23 March 2016
Banks, sellers of bank-issued prepaid cards, and managers for bank-issued prepaid cards should review the interagency guidance released on March 21, 2016 by FinCEN and the federal bank regulators. The Guidance’s name is fairly descriptive: Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards. If you are a bank issuer, you need to be sure that your customer identification program (CIP) complies with the Guidance. If you are a program manager or seller of a bank-issued prepaid card that handles customer identification for the bank issuer, then you might see bank issuers refining CIP procedures that apply to you.
The Guidance begins by extolling the virtue of prepaid cards, including their ability to be used for a wide range of functions traditionally associated with other payment mechanisms such as paying bills, getting cash from ATMs, purchasing goods and services, and making P2P transfers. It then gets down to brass tacks: “Functionalities that make prepaid cards attractive to consumers also pose risks for banks that issue prepaid cards and process prepaid card transactions.” The Guidance identifies three features of prepaid cards that make them potentially vulnerable to criminal abuse: (1) their easy access; (2) the ability to use them anonymously; and (3) the potential for relatively high volumes of funds to flow through pooled prepaid access accounts.
The Guidance reminds issuing banks of their obligations to implement strong and effective controls to mitigate the risk of money laundering and other financial crimes. These include limits on card value and frequency and amount of transfers. They also include due diligence on third parties and cardholders. The Guidance says that these measures have helped mitigate the risk of prepaid cards being used for financial crimes. “However, questions have arisen regarding the application” to prepaid cards regarding the customer identification program rule issued jointly by the agencies in 2003 (the “CIP Rule”). The purpose of the Guidance is to answer these questions.
When Is Customer Identification Required?
The Guidance first identifies the circumstances under which a bank issuer must verify the identity of a prepaid card holder. The Guidance explains that, under the CIP Rule, a bank must obtain information sufficient to form a reasonable belief regarding the identity of each “customer” opening a new “account.” An “account” is, in pertinent part, “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit.” “Account” generally does not include “products and services for which a formal banking relationship is not generally established with a person, such as check cashing, wire transfer, or the sale of a check or money order.”
The Guidance says that a prepaid card relationship qualifies as an “account” for purposes of the CIP rule when one of two features is activated. First, a prepaid card relationship will become an “account” when the cardholder acquires the ability to reload funds. Second, a prepaid card relationship will become an “account” if the cardholder is granted access to a credit or overdraft feature.
The Guidance also clarifies the application of the CIP Rule to a nonreloadable temporary or starter cards that the cardholder can convert into a reloadable card by registering with the issuer. The Guidance says that an “account” is not established until a reload, credit, or overdraft feature is activated by cardholder registration. In other words, the issuer can integrate the customer verification process into the registration process to activate reload functionality (which is the usual practice for most large reloadable prepaid card programs that sell temporary nonreloadable cards at retail).
The Customer Generally Is the Cardholder—Not the Program Manager
Many prepaid cards use a pooled account structure pursuant to which a program manager will establish an omnibus account with the bank into which funds loaded onto the cards are deposited. The program manager uses the omnibus account to fund transactions with the cards. The omnibus account is in the name of the program manager, not any of the individual cardholders. However, the Guidance says that in this situation the bank’s customer is the underlying cardholder (assuming that the card is reloadable or has overdraft or credit features) —not the program manager. The program manager is the bank’s agent in this situation, says the Guidance. This means that “as with any other activity performed on behalf of the bank, the bank ultimately is responsible for compliance with the requirements of the bank’s CIP rule as performed by that agent or other contracted third party.”
If the card is not reloadable and does not have any credit or overdraft features, then the program manager (or other party) that holds the pooled account is appropriately regarded as the customer of the bank for purposes of the CIP Rule.
The Guidance also explains that the “customer” for purposes of a payroll card account established by an employer depends on whether the card can be reloaded from sources other than the employer. If the card can only be reloaded by the employer and the employee cannot use the card to access credit, then the employer is appropriately regarded as the customer. In this situation, the bank issuer does not need to verify the identity of each individual employee who receives a card. If the payroll card can be reloaded by sources other than the employer or can be used to access credit, however, then the employee is the bank’s customer and the bank must apply its CIP to each employee.
Government Benefit Cards
The rule for prepaid cards used to distribute government benefits is similar to the rule for payroll cards. If the card can only be loaded from government sources and cannot be used to access credit, then the bank is not required to apply its CIP to each cardholder. Conversely, the bank must apply its CIP to the cardholder if the card can be reloaded from non-governmental sources or be used to access credit. The Guidance also notes that US federal, state, and local government agencies are not “customers” under the CIP rule, and therefore not subject to the CIP Rule.
Health Benefit Cards
The Guidance says that the application of the CIP Rule to health benefit cards (cards that allow an employee to access funds set aside for health care expenses) depends on who establishes the account. If the account is a Health Savings Account, which an employee establishes at a bank of the employee’s choosing, the customer, for purposes of the CIP Rule, is the employee. If, however, the account is established pursuant to a Flexible Spending Arrangement or a Health Reimbursement Arrangement, the employer will establish the account and should be regarded as the bank’s customer for purposes of the CIP Rule.
Contracts with Third-Party Program Managers
The Guidance concludes by outlining requirements that contracts between banks and third-party program managers should satisfy. At a minimum, the contract should:
- outline CIP obligations of the parties;
- ensure the right of the issuing bank to transfer, store, or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
- provide for the issuing bank’s right to audit the third-party program manager and to monitor its performance (generally, banks need to ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
- if applicable, indicate that, pursuant to the Bank Service Company Act (BSCA) or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party program manager.