rule that permits a financial institution to discharge its obligation to provide the required notices in connection with the opening of a new account by delivering or mailing notices, as appropriate in the circumstances, to any one joint account party, unless the account relationship is established in person, with all joint account parties physically present at the financialinstitution, in which case, the financial institution's obligation to provide the required notices should extend to each account party.

B. Customer Opt-Outs. A customer's opt of information sharing should be personal to each customer, rather than account driven. The rules should, therefore, permit each customer to opt out of information sharing, without regard to whether or not another joint account party also opts out. To require all joint account parties to opt out as a condition for the opt out to be effective would result in a rule that may be unworkable, since one or more of the joint account parties could have other customer relationships with the financial institution. If, for example, a customer has already opted out of information sharing in connection with a previously established account relationship, presumably, there would be no need for the customer to sign any further opt-out forms to shield from information sharing any further information about the customer that may be obtained by the financial institution when the joint account is established. The customer's failure to sign another opt-out form when opening the joint account should not be treated as such customer's consent to the sharing of information associated with the joint account nor should it prejudice the other joint account party's right to the protections of the privacy statute.

We also request that institutions be provided the flexibility to deal with joint accounts appropriately. The unique circumstances concerning different products, services and customer relationships require such flexibility. For example, in the case of a guardianship account for a minor, or a trust account where the grantor does not wish to inform beneficiaries of their status regarding the account, it does not make sense to require that notice and opportunity to opt out be given to the minor or the beneficiaries.

C. General Exceptions to the Prohibition on Disclosure of Non-Public Personal Information. We note that section 502(e)(2) of the GLBA would permit a financial institution's disclosure of a consumer's nonpublic personal information with nonaffiliated third parties, notwithstanding the consumer's opt-out of information sharing, when the disclosure is made with the consent or at the direction of the consumer. It appears to us from our reading of this exception that it would not permit a financial institution to share joint account information with a nonaffiliated third party in cases where authorization for such information sharing is only obtained from one joint account party under circumstances where the other joint account party has opted out of information sharing. If our reading of this is correct, we view it as important that the consent exception be enlarged so as to allow disclosure of joint account information when such disclosure is made with the consent or at the direction of any one joint account party. We believe such a rule would be in keeping with laws that are applicable to a joint account (which permit a financial institution to process account transactions when authorized to do so by any one joint account party) as well as with accepted banking practice as it relates to a bank's dealings with joint account parties. We would point out that the rule we are advocating would be limited to the sharing of account information (such as account activity and balance information) and would not extend to the sharing of a nonconsenting joint account party's nonpublic personal information which we agree should be subject to theconfidentiality protections of the federal privacy statute where the nonconsenting joint account party has chosen to opt out of information sharing.

Restrictions on Sharing Account Number Information for Marketing Purposes. We urge the Commission to consider the adoption of a regulation that permits disclosure of account number and/or access code information to nonaffiliated third party service providers under the same parameters that apply to financial institution disclosure of nonpublic personal for use by a third party to perform services for, or functions on behalf of a financial institution under section 502(b)(2) of the GLBA, that is to say, that as long as a financial institution discloses in its privacy policy that such account number/access code information may be shared with third party service providers for marketing purposes and appropriate confidentiality agreements are obtained from such third party service providers, the disclosure of account number/access code information should be permitted.

We thank you for the opportunity to comment on the proposal and appreciate your consideration of our comments with regard to the same.

Very truly yours,

Maureen W. Sullivan