Current through Register Vol. 46, No. 19, March 20, 2024
(1)
Performance examinations.
A central routing unit shall be subject to examination by the
administrators for the purpose of determining compliance with Iowa Code chapter
527. Such an examination may be conducted after the central routing unit is
operating under the approval of the administrators and shall be conducted at
the time the approval of the administrators is sought in accordance with rule
10.3(527).
(2)
Compliance
factors. A compliance examination of a central routing unit conducted
by the administrators shall consider the following factors to ensure that the
central routing unit and all other components of an electronic funds transfer
system are in full compliance with the requirements of Iowa Code chapter 527:
a.
Transaction charges. The
transaction charges paid to the central routing unit by each financial
institution which utilizes the central routing unit must be consistent with the
schedule of charges set forth in the application to operate a central routing
unit and must be consistent with the requirements of Iowa Code subsection
527.5(6).
b.
Transmission
capabilities. The central routing unit must be capable of accepting
and routing and, if approved to operate, is being operated to accept and route
transmissions of transaction data originating at any satellite terminal located
in the state, whether receiving transaction data from a satellite terminal or
from a data processing center or other central routing unit.
c.
Connections with data processing
centers. The central routing unit must be directly connected to every
data processing center that is directly connected to a satellite terminal
located in the state.
d.
Transaction requirements. A central routing unit must ensure
that an electronic funds transfer system consistently complies with the
following transaction requirements:
(1) All
cardholders initiating transactions at satellite terminals must use an access
device and an electronic personal identifier issued by the cardholder financial
institution, unless the use of an electronic personal identifier is not
required by Iowa Code chapter 527 for transactions initiated at specified types
of satellite terminals.
(2) All
transactions must originate at satellite terminals certified by a central
routing unit. Satellite terminals located in this state must meet all
applicable state and federal requirements.
(3) All transactions shall be authorized
either on an on-line real time basis or on a batch basis through a data
processing center or a central routing unit.
(4) If the establishing financial
institution's data processing center cannot authorize or reject a particular
transaction, then the transaction must be routed to a central routing
unit.
e.
Validation. A central routing unit must validate and edit all
transaction messages flowing through the electronic funds transfer system to
ensure transaction integrity.
f.
Error recovery.A central routing unit must be responsible for
error recovery of all of the central routing unit's owned or controlled
hardware, software, and communication facilities and must define all necessary
interface requirements for data processing centers, satellite terminals, and
financial institutions.
g.
Authorization services. A central routing unit shall provide
authorization services for all cardholder financial institutions which have
agreed to such authorization services if:
(1)
The cardholder financial institution's data processing center is unavailable or
is responding slowly; or
(2) The
cardholder financial institution's cardholder information is retained at the
central routing unit for card authorization services.
h.
Third-party audits.
Third-party audits of an electronic funds transfer system, including a central
routing unit, must be conducted at least annually to ensure adequate security
and controls and must be documented for review by the administrators, upon
request.
i.
Duplication of
critical processing hardware. A central routing unit must provide
duplication of critical processing hardware to ensure functional integrity of
the central routing unit.
j.
Electronic funds transfer system reliability standards. A
central routing unit must be available for processing transactions 99 percent
of the time, on an annual basis, during the schedule of operation established
by the central routing unit. To provide this continuous service to cardholders
and the respective cardholder financial institution, a central routing unit
must provide for data processing center backup service for all cardholder
financial institutions which utilize a data processing center. This may be
accomplished by either of the following:
(1)
Cardholder financial institutions may maintain a cardholder authorization file
at the central routing unit; or
(2)
A central routing unit may authorize transactions based on cardholder financial
institution's established parameters when the cardholder financial
institution's data processing center is responding slowly or is in an
inoperative state.
k.
Confidentiality.
(1) A
central routing unit shall not divulge specific transaction information to any
person or financial institution concerning any cardholder, or an establishing
or cardholder financial institution, unless such person or financial
institution is part of, or is necessary to effect, the specific transaction, or
unless disclosure of such information is required by applicable state or
federal law.
(2) A central routing
unit shall not divulge any statistics on the operations of any establishing or
cardholder financial institution to any third party without the written consent
of the particular financial institution.
(3) A central routing unit may disclose total
terminal statistics that are generic to the central routing unit and which do
not identify any particular financial institution or the operations of any
particular financial institution.
(4) A central routing unit may disclose
transaction(s) data to any federal or state regulatory authority as required by
law.
(3)
Certification processes of a central routing unit to demonstrate
compliance. To assist the administrators with compliance examinations
of a central routing unit, a central routing unit shall certify financial
institutions, satellite terminals located in the state, and data processing
centers directly connected to the central routing unit located in this state or
directly connected to cardholder financial institutions, to demonstrate that
satellite terminals located in this state and the central routing unit are
performing in accordance with the requirements of Iowa Code sections
527.5
and
527.9.
a.
Certification of financial
institutions. All establishing financial institutions and their data
processing centers must comply with the following procedures, which shall be
confirmed and certified by a central routing unit:
(1) The establishing financial institution
and its data processing center must ensure that all transaction data
transmitted by the establishing financial institution's data processing center
conforms to the central routing unit's electronic communication format
standards.
