[Federal Register: March 16, 2001 (Volume 66, Number 52)] [Rules and Regulations] [Page 15187-15195] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr16mr01-1] ======================================================================== Rules and Regulations Federal Register ________________________________________________________________________ This section of the FEDERAL REGISTER contains regulatory documents having general applicability and legal effect, most of which are keyed to and codified in the Code of Federal Regulations, which is published under 50 titles pursuant to 44 U.S.C. 1510. The Code of Federal Regulations is sold by the Superintendent of Documents. Prices of new books are listed in the first FEDERAL REGISTER issue of each week. ======================================================================== [[Page 15187]] FEDERAL RESERVE SYSTEM 12 CFR Part 205 [Regulation E; Docket No. R-1074] Electronic Fund Transfers AGENCY: Board of Governors of the Federal Reserve System. ACTION: Final rule; official staff interpretation. ----------------------------------------------------------------------- SUMMARY: The Board is adopting a final rule revising the Official Staff Commentary to Regulation E, which implements the Electronic Fund Transfer Act. The commentary interprets the requirements of Regulation E, to facilitate compliance by financial institutions that offer electronic fund transfer services to consumers. The final rule provides guidance on Regulation E coverage of electronic check conversion transactions and computer-initiated bill payments; authorization of recurring debits from a consumer's account; telephone-initiated transfers; and other issues. DATES: The rule is effective March 15, 2001; however, to allow time for any necessary operational changes, the mandatory compliance date is January 1, 2002. FOR FURTHER INFORMATION CONTACT: Natalie E. Taylor or John C. Wood, Counsel, or David A. Stein, Attorney, Division of Consumer and Community Affairs, Board of Governors of the Federal Reserve System, Washington, DC 20551, at (202) 452-2412 or (202) 452-3667. SUPPLEMENTARY INFORMATION: I. Background The Electronic Fund Transfer Act (EFTA or the act) (15 U.S.C. 1693 et seq.), enacted in 1978, provides a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund transfer (EFT) systems. The EFTA is implemented by the Board's Regulation E (12 CFR part 205). Types of transfers covered by the act and regulation include transfers initiated through an automated teller machine (ATM), point-of-sale (POS) terminal, automated clearinghouse (ACH), telephone bill-payment plan, or remote banking program. The act and regulation require disclosure of terms and conditions of an EFT service; documentation of EFTs by means of terminal receipts and periodic account statements; limitations on consumer liability for unauthorized transfers; procedures for error resolution; and certain rights related to preauthorized EFTs. The act and regulation also prescribe restrictions on the unsolicited issuance of ATM cards and other access devices. The act's coverage is not limited to traditional financial institutions holding consumers' asset accounts. For EFT services made available by entities other than an account-holding financial institution, the act directs the Board to assure, by regulation, that the disclosures, responsibilities, and remedies of the act are made applicable. The Official Staff Commentary (12 CFR part 205 (Supp. I)) is designed to facilitate compliance and provide protection from civil liability, under Sec. 915(d)(1) of the act, for financial institutions that act in conformity with it. The commentary is updated periodically, as necessary, to address significant questions that arise. II. Summary of the Proposed and Final Revisions On June 29, 2000, the Board published proposed revisions to the Official Staff Commentary to Regulation E (65 FR 40061). The most significant issues addressed by the proposal were coverage of transactions that involve electronic check conversion, computer- initiated bill payments, and authorizations of recurring debits. The Board received more than 120 comment letters on the proposal. The majority of comments were from financial institutions, ACH associations, retailers, and their representatives. Overall, most commenters supported the Board's proposed revisions as necessary and helpful guidance. The Board is adopting the revisions to the official staff commentary substantially as proposed. Some modifications have been made to address comments about the need for consistency in the coverage of electronic check conversion transactions and the standard for electronic authorization of recurring transfers. Other comments have been modified to address commenters' requests for additional clarification. Electronic Check Conversion The proposal sought to clarify Regulation E coverage of transactions where a merchant at POS uses a consumer's blank, partially completed, or fully completed and signed check to obtain information for initiating a one-time ACH debit from the consumer's account. The National Automated Clearing House Association (NACHA) and other entities have, or are planning, programs that permit such transactions. In one type of program, known as ``consumer-as-keeper,'' after an EFT is initiated the merchant returns the check to the consumer. The proposal made clear that such transfers are covered by Regulation E. In another type of program, known as ``financial institution-as-keeper'' (which NACHA has not approved), the merchant or its financial institution retains the check. The supplementary information to the proposal indicated that Regulation E would cover the transfer where the check is blank or only partially completed. If, however, the check is fully completed and signed and retained by the merchant, the transfer would be excluded from coverage under Regulation E unless the consumer authorized an EFT. The Board solicited comment on this interpretation and the extent to which merchants are carrying out transactions under the ``financial institution-as-keeper'' model. The supplementary information also addressed transfers resulting from NACHA's lockbox program where a payee converts consumers' checks received by mail to ACH debits. Under that program, consumers are informed that the payments will be processed as EFTs. The proposal stated that these transactions would not be covered by Regulation E since transfers originated by check are excluded from coverage. Under the final rule, where a consumer authorizes a one-time EFT from the consumer's account using information from a check to initiate the transfer, the transaction is covered by Regulation E. Application of the rule is [[Page 15188]] consistent and the result is the same whether the check is blank, partially completed, or fully completed and signed; whether the check is presented at POS or mailed to a merchant or lockbox and later converted to an EFT; or whether the check is retained by the consumer, the merchant, or the merchant's financial institution. (See comment 3(b)-1(v) and supplementary information under the Section-by-Section Analysis. The term ``check'' is used for ease of reference; it is intended to include a draft.) The proposal also provided guidance on the coverage of ``re- presented check entry'' or ``RCK'' transactions, where a check used to