§ 1005.5 Issuance of access devices.
(a) Solicited issuance. Except as provided in paragraph (b) of this section, a financial institution may issue an access device to a consumer only:
(1) In response to an oral or written request for the device; or
1. Joint account. For a joint account, a financial institution may issue an access device to each account holder if the requesting holder specifically authorizes the issuance.
2. Permissible forms of request. The request for an access device may be written or oral (for example, in response to a telephone solicitation by a card issuer).
(2) As a renewal of, or in substitution for, an accepted access device whether issued by the institution or a successor.
1. One-for-one rule. In issuing a renewal or substitute access device, only one renewal or substitute device may replace a previously issued device. For example, only one new card and PIN may replace a card and PIN previously issued. A financial institution may provide additional devices at the time it issues the renewal or substitute access device, however, provided the institution complies with § 1005.5(b). See comment 5(b)-5. If the replacement device or the additional device permits either fewer or additional types of electronic fund transfer services, a change-in-terms notice or new disclosures are required.
2. Renewal or substitution by a successor institution. A successor institution is an entity that replaces the original financial institution (for example, following a corporate merger or acquisition) or that acquires accounts or assumes the operation of an EFT system.
(b) Unsolicited issuance. A financial institution may distribute an access device to a consumer on an unsolicited basis if the access device is:
1. Compliance. A financial institution may issue an unsolicited access device (such as the combination of a debit card and PIN) if the institution's ATM system has been programmed not to accept the access device until after the consumer requests and the institution validates the device. Merely instructing a consumer not to use an unsolicited debit card and PIN until after the institution verifies the consumer's identity does not comply with the regulation.
2. PINs. A financial institution may impose no liability on a consumer for unauthorized transfers involving an unsolicited access device until the device becomes an “accepted access device” under the regulation. A card and PIN combination may be treated as an accepted access device once the consumer has used it to make a transfer.
3. Functions of PIN. If an institution issues a PIN at the consumer's request, the issuance may constitute both a way of validating the debit card and the means to identify the consumer (required as a condition of imposing liability for unauthorized transfers).
4. Verification of identity. To verify the consumer's identity, a financial institution may use any reasonable means, such as a photograph, fingerprint, personal visit, signature comparison, or personal information about the consumer. However, even if reasonable means were used, if an institution fails to verify correctly the consumer's identity and an imposter succeeds in having the device validated, the consumer is not liable for any unauthorized transfers from the account.
5. Additional access devices in a renewal or substitution. A financial institution may issue more than one access device in connection with the renewal or substitution of a previously issued accepted access device, provided that any additional access device (beyond the device replacing the accepted access device) is not validated at the time it is issued, and the institution complies with the other requirements of § 1005.5(b). The institution may, if it chooses, set up the validation procedure such that both the device replacing the previously issued device and the additional device are not validated at the time they are issued, and validation will apply to both devices. If the institution sets up the validation procedure in this way, the institution should provide a clear and readily understandable disclosure to the consumer that both devices are unvalidated and that validation will apply to both devices.
(1) Not validated, meaning that the institution has not yet performed all the procedures that would enable a consumer to initiate an electronic fund transfer using the access device;
(2) Accompanied by a clear explanation that the access device is not validated and how the consumer may dispose of it if validation is not desired;
(3) Accompanied by the disclosures required by § 1005.7, of the consumer's rights and liabilities that will apply if the access device is validated; and
(4) Validated only in response to the consumer's oral or written request for validation, after the institution has verified the consumer's identity by a reasonable means.