(2) The establishing
financial institution's data processing center must be certified or recertified
to support new terminal types or models, to utilize any new satellite terminal
vendor, or to perform terminal hardware upgrades or software version updates,
prior to actual transmission of transaction data by that data processing center
to the central routing unit.
(3)
Use of any satellite terminal located in this state must be available to all
cardholders of cardholder financial institutions and other establishing
financial institutions on a nondiscriminatory basis. A cardholder financial
institution shall have the right to offer to its cardholders any type of
transaction which is supported by a central routing unit. Establishing
financial institutions must offer to all cardholders of any establishing or
cardholder financial institution the same type of transactions at their
satellite terminals located off the premises of the establishing financial
institution as are offered to cardholders of the establishing financial
institution.
(4) An electronic
personal identifier must be issued by a cardholder financial institution for
each cardholder access device. A central routing unit must provide for
cardholder entry of the electronic personal identifier for all transactions
transmitted to the central routing unit. The requirement to issue an electronic
personal identifier is not applicable to access devices which are only for use
at a limited function terminal, as defined by Iowa Code section
527.2.
(5) A central routing unit must approve
access devices displaying its logo or trade name which are issued by cardholder
financial institutions, including any access devices that are redesigned, so
that the central routing unit may control the operational quality of the access
devices and ensure uniform implementation of changes of such access
devices.
(6) A control record must
be maintained by a central routing unit for every satellite terminal deployed
by an establishing financial institution which participates with the central
routing unit.
(7) The establishing
financial institution's data processing center must be responsible for
forwarding transactions which it cannot authorize or reject to a central
routing unit for further routing. The establishing financial institution's data
processing center must set a timer for that particular transaction at the time
the transaction is forwarded to the central routing unit. If the establishing
financial institution's data processing center does not receive a transaction
transmission response from the central routing unit within the time frames
established by the central routing unit, then the establishing financial
institution's data processing center must immediately generate and transmit a
reversal for that particular transaction. The cardholder financial
institution's data processing center must accept the reversal from a central
routing unit and the cardholder financial institution must post valid reversals
to the particular cardholder's customer asset account. To monitor such
reversals, a central routing unit must log each transaction routed through the
central routing unit, validate each transaction's completion and ensure that
all transactions are sent to and received by the appropriate data processing
centers for both the cardholder financial institution and the establishing
financial institution.
(8) A
central routing unit must certify all satellite terminals (whether
switch-in-front or switch-behind) that an establishing financial institution
proposes to use in conjunction with the central routing unit. This
certification process shall test each satellite terminal for its ability to
satisfactorily perform all transaction functions supported by the central
routing unit in accordance with operational standards for satellite terminals
as established by the central routing unit.
(9) An establishing financial institution
must ensure that each of its satellite terminals provides a record of all
approved or denied transactions at the satellite terminal by either an audit
journal or the creation of duplicate receipts held within the satellite
terminal and must ensure that the satellite terminal generates a customer
receipt in compliance with
12 CFR
205.9 (Regulation E) and requirements
established by the central routing unit.
(10) Proper maintenance and service of
satellite terminals on both a regular and emergency basis are the
responsibilities of the establishing financial institution.
b.
Certification of data
processing centers. All data processing centers connected to a central
routing unit must comply with the following procedures and requirements, which
shall be confirmed by a central routing unit:
(1) A data processing center shall operate in
such a manner as to comply with all requirements established in Iowa Code
chapter 527.
(2) A data processing
center shall conform to a central routing unit's standards including, but not
limited to, the following:
1. Format and
message content.
2. Electronic
personal identifier encryption.
3.
Communications protocol.
4.
Certification of on-line transaction transmissions for data processing centers,
new terminals, and all establishing and cardholder financial institutions
directly or indirectly connected to the central routing unit.
(3) A data processing center must
meet minimum response time goals established by a central routing unit.
Satellite terminal transactions shall be handled on a first-in, first-out
basis. No data processing center may prioritize satellite terminal
transactions.
(4) Rescinded IAB
10/25/06, effective 11/29/06.
(5)
If a satellite terminal located in the state is not directly connected to an
approved central routing unit, then the satellite terminal must be directly
connected to a data processing center which is directly connected to an
approved central routing unit. A data processing center or central routing unit
is directly connected to a satellite terminal when a transaction transmission
from the satellite terminal is received by the data processing center or
central routing unit prior to being received or processed by or routed to any
other data processing center or facility which categorizes, separates or routes
the transaction transmission. A data processing facility certified by a central
routing unit and a front-end processor directly connected to an on-line
point-of-sale satellite terminal and directly linked to the data processing
facility both constitute a data processing center for purposes of this
paragraph.
(6) This subrule does
not limit the authority of a data processing center to authorize or reject
transactions requested by cardholders of a cardholder financial institution
pursuant to an agreement whereby the data processing center authorizes or
rejects requested transactions on behalf of the cardholder financial
institution and provides to the cardholder financial institution, on a batch
basis and not on an on-line real time basis, information concerning authorized
or rejected transactions of cardholders of the cardholder financial
institution.
c.
