- Duties of Card Issuers Regarding Address Discrepancies
- Verifying Social Security Numbers
- Permitted Number of Transactions on Savings & MMDAs
1. Duties of Card Issuers Regarding Address Discrepancies
In my November and December articles I discussed the bank regulatory agencies’ recently-issued joint regulations concerning (1) identity theft red flags, and (2) a lender’s required response to a credit bureau’s notice of address discrepancy.
The same joint regulations include a provision relating to “duties of card issuers regarding changes of address.” The FDIC’s version of the regulations (which I will discuss here) applies to non-Fed-member state banks, and is 12 CFR Section 334.91. Each regulatory agency has its own identically worded section of this regulation, numbered differently. National banks are covered by the OCC’s new Section 41.91; Fed-member state banks must comply with the Federal Reserve’s Section 222.91; and thrifts have a new OTS Section 571.91.
The regulation requires issuers of debit or credit cards to take certain steps before issuing a new card, in situations where the card issuer (1) is given a notice of a change of address for the cardholder, and (2) simultaneously or within thirty days thereafter receives a request for an additional or replacement card on the account.
When these two requested changes occur closely together, the circumstances can be suspicious. Statistically there is a higher-than-normal risk that the card issuer may be dealing with an identity thief. The regulation requires the issuer of the card to take steps to determine the validity of the address change before issuing a replacement or additional card.
Like any new regulation, this one creates a new opportunity for possible compliance violations; and the card issuer might become liable to a “real” cardholder whose situation as a victim of identity theft is made worse by the card issuer’s failure to verify the cardholder’s change of address before issuing an additional or replacement card.
The regulation has an effective date of January 1, 2008, but compliance with the regulation is not mandatory until November 1, 2008.
1. Who Is Covered?
The regulation applies to issuers of credit cards or debit cards (or both). (Section 334.91(a).) Almost all Oklahoma banks offer debit cards, and will be required to follow the regulation carefully. Typically, the decision to issue a debit card to a consumer, or a replacement debit card, or an additional debit card (for an “authorized signer” on an account), is controlled by day-to-day procedures at the local bank, and not by a card processor. Nearly every bank will have to modify its normal daily process of ordering debit cards for consumers, to make sure the regulation’s requirements are met.
For credit cards the impact on the average Oklahoma bank may be quite different. Only a handful of Oklahoma banks issue their own credit cards—often relying instead on some larger (usually out-of-state) financial institution that is the actual issuer and processor of the cards–even if the local bank’s name is “branded” on the card. In most such cases, the larger financial institution would probably take on “front line responsibility” for complying with the new requirements before issuing replacement or additional credit cards.
2. Address Validation Requirements
The heart of this particular regulation is Section 334.91(c). It requires a card issuer (debit or credit card) to “establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and within a short period of time (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account.”
This subsection also contains a prohibition: A card issuer (debit or credit card) “may not issue an additional or replacement card” in the circumstances described above, until it has first taken certain steps “for the purpose of assessing the validity of the [consumer’s] change of address . . .”
The regulation gives two alternative methods of “assessing the validity of the change of address”: The first method is the “notice” method, while the second method uses “other” allowable means of assessing the validity of an address change. Each method is described in more detail below.
3. “Notice” Method
The “notice” method has two required parts: (a) notifying the cardholder that the card issuer has received the request (for change of address, and a replacement/additional card), and (b) giving the cardholder “a reasonable means of promptly reporting incorrect address changes.”
Section 334.91(c)(1)(i) outlines two ways to give the consumer this notice. The first is to mail a notice to “the cardholder’s former address.” The second method is to use “any other means of communication that the card issuer and cardholder have previously agreed to use.” (This would apply, for example, to the consumer who has agreed to receive notices and disclosures from the bank by e-mail.)
As stated, the notice must include “a reasonable means of promptly reporting incorrect address changes.” Here’s a rough example: “This is to confirm your recent request to us to issue a replacement/additional debit (credit) card on your account and to change the mailing address for the account to [_______]. If this information is not correct, you should immediately contact [our Customer Service Department] at [phone number].”
Section 334.91(e) states, “Any written or electronic notice that the card issuer provides . . . must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.” To meet the “clear and conspicuous” standard, the notice should be “reasonably understandable and designed to call attention to the nature and significance of the information presented.” An appropriate heading might be desirable, and the type face should be easily readable.
