[Federal Register Volume 60, Number 55 (Wednesday, March 22, 1995)]
[Rules and Regulations]
[Pages 15032-15033]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-6971]



=======================================================================
-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

12 CFR Part 205

[Regulation E; Docket No. R-0859]


Electronic Fund Transfers

AGENCY: Board of Governors of the Federal Reserve System.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Board is publishing a final rule amending Regulation E 
(Electronic Fund Transfers). The amendment eliminates the requirement 
that an electronic terminal receipt disclose a number or code that 
uniquely identifies the consumer, the consumer's account, or the access 
device. This requirement posed a significant security risk to consumers 
and financial institutions by making information accessible to 
criminals that could be used to make fraudulent fund withdrawals. To 
address this problem, the Board adopted an interim rule effective 
December 1, 1994. The Board also sought comments on the interim rule 
and is amending the rule to address the comments received.

EFFECTIVE DATE: April 24, 1995.

FOR FURTHER INFORMATION CONTACT: Jane Jensen Gell, Staff Attorney, 
Division of Consumer and Community Affairs, Board of Governors of the 
Federal Reserve System, Washington, DC 20551, at (202) 452-2412 or 
(202) 452-3667. For the hearing impaired only, contact Dorothea 
Thompson, Telecommunications Device for the Deaf (TDD), at (202) 452-
3544.

SUPPLEMENTARY INFORMATION:

I. Background

    The Board's Regulation E implements the Electronic Fund Transfer 
Act (EFTA). The EFTA provides a basic framework establishing the 
rights, liabilities, and responsibilities of participants in electronic 
fund transfer (EFT) systems. Types of transfers covered by the act and 
regulation include transfers initiated through an automated teller 
machine (ATM), point-of-sale terminal, automated clearinghouse, 
telephone bill-payment system, or home banking program. Regulation E 
establishes restrictions on the unsolicited issuance of ATM cards and 
other access devices; requires disclosure of terms and conditions of an 
EFT service; calls for documentation of EFTs through terminal receipts 
and periodic account statements; provides limitations on consumer 
liability for unauthorized transfers; and establishes procedures for 
error resolution.

II. Summary of Amendment

    In December 1994, the Board adopted an interim rule amending 
Regulation E (59 FR 61787, December 2, 1994). Comment was solicited on 
making the rule final; approximately 65 comments were received. All 
commenters strongly supported the Board's proposal.1 Commenters 
believed that the change would not significantly reduce the level of 
information provided to consumers regarding their ATM transactions and 
would continue to provide enough information for the consumer (and the 
financial institution) to identify the transaction.

    \1\Commenters included 39 financial institutions, six trade 
associations, five Federal Reserve Banks, and two law firms. No 
consumer groups commented on the interim rule.
---------------------------------------------------------------------------

    Based on the comments received and further analysis, the Board is 
adopting final amendments to Regulation E. Under the final rule, the 
card or account number identification on the receipt no longer has to 
be ``unique'' among the institution's customers and need not exceed 
four digits or letters. The number or code still has to distinguish the 
consumer's account(s) from other accounts of the same consumer at the 
institution, and to distinguish the access device from other access 
devices of the same consumer at the institution.

Section 205.9--Documentation of Transfers

Paragraph (a)--Receipts at Electronic Terminals
    Under the EFTA, when a consumer initiates a transfer at an 
electronic terminal, the financial institution must make a written 
receipt available to the consumer, identifying the consumer's account 
with the financial institution from which or to which funds are 
transferred. Under the regulation, institutions can comply with this 
[[Page 15033]] identification requirement by including a number or code 
on the receipt that identifies the access device used to initiate the 
transfer, the consumer initiating the transaction, or the consumer's 
account(s). The Board specified that the number or code should be 
``unique'' to ensure that the method used on the receipt adequately 
identifies the consumer.
    Over the years, many financial institutions met this requirement 
for unique identification by disclosing consumers' card or account 
numbers on the receipt, and doing so did not appear to represent a 
security risk. Recently, the requirement for a unique identification 
has resulted in serious and widespread ATM fraud carried out by 
individuals who observe--and often videotape--a consumer entering a 
personal identification number (PIN) on the ATM keypad. These persons 
retrieve terminal receipts that have been discarded at ATM locations to 
obtain the account or ATM card number. Using the combination of PIN and 
number, they then manufacture a counterfeit ATM card and use the card 
to withdraw funds from the consumer's account.
    To help protect consumers and financial institutions against this 
fraud, the Board adopted an interim rule effective December 1, 1994. 
The interim rule eliminated the requirement that an electronic terminal 
receipt uniquely identify the consumer's account or card. This change 
has allowed institutions to truncate the number printed on the receipt 
so that it will not contain enough information for a criminal to 
duplicate the card.
    The Board believes that the change does not substantially diminish 
consumer protections. The purpose of the receipt requirement is to 
allow consumers to verify transactions. Under the final rule, the 
receipt still provides sufficient information to allow the consumer to 
identify transfers: the date of the transfer; the amount of the 
transfer; the type of transfer and type of account; the location of the 
terminal; and the identification of any third party to or from which 
funds are transferred. Using this information, a consumer can match 
each transaction on the periodic statement with the receipt received at 
the time the transaction took place. In addition, a consumer has the 
necessary information to identify and resolve errors in documentation. 
Commenters agreed, noting that the amendment would not adversely effect 
their ability to comply with the error resolution procedures of 
Regulation E.

