1. Compliance. A financial institution may issue an unsolicited access device (such as the combination of a debit card and PIN) if the institution's ATM system has been programmed not to accept the access device until after the consumer requests and the institution validates the device. Merely instructing a consumer not to use an unsolicited debit card and PIN until after the institution verifies the consumer's identity does not comply with the regulation.
2. PINs. A financial institution may impose no liability on a consumer for unauthorized transfers involving an unsolicited access device until the device becomes an “accepted access device” under the regulation. A card and PIN combination may be treated as an accepted access device once the consumer has used it to make a transfer.
3. Functions of PIN. If an institution issues a PIN at the consumer's request, the issuance may constitute both a way of validating the debit card and the means to identify the consumer (required as a condition of imposing liability for unauthorized transfers).
4. Verification of identity. To verify the consumer's identity, a financial institution may use any reasonable means, such as a photograph, fingerprint, personal visit, signature comparison, or personal information about the consumer. However, even if reasonable means were used, if an institution fails to verify correctly the consumer's identity and an imposter succeeds in having the device validated, the consumer is not liable for any unauthorized transfers from the account.
5. Additional access devices in a renewal or substitution. A financial institution may issue more than one access device in connection with the renewal or substitution of a previously issued accepted access device, provided that any additional access device (beyond the device replacing the accepted access device) is not validated at the time it is issued, and the institution complies with the other requirements of § 1005.5(b). The institution may, if it chooses, set up the validation procedure such that both the device replacing the previously issued device and the additional device are not validated at the time they are issued, and validation will apply to both devices. If the institution sets up the validation procedure in this way, the institution should provide a clear and readily understandable disclosure to the consumer that both devices are unvalidated and that validation will apply to both devices.
See interpretation of 5(b) Unsolicited Issuance
in Supplement I