pay for goods or services is subsequently returned for insufficient funds and the payee re-presents the check electronically through an ACH system. Under the proposal, an EFT resulting from the electronic re- presentment of the check would be the continuation of a transaction originated by check, and excluded from Regulation E coverage. A fee assessed by the payee for re-presentment, such as a collection fee, however, would be covered by the regulation if authorized by the consumer to be debited electronically from the consumer's account. Under the final rule, the comment is adopted substantially as proposed, with modifications that clarify the authorization requirements. (See comment 3(c)(1)-1.) Computer-Initiated Transfers The Board proposed revisions concerning the coverage of computer- initiated transfers pursuant to a bill-payment service. Under the proposal, such transfers would be covered unless the terms of the service agreement explicitly state that payments will be carried out solely by check, draft, or similar paper instrument. The final rule provides that computer-initiated payments are covered by the regulation unless the agreement with the consumer expressly states that all payments will be made by check, draft, or similar paper instrument, or specifically identifies payments that will be made by check, draft, or similar paper instrument. (See comment 3(b)-1(vi).) Authorization of Recurring Debits Section 205.10(b) requires that recurring electronic debits from a consumer's account be authorized ``only by a writing signed or similarly authenticated by the consumer.'' The Board proposed to revise comment 10(b)-5 to ensure that financial institutions had guidance on the flexibility of establishing authentication methods. When the proposal was issued, the Congress had passed, but the President had not yet signed into law, electronic commerce legislation that addressed, among other things, the use and acceptance of electronic signatures and records for electronic commerce in general. The Board noted in the supplementary information to the proposal that if the legislation became law, the ``similarly authenticated'' standard could become unnecessary. On June 30, 2000, the Electronic Signatures in Global and National Commerce Act (the E-Sign Act), 15 U.S.C. 7001, et seq., became law. The E-Sign Act provides that electronic documents and signatures have the same validity as paper documents and handwritten signatures. Most of the act's provisions took effect October 1, 2000. Under the final rule, revisions have been made to ensure consistency with the E-Sign Act and to provide flexibility. For example, the rule clarifies that the copy of the authorization returned to the consumer may be in paper or electronic form, and that a code used as a means to ``similarly authenticate'' an authorization need not originate with the paying institution. (See comment 10(b)-5). Other Issues The Board generally solicited comment on how aggregation services made available to consumers through an Internet web site currently operate or might operate in the future, and posed several questions about the services. Aggregation services permit consumers to view financial information consolidated from multiple sources, such as their credit card, securities, and deposit accounts at a number of institutions. Because the Board did not publish a proposed interpretation related to aggregation services, the final commentary does not address these issues. The Board will consider addressing these issues in a future proposal. The proposal also provided technical clarifications on various issues. They include exceptions from the periodic statement requirements, definition of an electronic terminal, timing of disclosures, and compulsory use. Revisions have been made in the final rule to address commenters' requests for additional clarification. III. Section-by-Section Analysis of the Final Rule Supplement I--Official Staff Interpretations Section 205.2--Definitions 2(a) Access Device Regulation E defines an ``access device'' as a card, code, or other means of access to a consumer's account, or any combination thereof, that may be used by the consumer to initiate EFTs. The proposed rule provided that in check conversion programs that allow a merchant to use a consumer's check to obtain the routing, account, and serial numbers to initiate a one-time EFT, the check is not an access device. Thus, it is not subject to limitations on issuance, for example. Comment 2(a)-2 is added as proposed with some modifications for clarity. (See also discussion under ``Electronic check conversion'' in Section II.) 2(h) Electronic Terminal Comment 2(h)-2 currently states that a POS terminal that captures data electronically is an electronic terminal if a debit card is used to initiate an EFT. Some have interpreted the provision narrowly to apply only when a debit card is used to initiate an EFT. Comment 2(h)-2 is revised, as proposed, to provide that a POS terminal that captures data electronically to initiate an EFT is an electronic terminal even if no access device is used, such as when a check is used to capture information to initiate a one-time EFT. Most commenters supported this revision. The receipt requirements of Sec. 205.9 apply whether a debit card or information from a check is used to initiate a transfer. A check used to capture information to initiate an EFT at POS itself may serve as the receipt in some cases if it meets the requirements of Sec. 205.9. A merchant does not meet the definition of ``financial institution'' under the act or regulation since the merchant does not hold the consumer's account or issue an access device and agree with the consumer to provide EFT services. But because the merchant is using an electronic terminal to capture information from the consumer's check to initiate an EFT, the merchant is providing an EFT service. A merchant participating in electronic check conversion transactions will likely use an electronic terminal for credit card and debit card transactions. Given that the merchant must comply with the receipt requirements of Sec. 205.9 of the regulation for debit card transactions, the Board believes the merchant will [[Page 15189]] similarly provide receipts for electronic check transactions. Consequently, the Board has not proposed to amend the regulation at this time to require merchants to provide receipts. Section 904(d) of the EFTA provides that ``[i]f electronic fund transfer services are made available to consumers by a person other than a financial institution holding a consumer's account, the Board shall by regulation assure that the disclosures, protections, responsibilities, and remedies created by [the EFTA] are made applicable to such persons and services.'' If the Board becomes aware that consumers are not receiving receipts in connection with check conversion transactions (or that merchants are not transmitting information needed for consumers' periodic statements), the Board will consider exercising its authority under Sec. 904 to require compliance by merchants. 2(k) Preauthorized Electronic Fund Transfer Section 205.2(k) defines a ``preauthorized electronic fund transfer'' as an EFT authorized in advance to recur at substantially regular intervals. Beyond that authorization, no further action by the consumer is required to initiate the transfer. Comment 2(k)-1 is added as proposed. Commenters supported the clarification. 