Background
Prepaid cards have become nearly ubiquitous in the payments marketplace. As the guidance highlights, functionalities that make prepaid cards attractive to consumers also pose risks for banks that issue them and process such transactions. For example, easy access to prepaid cards, the ability to use them anonymously and the potential for relatively high volumes of funds to flow through pooled prepaid access accounts make prepaid cards potentially vulnerable to criminal abuse. As a result, the Agencies have taken a position that banks that issue prepaid cards need to have in place controls to mitigate the risks. The guidance seeks to answer questions that have arisen regarding the application of the CIP Rule to prepaid cards issued by banks.
CIP Rule
In 2003, the Agencies issued the CIP Rule, which requires a bank to obtain information sufficient to form a reasonable belief regarding the identity of each “customer” opening a new “account.”⁵ The bank’s CIP must include risk-based procedures for verifying its customers’ identities to the extent reasonable and practicable. In particular, the CIP Rule requires banks to implement a CIP that includes certain minimum requirements. For example, a bank’s CIP must include:
- procedures for opening an account that, at a minimum, must include obtaining a name, date of birth, address and identification number from a customer who is an individual; and
- identity verification procedures that describe when and how the bank will verify the customer’s identity using documentary or non-documentary methods.
The guidance clarifies that certain prepaid cards issued by a bank should be subject to the bank’s CIP, including those prepaid cards issued through arrangements with third-party program managers when the bank has no other relationship with a cardholder. The guidance also clarifies that a bank’s obligations under the CIP Rule are distinct from any obligations of a program manager under other anti-money-laundering regulations. To determine if CIP requirements apply to holders of prepaid cards, the bank should first determine whether the issuance of a prepaid card results in the creation of an account and, if so, identify the bank’s customer for the account. These steps are discussed below.
Determining the Existence of an “Account”
The guidance states that prepaid cards should be treated as accounts if they provide a cardholder with either (1) the ability to reload funds or (2) access to credit or overdraft capability. The Agencies view these attributes as comparable to attributes of a deposit or loan product — both of which are accounts under the CIP Rule. The Agencies give the ability to reload funds a general meaning in the guidance, so that it includes the addition of funds to a card by consumers, corporate entities and governments, by P2P, ACH and any other method. The guidance does not discuss whether inadvertent overdrafts (e.g., resulting from below-floor-limit transactions) create an account relationship; however, references to “overdraft features” and “an overdraft line” in the guidance certainly suggest that the Agencies were focused on intentional overdraft capabilities.
General-purpose prepaid cards sold with reloadable capability or credit/overdraft features that can be activated only by registering with the issuer or the program manager do not constitute accounts for purposes of the CIP Rule until the reloadability and/or overdraft/credit feature is activated by cardholder registration. The guidance also provides that closed-loop prepaid cards (even when reloadable) do not result in an account because their attributes are not comparable to a deposit product. Specifically, closed-loop prepaid card funds may be used to make purchases only at a single merchant or group of affiliated merchants.
Customer Identification and Verification
If the issuance of a prepaid card is considered the opening of an account, the issuing bank must apply its CIP to the account customer.⁶ The guidance discusses how this requirement applies to common prepaid arrangements.
- Prepaid Cardholders and Third Parties. For general-purpose prepaid cards with reload functionality or access to credit or overdraft features, the bank’s customer is the cardholder. This is true even when funds are held in pooled accounts on behalf of a program manager for the benefit of the cardholders. For closed-loop prepaid cards and general-purpose prepaid cards without reload functionality or access to credit or overdraft features, the only account is the pooled account, and the bank’s customer is the program manager in whose name the pooled account has been established.
- Payroll Cards. If the employer (or the employer’s agent) is the only person who may deposit funds into the payroll card pooled account, the employer should be considered the bank’s customer, and the bank need not apply its CIP to each employee. By contrast, if the employee is permitted to access an overdraft or credit through the payroll card, or reload the payroll card account from sources other than the employer, the employee is the customer of the bank, and the bank should apply its CIP to the employee.
- Government Benefit Cards. Government benefit cards vary as to whether cardholders are permitted to load funds unconnected to the government benefit program onto the card and whether they provide access to overdrafts or credit. If the government benefit card program permits only government funds to be loaded onto the card and does not provide access to overdrafts or credit, the bank has no CIP obligations.⁷ If, however, the card allows non-government funds to be loaded onto the card or provides access to overdrafts or credit, then the cardholder is the bank’s customer, and the bank should perform its CIP on the cardholder.
- Health Savings Accounts. In the case of accounts established by an employee to pay or obtain reimbursement for qualifying medical expenses, the employee is the bank’s customer because he or she established the account.
- Flexible Spending Arrangements (FSAs) and Health Reimbursement Arrangements (HRAs). In the case of accounts established by an employer and funded by either voluntary withholdings from an employee’s salary (FSAs only) or through direct employer contributions (FSAs and HRAs), the employer should be considered the bank’s customer because no person other than the employer (or its agent) establishes and funds an account.
Contracts with Third-Party Program Managers
The guidance also advises banks to enter into well-constructed, enforceable contracts with third-party program managers that clearly define the expectations, duties, rights and obligations of each party in a manner consistent with the guidance. At a minimum, each such contract should:
- Outline the parties’ CIP obligations;
- Ensure the bank’s right to transfer, store or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
- Provide for the bank’s right to audit the third-party program manager and to monitor its performance (generally, banks need to ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
- If applicable, indicate that, pursuant to the Bank Service Company Act or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party program manager.
1 The federal banking agencies are the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA) and the Office of the Comptroller of the Currency (OCC).
2 For purposes of the guidance, the term “issuing bank” means the bank that authorizes use of the prepaid card. A bank is any commercial bank, savings association, credit union or U.S. branch of a foreign bank.
3 68 Fed. Reg. 25090 (May 9, 2003) codified at 31 C.F.R. § 1020.220 (FinCEN); 12 C.F.R. § 21.21 (OCC); 12 C.F.R. § 208.62(b)(2) and § 211.24(j)(2) (FRB); 12 C.F.R. § 326 (FDIC); and 12 C.F.R. § 748.2 (NCUA).
4 Prepaid cards include those sold and distributed by third-party program managers as well as cards that are used to provide employee wages, healthcare and government benefits.
5 31 C.F.R. § 1020.100(c), (a).
6 31 C.F.R. § 1020.100(c)(1)(i).
7 This results from the lack of a relationship having been established vis-à-vis the cardholder and the exemption from the definition of “customer” in the CIP Rule of any department or agency of the United States, of any state or any political subdivision of any state.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or:
- Joel D. Feinberg, Partner, +1 202 736 8473
- David E. Teitelbaum, Partner, +1 202 736 8683
- Stanley J. Boris, Associate, +1 202 736 8227
Sidley Banking and Financial Services Practice