[Federal Register Volume 59, Number 231 (Friday, December 2, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-29625]




=======================================================================
-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

12 CFR Part 205

[Regulation E; Docket No. R-0859]

 

Electronic Fund Transfers

AGENCY: Board of Governors of the Federal Reserve System.

ACTION: Interim rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: The Board is publishing an interim rule amending Regulation E 
(Electronic Fund Transfers). The amendment eliminates the requirement 
that an electronic terminal receipt disclose a number or code that 
uniquely identifies the consumer, the consumer's account, or the access 
device. This requirement currently poses a significant security risk 
for consumers and financial institutions by making information 
accessible to criminals that they then use to withdraw funds from 
consumers' accounts. The Board has adopted an interim rule that deletes 
the requirement for a unique identification, thus enabling institutions 
to truncate card or account numbers. The Board seeks public comment on 
the interim rule, which the Board will adopt in final following the 
close of the comment period.

DATES: Interim rule effective December 1, 1994; comments must be 
received on or before February 1, 1995.

ADDRESSES: Comments should refer to Docket No. R-0859 and be sent to 
William W. Wiles, Secretary, Board of Governors of the Federal Reserve 
System, Washington, D.C. 20551. They may also be delivered to Room B-
2222 of the Eccles Building between 8:45 a.m. and 5:15 p.m. weekdays, 
or to the guard station in the Eccles Building courtyard on 20th 
Street, N.W. (between Constitution Avenue and C Street) at any time. 
Comments received will be available for inspection in Room MP-500 of 
the Martin Building between 9:00 a.m. and 5:00 p.m. weekdays, except as 
provided in 12 CFR 261.8 of the Board's rules regarding availability of 
information.

FOR FURTHER INFORMATION CONTACT: Jane Jensen Gell or Kyung Cho-Miller, 
Staff Attorneys, Division of Consumer and Community Affairs, Board of 
Governors of the Federal Reserve System, Washington, DC 20551, at (202) 
452-2412 or (202) 452-3667. For the hearing impaired only, contact 
Dorothea Thompson, Telecommunications Device for the Deaf (TDD), at 
(202) 452-3544.

SUPPLEMENTARY INFORMATION:

I. Background

    The Board's Regulation E implements the Electronic Fund Transfer 
Act (EFTA). The EFTA provides a basic framework establishing the 
rights, liabilities, and responsibilities of participants in electronic 
fund transfer (EFT) systems. Types of transfers covered by the act and 
regulation include transfers initiated through an automated teller 
machine (ATM), point-of-sale terminal, automated clearinghouse, 
telephone bill-payment system, or home banking program. Regulation E 
establishes restrictions on the unsolicited issuance of ATM cards and 
other access devices; requires disclosure of terms and conditions of an 
EFT service; calls for documentation of EFTs through terminal receipts 
and periodic account statements; provides limitations on consumer 
liability for unauthorized transfers; and establishes procedures for 
error resolution.