A notice sent by e-mail (where that method is allowed) is particularly likely to reach the consumer. A mailed notice sent to the “former address” may seem unlikely to reach the consumer (if he has actually moved) unless the notice is forwarded. However, mailing to the “former address” is an excellent method of reaching the consumer in those cases where the consumer has not actually moved—in other words, where a fraudster is trying to “hijack” the account.
There’s always the possibility that mail sent to the “former address” may be intercepted by a new resident, if the address change was valid. For this reason it may be wise to limit the amount of information contained in the notice. For example, the notice probably should mention only the last four digits of the account number, if the account number is included at all.
4. “Other” Method
Although the “notice” approach is an acceptable method of assessing the validity of an address change, there is a second permissible method: Section 334.91(c)(2) allows a card issuer to “otherwise assess the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 334.90.” Basically, the bank would utilize the written procedures set out in its more general “identity theft prevention program” (see my November article and § 334.90) which are found to be adequate for customer-identification purposes in general.
Let’s say a consumer comes into the bank in person to request an address change on a checking account that is also accessible by debit card. The bank could use any of the various methods of customer identification that it has previously set out in its written procedures, in order to “assess the validity of an address change.” (If you are satisfied that the right person is giving you instructions, there is no further need to verify that an address change provided by that person is valid.)
As some examples, (1) the bank has already adopted a list of types of picture ID that are adequate to establish identity–and consulting any type of ID on the list in connection with an address change is sufficient. (2) Another way of verifying identity at the time of an address change is for the consumer to be “personally known to the bank officer”–and a notation of this fact should be made at the time of the transaction. (3) For banks that have set up certain “challenge questions” or “passwords” as a means of verifying the customer’s identity (for example, in a situation where a consumer contacts the customer service department by phone), the bank’s use of these already-established identification methods (mother’s maiden name; city of birth; Social Security number; etc.) would be a valid way of “assessing the validity of an address change.”
In writing its policy, a card issuer will probably find it useful to use the “other” method (checking the consumer’s ID; personal knowledge of who the person is; or challenge questions) to deal with customers who come to the bank or call to make an address change, while the first (“notice”) method would logically be reserved for customers who write to the bank—because there is no opportunity for direct interaction with them.
5. Timing for Compliance—Two Options
The regulation creates an unusual compliance problem: The requirements are triggered if two separate events occur, either simultaneously or up to thirty days apart. The first event is a notification to the card issuer of a change of address for the account. The second is a request for an additional or replacement card for the same account.
As one approach to compliance, a card issuer’s assessment of the circumstances can key off the second event (what might be called a “look-back” approach to compliance). If a card issuer receives a request for a replacement or additional card on an account, that issuer would have to consult its records to determine whether there has been a notice of change of address on the account within the previous thirty days. If not, nothing more is required. If yes, then the card issuer must “assess the validity of the change of address” before issuing an additional or replacement card.
One of the potential problems with this “look-back” approach is that the bank needs a means of determining whether the mailing address on the account has been changed, and whether that occurred within the previous thirty days. Some banks may be simply changing the address on a consumer’s account, upon request, without making a notation that the address has been changed, or recording the date of the change. In this situation, a bank would need to start making a note on each account that the address has been changed, and as of what date.
In a second possible approach (what might be called the “beforehand” compliance approach), a card issuer’s policy can key off the first of two events: A bank can simply “assess the validity of a change of address” every time it receives notice of a change of address. Instead of waiting to see whether there is a later request for a replacement/additional card, the bank can treat every change of address as an event for which the validity must be assessed—either by mailing notice to the “former address” or using “other” established identification methods, as outlined in Section 334.91(c).
Section 334.91(d) specifically allows this second approach. (If the card issuer assesses the validity of a particular address change when it receives that notice of address change, it doesn’t need to do anything more if it later receives a request for an additional or replacement card.)
Although it might be an excellent security procedure to follow the “beforehand” approach—to use a verification procedure in every situation where an account address is changing–the regulation does not require this much, and some banks might find this approach too cumbersome in relation to the bank’s customary method of operating.
2. Verifying Social Security Numbers
There are a variety of reasons why a bank needs to be confident that a Social Security number (SSN) presented to the bank by a consumer is valid:
(1) CIP rules require a financial institution to obtain each accountholder’s TIN for anti-money-laundering purposes. A bogus TIN evades this purpose.
(2) Many banks use a check-approval company, before opening new accounts, to learn about the individual’s account history at other banks. A fraudulent TIN may “wire around” the bank’s customer-approval guidelines. This in turn may lead to account losses.
(3) A wrong SSN on a deposit account would result in a name/number mismatch on an annual 1099 filed with the IRS, and a $50 fine to the bank.
