(A) Transactions made under this rule are subject to the Electronic Funds Transfer Act
(B) As used in this rule:
(1) "Generic data" means statistical information which does not identify any individual accountholder.
(2) "Personal security identifier" means any word, number, or other security identifier essential for an accountholder to gain access to an account.
(3) "Remote service unit" means an information processing device, including associated equipment, structures and systems, by which information relating to financial services rendered to the public is stored and transmitted, instantaneously or otherwise, to a financial institution.
Any such device not on the premises of a savings bank that, for activation and account access, requires use of a machine-readable instrument and personal security identifier in the possession and control of an accountholder, is a remote service unit.
The term includes, without limitation, point-of-sale terminals, merchant-operated terminals, cash-dispensing machines, and automated teller machines. It excludes automated teller machines on the premises of a savings bank, unless shared with other financial institutions. A remote service unit is not a branch, or other type of facility or agency of a savings bank under Chapter 1161. of the Revised Code.
(4) "Remote service unit account" means a savings or loan account or demand account that may be accessed through use of a remote service unit.
(C) A savings bank may establish or use remote service units and participate with others in remote service unit operations; however, no remote service unit may be used to enable accountholders to open a savings account or demand account or to establish a loan account.
(D) A savings bank shall provide a personal security identifier to each accountholder and require its use to gain access to a remote service unit; it may not employ remote service unit-access techniques that require the accountholder to disclose a personal security identifier to another person. The savings bank must inform each accountholder that the personal security identifier is for security purposes and shall not be disclosed to third parties. Any device used to activate a remote service unit shall bear the words "not transferable" or the equivalent. A passbook may not be such a device.
(E) A savings bank shall allow accountholders to obtain any information concerning their remote service unit accounts. Except for generic data or data necessary to identify a transaction, no savings bank may disclose account data to third parties other than the superintendent or his representatives, unless written consent of the accountholder is given or applicable law requires. Information disclosed to the superintendent will be kept in a manner to ensure compliance with any applicable privacy law. A savings bank may operate a remote service unit according to an agreement with a third party or share computer systems, communications facilities, or services of another financial institution only if such third party or institution agrees to abide by this rule as to information concerning remote service unit accounts in the savings bank.
(F) A savings bank shall take all steps necessary to protect its interest in financial services processed at each remote service unit, including obtaining available fidelity, forgery, and other appropriate insurance.
(G) All savings banks shall comply with security requirements of their insuring agency or as may be required by their surety bond carrier, and shall protect electronic data against fraudulent alterations or disclosure.
(H) A savings bank may share a remote service unit controlled by an institution not subject to examination by a federal or state regulatory agency only if such institution has agreed in writing that the remote service unit is subject to such examination by the division of financial institutions.
Cite as Ohio Admin. Code 1301:12-4-06