II. Summary of Amendment

Section 205.9--Documentation of Transfers

Paragraph (a)--Receipts at Electronic Terminals
    Under the EFTA, when a consumer initiates an EFT at an electronic 
terminal, the financial institution must make a written receipt 
available to the consumer. The receipt must identify in some way the 
consumer's account with the financial institution from or to which 
funds are transferred.
    Under the Board's Regulation E, institutions can comply with this 
identification requirement by including a number or code on the receipt 
that identifies the access device used to initiate the transfer, the 
consumer initiating the transaction, or the consumer's accounts. To 
ensure adequate identification, the Board's regulation specifies that 
the number or code should be ``unique.''
    This identification requirement was adopted in 1979, and over the 
years many financial institutions have met the requirement by 
disclosing consumers' card or account numbers on the receipt; until 
recently, doing so did not appear to represent a security risk for 
financial institutions. Now, a large number of institutions are 
reporting that the requirement for a unique identification poses a 
significant security risk for consumers and financial institutions. 
These institutions, together with trade associations, have asked that 
the Board revise the rule to prevent ATM fraud by persons who observe--
and often videotape--a consumer entering a personal identification 
number (PIN) on the ATM keypad. These persons retrieve terminal 
receipts that have been discarded at ATM locations to obtain the 
consumer's account or ATM card number. They then manufacture a 
counterfeit ATM card and use the combination of PIN and card to withdraw 
funds from the consumer's account. One estimate places the industry 
losses at an annual cost between 25 and 40 million dollars, and 
climbing; others believe this estimate is understated. Data verifying 
the extent of institutions' fraud losses due to this problem are 
publicly unavailable because the data are proprietary in nature. But 
several large financial institutions indicate they have sustained 
losses of as much as a million dollars in one week.
    Institutions say that truncating the consumer's account or card 
number on the receipt would help to counter the problem. Under the 
current receipt provision in Regulation E, however, they cannot readily 
do so because of the likelihood that the identification number on the 
receipt no longer would be ``unique'' among the institution's 
customers. Institutions have considered other ways to reduce risk, 
including retrofitting terminals to uniquely identify a consumer by a 
means other than a card or account number. Another approach would be 
for the terminal to give customers the option not to receive a receipt, 
for customers who might otherwise tend to discard their receipts at the 
ATM. While these approaches could help reduce fraud, they would be 
extremely costly to implement. Educational efforts to encourage 
consumers not to discard their receipts at the ATM site generally have 
been unsuccessful.
    The interim rule eliminates the requirement for a unique number or 
code, and thus allows institutions to truncate the account or card 
number disclosed on ATM receipts. With a truncated number, it becomes 
less feasible for a criminal to duplicate a card with an account number 
that matches the consumer's PIN. For the consumer's purposes, the 
printed number would continue to provide enough information for the 
consumer (and the financial institution) to identify the transaction.
    The Board believes that the change will not substantially diminish 
consumer protections. The purpose of the receipt requirement is to 
allow consumers to verify transactions. Under the amendment, the 
receipt will still provide sufficient information to allow the consumer 
to identify transfers: the date of the transfer; the amount of the 
transfer; the type of transfer and type of account; the location of the 
terminal; and identification of any third party to or from which funds 
are transferred. Using this information, a consumer could match each 
transaction on the periodic statement with the receipt received at the 
time the transaction took place. In addition, a consumer would have the 
necessary information to identify and resolve errors in documentation.
    Ordinarily the Board publishes proposed rules for a public comment 
period before their adoption. In the present case, the Board believes 
the situation represents a serious fraud problem for consumers and 
financial institutions, and that it is important to act expeditiously 
in amending the current rule. The Board believes also that the 
amendment being adopted will reduce fraud without compromising 
consumers' ability to identify their EFT transactions at ATMs. Delay in 
the adoption of this amendment would cause continued losses to 
consumers and financial institutions, which is contrary to the public 
interest.
    Furthermore, the amendment relieves the restriction that the 
account number be ``unique,'' and does not require institutions to take 
any action to implement the amended regulation. Modification of the 
identification number on the receipt is discretionary to the 
institution. Thus, the Board finds that good cause exists for the 
adoption of an interim rule without prior comment, pursuant to the 
Administrative Procedure Act (5 U.S.C. 553(b)(3)(B)). Accordingly, the 
Board is adopting an interim rule that takes effect immediately, and 
publishing that interim rule for public comment for a 60-day period, 
after which the Board will adopt a final rule that takes into account 
any comment that may be received.
    The amendment to Regulation E set forth below does not expressly 
refer to truncation of the account number. The Board notes, however, 
that it plans to codify the permissibility of truncation in the 
Official Staff Commentary to Regulation E, following the Board's final 
action on this interim rule. (This amendment of Regulation E supersedes 
a proposed change under the regulatory review project that was 
published for comment earlier this year (59 FR 10684, March 7, 1994).)

III. Form of Comment Letters

    Comment letters should refer to Docket No. R-0859. The Board 
requests that, when possible, comments be prepared using a standard 
``Courier'' typeface with a type size of 10 or 12 characters per inch. 
This will enable the Board to convert the text into machine-readable 
form through electronic scanning, and will facilitate automated 
retrieval of comments for review. Comments may also be submitted on 
computer diskettes, using either the 3.5'' or 5.25'' size, in any IBM-
compatible DOS-based format. Comments on computer diskettes must be 
accompanied by a hard copy version.

IV. Regulatory Flexibility Analysis and Paperwork Reduction Act

    The amendment to Regulation E will provide more flexibility to 
financial institutions in complying with the EFT Act requirements for 
identifying a transaction on receipts provided at electronic terminals.
    In accordance with section 3507 of the Paperwork Reduction Act of 
1980 (44 U.S.C. 35; 5 CFR 1320.13), the revision will be reviewed by 
the Board under the authority delegated to the Board by the Office of 
Management and Budget after consideration of comment received during 
the public comment period. Nevertheless, given that the amendment 
provides for more flexibility in complying with the law, the Board 
believes there is a negligible impact on the paperwork burden for state 
member banks and institutions supervised by other agencies.

List of Subjects in 12 CFR Part 205

    Consumer protection, Electronic fund transfers, Federal Reserve 
System, Reporting and recordkeeping requirements.

    For the reasons set forth in the preamble, the Board amends 12 CFR 
part 205 as set forth below:

PART 205--ELECTRONIC FUND TRANSFERS (REGULATION E)

    1. The authority citation for part 205 continues to read as 
follows:

    Authority: 12 U.S.C. 1693.

    2. Section 205.9 is amended by revising paragraph (a)(4), to read 
as follows:


Sec. 205.9   Documentation of transfers.

    (a) * * *
    (4) A number or code that identifies the consumer initiating the 
transfer, the consumer's account(s), or the access device used to 
initiate the transfer.
* * * * *
    By order of the Board of Governors of the Federal Reserve 
System, November 28, 1994.
William W. Wiles,
Secretary of the Board.
[FR Doc. 94-29625 Filed 12-1-94; 8:45 am]
BILLING CODE 6210-01-P