The Supervisory and Regulation letter SR 16-7 of March 21, 2016, specifically addresses the treatment of prepaid cards issued by banks, savings associations, credit unions, and US branches and agencies of foreign banks (collectively, banks), including cards that are sold and distributed by third parties that design, manage, and operate prepaid card programs (third-party program managers), under CIP regulations.1  The Agencies2 require banks that issue prepaid cards and process prepaid card transactions, including banks issuing with third-party program managers, to implement strong and effective controls, to mitigate money laundering and other financial crimes.

In 2003, the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), Financial Crimes Enforcement Network (FinCEN), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and the Department of the Treasury (collectively, the Agencies), jointly adopted the final rules to the Customer Identification Program, 31 CFR 103.121, in efforts to mitigate financing of terrorist operations and money laundering.3  The Customer Identification Program (CIP) regulation, implements section 3261 of the USA PATRIOT Act requiring banks, savings associations, credit unions and certain non-federally regulated banks to have a Customer Identification Program, generally known as “Know Your Customer.”

Prepaid cards are widely used by individuals, corporations, governments and other private sector entities.  These cards can be used to perform a multitude of functions, including withdrawing cash from a tied bank account, paying bills, purchasing goods and services, and transferring funds to other cardholders and receiving funds transfers.  The functionalities of prepaid cards have also increased the risk to banks since they can be easily obtained, used anonymously and potentially used for relatively high volume of funds.

CIP Rule Overview

The CIP rule requires banks to obtain information sufficient to form a reasonable belief regarding the identity of each customer establishing a new account. Furthermore, banks were also mandated to implement a risk-based procedure for verifying their customers’ identities (to the extent reasonable and practical), in addition to the following:

  • “Include procedures for opening an account that, at a minimum, must include obtaining a name, date of birth, address, and identification number from a customer who is an individual.”4
  • “Include identity verification procedures that describe when and how the bank will verify the customer’s identity using documentary or non-documentary methods.”5
  • Account recordkeeping and notice requirements.6

Rule Applicability to Prepaid Card

View the image. Source: Accenture, analysis based upon publicly available documents.
View the image. Source: Accenture, analysis based upon publicly available documents.

Existence of an “Account”

The guidance offered in SR 16-7 provides specific determining factors concerning prepaid cards issued by a bank, that are subject to the bank’s CIP rules, including prepaid cards issued with third-party programs.  In order to determine if CIP requirements apply to purchasers of prepaid cards, the institution should first determine whether the issuance of a prepaid card to a purchaser results in the creation of an account; and if so, ascertain the identity of the institution’s customer.  The guidance states that “When a general purpose prepaid card issued by a bank allows the cardholder to conduct transactions evidencing a formal banking relationship, such as by adding monetary value or accessing credit, the cardholder should be considered to have established an account with the bank for purposes of the CIP rule.” 7

The “account” is defined as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, and includes the following account types:8

· Deposit Account · Asset Account · Credit Account · Credit Extension
· Safety Deposit · Safekeeping Services · Cash Management · Custodian/Trust Services

Additionally, General Prepaid Cards that provide for the following are subject to CIP rules:9

  • Ability to reload funds; or
  • Access to credit or overdraft features

Some General Purpose Prepaid cards may be sold without reloadable funds, access to credit, or overdraft functionalities activated or enabled. A purchaser or subsequent transferee of these cards can activate or enable these features only if they contact the issuing bank or third-party program manager.  Under the CIP rule, an account is not deemed established until a reload, credit, or overdraft feature is activated by the cardholder registration.10

Customer Identification

Once a prepaid card has been deemed an account, the bank must identify the customer for the purposes of the rule. A “customer” is defined as the person that opens a new account.11 However, the identification of a customer and application of the CIP rule may vary depending on the type of prepaid card:

Prepaid Cards and Third Parties12

  • For purposes of the CIP rule, third-party program managers should be treated as agents of the bank, rather than as the bank’s customer.
  • Ultimately, the bank is responsible for complying with the requirements of the bank’s CIP rule as performed by that agent or other contracted third party.
  • Pooled accounts may be established by third-party program managers in their names and for the purpose of holding funds “on behalf of” or “in trust for” cardholders, or for processing transactions on behalf of other issuing banks.
  • For closed-loop prepaid cards, the third-party program manager (under whose name the pooled account has been established) should be considered as the only customer of the issuing bank and subject to the requirements of the bank’s CIP policies and procedures. In these particular instances, the issuing bank is not required to “look through” the pooled account to verify the identity of each cardholder.

Payroll Cards13

  • When the employer, or the employer’s agent, is the only person capable of depositing funds into the payroll card account, for purposes of the CIP rule, it should be considered the bank’s customer. Under this scenario, the bank is not required to apply its CIP to each employee.
  • The employer should be considered the customer even when there are subaccounts which are attributable to each employee. It should be noted, in a situation where the employee has permission to access credit through the card (or reload the payroll card account from sources other than the employer), the employee should be considered the customer of the bank with the latter applying its CIP to the employee.

Government Benefits Cards14

  • For purposes of the CIP rule, no customer relationship is established between the bank and the beneficiary-cardholder when the government benefits card program permits only government funds to be loaded onto the card and does not provide access to credit.
  • If non-government funds can be loaded onto the card or the card provides access to credit, then a customer relationship is deemed to exist between the bank and the beneficiary-cardholder. In such a case the bank should collect CIP information from the beneficiary-cardholder.

