(B) As used in this rule:
(1) "Generic data" means statistical information which does not identify any individual accountholder.
(2) "Personal security identifier (PSI)" means any word, number, or other security identifier essential for an accountholder to gain access to an account.
(3) "Remote service unit (RSU)" means an information processing device, including associated equipment, structures and systems, by which information relating to financial services rendered to the public is stored and transmitted, instantaneously or otherwise, to a financial institution. Any such device not on the premises of an association that, for activation and account access, requires use of a machine-readable instrument and PSI in the possession and control of an accountholder, is an RSU. The term includes, without limitation, point-of-sale terminals, merchant-operated terminals, cash-dispensing machines, and automated teller machines. It excludes automated teller machines on the premises of an association, unless shared with other financial institutions. An RSU is not a branch, or other type of facility or agency of an association under Chapter 1151. of the Revised Code.
(4) "RSU account" means a savings or loan account or demand account that may be accessed through use of an RSU.
(C) An association may establish or use RSUs and participate with others in RSU operations; however, no RSU may be used to enable accountholders to open a savings account or demand account or to establish a loan account.
(D) An association shall provide a PSI to each accountholder and require its use to gain access to an RSU; it may not employ RSU-access techniques that require the accountholder to disclose a PSI to another person. The association must inform each accountholder that the PSI is for security purposes and shall not be disclosed to third parties. Any device used to activate an RSU shall bear the words "NOT TRANSFERABLE" or the equivalent. A passbook may not be such a device.
(E) An association shall allow accountholders to obtain any information concerning their RSU accounts. Except for generic data or data necessary to identify a transaction, no association may disclose account data to third parties, other than the superintendent or his representatives, unless written consent of the accountholder is given, or applicable law requires. Information disclosed to the superintendent will be kept in a manner to ensure compliance with any applicable privacy law. An association may operate an RSU according to an agreement with a third party or share computer systems, communications facilities, or services of another financial institution only if such third party or institution agrees to abide by this rule as to information concerning RSU accounts in the association.
(F) An association shall take all steps necessary to protect its interest in financial services processed at each RSU, including obtaining available fidelity, forgery, and other appropriate insurance.
(G) All associations shall comply with security requirements of their insuring or guaranteeing agency or as may be required by their surety bond carrier, and shall protect electronic data against fraudulent alterations or disclosure.
(H) An association may share an RSU controlled by an institution not subject to examination by a federal or state regulatory agency only if such institution has agreed in writing that the RSU is subject to such examination by the division of financial institutions.
Cite as Ohio Admin. Code 1301:2-4-05
Prior History: (Prior Eff. 1-17-92; Replaces 1301:2-1-10, eff. 6-3-04
Rule promulgated under: RC 119.03
Rule authorized by: RC 1155.20
Rule amplifies: RC 1151.052
R.C. 119.032 review dates: 05/24/2009)