Adopted Amendments to 7 TAC §3.92

Title 7. Banking and Securities
Part 1. Finance Commission of Texas
Chapter 3. State Bank Regulation
Subchapter E. Banking House and Other Facilities
7 TAC §3.92

The Finance Commission of Texas (the commission), on behalf of the Texas Department of Banking (the department), adopts amendments to §3.92, concerning user safety at unmanned teller machines, typically referred to as automated teller machines or ATMs, with changes to the proposed text as published in the December 26, 2014, issue of the Texas Register (39 TexReg 10117).

The amended rule will reduce regulatory burden while still providing important protections to consumers, by eliminating repetitive annual notice requirements and by authorizing delivery of notice by electronic means in certain circumstances. In addition, the recommended basic safety precautions in subsection (e) have been updated to address security issues that have emerged in recent years.

Subsection (e) formerly required a bank, at the time the initial disclosure of terms and conditions is provided to the customer, to furnish its customers with a printed notice of basic safety precautions that a customer should employ while using an ATM, and subsequently furnish the same notice at least annually. This requirement has remained in place since 1996, despite significant public experience gained in almost 20 years of ATM usage and the proliferation of electronic communications between consenting parties.

As amended, §3.92(e) requires a bank to provide notice of basic ATM safety precautions to its customer whenever an access device (e.g., an ATM card or debit or credit card) is issued or renewed, and an annual notice is no longer required. Further, the notice can be delivered to a customer electronically if the customer has agreed to conduct transactions by electronic means, and only one notice is required in the event the bank furnishes an access device to more than one customer on the same account.

In addition, the example list of possible safety precautions in §3.92(e)(2) has been updated to mention online fraud and other relatively new cyber threats, as well as other ATM risks, all of which is important information for bank customers.

The department received one comment supporting the proposed amendments from the Independent Bankers Association of Texas (IBAT), a trade association representing over 400 independent community banks domiciled in Texas. IBAT also offered two suggestions for improving the proposal.

IBAT noted that the requirement to re-send the notice every time an access device is replaced is not necessary or required by statute. Finance Code §59.309 does not actually require the notice of safety precautions to be sent more than once. IBAT recommended that the notice should only be required when the access device is issued or renewed, and not when the access device is replaced. In support, IBAT observed that significant security breaches at major retailers have recently caused banks to replace debit cards multiple times in the same year, and providing the notice of user safety each time is both burdensome and duplicative. In addition, IBAT requested additional clarification that the notice may be included in an initial or periodic disclosure statement and need not be in a stand-alone mailing, citing Finance Code §59.309(c) in support. The commission concurs with and accepts both suggestions, and has modified the amendments to §3.92(e) accordingly.

The amendments are adopted pursuant to Finance Code, §59.310, which provides the commission with authority to adopt rules to implement Subchapter D of Finance Code, Chapter 59 (§§59.301 - 59.310).

§3.92.User Safety at Unmanned Teller Machines.

(a) - (d) (No change.)

(e) Notice. An issuer of access devices shall furnish its customers with a notice of basic safety precautions that each customer should employ while using an unmanned teller machine. The notice must be personally delivered or sent to each customer whose mailing address is in this state, according to records for the account to which the access device relates, and may be included with other disclosures related to the access device, including an initial or periodic disclosure statement furnished under the Electronic Fund Transfer Act (15 U.S.C. §1693 et seq.). The notice may be delivered electronically if permissible under Business & Commerce Code, §322.008.

(1) When notice is required. The issuer must furnish the notice to its customer whenever an access device is issued or renewed. If the issuer furnishes an access device to more than one customer on the same account, the issuer is not required to furnish the notice to more than one of the customers.

(2) Content of notice. The notice of basic safety precautions required by this subsection may include recommendations or advice regarding:

(A) security at walk-up and drive-up unmanned teller machines, such as recommendations that the customer should:

(i) remain aware of surroundings and exercise caution when withdrawing funds;

(ii) inspect an unmanned teller machine before use for possible tampering, or for the presence of an unauthorized attachment that could capture information from the access device or the customer's personal identification number;

(iii) refrain from displaying cash and put it away as soon as the transaction is completed; and

(iv) wait to count cash until the customer is in the safety of a locked enclosure, such as a car or home;

(B) protection of the customer's code or personal identification number, such as a recommendation that the customer ensure no one can observe entry of the customer's code or personal identification number;

(C) safeguarding and protection of the customer's access device, such as a recommendation that the customer treat the access device as if it were cash, and if the access device has an embedded chip, that the customer keep the access device in a safety envelope to avoid undetected and unauthorized scanning;

(D) procedures for reporting a lost or stolen access device and for reporting a crime;

(E) reaction to suspicious circumstances, such as a recommendation that a customer who observes suspicious persons or circumstances, while approaching or using an unmanned teller machine, should not use the unmanned teller machine at that time or, if the customer is in the middle of a transaction, should cancel the transaction, take the access device, leave the area, and come back at another time, or use an unmanned teller machine at another location;

(F) safekeeping and secure disposition of unmanned teller machine receipts;

(G) the inadvisability of surrendering information about the customer's access device over the telephone or over the Internet, unless to a trusted merchant in a call or transaction initiated by the customer;

(H) protection against unmanned teller machine fraud, such as a recommendation that the customer promptly review the customer's monthly statement and compare unmanned teller machine receipts against the statement;

(I) protection against Internet fraud, such as a recommendation that the customer, if purchasing online with the access device, should end transactions by logging out of websites instead of just closing the web browser; and

(J) other recommendations that the issuer reasonably believes are appropriate to facilitate the security of its unmanned teller machine customers.

(f) - (h) (No change.)