(4) A wrong SSN provided with a correct customer name may turn up “no credit history” from a credit bureau. The bank might make a small loan in this situation, where it clearly would not make any loan at all if the customer’s real credit history were known.
(5) When a customer fraudulently uses someone else’s SSN (and someone else’s name) in applying for a loan, the wrong person’s credit gets reviewed, and the bank’s process of evaluating credit goes completely off the track. With only incorrect identifying information in its file, the bank has at best very limited ability to collect on the loan when it goes bad. There is both a fraudulent loan application (a federal crime) and identity theft (a crime under Oklahoma law).
(6) Perhaps the most “innocent” case of presenting a fraudulent SSN to the bank is the illegal immigrant, who has no TIN and needs to do banking business. Maybe (but not always) he is well-intentioned and fully intends to handle his bank account responsibly, repay his loan, etc. However, by providing a fraudulent SSN he is still avoiding the CIP rules, as well as providing a TIN that cannot be used accurately for either reviewing or reporting his credit. Normally a bank would not lend to anyone if it could not obtain his “real” credit report and if it also had no TIN under which it could later report bad credit, if any. As a matter of risk, a customer who will not provide a real TIN is someone with whom the bank simply cannot do business.
As indicated, there are many cases where it is extremely important for the bank to verify, if possible, that the SSN provided by a particular individual actually belongs to that individual. Of course, a bank can review third-party information (such as a credit report) that includes the individual’s SSN; and by checking a valid picture identification (name and address) against the credit report’s name, address, and SSN information, a bank may become reasonably comfortable that the SSN does, in fact, belong to the individual.
The situation is more difficult if someone is applying to open a bank account (and no credit report is obtained), or if a credit report is requested but the person has no credit history. What can a bank do in such cases to determine that the SSN that was provided actually belongs to the individual?
There is no single fool-proof way to verify a person’s SSN, but several “partial methods” can help a bank to gain confidence that an SSN really belongs to the person presenting it. I will discuss three of these methods:
First, it is possible to verify that a particular SSN does not belong to a dead person. The Social Security Death Index can be accessed in several ways. One is by going to http://ssdi.rootsweb.com and filling in nothing but the particular SSN, then hitting “search” (for example, using an SSN that is provided by a new account or loan applicant). If the SSN belongs to someone who is dead, the search will disclose the name of the deceased person—and it won’t be the bank’s “new customer.”
For any deceased person, searching the SSN alone will disclose (1) the name of the person to whom the SSN belongs, (2) the place of last residence, (3) the state where the SSN was issued, and (4) the dates of birth and death. (Such information gets added to the Social Security Death Index within a couple of months after a particular individual dies.)
If your customer says his SSN is 480-07-7456, and you search this number, you will learn that it belongs to a former President, Ronald Wilson Reagan, and that he died in 2004.
(The Social Security Death Index is also useful if the bank has lost track of an elderly customer, and you suspect that he may have died because there have been no transactions on his account. If you search his SSN and he is dead, his name, date of death, and place of last residence will be revealed by the search.)
It should be emphasized that searching the Social Security Death Index will yield nothing if the person to whom an SSN belongs is living; and it also will yield nothing if the SSN is a “dummy” that has never been issued to anyone.
Second, another website allows anyone to verify that a SSN is “valid” and that it is “active,” but does not disclose the name of the person to whom that SSN belongs. Go to www.searchbug.com and click on “Verify SSN” under “Other Tools.” (This website allows as many as ten free SSN searches per day.)
If the SSN that you search is a “dummy” (never actually issued to anyone), the response to the search will be “not valid.” This is an excellent way of discovering that an SSN does not exist. But a randomly chosen ‘bogus” SSN not really belonging to the individual could just as easily be one belonging to someone else who is living, or someone who has died.
If the SSN that is searched on www.searchbug.com belongs to someone who is dead, the search results will indicate that the number is “valid” (actually issued to someone). However, the search will also indicate that the number is “not active” (in other words, it belongs to a deceased person).
If the SSN belongs to someone who is living, the search will show that the number is “valid” and “active,” and will also indicate the state where the SSN was issued. This search engine will not give the date when an “active” SSN was issued—and by itself gives no indication of the individual’s approximate age.
If you are suspicious of the identification information provided by a new customer, the “state where the SSN was issued” (assuming that it is not Oklahoma) can be used as a “challenge question” to further satisfy yourself that you are dealing with the right person. For example, if www.searchbug.com tells you that a particular SSN was issued in Ohio, you can ask the person in what state his SSN was issued. As long as the correct answer is a state other than Oklahoma, it will be difficult for an impostor to guess the answer.