Nonsupport of a satellite terminal by a central routing unit.
A central routing unit has the authority to refuse or discontinue
support of any satellite terminal (either switch-in-front or switch-behind)
that is not established or maintained by the establishing financial institution
in accordance with the certification procedures and requirements of this
subrule if the central routing unit reasonably determines that initial or
continued support of the noncomplying satellite terminal may jeopardize the
safety and soundness of the operation of an electronic funds transfer system.
If such action is contemplated by a central routing unit, written notice of the
intended action and the reasons for not supporting particular satellite
terminals shall be sent by the central routing unit to the appropriate
establishing financial institution by certified or restricted certified mail,
with a copy provided to the administrator, within 30 days of the date such
action to discontinue support is to be taken, or within 10 days from the date
the central routing unit determines it appropriate to refuse initial support of
a newly established satellite terminal.
d.
Appeals to division
administrator.
(1) Whenever a
central routing unit provides notice concerning the nonsupport of any satellite
terminal located in the state upon the determination that the satellite
terminal will not be, or is not being, maintained by the establishing financial
institution in accordance with the requirements of this subrule and Iowa Code
chapter 527, the establishing financial institution has the right to file a
written appeal to the administrator within 30 days from the date the central
routing unit issued a written notice of such action. The written appeal shall
set forth any facts in dispute and shall state the reasons why the decision of
the central routing unit to refuse initial or continued support of its
satellite terminal or terminals should be reversed by the administrator. If the
establishing financial institution fails to file a written appeal to the
administrator, the financial institution is deemed to have consented to the
nonsupport of its satellite terminal or terminals by the central routing
unit.
(2) The administrator shall
conduct hearings and exercise any other appropriate authority conferred by Iowa
Code sections
527.3 and
527.5
regarding the operation or control of a satellite terminal which a central
routing unit has initially determined to be operating in a manner inconsistent
with the requirements of this subrule and Iowa Code chapter 527.
(3) Upon appeal, the administrator may
affirm, modify, or reverse the initial determination of a central routing unit
that a satellite terminal located in Iowa is not being operated or controlled
in accordance with the requirements of this subrule and Iowa Code chapter
527.
(4) In the event of consent by
the establishing financial institution, or if upon the record made at the
hearing the administrator affirms the initial determination of the central
routing unit, the administrator may initiate proceedings to revoke the
privilege of the establishing financial institution to continue operation and
control of the satellite terminal or terminals determined to be in
noncompliance in accordance with the procedures established in
paragraph"e " of this subrule, or may deny the initial
application to establish or operate such noncomplying satellite terminals in
accordance with rule 10.5(527).
(5)
If the initial determination of the central routing unit is either reversed or
modified, the administrator shall document the reasons for determining that the
satellite terminals in question comply with the requirements of this subrule
and Iowa Code chapter 527 or why the initial determination of the central
routing unit has been modified and shall deliver a copy of these findings to
the establishing financial institution and the appropriate central routing
unit. Any further proceedings or hearings on the same subject matter shall be
governed by the provisions of Iowa Code chapter 17A relating to contested
cases.
e.
Revocation of privilege.
(1)
Whenever the administrator determines, upon notice and hearing pursuant to Iowa
Code chapter 17A, that a satellite terminal located in this state, a data
processing center, or a central routing unit is being operated within an
electronic funds transfer system in violation of Iowa Code chapter 527 or the
compliance procedures and standards established by this subrule, the
administrator may revoke the approval to operate within the electronic funds
transfer system. If the administrator does not have any direct authority over
the facility because of the provisions of Iowa Code section
527.3, the
administrator may revoke with respect to any financial institution over which
the administrator does have direct authority the privilege to engage in
transactions through or with that facility. With respect to revocation of the
approval to operate a central routing unit, all of the administrators specified
in Iowa Code section
527.3 may jointly
participate, since all types of financial institutions may be served by the
central routing unit. All references to the term "administrator" in this
paragraph"e " shall signify all of the administrators with
respect to revocation of the approval to operate a central routing
unit.
(2) The administrator shall
have additional authority to cause such revocations as established in Iowa Code
section
527.12.
(3) If a central routing unit or satellite
terminal of an establishing financial institution is determined by the
administrator to fail to comply with the requirements of Iowa Code chapter 527
or this subrule at the time of application to the administrator, then the
application may be denied by the administrator without the need for notice or
opportunity for hearing.
(4) A
revocation by the administrator performed pursuant to this subrule shall be
effective when ordered by the administrator, anything in Iowa Code chapter 17A
to the contrary notwithstanding.
(5) The administrator may bring an action in
the district court in the name of the state to enjoin any financial institution
or other person who continues to utilize or to operate a satellite terminal,
data processing center, or central routing unit after the approval has been
revoked.
(6) The administrator may
bring an action to enjoin any person who fails to obtain any approval required
by Iowa Code chapter 527.