2(m) Unauthorized Electronic Fund Transfer Certain payments often are made to a consumer's account through the ACH, such as direct deposits of payroll or government benefits. NACHA rules permit reversal of payments made in error in limited circumstances. Comment 2(m)-5 is added, with some modifications from the proposal, to clarify that reversals of certain direct deposits that were made in error are not ``unauthorized'' EFTs. The last sentence in paragraph (iii) of the proposed comment, referring to a dispute about whether the account holder is entitled to a certain amount, has been deleted as unnecessary. Section 205.3--Coverage 3(b) Electronic Fund Transfer The EFTA excludes from coverage any transaction ``originated by check, draft, or similar paper instrument.'' 15 U.S.C. 1693a. The proposed rule addressed the coverage of electronic check conversion transactions based on several pilots introduced by NACHA and others. In such transactions, the merchant obtains information from a consumer's check at POS to initiate a one-time ACH debit from the consumer's account. The merchant electronically scans and captures the MICR (Magnetic Ink Character Recognition) encoding on the check for the routing, account, and serial numbers, and enters the amount to be debited from the consumer's account. Under the Board's proposal, an EFT resulting from the ``consumer- as-keeper'' program would be covered by the regulation. Likewise, an EFT resulting from the ``financial institution-as-keeper'' program would be covered by Regulation E where the consumer provides a blank or partially completed check as a source document. Where the check is completed and signed by the consumer and retained by the merchant, the transaction arguably could be viewed as originating by check. Therefore, the supplementary information to the proposal stated that the transaction would be an EFT (and thus covered by Regulation E) only if the consumer authorized it as such. Finally, under the proposal, transfers resulting from the ``lockbox'' program would have been excluded from coverage as having originated by check. (See discussion under ``Electronic check conversion'' in Section II.) The majority of commenters believed that Regulation E should cover check conversion transactions under the ``consumer-as-keeper'' program, but disagreed with coverage of these transactions under the ``financial institution-as-keeper'' program. Some commenters believed that consumers would be confused because they would be providing a check to the merchant and at the same time authorizing the transaction as an EFT. Some commenters suggested that the rules should not be based on the characteristics of the various programs; instead, the Board should establish a bright-line test that provides certainty and consistency. Regarding the authorization requirement, some commenters believed the Board was imposing a written authorization requirement for transactions under the financial institution-as-keeper model. The supplementary information to the proposed rule stated that where a consumer provides a completed and signed check, a transfer under this model would be an EFT if the consumer ``authorizes it as such.'' Other commenters expressed concern about the inconsistent treatment of transfers under the ``financial institution-as-keeper'' program (which would generally be covered by Regulation E under the proposal) and those resulting from ``lockbox'' transactions (which would not be covered). The Board is adopting an interpretation based on a consumer's authorization of a transaction as an EFT to clarify the rights, liabilities, and responsibilities of participants in check conversion programs. Under this approach, Regulation E coverage does not depend on the characteristics of a particular program. The final rule provides that where a consumer authorizes the use of a check for initiating an EFT, the transaction is not deemed to be originated by check. The transaction is covered by Regulation E. Comment 3(b)-1(v), as adopted, makes clear that the rule applies whether the check is blank, partially completed, or fully completed and signed; whether it is presented at POS or mailed to a merchant or lockbox and later converted to an EFT; or whether it is retained by the consumer or the merchant (or the merchant's financial institution). The proposed rule was not intended to require a separate written authorization for electronic check conversion transactions. (Under the EFTA and Sec. 205.10(b) of Regulation E, written authorization is required only for recurring transfers.) Section 205.3 of Regulation E provides that the regulation applies to ``any electronic fund transfer that authorizes a financial institution to debit or credit a consumer's account.'' A merchant or other payee offering the check conversion services discussed above is providing an EFT service, and therefore should obtain the consumer's authorization to initiate an EFT. In the context of check conversion, authorization takes place if the consumer engages in the transaction after receiving notice that the transaction will be treated as an EFT. New comment 3(b)-3 is added to provide this guidance. (NACHA Operating Rules currently provide greater consumer protections in that they require written authorizations even for one- time conversion transactions.) Section 904(d)(1) of the EFTA provides that ``[i]f electronic fund transfer services are made available to consumers by a person other than a financial institution holding a consumer's account, the Board shall by regulation assure that the disclosures, protections, responsibilities, and remedies created by [the EFTA] are made applicable to such persons and services.'' While the Board did not propose to amend the regulation at this time to require compliance by merchants or other payees with the Regulation E authorization requirement, [[Page 15190]] the Board fully expects them to obtain a consumer's authorization to initiate an EFT from the consumer's account. If, however, the Board becomes aware that authorizations are not being obtained in connection with check conversion transactions, the Board will consider exercising its authority under Sec. 904 to require compliance by the merchants or other payees. (Also see discussion under ``2(h) Electronic Terminal'' regarding compliance with terminal-receipt requirements.) Comment 3(b)-1(vi) is added, with some modifications from the proposal, to provide guidance on the regulation's coverage of bill- payment services where a consumer initiates payments via computer (or other electronic means). Generally, the definition of ``electronic fund transfer'' in Sec. 205.3(b) covers these payments. The comment as proposed would result in total exemption or total coverage of a bill- payment service. Commenters supported the proposal with some requests for modification. They suggested an approach that would only exclude payments to particular payees made solely by check. The comment has been revised to provide that computer-initiated payments are covered by the regulation unless the service agreement explicitly states that all payments, or all payments to identified payees, will be made solely by check, draft or similar paper instrument drawn on the consumer's account. 