(Note that this may not do much good in the case of true “identity theft,” because the “victim” probably lives in Oklahoma, and is likely to have obtained an SSN here. An identity thief in Oklahoma would have an excellent chance of guessing right if he said “Oklahoma” in response to the question, “Where was this SSN issued?”)
Third, there are some complicated rules and procedures under which SSN’s have been issued by the Social Security Administration. Understanding these rules can help you make conclusions as to whether an SSN actually belongs to your new customer. Knowing just a few brief points can be helpful to verify an SSN in some cases.
Every SSN has nine digits, of course. The first three numbers—before the first hyphen—are called the “area-state” designation. These three numbers tell you where the SSN was issued. For example, did you know that all SSN’s issued in Oklahoma will start with a three-digit number between 440 and 448? If someone gives you a SSN not starting with 440 to 448 and you ask him where the SSN was issued, he should be able to give a quick answer—but if he says “Oklahoma,” he is lying.
Without getting into what “states of issuance” are indicated by various other three-digit prefixes at the beginning of an SSN, it’s helpful just to know that certain three-digit combinations have not been used by the Social Security Administration at all, and therefore are always an indication of a fraudulent SSN.
For example, the prefixes 666, 680-699, 729-765, and 773-999 have been reserved for future use, and do not indicate valid SSN’s. Also, the prefixes 700-728 were issued only to railroad workers through 1963, and then were discontinued. (For any valid SSN beginning with 700-728, the individual probably has an age today at least in the mid-60’s.)
The middle two numbers of an SSN—between the hyphens—are called the “group number.” The group number is related to the numerical order in which SSNs have been issued in each specific geographical area. Therefore, the “group number” on an SSN may give a rough indication of whether a particular SSN was issued a long time ago (to an older individual), or more recently, or has never been validly issued.
The last four numbers of an SSN are called “serial numbers.” Each group number will have 9999 possible four-digit serial numbers following it, and all of those serial numbers are used up sequentially for a particular group number before a higher group number is started within the same prefix.
With each three-digit “area-state” prefix in the U.S., the group numbers (the two numbers between the hyphens) have been issued in the following order: (1) odd numbers, 01 to 09; then (2) even numbers, 10 to 98; then (3) even numbers, 02 to 08; and finally (4) odd numbers, 11 to 99.
Before 1965, the only group numbers used were those within the first two categories above. Due to differences in population growth, some parts of the country worked their way through the available group numbers under their area’s particular prefixes, faster than other areas did. It’s an “imperfect science” to try to guess when a particular group number was issued within a particular area. Nevertheless, certain “rough” conclusions are valid.
For example, the very earliest group numbers—01, 03, 05, 07 and 09—were used up first, and in almost all cases will represent an SNN issued before the 1950’s. All persons with these particular groups numbers should be of retirement age and beyond. If a younger person shows up with a group number within this range (01, 03, 05, 07 or 09), the SSN will almost always be fraudulent. The exception to this is certain states that have used up all of the three-number prefixes for their areas and have had to begin with a new group of prefixes, starting again with very low “odd” group numbers. (These states are SC, GA, FL, MS, AR, LA, TX, CO, NM, AZ, UT and CA.)
Within the second category of group numbers above (even numbers, 10 to 98), it’s probably safe to guess that at least the bottom half of that range of even numbers (and maybe more) was used up more than forty years ago—again, indicating a person who is not very young. If a young person shows up with an SSN that has a group number in the lower half of this range of even numbers (10 to 98), it’s probably not the right SSN. (Again, an exception applies for the same twelve states listed above where additional new prefixes had to be used.)
In Oklahoma (as in other states), SSNs are issued by using up the lowest available sequential group number, in rotating order, within all “area-state designation” prefixes that apply to this state. As of December 3, 2007, for Oklahoma prefixes 440 through 447, the highest-issued group number in each is 23 (from within the fourth category above), and for prefix 448 the highest-issued group number is 21. (As of December, SSNs were being issued in Oklahoma within prefix 447, group 23. When that group number is used up under prefix 47, SSNs will start being issued for group 23 under prefix 48. Then SSNs will start using group number 25 in 440, and so on, using group number 25 in turn throughout prefixes 441 to 448.)
