Skip to main content

Comment for 1005.5 Issuance of Access Devices

1. Coverage. The provisions of this section limit the circumstances under which a financial institution may issue an access device to a consumer. Making an additional account accessible through an existing access device is equivalent to issuing an access device and is subject to the limitations of this section.

5(a) Solicited Issuance

Paragraph 5(a)(1)

1. Joint account. For a joint account, a financial institution may issue an access device to each account holder if the requesting holder specifically authorizes the issuance.

2. Permissible forms of request. The request for an access device may be written or oral (for example, in response to a telephone solicitation by a card issuer).

Paragraph 5(a)(2)

1. One-for-one rule. In issuing a renewal or substitute access device, only one renewal or substitute device may replace a previously issued device. For example, only one new card and PIN may replace a card and PIN previously issued. A financial institution may provide additional devices at the time it issues the renewal or substitute access device, however, provided the institution complies with § 1005.5(b). See comment 5(b)-5. If the replacement device or the additional device permits either fewer or additional types of electronic fund transfer services, a change-in-terms notice or new disclosures are required.

2. Renewal or substitution by a successor institution. A successor institution is an entity that replaces the original financial institution (for example, following a corporate merger or acquisition) or that acquires accounts or assumes the operation of an EFT system.

5(b) Unsolicited Issuance

1. Compliance. A financial institution may issue an unsolicited access device (such as the combination of a debit card and PIN) if the institution's ATM system has been programmed not to accept the access device until after the consumer requests and the institution validates the device. Merely instructing a consumer not to use an unsolicited debit card and PIN until after the institution verifies the consumer's identity does not comply with the regulation.

2. PINs. A financial institution may impose no liability on a consumer for unauthorized transfers involving an unsolicited access device until the device becomes an “accepted access device” under the regulation. A card and PIN combination may be treated as an accepted access device once the consumer has used it to make a transfer.

3. Functions of PIN. If an institution issues a PIN at the consumer's request, the issuance may constitute both a way of validating the debit card and the means to identify the consumer (required as a condition of imposing liability for unauthorized transfers).

4. Verification of identity. To verify the consumer's identity, a financial institution may use any reasonable means, such as a photograph, fingerprint, personal visit, signature comparison, or personal information about the consumer. However, even if reasonable means were used, if an institution fails to verify correctly the consumer's identity and an imposter succeeds in having the device validated, the consumer is not liable for any unauthorized transfers from the account.

5. Additional access devices in a renewal or substitution. A financial institution may issue more than one access device in connection with the renewal or substitution of a previously issued accepted access device, provided that any additional access device (beyond the device replacing the accepted access device) is not validated at the time it is issued, and the institution complies with the other requirements of § 1005.5(b). The institution may, if it chooses, set up the validation procedure such that both the device replacing the previously issued device and the additional device are not validated at the time they are issued, and validation will apply to both devices. If the institution sets up the validation procedure in this way, the institution should provide a clear and readily understandable disclosure to the consumer that both devices are unvalidated and that validation will apply to both devices.