3(c) Exclusions From Coverage 3(c)(1)--Checks Comment 3(c)(1)-1 provides guidance on NACHA's re-presented check entry (RCK) program, in which merchant payees (or their financial institutions or agents) re-present returned checks electronically. Written authorization from the consumer for the RCK debit is not obtained, although the merchant payee usually has provided notice at POS that any returned item may be collected electronically if returned for insufficient funds. The comment clarifies that an RCK transaction is not covered by Regulation E because the transaction was originated by check. In some cases, a payee may impose a fee on the consumer because the consumer's check was returned. NACHA rules provide that the RCK debit must be in the amount of the original check; therefore, the amount may not be increased to include a fee. The payee would have to initiate a separate debit to collect the fee electronically. Because an electronically debited fee meets the definition of an EFT under Regulation E, it is covered by the regulation and must be authorized (in this case, by notice to the consumer). Most commenters agreed with the proposed rule excluding coverage of the RCK. A number of commenters disagreed with the proposal to cover any additional fee debited electronically from the consumer's account. Since the fee is based on the original transaction, these commenters believe the fee is likewise covered by the Uniform Commercial Code (UCC), which permits incidental damage fees. The Board views, as separate transactions, the RCK and any fee assessed and debited from the consumer's account as a result of insufficient funds, whether or not the fee is permitted by the UCC to cover incidental damages. Authorization is required to electronically debit the fee from the consumer's account, but because the transfer is nonrecurring, notice to the consumer is sufficient for purposes of compliance with the regulation. (NACHA Operating Rules currently provide greater consumer protections in that they require written authorizations.) Comment 3(c)(1)-2 is added as proposed to cross reference comment 3(b)-1(v), which provides guidance on the regulation's coverage of an EFT where a consumer's check is used to capture information for initiating the transfer. 3(c)(6)--Telephone-Initiated Transfers A transfer initiated by telephone is covered by Regulation E if it occurs pursuant to a telephone bill-payment or other written plan that contemplates that the consumer will initiate transfers from time to time. Comment 3(c)(6)-1 is revised, as proposed, to provide additional guidance on what constitutes a written plan. Comment 3(c)(6)-2(v) is added, as proposed, to clarify coverage of transfers initiated by audio- or voice-response telephone systems. Section 205.6--Liability of Consumer for Unauthorized Transfers 6(b) Limitations on Amount of Liability 6(b)(1)--Timely Notice Given Section 205.6 provides rules concerning a consumer's liability for an unauthorized transfer. The limitation on the consumer's liability depends, in part, on whether the unauthorized transfer takes place within or after two business days of the consumer's learning of the loss or theft of the access device. Comment 6(b)(1)-3 is added to clarify how to count the two-business-day period. The comment has been modified from the proposal to provide further clarity. Most commenters generally supported the addition of the comment. A number of commenters expressed concern that use of the term ``midnight'' made the proposed comment unclear, and suggested alternative language. To avoid confusion, the reference to ``midnight'' has been deleted and the comment reworded. Section 205.7--Initial Disclosures 7(a) Timing of Disclosures Regulation E generally requires that disclosures be provided at the time the consumer contracts for an EFT service or before the first transfer is made to or from the consumer's account. Comment 7(a)-2 is revised, as proposed, to provide an exception to the disclosure timing rules when the consumer has authorized a third party to debit or credit the consumer's account, on either a one-time or recurring basis, and the institution has not received prior notice of the transfer. In these circumstances, the institution must provide the Regulation E disclosures as soon as reasonably possible after the first transfer. Before this revision, comment 7(a)-2 provided this disclosure timing exception only for direct deposits. Most commenters who addressed this issue supported the proposed revision and the regulatory relief provided. 7(b) Content of Disclosures 7(b)(10) Error Resolution Under Sec. 205.7, a financial institution must provide an error resolution notice with the initial disclosures, and under Sec. 205.8, must also do so annually or with each periodic statement. Under comment 7(b)(10)-2, a financial institution must have disclosed in its initial disclosures the longer error resolution time periods (applicable to foreign-initiated and POS debit card transactions) for resolving errors under Sec. 205.11(c)(3) in order to use the longer periods. In 1998, Sec. 205.11(c)(3) was amended to extend the error resolution time periods for new accounts (63 FR 52115, September 29, 1998). Comment 7(b)(10)-2 is revised as proposed to reflect the amendment to Sec. 205.11(c)(3). Section 205.11(c)(3) treats an account as a new account for a period of 30 days after the first deposit to the account is made. In the September 1998 amendment, the Board explained that, to provide consistency and ease regulatory compliance, the rule tracked the definition of ``new account'' in Regulation CC (Availability of Funds and Collection of Checks, 12 CFR 229.13(a)(2)), including the staff commentary to Regulation CC. Thus, for example, an account is not considered [[Page 15191]] a new account if a customer has had another account relationship with the financial institution for at least 30 calendar days. To clarify this point, a cross-reference to the Regulation CC definition of ``new account'' has been added to comment 7(b)(10)-2. An update to the error resolution model forms in Appendix A, paragraph A-3 (to reflect the extended time periods applicable to foreign-initiated transactions, POS debit card transactions, and new accounts) is pending. In September 1999, the Board proposed amendments to the model forms along with other proposed Regulation E amendments on the electronic delivery of disclosures (64 FR 49699, September 14, 1999). The Board is expected to consider final action on the amendments in the near future. Section 205.8--Change-in-Terms Notice; Error Resolution Notice 8(b) Error Resolution Notice The Board proposed to add new comment 8(b)-2 to cross-reference comment 7(b)(10)-2, which states that, with regard to the initial error resolution notice, an institution seeking to use the longer error resolution time periods in Sec. 205.11(c)(3) must have disclosed them. A few commenters agreed with the requirement to disclose the longer time periods for new accounts in the initial error resolution notice, but questioned whether disclosure in the annual notice would serve a useful purpose. These commenters noted that in practice, it is unlikely that an account would still qualify as new when the annual notice is provided. An annual error resolution notice need not contain a reference to the longer time periods for new accounts, and the final comment has been revised accordingly. (The notice must refer, however, to the longer time periods for foreign-initiated and POS debit card transactions if the institution wishes to take advantage of these extended periods.) In addition, the final comment is revised to reflect that disclosure of the longer time periods for new accounts is not required in the error resolution notice that may be provided with each periodic statement as an alternative to the annual error resolution notice. Section 205.9--Receipts at Electronic Terminals; Periodic Statements 9(a) Receipts at Electronic Terminals 9(a)(5)--Terminal Location Section 205.9(a)(5) requires that an ATM or POS terminal receipt contain the location of the terminal where the transfer is initiated, or an identification such as a code or terminal number. Comment 9(a)(5)-1 is revised, as proposed, to clarify that either a code or location may be disclosed. Comments 9(a)(5)(iv)-1 and -2 are redesignated as comments 9(a)(5)-3 and -4. 