Referring to the four categories above for order of group numbers, any Oklahoma-issued SSN (prefix 440 to 448) with an “odd” group number higher than 23 is not valid at this time. But SSNs in Oklahoma will continue to be issued in future, working up numerically through odd group numbers above 23.
To determine what is the highest group number (following the ranking in the four-group sequence above) that has been issued for any particular SSN prefix in any state, you can go to www.ssa.gov/employer/highgroup.txt. Of course, as explained earlier, simply searching an SSN at www.searchbug.com will tell you the same information—that a group number on a card is a number too high in sequence, and therefore does not indicate a valid, issued SSN.
3. Permitted Number of Transactions on Savings & MMDAs
Federal Reserve Regulation D limits the number of permitted transactions on any “savings deposit,” including regular savings and “money market deposit accounts” (MMDAs).
The specific provision, in 12 CFR Section 204.2(d)(2), is just about the most poorly worded and difficult-to-understand language in any regulation. Still, banks are expected to interpret this language correctly and apply its restrictions.
The regulation has been in effect for a very long time, but the questions about how to interpret it seem never to stop. The limit on number of transactions applies both to ordinary savings and MMDAs, but most banks have problems with excess transactions on MMDAs, not savings.
There are several reasons why customers wanting to make “too many” transactions are drawn to MMDAs, instead of savings or NOW accounts: (1) MMDAs pay higher interest than either savings or NOW accounts. (2) Depending on the bank, many types of transactions may be available on an MMDA that are not permitted on ordinary savings—checking, ATM, debit card, and ACH payments. (3) Customers not eligible for a NOW account (LLCs, partnerships, and for-profit business corporations) tend to flock to MMDAs because they want a way to write checks while also earning interest on their money. (Particularly for various business entities that are ineligible to hold a NOW account, the bank should strongly emphasize the limitation on transactions.)
There are two technical legal problems with not enforcing the transaction limits on an MMDA (or ordinary savings account): (1) On a call report, a bank cannot include an MMDA within the dollar totals for time and savings deposits, unless the limit on transactions is strictly enforced. If the limits are not enforced, an MMDA must be classified instead as a “transaction account.” The difference in classification changes the amount of reserves that the bank is required to maintain. (2) It is illegal for a bank to pay interest on an MMDA if the transaction limits are not followed and the bank does not bring the customer back into compliance.
I will now discuss the specific “transaction limits” set out in the regulation:
1. Number of Allowed Transactions
On a savings deposit (including MMDA) the regulation permits “no more than six transfers and withdrawals, or a combination of such transfers and withdrawals, per calendar month or statement cycle of at least four weeks.” (There are also further limitations on what the six transactions can include, and also exceptions that do not count against the total of six, as explained below.)
The regulation allows two methods of measuring the time period for the permitted number of transactions—either (a) per calendar month, or (b) per statement cycle.
A bank is permitted to measure the number of transactions per period either (1) by looking at the date as of which each item is authorized, or (2) looking at the date when each item is presented. Whichever approach a bank takes, it must do so consistently. From a practical standpoint, items would have to be manually examined in order to use the first method, and therefore only the second approach is feasible. (This makes the process more difficult for the customer, who probably will not be counting transactions in the same way that the bank does.)
What transactions can have a combined total of up to six per calendar month or statement period? The regulation allows three types: (1) Transfers “to another account (including a transaction account) of the depositor at the same institution.” (This does not allow a transfer to an account of a different depositor—such as “corporation to individual” or vice versa.) (2) Transfers “to a third party by means of a preauthorized or automatic transfer.” (This would include any kind of automatic loan payment to another bank, or a recurring ACH for utility bills, monthly insurance payments, etc.) (3) Transfers by “telephonic (including data transmission) agreement, order or instruction.” (Note that online “bill pay” transactions fall into this category.)
There are other transactions that, combined, cannot total more than three per calendar month or other statement period—and the total of transactions within these additional categories still must be counted against the larger total of six transactions per month. Within this “three per period” category are transfers “made by check, draft, debit card, or similar order made by the depositor and payable to third parties.” A maximum of three checks per period (even assuming that other, competing types of transactions are not used at all) is so restrictive that most customers will have difficult staying within it—unless they access the account only very infrequently. And a debit card on an MMDA is almost always a bad idea. It’s highly unrealistic to expect a person to use a debit card (combined with checks) for a total of only three times per month.
The regulation next lists certain types of transactions (outlined below) that do not count at all against the limits of six and three per month. These transactions are unlimited in amount, and important to understand, but not nearly as flexible as what the customer typically expects and wants:
(1) “An arrangement that permits transfers for the purpose of repaying loans and associated expenses at the same depository institution (as originator or servicer).” (Any number of automatic deductions set up to pay loans at the same institution will be allowed.)
