On March 21, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency (OCC), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (collectively, the Agencies) issued interagency guidance that clarifies the applicability of Customer Identification Program (CIP) requirements to prepaid cards issued by commercial banks, savings associations, credit unions or branches of foreign banks. The guidance provides that certain prepaid cards issued by banks are subject to the CIP rule, including when a bank issues prepaid cards under arrangements with third-party payment managers that sell, distribute, promote or market the prepaid cards issued by the bank. If a prepaid card is subject to the CIP rule under the guidance, the bank issuer is required to treat the underlying cardholder—not the third-party manager—as its customer.
The Agencies indicated that the guidance is applicable to other prepaid access products that meet the criteria described in the guidance, including prepaid access products offered through mobile phones or Internet sites.
According to the Agencies, CIP requirements apply where the issuance of a prepaid card results in the creation of an “account.” Under the CIP rule, an “account” is defined as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit.”1 The guidance clarifies that a prepaid card that provides a cardholder with (1) the ability to reload funds or (2) access to credit or overdraft features is equivalent to opening an account for purposes of the CIP rule. If a general purpose prepaid card is sold without the reloadable functionality activated or credit or overdraft features enabled, an account is not opened until a reload, credit or overdraft feature is activated by cardholder registration.
According to the interagency guidance, third-party program managers should generally be treated as agents of the bank, and the bank is responsible for compliance with the requirements of the bank’s CIP rule as performed by that agent. If a general purpose prepaid card is reloadable or provides access to credit or overdraft features, the bank must comply with the CIP requirements with respect to a cardholder regardless of whether the third-party program manager holds funds on the cardholder’s behalf in a pooled account. By contrast, in the case of a general purpose prepaid card that is not reloadable and without credit or overdraft features, the bank’s customer is the third-party program manager, and the bank is not required to “look through” the program manager’s account to satisfy CIP requirements with respect to each cardholder.
The guidance outlines specific requirements for certain prepaid cards, including payroll cards, government benefit cards and health benefit cards. For payroll cards, when the employer is the only person that may deposit funds into the payroll card account, the employer (and not the employee cardholder) is considered the bank’s customer. In contrast, if employees can access credit through payroll cards or can reload the payroll card account from sources other than the employer, then such employees are customers of the bank. For government benefit cards, if only government funds are permitted to be loaded and access to credit is not provided, then no customer relationship is established between the bank and the cardholder. For health savings accounts, which are accounts established by employees, the employee cardholder is the customer. On the other hand, when the employer establishes the account, e.g., flexible spending arrangements and health reimbursement arrangements, the employer is the customer.
Finally, the guidance addresses contracts between issuing banks and third-party program managers. The guidance stresses that issuing banks should enter into well-constructed contracts with their third-party program managers that, at a minimum, (a) outline the CIP obligations of the parties; (b) ensure the issuing bank’s right to transfer, store or otherwise obtain immediate access to CIP information collected by the manager; (c) provide the issuing bank audit rights over the manager; and (d) indicate that relevant regulatory authorities have the right to examine the manager.