Account numbers on periodic statements: Can we truncate?

The recent discovery of one of the largest data breaches in history adds to a laundry list of breaches at major corporations just this year. In an anxious attempt to protect their member’s sensitive financial information, many credit unions have asked the NAFCU Compliance team whether the periodic statement requirements found in Regulation E permit the truncation of account numbers.

Surprisingly, there is not a lot of federal regulatory guidance with respect to the truncation of account numbers on statements and notices given to members. Section 1005.9(a)(4) of Regulation E allows credit unions to truncate account numbers on receipts available at electronic terminals, such as ATMs. In the preamble to the Federal Reserve Board’s version of Regulation E, which implemented the receipt requirement, the Board addressed ways in which to identify consumers conducting transactions at electronic terminals. Rather than requiring financial institutions to “uniquely” identify the consumer in the same way it would on a periodic statement, the Board allowed financial institutions to truncate the number on the receipt to help “protect consumers and financial institutions against fraudulent withdrawals.” 61 Fed. Reg. 19662, 19666 (May 2, 1996).

Unfortunately, the preamble to the rule offers no commentary to indicate that the Federal Reserve Board contemplated similar concern when requiring financial institutions to disclose account numbers on periodic statements. The rule itself appears to require the credit union to disclose the entire account number on a periodic statement and is silent about whether this could be accomplished by truncation:


continue reading »