The federal banking agencies and the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) have issued guidance to banks to clarify how the Bank Secrecy Act's customer identification program (CIP) requirements apply to several types of prepaid access. In a separate release several days later, FinCEN issued five FAQs to provide additional guidance under its prepaid access rules addressing closed loop prepaid access and sellers of prepaid access.
For years, questions have been raised about how the CIP requirements apply to several types of prepaid card products issued by federally regulated banks and credit unions. In the face of an expanding international debate about the perceived anonymity of certain forms of prepaid access following the Paris terrorist attacks, and recognizing that "[f]unctionalities that make prepaid cards attractive to consumers also pose risks for banks that issue prepaid cards and process prepaid card transactions," on March 21, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) with FinCEN issued Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards.
The agencies clarify in the guidance how the CIP requirements, added to the BSA by Section 326 of the USA PATRIOT Act, apply to certain prepaid cards, "including those that are sold and distributed by third-party program managers, as well as cards used to provide employee wages, healthcare, and government benefits."
The CIP rule, issued by the agencies in 2003, requires federally insured depository institutions to obtain information sufficient to form a reasonable belief regarding the identity of each "customer" opening a new "account." In addition to collecting four specific pieces of data about a customer at account opening (name, date of birth, address, and government identification number), the CIP must also include procedures for verifying the customer's identity verification, maintaining specific records and providing required notices.
To determine whether and how the CIP requirements apply to purchasers of prepaid cards, the bank must first determine whether the issuance of the prepaid card to a purchaser results in the creation of an account. This determination depends on the functionalities of the prepaid card issued. The guidance reviews prepaid card characteristics that are analogous to deposit accounts and states that those "prepaid cards that provide a cardholder with (1) the ability to reload funds or (2) access to credit or overdraft features should be treated as accounts."
Where general purpose prepaid cards are sold without the reloadable functionalities activated or credit or overdraft features enabled, the agencies said "an account is not established until a reload, credit, or overdraft feature is activated by a cardholder registration."
Once an account has been established, how does a bank identify who the customer is for purposes of the CIP rule? The CIP rule provides that a person who opens a new account is deemed the customer, but different types of prepaid cards complicate the process of determining who is the customer.
"When a general purpose prepaid card issued by a bank allows the cardholder to conduct transactions evidencing a formal banking relationship, such as by adding monetary value or accessing credit, the cardholder should be considered to have established an account with the bank for purposes of the CIP rule," the guidance explained. "Further, the cardholder should be treated as the bank's customer for purposes of the CIP rule, even if the cardholder is not the named accountholder, but has obtained the card from an intermediary who uses a pooled account with the bank to fund bank-issued cards."
Third-party program managers should generally be treated as agents of the bank for purposes of the CIP rule, rather than as the bank's customer, the agencies said. For payroll cards, if an employer is the only person that may deposit funds into the payroll card account, then the employer should be considered the bank's customer for purposes of the CIP rule and the bank is not required to apply its CIP to each employee. However, if the employee is permitted access to credit through the card, or has the ability to reload the payroll card account from sources other than the employer, the employee is the customer of the bank and the bank should apply its CIP to the employee, according to the guidance. A similar analysis applies to government benefit cards and health benefit cards.
With regard to third-party program managers, banks are reminded that they "should enter into well-constructed, enforceable contracts . . . that clearly define the expectations, duties, rights, and obligations of each party" in a manner consistent with the guidance, the agencies said. At a minimum, a binding contract should outline the CIP obligations of the parties, ensure the right of the bank to transfer, store, or otherwise obtain immediate access to CIP information collected by the third-party program manager, and provide for the issuing bank's right to audit the third-party program manager and monitor its performance.
Why it matters
The guidance's CIP clarification for prepaid access-issuing banks contains no surprises. In fact, there are questions as to why the agencies decided to issue it now as there is really nothing new in it. For those banks whose CIP procedures may not have been consistent with the guidance, there may be questions as to whether remedial efforts or program enhancements may be required to ensure that they are in compliance with the requirements of the CIP regulation before their next examination. The guidance also should be a useful reminder for banks as to their BSA obligations as they digest the final prepaid access rule expected from the Consumer Financial Protection Bureau in the near future.