Issuing Access Devices

The rationale behind Regulation E’s restrictions on issuing access devices is that consumers who have not asked for and who do not want an access device should not have one imposed on them. Having the device brings with it the risk that the device will fall into someone else’s hands who could then use it to make unauthorized transfers, and financial institutions should not be able to unilaterally impose that risk on consumers.

One way the Regulation seeks to minimize this risk is by conditioning any consumer liability for unauthorized transfers made with the access device on the access device being “accepted.” If the device is not “accepted” by the consumer, the consumer cannot be liable for any unauthorized transfers made with it. [12 CFR 1005.6(a)] A second way the overall objective is furthered is by restrictions on the actual issuance of access devices. Let’s look first at what constitutes an “accepted” access device.

An access device is “accepted” if the consumer to whom it is issued:
  1. Requests and receives the device, signs the device, uses it, or authorizes another person to use it for the purpose of transferring money between accounts or to obtain money, property, labor, or services; or
  2. Requests that the device be “validated” (made capable of executing EFTs) if the device was issued to the consumer without the consumer’s request; or
  3. Receives the device as a renewal of or a substitute for an access device that was “accepted.”

[12 CFR 1005.2(a)(2)]

Unless one of these three events occurs, the access device is not accepted and the consumer will face no liability for the unauthorized use of the device.

Let’s look now at the restrictions on how you can issue access devices.

The general rule is that you can issue an access device in only two circumstances:

(1) when the device has been requested or applied for by the consumer; or (2) when you are issuing the device as a renewal of or a substitution for an accepted access device. [12 CFR 1005.5(a)(1)-(2)]

The exception to the general rule is that you may issue an access device on an unsolicited basis if you meet these conditions:
  1. The device is not validated (it is not capable of making EFTs);
  2. You also send along an explanation to the consumer of the fact that the device is not validated and how to dispose of the access device if the consumer does not want it;
  3. You send an initial disclosure along with the access device; and 4. You validate the device only if the consumer requests or applies for validation, and then only after you have verified the consumer’s identity by some reasonable means, such as by photograph, fingerprint, personal visit, or signature comparison.
  4. You validate the device only if the consumer requests or applies for validation, and then only after you have verified the consumer’s identity by some reasonable means, such as by photograph, fingerprint, personal visit, or signature comparison.

[12 CFR 1005.5(b)(1)-(4)]

These are the rules restricting your ability to issue access devices to consumers. We have a few more points to make before we’re finished, however.

First, any one consumer account holder of a joint account can request or apply for access devices for any or all of the account holders of the account, and you are permitted by the Regulation to issue devices to the account holders that that consumer specifies. [Commentary, 12 CFR 1005.5(a)(1)-1]

Second, if you want to change a consumer’s access device to allow it to access accounts in addition to the account it already can access, that change is considered by the Regulation the equivalent of issuing a new access device. Therefore, you either must receive a request or application for the change from the consumer, or you must meet the conditions for unsolicited issuance that we listed earlier. However, adding to an accepted access device the ability to make new types of EFTs is not considered the same as issuing a new device. Therefore, you can add this sort of capability to access devices on an unsolicited basis. But, you would have to send new initial disclosures at the time of the change—if the change causes the initial disclosures to be different from those you have previously given. [Commentary, 12 CFR 1005.5(a)(2)-1]

Third, the rules of Regulation E that restrict the issuance of access devices and the rules of Regulation Z (Truth in Lending) restricting the issuance of credit cards overlap to some extent when it comes to issuing an access device that also functions as a credit card. The two Regulations mesh in the following way. Regulation E applies to: (1) the issuance of access devices; (2) the addition to a credit card of the capability of making EFTs; and (3) the issuance of combination access devices/credit cards if the only credit feature of the card is in connection with an overdraft or minimum balance protection plan. [12 CFR 1005.12(a)(1)] Regulation Z, on the other hand, applies to: (1) the issuance of credit cards; (2) the addition of credit capabilities to an accepted access device; and (3) the issuance of combination access devices/credit cards where the credit capabilities include credit other than just overdraft or minimum-balance protection. [12 CFR 1005.12(a)(2)]