(2) “An arrangement . . . that permits transfers of funds from this account to another account of the same depositor at the same institution . . . when such transfers . . . are made by mail, messenger, automated teller machine, or in person.” (Many people interpret this provision incorrectly because other language inserted in the middle—deleted here–confuses the meaning.)
This provision does not permit unlimited transfers of all kinds between accounts of the same depositor. For example, this does not allow unlimited online transfers between a person’s accounts (unless they are carried out through an ATM machine). It also does not allow unlimited transfers in a situation where a savings account or MMDA is linked to a transaction account so that overdrafts will automatically be paid from the linked account. If a transaction account is linked to an account (savings or MMDA) that has a maximum number of transactions, the overdraft transfer agreement must make clear that the bank does not agree to make the automatic transfer if the maximum number of transactions allowed by law on the linked account is exceeded. This regulation also does not allow unlimited transfers based on telephoned or faxed instructions.
Technically, the regulation does allow an unlimited number of transfers between accounts if the person actually comes into the bank in person (or sends a messenger to the bank) to request the transfer.
(3) “An arrangement . . . that permits withdrawals (payments directly to the depositor) from the account when such . . . withdrawals are made by mail, messenger, automated teller machine, or in person or when such withdrawals are made by telephone (via check mailed to the depositor) regardless of the number of . . . withdrawals.” The number of permitted withdrawals will be unlimited only if (a) the person (or messenger) comes directly to the bank to make the withdrawal, or (b) withdraws money through an ATM, or (c) withdraws money by calling the bank—but any money withdrawn based on telephoned instructions has to be mailed to the customer (not to anyone else) and must be in the form of a check.
These provisions would literally permit daily in-person (or ATM) withdrawals from a savings account or MMDA, without violating Regulation D. But most banks impose terms of their own on accounts, and a bank’s internal limits on the number of transactions certainly can be more restrictive than what Regulation D allows.
A bank also often imposes a penalty for every transaction exceeding the total that the bank’s account provisions would allow. Particularly when a bank’s limit on transactions (such as on a savings account) is more restrictive than Regulation D, the existence of the penalty may be an effective aid in keeping the account’s total transactions within the limit that Regulation D allows. However, fining an accountholder for excessive transactions that would violate Regulation D is not an acceptable substitute for forcing a customer to comply with the regulation’s limit on allowable transactions.
2. Eliminating Excess Transactions
In a footnote to Section 204.2(d)(2), the Federal Reserve sets out two ways that a bank can monitor the number of transactions on an account. The first method is to block excess transactions after the permitted number per period have occurred. (This would be difficult to administer and would be sure to make the customer mad. A bank would have to bounce the excess transactions—causing a check or automatic loan payment or other ACH not to pay, even though money is available in the account.)
The second permitted method of controlling the number of transactions is by counting them “after the fact.” If there are excess transactions in any period, the bank “must contact customers who exceed the established limits on more than an occasional basis.”
Most banks adopt the second method, but they sometimes fail to carry it out: (1) They describe the transaction limits when they open the account, but they stop monitoring the number of transactions; or (2) their data processing system tells them that an excess number of transactions is occurring, but they don’t send the required notices to customers; or (3) the bank regularly sends the required notices when excess transactions occur, but they just keep sending notices, with no action taken to stop the violation.
The regulation is explicit about what a bank must do if an accountholder continues to violate the transaction limits after being warned: “For customers who continue to violate those terms after they have been contacted by the depository institution, the depository institution must either  close the account and place the funds in another account that the depositor is eligible to maintain, or  take away the transfer and draft capacities of the account.”
If the customer is eligible to hold a NOW account, the easy solution is to convert the account to a NOW account. If the customer is not eligible to hold a NOW account, the account must be converted to a non-interest-bearing transaction account if the customer wishes to continue to making as many transactions. The alternative would be to block the account to transactions, except in person—cutting off the customer’s access to the account by check, debit card, online transfer, online bill pay, ACH, etc. This effectively converts it to the equivalent of a straight savings deposit.
These changes to the account are mandated by law, and not subject to the customer’s consent. A bank should send the consumer a revised Regulation DD “truth in savings” disclosure that describes the type of account to which the account has been converted—probably thirty days in advance of the change, to comply with Regulation DD’s advance notice requirement for changes in account terms that are adverse to the consumer.