Standards for Truncation

    Numerous commenters asked the Board to provide specific guidance to 
establish truncation standards for card number suppression. Several 
commenters requested that either the regulation or the Official Staff 
Commentary should provide a ``safe harbor'' for institutions, allowing 
them to truncate the identifying information on terminal receipts to as 
few as four digits or letters. An industry trade association, along 
with the major ATM networks, has developed and proposed a 4-digit 
standard for the industry. Although the account number printed on the 
receipt would be truncated under this standard, the necessary 
information to support research and reconciliation would be retained in 
the system. Commenters believed that a 4-digit standard would deter 
fraud and still provide sufficient identification.
    Commenters strongly supported establishing a standard at the 
network level. They believed that this standard would assure that 
cardholders are provided the same level of account protection at any 
network ATM they use. In addition, commenters noted that a financial 
institution could provide the same level of account protection to 
cardholders from other institutions who use their ATMs. Other 
commenters, while not opposing the proposed standard, asked the Board 
to provide flexibility for financial institutions to develop their own 
receipt identification methodology. The Board is amending the 
regulation to provide that institutions are in compliance with the 
terminal receipt account identification requirement when account 
numbers are truncated to four digits. This would create a safe harbor 
for compliance, allow for the establishment of an industry standard, 
and also allow an institution to develop its own requirements.
    The Board believes that the ATM fraud addressed by the rule is a 
serious problem that, absent Board action, would have continued to the 
detriment of consumers and financial institutions. The final rule 
reduces fraud without compromising consumers' ability to document their 
electronic fund transfers and provides specific guidance concerning 
compliance.
    This amendment to Regulation E supersedes a proposed change under 
the regulatory review project that was published for comment earlier 
this year (59 FR 10684, March 7, 1994).

III. Regulatory Flexibility Analysis

    The Board's Office of the Secretary has prepared an economic impact 
statement on the amendment to Regulation E. A copy of the analysis may 
be obtained from Publications Services, Board of Governors of the 
Federal Reserve System, Washington, DC 20551, at (202) 452-3245.

IV. Paperwork Reduction Act

    In accordance with section 3507 of the Paperwork Reduction Act of 
1980 (44 U.S.C. Ch. 35; 5 CFR 1320.13), the information collection has 
been reviewed by the Board under the authority delegated to the Board 
by the Office of Management and Budget after consideration of the 
comments received during the public comment period. The third party 
disclosure in this revision of Regulation E is in 12 CFR 205.9. 
Information is required as confirmation of transactions consumers 
perform at electronic terminals. The revision allows institutions to 
truncate the identifying number or code on receipts, thus deterring 
fraud. The revision is not estimated to change the amount of annual 
burden associated with Regulation E for state member banks, which is 
543,363 hours.

List of Subjects in 12 CFR Part 205

    Consumer protection, Electronic fund transfers, Federal Reserve 
System, Reporting and recordkeeping requirements.

    Accordingly, the interim rule amending 12 CFR part 205 which was 
published at 59 FR 61787 (December 2, 1994) is adopted as a final rule 
with the following changes:

PART 205--ELECTRONIC FUND TRANSFERS (REGULATION E)

    1. The authority citation for part 205 continues to read as 
follows:

    Authority: 12 U.S.C. 1693.

    2. Section 205.9 is amended by revising paragraph (a)(4), to read 
as follows:


Sec. 205.9  Documentation of transfers.

    (a) * * *
    (4) A number or code that identifies the consumer initiating the 
transfer, the consumer's account(s), or the access device used to 
initiate the transfer. The number or code need not exceed four digits 
or letters to comply with the requirements of this paragraph.
* * * * *
    By order of the Board of Governors of the Federal Reserve 
System.

    Dated: March 16, 1995.
Jennifer J. Johnson,
Deputy Secretary of the Board.
[FR Doc. 95-6971 Filed 3-21-95; 8:45 am]
BILLING CODE 6210-01-P