9(b) Periodic Statements Comment 9(b)-4 currently provides that an institution may permit, but not require, consumers to ``call for'' periodic statements. The Board proposed to change the reference ``call for'' to ``pick up.'' The comment is adopted as proposed. 9(c) Exceptions to the Periodic Statement Requirements for Certain Accounts 9(c)(1)--Preauthorized Transfers to Accounts Section 205.9(c) lists the circumstances in which a periodic statement for EFT transactions is not required (or is not required to be provided monthly). Comment 9(c)(1)-1 is added as proposed to provide further guidance on the exceptions to the periodic statement requirements. Comment 9(c)(1)-2 is added as proposed to clarify that the exceptions in Sec. 205.9(c) apply despite the occurrence of reversals of deposits made in error. (See also comment 2(m)-5.) Section 205.10--Preauthorized Transfers 10(b) Written Authorization for Preauthorized Transfers From Consumer's Account Section 205.10(b) provides that recurring electronic debits from a consumer's account ``may be authorized only by a writing signed or similarly authenticated by the consumer.'' The phrase ``similarly authenticated'' was added in 1996 (61 FR 19678, May 2, 1996), and was intended to permit electronic authorizations; comment 10(b)-5 was added to the staff commentary to provide guidance. Since that time, the issues of electronic authorization and authentication methods have been further addressed in Regulation E rulemakings published in March 1998 (63 FR 14528, March 25, 1998) and September 1999 (64 FR 49699, September 14, 1999), and commenters have made suggestions and sought further guidance. In addition, the Electronic Signatures in Global and National Commerce Act, 15 U.S.C 7001 et seq., (the E-Sign Act) addresses, among other things, the use and acceptance of electronic signatures for electronic commerce in general. The Board proposed to revise comment 10(b)-5 to clarify that institutions have flexibility in establishing electronic authentication methods. Under the proposal, any authentication mechanism that provides assurance similar to a paper-based signature (such as a mechanism that verified the consumer's identity and evidenced the consumer's assent to the authorization) would satisfy the ``similarly authenticated'' standard. Also, for consistency with Board rulemakings permitting the electronic delivery of disclosures, the comment would be revised to permit the person obtaining the authorization to provide a copy of the authorization to the consumer either in paper form or electronically (the existing comment requires that a paper copy be provided). Most commenters addressing this issue supported the proposed revision. Several commenters were concerned, however, that the comment could be interpreted to impose requirements on electronic authorizations that exceed those set forth in the E-Sign Act. Accordingly, they urged that the Board delete the comment or modify it for consistency with the E-Sign Act. Comment 10(b)-5 was not intended to impose stricter requirements than the E-Sign Act; rather the comment was intended to provide guidance so that a payee obtaining a consumer's authorization for recurring debits can be assured of compliance with Sec. 205.10(b). The final comment has been modified to ensure consistency with the requirements of the E-Sign Act. First, the introductory sentence has been deleted as no longer necessary. It has been replaced with guidance on the ``similarly authenticated'' standard. Second, references to the definition of an electronic record and an electronic signature in the E-Sign Act have been added. Third, the authorization standard has been clarified to state that the process should evidence the consumer's identity and assent to the authorization. Fourth, the language discussing the requirement to provide a copy of the authorization to the consumer has been revised to clarify that the copy may be either paper or electronic. Finally, the supplemental information to the proposed revision to comment 10(b)-5 stated that a security code used as the authentication method need not originate with the paying institution, if the code meets the general standards for ``similar authentication.'' This interpretation has been incorporated into the text of the comment. New comment 10(b)-7 is adopted as proposed. The comment addresses a situation where a consumer, by telephone or on-line, authorizes [[Page 15192]] recurring charges against an account, but where it may not be clear to the payee whether a credit card or debit card is involved. Unlike Regulation E, Regulation Z does not require a written, signed or ``similarly authenticated'' authorization for recurring charges to a consumer's credit card account. The comment clarifies that when recurring charges in fact involve a debit card, the payee is required to obtain an authorization in accordance with Sec. 205.10(b). The payee may rely on the bona fide error provision in section 915(c) of the EFTA, provided procedures are in place to prevent such errors from occurring. Some commenters believed that the standards set forth in the comment would be burdensome. They suggested that the comment not be adopted, or that the final comment omit the conditions that the failure to obtain written authorization be unintentional and that reasonable procedures be maintained to avoid such an error. The requirement to obtain written authorization for recurring electronic debits is statutory, as are the conditions concerning unintentional failure and reasonable procedures. Therefore, the comment is adopted as proposed. Where the authorization occurs on-line, payees have the option to ensure compliance by obtaining electronic authorizations in all cases, following the procedures set forth in comment 10(b)-5 or in the E-Sign Act. Some commenters requested guidance on what procedures should be used to avoid errors regarding the type of card used by a consumer to authorize recurring charges. To ensure flexibility in this area, however, as other commenters urged, the comment as finally adopted does not specify any particular procedures. 