[Federal Register Volume 60, Number 55 (Wednesday, March 22, 1995)]
[Rules and Regulations]
[Pages 15032-15033]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-6971]
=======================================================================
-----------------------------------------------------------------------
FEDERAL RESERVE SYSTEM
12 CFR Part 205
[Regulation E; Docket No. R-0859]
Electronic Fund Transfers
AGENCY: Board of Governors of the Federal Reserve System.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Board is publishing a final rule amending Regulation E
(Electronic Fund Transfers). The amendment eliminates the requirement
that an electronic terminal receipt disclose a number or code that
uniquely identifies the consumer, the consumer's account, or the access
device. This requirement posed a significant security risk to consumers
and financial institutions by making information accessible to
criminals that could be used to make fraudulent fund withdrawals. To
address this problem, the Board adopted an interim rule effective
December 1, 1994. The Board also sought comments on the interim rule
and is amending the rule to address the comments received.
EFFECTIVE DATE: April 24, 1995.
FOR FURTHER INFORMATION CONTACT: Jane Jensen Gell, Staff Attorney,
Division of Consumer and Community Affairs, Board of Governors of the
Federal Reserve System, Washington, DC 20551, at (202) 452-2412 or
(202) 452-3667. For the hearing impaired only, contact Dorothea
Thompson, Telecommunications Device for the Deaf (TDD), at (202) 452-
3544.
SUPPLEMENTARY INFORMATION:
I. Background
The Board's Regulation E implements the Electronic Fund Transfer
Act (EFTA). The EFTA provides a basic framework establishing the
rights, liabilities, and responsibilities of participants in electronic
fund transfer (EFT) systems. Types of transfers covered by the act and
regulation include transfers initiated through an automated teller
machine (ATM), point-of-sale terminal, automated clearinghouse,
telephone bill-payment system, or home banking program. Regulation E
establishes restrictions on the unsolicited issuance of ATM cards and
other access devices; requires disclosure of terms and conditions of an
EFT service; calls for documentation of EFTs through terminal receipts
and periodic account statements; provides limitations on consumer
liability for unauthorized transfers; and establishes procedures for
error resolution.
II. Summary of Amendment
In December 1994, the Board adopted an interim rule amending
Regulation E (59 FR 61787, December 2, 1994). Comment was solicited on
making the rule final; approximately 65 comments were received. All
commenters strongly supported the Board's proposal.1 Commenters
believed that the change would not significantly reduce the level of
information provided to consumers regarding their ATM transactions and
would continue to provide enough information for the consumer (and the
financial institution) to identify the transaction.
\1\Commenters included 39 financial institutions, six trade
associations, five Federal Reserve Banks, and two law firms. No
consumer groups commented on the interim rule.
---------------------------------------------------------------------------
Based on the comments received and further analysis, the Board is
adopting final amendments to Regulation E. Under the final rule, the
card or account number identification on the receipt no longer has to
be ``unique'' among the institution's customers and need not exceed
four digits or letters. The number or code still has to distinguish the
consumer's account(s) from other accounts of the same consumer at the
institution, and to distinguish the access device from other access
devices of the same consumer at the institution.
Section 205.9--Documentation of Transfers
Paragraph (a)--Receipts at Electronic Terminals
Under the EFTA, when a consumer initiates a transfer at an
electronic terminal, the financial institution must make a written
receipt available to the consumer, identifying the consumer's account
with the financial institution from which or to which funds are
transferred. Under the regulation, institutions can comply with this
[[Page 15033]] identification requirement by including a number or code
on the receipt that identifies the access device used to initiate the
transfer, the consumer initiating the transaction, or the consumer's
account(s). The Board specified that the number or code should be
``unique'' to ensure that the method used on the receipt adequately
identifies the consumer.
Over the years, many financial institutions met this requirement
for unique identification by disclosing consumers' card or account
numbers on the receipt, and doing so did not appear to represent a
security risk. Recently, the requirement for a unique identification
has resulted in serious and widespread ATM fraud carried out by
individuals who observe--and often videotape--a consumer entering a
personal identification number (PIN) on the ATM keypad. These persons
retrieve terminal receipts that have been discarded at ATM locations to
obtain the account or ATM card number. Using the combination of PIN and
number, they then manufacture a counterfeit ATM card and use the card
to withdraw funds from the consumer's account.
To help protect consumers and financial institutions against this
fraud, the Board adopted an interim rule effective December 1, 1994.
