On July 29, 2011, the Financial Crimes Enforcement Network (“FinCEN”), a bureau of the U.S. Department of the Treasury, issued a final rule (the “Prepaid Access Rule” or the “Rule”), amending the Bank Secrecy Act (“BSA”) rules relating to prepaid access.[1] In particular, the Prepaid Access Rule (i) renames “stored value” as “prepaid access” and defines that term; (ii) deletes the terms “issuer” and “redeemer” of stored value; (iii) imposes suspicious activity reporting and customer and transactional information collection requirements on both providers and sellers of prepaid access, as well as a registration requirement on providers only; and (iv) exempts certain categories of prepaid access products and services posing lower risks of money laundering and terrorist financing from certain BSA requirements.

Separately, on July 21, 2011, FinCEN published a final rule, revising the regulations regarding money services businesses (“MSBs”) to clarify those activities which subject a person to the BSA rules pertaining to MSBs and subjecting certain foreign-located MSBs with a U.S. presence to the BSA rules (the “MSB Rule”).[2] A separate Client Alert addressing the MSB Rule was issued on Oct. 26, 2011.[3]

On Sept. 9, 2011, as a result of industry comment, FinCEN issued Notice 2011-3 (the “Notice”), extending the effective date of the Prepaid Access Rule for sellers and providers of prepaid access, and the date that providers of prepaid access must comply with the registration requirement under the Rule.[4] As a result of this Notice, FinCEN expects providers of prepaid access to comply with the following requirements of the Prepaid Access Rule by Sept. 27, 2011:

  • Development of an AML program that is risk-based and commensurate with the location, size and types of financial services offered (31 C.F.R. §1022.210 (a) and (b));
  • Reporting of suspicious transactions (31 C.F.R. §1022.320); and
  • Maintenance of additional records by providers and sellers of prepaid access (31 C.F.R. §1022.420).

Pursuant to this Notice, FinCEN gave providers of prepaid access an extension of time until March 31, 2012 to comply with all remaining aspects of the Rule. The Notice also provides sellers of prepaid access with an extension of time until March 31, 2012 to comply with the requirements of the Rule.

In the Notice, FinCEN indicated that it would not initiate any compliance matter or enforcement action against providers and sellers of prepaid access prior to March 31, 2012 for violations of the Prepaid Access Rule, nor assess any civil monetary penalties for violations of the Rule that occurred prior to March 31, 2012.

We address first the new anti-money laundering regulatory requirements for providers and sellers of prepaid access and then discuss the definitions relating to the Prepaid Access Rule. In doing so, we also review FinCEN’s publication of frequently asked questions on Nov. 2, 2011 (the “FinCEN Guidance”) and information provided during FinCEN’s webinar on Nov. 11, 2011.[5]

Requirements Relating to Providers and Sellers of Prepaid Access

The Registration Requirement: Pursuant to the Prepaid Access Rule, each MSB (whether or not licensed as a MSB by any state), including but not limited to providers of prepaid access, and excepting agents and sellers of prepaid access, must register with FinCEN by completing FinCEN Form 107, Registration of MSB. As part of its registration, each MSB must maintain a list of its agents.[6]

Compliance with the requirement that a complete list of prepaid programs be submitted with registration will require a change to FinCEN Form 107, Registration of MSB. Accordingly, the Rule provides that compliance with the registration requirements set forth in 31 C.F.R. §1022.380 is not required until six months after the date of publication of the Rule, March 31, 2012, by which time the revised FinCEN Form 107 is expected to be final.[7]

Anti-Money Laundering (“AML”) Program: Each MSB, as defined by 31 C.F.R. §1010.100(ff), which includes, among others, sellers and providers of prepaid access, is required to “develop, implement, and maintain an effective anti-money laundering program … that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities.”[8] Pursuant to the AML program requirements of the Rule, a provider or seller of prepaid access must:

  • Establish procedures to verify the identity of a person who obtains prepaid access under a prepaid program; and
  • Obtain identifying information concerning such a person, including name, date of birth, address and identification number.[9]

A seller of prepaid access must also establish procedures to verify the identity of a person who obtains prepaid access to funds that exceed $10,000 during any one day and obtain identifying information concerning such a person, including name, date of birth, address, and identification number. The identifying information must be retained for five years from the date of the sale of the prepaid access device or vehicle. For a provider of prepaid access, the identifying information must be retained for five years after the last use of the prepaid access device or vehicle.