10(e) Compulsory Use 10(e)(2)--Employment or Government Benefit Section 205.10(e)(2) provides that a financial institution may not require a consumer to establish an account for receipt of EFTs with a particular institution as a condition of employment. Comment 10(e)(2)-1 is revised as proposed to clarify that an employer (including a financial institution) may provide for having employees' salary deposited at a particular institution designated by the employer, if employees are given the option to receive their salary by check or cash. Commenters generally supported the revision. Section 205.11--Procedures for Resolving Errors 11(a)--Definition of Error Section 205.11 sets forth procedures for resolving errors. In defining ``error'' and the types of transfers or inquiries covered, the regulation also sets forth types of inquiries that are not covered. Sec. 205.11(a)(2). Existing comment 11(a)-2 provides that if a consumer merely calls to verify whether a deposit (made via ATM, preauthorized transfer, or other electronic means) was credited, without asserting an error, the error resolution procedures are not triggered. Under the proposal, comment 11(a)-2 was broadened to provide that consumer inquiries to verify account payments, as well as account deposits, without the assertion of any error, would not trigger the error resolution procedures. Commenters generally supported the proposed revision. In response to comments, the proposed phrase ``if the consumer calls'' has been replaced by ``if the consumer contacts,'' to reflect that these routine consumer inquiries are not limited to telephone inquiries; and the comment adopted clarifies that an inquiry about a ``payment'' includes an inquiry about other EFTs debited to the account. Section 205.12--Relation to Other Laws 12(a) Relation to Truth in Lending Comment 12(a)-1 is revised as proposed to distinguish between two types of unauthorized transfers: those where a consumer's access device is used to withdraw funds from a checking account with an overdraft protection feature, and those where the consumer's access device is also a credit card separately used to obtain cash advances. Examples illustrate how these rules apply in various situations. The majority of commenters addressing this subject supported the proposed revision. List of Subjects in 12 CFR Part 205 Consumer protection, Electronic fund transfers, Federal Reserve System, Reporting and recordkeeping requirements. For the reasons set forth in the preamble, the Board amends the Official Staff Commentary, 12 CFR part 205, as set forth below. PART 205--ELECTRONIC FUND TRANSFERS (REGULATION E) 1. The authority citation for part 205 is revised to read as follows: Authority: 15 U.S.C. 1693b. 2. In Supplement I to Part 205, the following amendments are made: a. Under Section 205.2--Definitions, under 2(a) Access Device, a new paragraph 2. is added; b. Under Section 205.2--Definitions, under 2(h) Electronic Terminal, paragraph 2. is revised; c. Under Section 205.2--Definitions, a new heading 2(k) Preauthorized Electronic Fund Transfer, and a new paragraph 1. are added; d. Under Section 205.2--Definitions, under 2(m) Unauthorized Electronic Fund Transfer, a new paragraph 5. is added; e. Under Section 205.3--Coverage, under 3(b) Electronic Fund Transfer, new paragraphs 1.v., 1.vi., and 3. are added; f. Under Section 205.3--Coverage, under 3(c) Exclusions from Coverage, a new heading ``Paragraph 3(c)(1)--Checks'' is added; g. Under Section 205.3--Coverage, under 3(c) Exclusions from Coverage, under newly added heading Paragraph 3(c)(1)--Checks, paragraphs 1. and 2. are added; h. Under Section 205.3--Coverage, under 3(c) Exclusions from Coverage, under Paragraph 3(c)(6)--Telephone--Initiated Transfers, paragraph 1. is revised and paragraph 2.v. is added; i. Under Section 205.6--Liability Of Consumer For Unauthorized Transfers, under Paragraph 6(b)(1)--Timely Notice Given, new paragraph 3. is added; j. Under Section 205.7--Initial Disclosures, under 7(a) Timing of Disclosures, paragraph 2. is revised; k. Under Section 205.7--Initial Disclosures, under Paragraph 7(b)(10) Error Resolution, paragraph 2. is revised; l. Under Section 205.8--Change-In-Terms Notice; Error Resolution Notice, under 8(b) Error Resolution Notice, a new paragraph 2. is added; m. Under Section 205.9--Receipts At Electronic Terminals; Periodic Statements, under Paragraph 9(a)(5)--Terminal Location, paragraph 1. is revised; n. Under Section 205.9--Receipts At Electronic Terminals; Periodic Statements, under Paragraph 9(a)(5)(iv), paragraphs 1. and 2. are redesignated as paragraphs 3. and 4. under paragraph 9(a)(5) and republished; o. Under Section 205.9--Receipts At Electronic Terminals; Periodic Statements, Paragraph 9(a)(5)(iv) is removed; p. Under Section 205.9--Receipts At Electronic Terminals; Periodic Statements, under 9(b) Periodic Statements, paragraph 4. is revised; q. Under Section 205.9--Receipts At Electronic Terminals; Periodic [[Page 15193]] Statements, under 9(c) Exceptions to the Periodic Statement Requirements for Certain Accounts, a new heading, Paragraph 9(c)(1)-- Preauthorized Transfers to Accounts is added and new paragraphs 1. and 2. are added to the newly designated heading; r. Under Section 205.10--Preauthorized Transfers, under 10(b) Written Authorization for Preauthorized Transfers from Consumer's Account, paragraph 5. is revised, and new paragraph 7. is added; s. Under Section 205.10--Preauthorized Transfers, under Paragraph 10(e)(2)--Employment or Government Benefit, paragraph 1. is revised; t. Under Section 205.11--Procedures For Resolving Errors, under 11(a) Definition of Error, paragraph 2. is revised; and u. Under Section 205.12--Relation To Other Laws, under 12(a) Relation to Truth in Lending, paragraph 1. is revised. SUPPLEMENT I TO PART 205--OFFICIAL STAFF INTERPRETATIONS Section 205.2--Definitions 2(a) Access Device * * * * * 2. Checks used to capture information. The term ``access device'' does not include a check or draft used to capture the MICR (Magnetic Ink Character Recognition) encoding to initiate a one-time ACH debit. For example, if a consumer authorizes a one-time ACH debit from the consumer's account using a blank, partially completed, or fully completed and signed check for the merchant to capture the routing, account, and serial numbers to initiate the debit, the check is not an access device. (Although the check is not an access device under Regulation E, the transaction is nonetheless covered by the regulation. See comment 3(b)-1(v).) * * * * * 2(h) Electronic Terminal * * * * * 2. POS terminals. A POS terminal that captures data electronically, for debiting or crediting to a consumer's asset account, is an electronic terminal for purposes of Regulation E even if no access device is used to initiate the transaction. (See Sec. 205.9 for receipt requirements.) * * * * * 2(k) Preauthorized Electronic Fund Transfer 1. Advance authorization. A ``preauthorized electronic fund transfer'' under Regulation E is one authorized by the consumer in advance of a transfer that will take place on a recurring basis, at substantially regular intervals, and will require no further action by the consumer to initiate the transfer. In a bill-payment system, for example, if the consumer authorizes a financial institution to make monthly payments to a payee by means of EFTs, and the payments take place without further action by the consumer, the payments are preauthorized EFTs. In contrast, if the consumer must take action each month to initiate a payment (such as by entering instructions on a touch-tone