Health Benefits Cards15

  • Health Savings Account (HSA): The employer or employee establishing the account may contribute to the HSA. When the employee establishes the account, for purposes of the CIP rule, he/she is the issuing bank’s customer.
  • Flexible Spending Arrangements (FSA) and Health Reimbursement Arrangements (HRA): Since no person other than the employer or the employer’s agent can establish an FSA or HRA, make deposits into an FSA or HRA, and distribute funds from the FSA or HRA, for the purposes of the CIP rule, the employer should be considered the issuing bank’s customer.

Contracts with Third-Party Program Managers

When using third-party managers, the bank is the prepaid card issuer, but the third-party program manager administers and manages the card program for the bank in accordance with the bank’s specific requirements. Typically, the issuing bank holds the program manager liable for meeting these requirements, including all risk and compliance matters. Therefore, the issuing bank should enter into well-constructed, enforceable contracts with third-party program managers that clearly define the expectations, duties, rights, and obligations of each party in a manner consistent with this guidance.16

Binding contract or agreements should at a minimum include:17

  • “Outline the CIP obligations of the parties;
  • Ensure the right of the issuing bank to transfer, store, or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
  • Provide for the issuing bank’s right to audit the third-party program manager and to monitor its performance (generally, banks need to ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
  • If applicable, indicate that, pursuant to the Bank Service Company Act (BSCA) or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party program manager.”

Take-away for Clients

Generally prepaid card customers were not subject to CIP rules, however the new guidance describes when financial institutions should obtain information sufficient to reasonably verify the identity of the cardholder, in accordance with CIP rules.  Once determined that an account is opened, the institution should obtain the name, date of birth, address, and identification number, such as the Taxpayer Identification Number of the cardholder.  Reviews into CIP programs, policies, and systems should be conducted, as well as Anti-Money Laundering and Know Your Customer rules and policies to comply with the guidance across the organization.

References

  1. The term “issued by banks” means the bank authorizing the use of the prepaid card. Usually the issuing bank is the bank that has its name printed on the back of a prepaid card. See 31 CFR 1010.100(d). A third-party program manager is a company that designs, manages and operates a prepaid card program and contracts with a bank to issue prepaid cards under the program and to process transactions conducted using those cards. The third-party program manager also provides customer service and card distribution (sales). The third-party program manager may also be a “provider of prepaid access” under FinCEN’s rule. See 31 CFR 1010.100(ff)(4). “Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Access Cards,” Federal Reserve System, Supervisory and Regulation Letter SR 16-7, March 21, 2016. Access at: https://www.federalreserve.gov/bankinforeg/srletters/sr1607.pdf
  2. The agencies are: The Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN). See. “Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Access Cards,” Federal Reserve System, Supervisory and Regulation Letter SR 16-7, March 21, 2016. Access, Available at: https://www.federalreserve.gov/bankinforeg/srletters/sr1607.pdf
  3. 68 Federal Register (FR) 25090 (May 9, 2003) codified at 31 CFR 1020.220 (Treasury); 12 CFR 21.21 (OCC); 12 CFR 208.62(b)(2) and 211.24(j)(2) (FRB); 12 CFR 326 (FDIC); and 12 CFR 748.2 (NCUA). Access at: http://www.occ.treas.gov/news-issuances/federal-register/68fr25090.pdf
  4. “Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Access Cards,” Federal Reserve System, Supervisory and Regulation Letter SR 16-7, March 21, 2016. Access, Available at: https://www.federalreserve.gov/bankinforeg/srletters/sr1607.pdf
  5. Ibid
  6. Ibid
  7. “Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Access Cards,” Federal Reserve System, Supervisory and Regulation Letter SR 16-7, March 21, 2016. Access, Available at: https://www.federalreserve.gov/bankinforeg/srletters/sr1607.pdf
  8. Ibid
  9. An account is not established until a reload, credit, or overdraft feature is activated by cardholder registration.
  10. Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Access Cards,” Federal Reserve System, Supervisory and Regulation Letter SR 16-7, March 21, 2016. Access, Available at: https://www.federalreserve.gov/bankinforeg/srletters/sr1607.pdf
  11. Ibid
  12. Ibid
  13. Ibid
  14. Ibid
  15. Ibid
  16. “Printable Version of Outsourcing Technology Services IT Booklet” Available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf
  17. “Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Access Cards,” Federal Reserve System, Supervisory and Regulation Letter SR 16-7, March 21, 2016. Access, Available at: https://www.federalreserve.gov/bankinforeg/srletters/sr1607.pdf

Newsletter Author: Samantha Regan, Michael Kim, Jae Ko

Newsletter Contact Person: Craig Unterseher

Visit www.accenture.com/RegulatoryCompliance for latest insights on regulatory remediation and compliance transformation.

Disclaimer

This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional.

About Accenture:

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 373,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Its home page is www.accenture.com.

Copyright © 2016 Accenture. All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture. This document is produced by Accenture as general information on the subject. It is not intended to provide advice on your specific circumstances.

If you require advice or further details on any matters referred to, please contact your Accenture representative.

Submit a Comment

Your email address will not be published. Required fields are marked *