In the Preamble to the Prepaid Access Rule, Treasury explains that these “requirements are intended to mirror the customer identification programs required of other financial institutions and draws on the explanations and interpretations issued with respect to those requirements.”[10]

Reports of Suspicious Transactions: The Rule requires a provider and seller of prepaid access to file with Treasury, to the extent and manner required under 31 C.F.R. §1022.320, “a report of any suspicious transactions relevant to a possible violation of law or regulation.” Providers and sellers of prepaid access will use FinCEN Form 109, the same SAR form that all MSB filers use.[11]

Additional Recordkeeping Requirements: The Rule requires that each provider of prepaid access “shall maintain access to transactional records generated in the ordinary course of business that would be needed to reconstruct prepaid access activation, loads, purchases, withdrawals, transfers, or other prepaid-related transactions” for a period of five years.[12]

These records would routinely reflect (i) the type of transaction (e.g., ATM withdrawal and point-of-sale purchase; (ii) the amount and location of the transaction; (iii) the date and time of the transaction; and (iv) any other unique identifiers related to the transaction. These records need not be kept in any particular format, or by any particular participant in the prepaid program. However, the provider of prepaid access is responsible for complying with these recordkeeping requirements. The records must be easily accessible and retrievable upon the request of FinCEN, law enforcement or judicial order.[13]

Definitions Relating to Prepaid Access Rule

Provider of Prepaid Access: Treasury defines a provider of prepaid access as “the participant within a prepaid program that agrees to serve as the principal conduit for access to information from its fellow program participants.” Specifically, the Prepaid Access Rule provides that “[t]he participants in each prepaid program must determine a single participant within the prepaid program to serve as the provider of prepaid access,” and that each of the participants within a prepaid program must contractually agree who among the group will be designated as the provider of prepaid access.[14] Under this approach, the designated provider of prepaid access is responsible for managing the prepaid program in a way that complies with the regulatory requirements.[15] In the absence of a participant being designated and registering as a provider of prepaid access, “the provider of prepaid access is the person with principal oversight and control over the prepaid program.”[16]

The determination of the person who exercises “principal oversight and control over the prepaid program is a matter of facts and circumstances.” The activities that indicate principal oversight and control include:

  • Which entity organized the prepaid program;
  • Which entity sets the terms and conditions of the prepaid program and determines that the terms have not been exceeded;
  • Which entity determines the other businesses that will participate in the prepaid program, which may include the issuing bank, the payment processor or the distributor;
  • Which entity controls or directs the appropriate party to initiate, freeze or terminate prepaid access; and
  • Which entity engages in activity that demonstrates oversight and control of the prepaid program.[17]

FinCEN recognizes that each of the foregoing may not be present in any single participant.

Banks serving in a role that could otherwise fit the definition of a provider of prepaid access are not subject to the Prepaid Access Rule because FinCEN has excluded banks from its definition of MSBs.[18] In situations in which a bank exercises “principal oversight and control” over a prepaid program, no participant is required to register as the provider of prepaid access. However, if a participant other than a bank chooses to register, that participant is considered the provider of prepaid access and has the responsibilities under the Rule, notwithstanding the bank’s participation in the prepaid program. The Rule does not relieve banks of any of their existing BSA obligations, including those with respect to prepaid programs with which they are involved.[19]

Seller of Prepaid Access: Treasury defines a seller of prepaid access as any person that receives funds or the value of funds in exchange for an initial loading or subsequent loading of prepaid access, if that person:

  • Sells prepaid access offered under a prepaid program that can be used before verification of customer identification under 31 C.F.R. §1022.210(d)(1)(iv); or
  • Sells prepaid access (including closed loop prepaid access) to funds that exceed $10,000 to any person during any one day,[20] and has not implemented policies and procedures reasonably adapted to prevent such a sale.[21]

Addressing the second prong above, the FinCEN Guidance provides that there is no one set of policies and procedures that is “reasonably adapted” to prevent sales of prepaid access that exceed $10,000 to any person during any one day. Such policies and procedures must be risk-based and appropriate to the particular retailer in question, taking into account facts such as its typical customers, its location(s), and the volume of its prepaid access sales.

The FinCEN Guidance clarifies that the Prepaid Access Rule is not intended to cover the distribution of prepaid access products to other businesses for further distribution or sale to end users/consumers by those other businesses, regardless of whether the activity exceeded $10,000 to one business (i.e., person) in one day. Rather, FinCEN explains that the definition is intended to address sales to the end user/consumer of the prepaid access product, not businesses in the distribution channels that move the prepaid access products to the market.[22]

Treasury provides definitions for the terms “prepaid access” and “prepaid program,” which are set forth below.

Prepaid Access: Treasury defines “prepaid access” as including “[a]ccess to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number.”[23] Treasury explained in its press release that the Prepaid Access Rule would cover prepaid devices such as “plastic cards, mobile phones, electronic serial numbers, key fobs and/or other mechanisms that provide a portal to funds that have been paid for in advance and are retrievable and transferable.”