telephone or home computer), the payments are not preauthorized EFTs. * * * * * 2(m) Unauthorized Electronic Fund Transfer * * * * * 5. Reversal of direct deposits. The reversal of a direct deposit made in error is not an unauthorized EFT when it involves: i. A credit made to the wrong consumer's account; ii. A duplicate credit made to a consumer's account; or iii. A credit in the wrong amount (for example, when the amount credited to the consumer's account differs from the amount in the transmittal instructions). * * * * * Section 205.3--Coverage * * * * * 3(b) Electronic Fund Transfer 1. Fund transfers covered. * * * v. A transfer via ACH where a consumer has provided a check to enable the merchant or other payee to capture the routing, account, and serial numbers to initiate the transfer, whether the check is blank, partially completed, or fully completed and signed; whether the check is presented at POS or is mailed to a merchant or other payee or lockbox and later converted to an EFT; or whether the check is retained by the consumer, the merchant or other payee, or the payee's financial institution. vi. A payment made by a bill payer under a bill-payment service available to a consumer via computer or other electronic means, unless the terms of the bill-payment service explicitly state that all payments, or all payments to a particular payee or payees, will be solely by check, draft, or similar paper instrument drawn on the consumer's account, and the payee or payees that will be paid in this manner are identified to the consumer. * * * * * 3. Authorization of one-time EFT initiated using MICR encoding on a check. A consumer authorizes a one-time EFT (in providing a check to a merchant or other payee for the MICR encoding), where the consumer receives notice that the transaction will be processed as an EFT and completes the transaction. Examples of notice include, but are not limited to, signage at POS and written statements. * * * * * 3(c) Exclusions From Coverage Paragraph 3(c)(1)--Checks 1. Re-presented checks. The electronic re-presentment of a returned check is not covered by Regulation E because the transaction originated by check. Regulation E does apply, however, to any fee authorized by the consumer to be debited electronically from the consumer's account because the check was returned for insufficient funds. Authorization occurs where the consumer has received notice that a fee imposed for returned checks will be debited electronically from the consumer's account. 2. Check used to capture information for a one-time EFT. See comment 3(b)-1(v). * * * * * Paragraph 3(c)(6)--Telephone-Initiated Transfers 1. Written plan or agreement. A transfer that the consumer initiates by telephone is covered by Regulation E if the transfer is made under a written plan or agreement between the consumer and the financial institution making the transfer. A written statement available to the public or to account holders that describes a service allowing a consumer to initiate transfers by telephone constitutes a plan--for example, a brochure, or material included with periodic statements. The following, however, do not by themselves constitute a written plan or agreement: i. A hold-harmless agreement on a signature card that protects the institution if the consumer requests a transfer. ii. A legend on a signature card, periodic statement, or passbook that limits the number of telephone-initiated transfers the consumer can make from a savings account because of reserve requirements under Regulation D (12 CFR part 204). iii. An agreement permitting the consumer to approve by telephone the rollover of funds at the maturity of an instrument. 2. Examples of covered transfers. * * * v. The consumer initiates the transfer using a financial institution's audio-response or voice-response telephone system. * * * * * Section 205.6--Liability of Consumer for Unauthorized Transfers * * * * * 6(b) Limitations on Amount of Liability * * * * * Paragraph 6(b)(1)--Timely Notice Given * * * * * 3. Two-business-day rule. The two-business-day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24- hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft. For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two-business-day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday. * * * * * Section 205.7--Initial Disclosures 7(a) Timing of Disclosures * * * * * 2. Lack of advance notice of a transfer. Where a consumer authorizes a third party to debit or credit the consumer's account, an account-holding institution that has not [[Page 15194]] received advance notice of the transfer or transfers must provide the required disclosures as soon as reasonably possible after the first debit or credit is made, unless the institution has previously given the disclosures. * * * * * Paragraph 7(b)(10)--Error Resolution * * * * * 2. Extended time-period for certain transactions. To take advantage of the longer time periods for resolving errors under Sec. 205.11(c)(3) (for new accounts as defined in Regulation CC (12 CFR part 229), transfers initiated outside the United States, or transfers resulting from POS debit-card transactions), a financial institution must have disclosed these longer time periods. Similarly, an institution that relies on the exception from provisional crediting in Sec. 205.11(c)(2) for accounts subject to Regulation T (12 CFR part 220) must have disclosed accordingly. Section 205.8--Change-in-Terms Notice; Error Resolution Notice * * * * * 8(b) Error Resolution Notice * * * * * 2. Exception for new accounts. For new accounts, disclosure of the longer error resolution time periods under Sec. 205.11(c)(3) is not required in the annual error resolution notice or in the notice that may be provided with each periodic statement as an alternative to the annual notice. Section 205.9--Receipts at Electronic Terminals; Periodic Statements 9(a) Receipts at Electronic Terminals * * * * * Paragraph 9(a)(5)--Terminal Location 1. Options for identifying terminal. The institution may provide either: i. The city, state or foreign country, and the information in Secs. 205.9(a)(5) (i), (ii), or (iii), or ii. A number or a code identifying the terminal. If the institution chooses the second option, the code or terminal number identifying the terminal where the transfer is initiated may be given as part of a transaction code. * * * * * 3. Omission of state. The state may be omitted from the location information on the receipt if: i. All the terminals owned or operated by the financial institution providing the statement (or by the system in which it participates) are located in that state, or ii. All transfers occur at terminals located within 50 miles of the financial institution's main office. 4. Omission of city and state. The city and state may be omitted if all the terminals owned or operated by the financial institution providing the statement (or by the system in which it participates) are located in the same city. * * * * * 9(b) Periodic Statements * * * * * 4. Statement pickup. A financial institution may permit, but may not require, consumers to pick up their periodic statements at the financial institution. * * * * * 9(c) Exceptions to the Periodic Statement Requirements for Certain Accounts * * * * * Paragraph 9(c)(1)--Preauthorized Transfers to Accounts 1. Accounts that may be accessed only by preauthorized transfers to the account. The exception for ``accounts that may be accessed only by preauthorized transfers to the account'' includes accounts that can be accessed by means other than EFTs, such as checks. If, however, an account may be accessed by any EFT other than preauthorized credits to the account, such as preauthorized debits or ATM transactions, the account does not qualify for the exception. 