The interim rule eliminated the requirement that an electronic terminal
receipt uniquely identify the consumer's account or card. This change
has allowed institutions to truncate the number printed on the receipt
so that it will not contain enough information for a criminal to
duplicate the card.
The Board believes that the change does not substantially diminish
consumer protections. The purpose of the receipt requirement is to
allow consumers to verify transactions. Under the final rule, the
receipt still provides sufficient information to allow the consumer to
identify transfers: the date of the transfer; the amount of the
transfer; the type of transfer and type of account; the location of the
terminal; and the identification of any third party to or from which
funds are transferred. Using this information, a consumer can match
each transaction on the periodic statement with the receipt received at
the time the transaction took place. In addition, a consumer has the
necessary information to identify and resolve errors in documentation.
Commenters agreed, noting that the amendment would not adversely effect
their ability to comply with the error resolution procedures of
Regulation E.
Standards for Truncation
Numerous commenters asked the Board to provide specific guidance to
establish truncation standards for card number suppression. Several
commenters requested that either the regulation or the Official Staff
Commentary should provide a ``safe harbor'' for institutions, allowing
them to truncate the identifying information on terminal receipts to as
few as four digits or letters. An industry trade association, along
with the major ATM networks, has developed and proposed a 4-digit
standard for the industry. Although the account number printed on the
receipt would be truncated under this standard, the necessary
information to support research and reconciliation would be retained in
the system. Commenters believed that a 4-digit standard would deter
fraud and still provide sufficient identification.
Commenters strongly supported establishing a standard at the
network level. They believed that this standard would assure that
cardholders are provided the same level of account protection at any
network ATM they use. In addition, commenters noted that a financial
institution could provide the same level of account protection to
cardholders from other institutions who use their ATMs. Other
commenters, while not opposing the proposed standard, asked the Board
to provide flexibility for financial institutions to develop their own
receipt identification methodology. The Board is amending the
regulation to provide that institutions are in compliance with the
terminal receipt account identification requirement when account
numbers are truncated to four digits. This would create a safe harbor
for compliance, allow for the establishment of an industry standard,
and also allow an institution to develop its own requirements.
The Board believes that the ATM fraud addressed by the rule is a
serious problem that, absent Board action, would have continued to the
detriment of consumers and financial institutions. The final rule
reduces fraud without compromising consumers' ability to document their
electronic fund transfers and provides specific guidance concerning
compliance.
This amendment to Regulation E supersedes a proposed change under
the regulatory review project that was published for comment earlier
this year (59 FR 10684, March 7, 1994).
III. Regulatory Flexibility Analysis
The Board's Office of the Secretary has prepared an economic impact
statement on the amendment to Regulation E. A copy of the analysis may
be obtained from Publications Services, Board of Governors of the
Federal Reserve System, Washington, DC 20551, at (202) 452-3245.
IV. Paperwork Reduction Act
In accordance with section 3507 of the Paperwork Reduction Act of
1980 (44 U.S.C. Ch. 35; 5 CFR 1320.13), the information collection has
been reviewed by the Board under the authority delegated to the Board
by the Office of Management and Budget after consideration of the
comments received during the public comment period. The third party
disclosure in this revision of Regulation E is in 12 CFR 205.9.
Information is required as confirmation of transactions consumers
perform at electronic terminals. The revision allows institutions to
truncate the identifying number or code on receipts, thus deterring
fraud. The revision is not estimated to change the amount of annual
burden associated with Regulation E for state member banks, which is
543,363 hours.
List of Subjects in 12 CFR Part 205
Consumer protection, Electronic fund transfers, Federal Reserve
System, Reporting and recordkeeping requirements.
Accordingly, the interim rule amending 12 CFR part 205 which was
published at 59 FR 61787 (December 2, 1994) is adopted as a final rule
with the following changes:
PART 205--ELECTRONIC FUND TRANSFERS (REGULATION E)
1. The authority citation for part 205 continues to read as
follows:
Authority: 12 U.S.C. 1693.
2. Section 205.9 is amended by revising paragraph (a)(4), to read
as follows:
Sec. 205.9 Documentation of transfers.
(a) * * *
(4) A number or code that identifies the consumer initiating the
transfer, the consumer's account(s), or the access device used to
initiate the transfer. The number or code need not exceed four digits
or letters to comply with the requirements of this paragraph.
* * * * *
By order of the Board of Governors of the Federal Reserve
System.
Dated: March 16, 1995.
Jennifer J. Johnson,
Deputy Secretary of the Board.
[FR Doc. 95-6971 Filed 3-21-95; 8:45 am]
BILLING CODE 6210-01-P
