Skip to main content

Unsolicited Access Devices

Consumer Affairs Update - June 2014

June 18, 2014

Unsolicited Access Devices

The Consumer Financial Protection Bureau’s Regulation E—Electronic Fund Transfers Act limits the circumstances under which a financial institution may issue access devices, such as debit cards, to consumers. Examiners identified some errors at recent Federal Reserve consumer compliance examinations involving the issuance of unsolicited access devices. The errors occurred primarily because the bank did not realize its actions were covered by the requirements. In this update, we summarize the key points regarding unsolicited access device issuance.

What is an access device? A well-recognized example of an access device is a debit card that enables a consumer to initiate point-of-sale transactions to his/her transaction account. As defined in Regulation E, an access device is a card, code or other means of access to a consumer’s account that may be used by the consumer to initiate electronic fund transfers (EFTs). A less recognized example of an access device includes a personal identification number (PIN) used to access Internet banking or telephone banking services that enable the consumer to initiate transfers from an account.

What requirements apply to the unsolicited issuance of an access device? A financial institution must follow specific requirements for unsolicited issuance of access devices. Unsolicited issuance refers to any circumstances other than when a customer requests the device or it is issued as a renewal of or a substitute for an existing device.

A bank may distribute an unsolicited access device to a consumer if the device is

  1. not validated, meaning that it cannot be used to initiate an EFT;
  2. accompanied by the explanation that it is not validated and how the consumer can safely dispose of it if not desired;
  3. accompanied by complete disclosures explaining the consumer’s rights and liabilities that will apply if the device is validated; and
  4. validated only in response to the consumer’s request, after the institution reasonably verifies the consumer’s identity.

What is an example of unsolicited access device issuance? A common unsolicited access device is allowing a consumer to use the last four digits of his/her social security number (SSN) for initial access to telephone banking or Internet banking, including the ability to initiate fund transfers. To meet Regulation E requirements, the consumer must not be able to use the PIN (in this case the last four digits of the SSN) to initiate a transfer until he/she has requested validation and received the required disclosures.

What risks exist concerning the issuance of unsolicited access devices? The additional requirements applicable to unsolicited access devices serve to safeguard both the consumer and the bank from fraudulent transactions. Because the consumer is not expecting an unsolicited access device as he/she would in the case of a renewal, greater risk exists that the device will be used fraudulently. As a result, a consumer may only be held liable, within the limitations set by Regulation E, for unauthorized transfers involving an unsolicited access device if he/she requests validation. For more information on liability limits under Regulation E for unauthorized electronic fund transfers, refer to the fourth quarter 2012 Consumer Compliance Outlook article on the Philadelphia Fed's web site.


More On