On March 21, 2016, FinCEN and the federal bank regulatory agencies published Guidance to issuing banks on the CIP requirements applicable to prepaid cards. While the Guidance referred to “prepaid cards,” footnote 5 to the Guidance clarifies that it applies to other prepaid access products that otherwise meet the criteria described in the Guidance, including prepaid access products offered through mobile phones or Internet sites.
The Guidance reflects a common sense interpretation of existing BSA regulation, and it’s good to have this clear guidance. It also clarifies that, in many cases, the only “customer” on which CIP must be performed will be the employer, program manager or other third party that can reload the account. In those cases where the cardholder has access to credit through the card or can independently reload the card, the cardholder will be the customer, but in other cases a bank’s CIP obligations are simplified.
Consistent with existing CIP rules, whether CIP is required turns on whether the prepaid card is an “account” and, if so, who the customer is. Generally speaking, but as explained in more detail below, an account is established that triggers CIP if either the prepaid card may be reloaded or the cardholder has access to credit or overdraft features through the card.
The only question then is who the “customer” is, which is only a little more complicated. It appears that, if the cardholder can access credit or overdraft features, then the cardholder is the customer regardless of other facts. If the cardholder cannot access those credit features, then the question is whether the cardholder can independently reload the card or if the card can only be reloaded by a program manager, employer, governmental entity or other third party. In that latter case, the third party, and not the cardholder, is the customer. There are more complicated ways to think about this, but those bottom line rules basically cover it.
Now for the details.
Question One: Is There An “Account”
The Guidance states that, in order to determine if CIP requirements apply, a bank should first determine whether the issuance of a prepaid card results in the creation of an “account.” If so, the second step is to determine who the “customer” is.
The Guidance explains in detail how the BSA regulations define “account” and why and how the regulatory agencies are applying those definitions within the Guidance. The basic logic is that the CIP rule defines account as a “formal banking relationship established to provide or engage in services, dealings or other financial transactions.” If the prepaid card is analogous to a deposit account, then an “account” has been established for CIP purposes. In the end, the rule stated in the Guidance is simply this:
[F]or purposes of the CIP rule, prepaid cards that provide a cardholder with (1) the ability to reload funds or (2) access to credit or overdraft features should be treated as accounts.
Access to credit or overdraft features is straightforward. That creates an account for CIP purposes and is consistent with the existing definition of account in the BSA regulations.
With respect to the ability to reload funds, the question for determining whether there is an account is not who can reload funds, but only if funds can be reloaded to the card. Whether the loads can be made by the cardholder, the cardholder’s employer or any other third party on behalf of the cardholder, an account has been established because the card can be reloaded.
And in case you are already wondering, the regulators remembered to address prepaid cards that are issued without reloadable functionalities activated or credit or overdraft features enabled. Those prepaid cards do not result in an account unless and until the reload feature is activated or the credit or overdraft features are enabled. Accordingly, the prepaid cards commonly sold in pharmacies and grocery stores on an anonymous basis, and that cannot be reloaded when sold and do not have credit or overdraft features enabled when they are sold, do not result in an account unless and until those features are activated or enabled.
Question Two: Who Is The “Customer”
Once the bank has determined that there is an account for which CIP is triggered, the next question is who the “customer” is that must be subjected to CIP. If a consumer obtains the card directly from the bank and there is no program manager, employer or other third party between the cardholder and the bank, then the cardholder is the customer. When a third party is involved, additional facts need to be considered.
Pooled Third Party Accounts. The fact that the cardholder is not the named accountholder, but has obtained the card from an intermediary who uses a pooled account with the bank to fund the bank-issued cards, does not necessarily mean that the cardholder is not the customer. If the cardholder has established an account with the bank by activating reloadable functionalities or credit features, the cardholder is the customer even if the funds are held in a pooled account.
In contrast, if the card is not reloadable and has no credit or overdraft features, the third-party program manager in whose name the pooled account has been established is the bank’s only customer and should be subject to CIP. The bank is not required to “look through” the pooled account to verify the identity of individual cardholders.
Payroll Cards. If the employer or the employer’s agent is the only person that may deposit funds into the payroll card account, and the employee is not permitted to access credit through the card, then only the employer is the bank’s customer. Again, the bank does not need to look through the relationship and CIP each employee.
However, if the employee can reload the card account from sources other than the employer, or if the employee can access credit through the card, then the employee is the bank’s customer that should be subjected to CIP.
Government Benefit Cards. The analysis here is the same as for payroll cards. If the card allows non-government funds to be loaded onto the card or provides access to credit, then the cardholder is the customer and the bank needs to collect CIP information on that person. If there are no credit features and only the government can load funds onto the card, then the government is the bank’s customer. The difference here from employer payroll cards is that the term “customer” for CIP purposes does not include a department or agency of the United States, of any state, or any political subdivision of any state, so the bank is not required to perform CIP on that governmental body.
Health Savings Accounts. HSAs are generally established by an employee to pay or obtain reimbursement for qualifying medical expenses, and either the employee or the employer may contribute funds to the HSA. The employee is the bank’s customer because the employee establishes the account and can contribute funds.
Flexible Spending and Health Reimbursement Arrangements. The Guidance assumes that in these arrangements only the employer or the employer’s agency establishes the FSA or HRA, makes deposits to the account and distributes funds from the account. On this basis, the Guidance concludes that the employer is the bank’s customer for CIP purposes.
As suggested in the introduction to this article, there really are two common sense questions: has a formal banking relationship been established and, if so, can the cardholder reload the card or access credit through the card. The formal banking relationship creates the CIP account, and whether the cardholder can reload the card or access credit determines whether the cardholder or a third party is the customer.