2. Reversal of direct deposits. For direct-deposit-only accounts, a financial institution must send a periodic statement at least quarterly. A reversal of a direct deposit to correct an error does not trigger the monthly statement requirement when the error represented a credit to the wrong consumer's account, a duplicate credit, or a credit in the wrong amount. (See also comment 2(m)-5.) * * * * * Section 205.10--Preauthorized Transfers * * * * * 10(b) Written Authorization for Preauthorized Transfers From Consumer's Account * * * * * 5. Similarly authenticated. The similarly authenticated standard permits signed, written authorizations to be provided electronically. The writing and signature requirements of this section are satisfied by complying with the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001 et seq., which defines electronic records and electronic signatures. Examples of electronic signatures include, but are not limited to, digital signatures and security codes. A security code need not originate with the account-holding institution. The authorization process should evidence the consumer's identity and assent to the authorization. The person that obtains the authorization must provide a copy of the terms of the authorization to the consumer either electronically or in paper form. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer. * * * * * 7. Bona fide error. Consumers sometimes authorize third-party payees, by telephone or on-line, to submit recurring charges against a credit card account. If the consumer indicates use of a credit card account when in fact a debit card is being used, the payee does not violate the requirement to obtain a written authorization if the failure to obtain written authorization was not intentional and resulted from a bona fide error, and if the payee maintains procedures reasonably adapted to avoid any such error. If the payee is unable to determine, at the time of the authorization, whether a credit or debit card number is involved, and later finds that the card used is a debit card, the payee must obtain a written and signed or (where appropriate) a similarly authenticated authorization as soon as reasonably possible, or cease debiting the consumer's account. * * * * * 10(e) Compulsory Use * * * * * Paragraph 10(e)(2)--Employment or Government Benefit 1. Payroll. An employer (including a financial institution) may not require its employees to receive their salary by direct deposit to any particular institution. An employer may require direct deposit of salary by electronic means if employees are allowed to choose the institution that will receive the direct deposit. Alternatively, an employer may give employees the choice of having their salary deposited at a particular institution (designated by the employer) or receiving their salary by another means, such as by check or cash. Section 205.11--Procedures for Resolving Errors 11(a) Definition of Error * * * * * 2. Verifying an account debit or credit. If the consumer contacts the financial institution to ascertain whether a payment (for example, in a home-banking or bill-payment program) or any other type of EFT was debited to the account, or whether a deposit made via ATM, preauthorized transfer, or any other type of EFT was credited to the account, without asserting an error, the error resolution procedures do not apply. * * * * * Section 205.12--Relation to Other Laws 12(a) Relation to Truth in Lending 1. Determining applicable regulation. i. For transactions involving access devices that also function as credit cards, whether Regulation E or Regulation Z (12 CFR part 226) applies depends on the nature of the transaction. For example, if the transaction solely involves an extension of credit, and does not include a debit to a checking account (or other consumer asset account), the liability limitations and error resolution requirements of Regulation Z apply. If the transaction debits a checking account only (with no credit extended), the provisions of Regulation E apply. If the transaction debits a checking account but also draws on an overdraft line of credit attached to the account, Regulation E's liability limitations apply, in addition to Secs. 226.13 (d) and (g) of Regulation Z (which apply because of the extension of credit associated with the overdraft feature on the checking account). If a consumer's access device is also a credit card and the device is used to make unauthorized withdrawals from a checking account, but also is used to obtain unauthorized cash advances directly from a line of credit that is separate from the [[Page 15195]] checking account, both Regulation E and Regulation Z apply. ii. The following examples illustrate these principles: A. A consumer has a card that can be used either as a credit card or a debit card. When used as a debit card, the card draws on the consumer's checking account. When used as a credit card, the card draws only on a separate line of credit. If the card is stolen and used as a credit card to make purchases or to get cash advances at an ATM from the line of credit, the liability limits and error resolution provisions of Regulation Z apply; Regulation E does not apply. B. In the same situation, if the card is stolen and is used as a debit card to make purchases or to get cash withdrawals at an ATM from the checking account, the liability limits and error resolution provisions of Regulation E apply; Regulation Z does not apply. C. In the same situation, assume the card is stolen and used both as a debit card and as a credit card; for example, the thief makes some purchases using the card as a debit card, and other purchases using the card as a credit card. Here, the liability limits and error resolution provisions of Regulation E apply to the unauthorized transactions in which the card was used as a debit card, and the corresponding provisions of Regulation Z apply to the unauthorized transactions in which the card was used as a credit card. D. Assume a somewhat different type of card, one that draws on the consumer's checking account and can also draw on an overdraft line of credit attached to the checking account. There is no separate line of credit, only the overdraft line, associated with the card. In this situation, if the card is stolen and used, the liability limits and the error resolution provisions of Regulation E apply. In addition, if the use of the card has resulted in accessing the overdraft line of credit, the error resolution provisions of Sec. 226.13(d) and (g) of Regulation Z also apply, but not the other error resolution provisions of Regulation Z. * * * * * By order of the Board of Governors of the Federal Reserve System, acting through the Director of the Division of Consumer and Community Affairs under delegated authority, March 12, 2001. Jennifer J. Johnson, Secretary of the Board. [FR Doc. 01-6560 Filed 3-15-01; 8:45 am] BILLING CODE 6210-01-P