Prepaid Program: Treasury defines a “prepaid program” as “an arrangement under which one or more persons acting together provide(s) prepaid access.”[24] Prepaid access arrangements can vary greatly, ranging from travel programs to university campus programs to public transportation programs and many others, all with specific features and characteristics targeted to different audiences and activities.[25]

Exclusion From Prepaid Program: The Prepaid Access Rule excludes certain low-risk prepaid access arrangements from the definition of a prepaid program. Pursuant to 31 C.F.R. §1010.100(ff)(4)(iii), an arrangement is not a prepaid program if:

  • It provides closed loop prepaid access to funds not to exceed $2,000 maximum value that can be associated with a prepaid access device or vehicle on any day;[26]
  • It provides prepaid access solely to funds provided by a federal, state, local, territory and insular possession, or tribal government agency;
  • It provides prepaid access solely to funds from pre-tax flexible spending arrangements for health care and dependent care expenses, or from Health Reimbursement Arrangements (as defined in 26 U.S.C. §§105(b) and 125) for health care expenses; or
  • It (1) provides prepaid access solely to: (i) employment benefits, incentives, wages or salaries; or (ii) funds not to exceed $1,000 maximum value and from which no more than $1,000 maximum value can be initially or subsequently loaded, used, or withdrawn on any day through a device or vehicle (sometimes referred to as the “de minimis exception”); and (2) does not permit: (i) funds or value to be transmitted internationally; (ii) transfers between or among users of prepaid access within a prepaid program; or (iii) loading additional funds or the value of funds from non-depository sources.[27]

The FinCEN Guidance provides greater clarification concerning the above exclusions from the prepaid program. With respect to the first exclusion concerning the “closed loop prepaid access” provision in 31 C.F.R. §1010.100(ff)(iii)(A), FinCEN explains that a closed loop prepaid access below the $2,000 threshold even where it can be used internationally is not part of a prepaid program.[28] FinCEN also explains that the $2,000 threshold for closed loop prepaid access attaches to the device or vehicle, not the person, and that it does not require aggregation of all purchases of separate (i.e., distinct) closed-loop prepaid access devices or vehicles bought by an individual in a single day. FinCEN notes that businesses that sell more than $10,000 of any type of prepaid access to an individual in a day may be sellers of prepaid access under the Rule.[29]

Additionally, the FinCEN Guidance provides that no more than $2,000 can be associated with each closed loop prepaid access device or vehicle in one day. Accordingly, if the closed loop prepaid access arrangement permits either individual reloads of more than $2,000 per device, or cumulative reloads per device that total more than $2,000 in one day, the arrangement no longer qualifies for the “closed loop prepaid access” exception from the definition of a prepaid program under the Rule. For example, if a closed loop prepaid access device or vehicle has a value of $1,500, and the holder spends $1,000 and subsequently reloads $600 before the end of the day, this prepaid access would fall within the definition of a prepaid program because $2,100 has been associated with the prepaid access within one day.[30]

The “closed loop prepaid access” exception from the definition of a prepaid program under the Rule is no longer valid if a cash redemption is provided other than what is required by state law. For example, for customer service purposes, some companies may offer to send an unhappy customer a check for a de minimis amount of funds, such as $20.00, on their closed-loop card. Under that scenario, the arrangement would no longer qualify for the “closed loop prepaid access” exception from the definition of a prepaid program under the Rule. However, where state law requires, as a matter of law, de minimis payouts for closed-loop products, if a prepaid program complies with such state law, the “closed loop prepaid access” exception from the definition of a prepaid program under the Rule is still valid.[31]

With respect to the second exclusion concerning the prepaid access to government funds provision in 31 C.F.R. §1010.100(ff)(iii)(B), FinCEN explains that this exclusion is applicable to government agency sponsored cards, as well as loads from government entities, such as tax refunds from the Internal Revenue Service, social security payments, or federal payroll payments. So long as the prepaid access is limited to the initial loading of funds from a government entity, and no other funds can be accessed through that prepaid access, then that prepaid access arrangement is considered a solely government funded product and would fall under the second exclusion from the Rule. FinCEN cautions the industry that where programs allow the initial load from the government entity, but thereafter allow the consumer to continue to use the prepaid access with the feature that it can reload the prepaid access with funds not derived from the government, the commingling of government funds with non-government funds would cause the prepaid access no longer to fall under this second exclusion.[32] However, FinCEN explained that an exception does occur when an excluded prepaid access product that was initially limited to government funds, falling under the second exclusion, is subsequently converted to a different product that qualifies under a different exclusion.[33]

The FinCEN Guidance also addresses other scenarios which raise questions of whether certain prepaid access devices are prepaid programs under the Rule:

  • An arrangement that provides reloadable temporary prepaid access devices is excluded from the definition of a prepaid program, regardless of whether the temporary device is reloadable, so long as its maximum value, use, or withdrawal limit is less than $1,000 on any day, and it cannot be used internationally, reloaded at a non-depository source, or used to transfer value among users.[34]
  • A provider or seller of phone cards usable solely to obtain phone service is providing or selling closed loop prepaid access. A provider of closed loop prepaid access is not a prepaid program provider unless the amount of the closed loop prepaid access associated with any one prepaid access device exceeds $2,000. The ability to use the device internationally does not change the analysis for closed loop prepaid access.[35]

Many devices sold for future access to products or services (e.g., songs, iTunes, telephone minutes, megabytes, wireless top-up, games, software, etc.) would likely be considered prepaid access devices under a prepaid program subject to the Rule. Depending on the structure of the program, they would probably be considered closed loop prepaid access and as such would not be part of a prepaid program under the Rule unless they allowed maximum value or loads above the $2,000 threshold.[36]