By the Division of Banks

Permissibility Of Pre-Setting Personal Identification Numbers For Bank Telephone Banking Services

A consumer's Social Security number cannot be used as a central information file number, personal identification number (PIN), primary financial account number, or a subpart thereof, under Mass. Gen. Laws chapter 167B § 14. However, it is the position of the Division of Banks that under the statute, a bank may pre-set the last four digits of a consumer's Social Security number as the initial PIN for its telephone banking service because four digits alone do not constitute a person's Social Security number. However, such bank practice could trigger significant privacy and security issues. For example, the Federal Financial Institutions Examination Council's Information Systems Handbook states that bank employees with access to PIN information must be subject to security clearance and be covered by an adequate surety bond. Such employees should not be involved in card issuance operations in any way. Therefore, banks intending to implement such practices should consult with their counsel to ensure compliance with any other applicable laws and regulations outside of the Division's jurisdiction.