Federal regulators published guidance Monday regarding the application of customer identification program (CIP) requirements to holders of prepaid cards and other types of prepaid access. Although the guidance is meant to clarify longstanding CIP rules—issued in 2003 to implement USA PATRIOT Act amendments to the Bank Secrecy Act (BSA)—the guidance has the effect of setting new standards for banks that issue prepaid access. This includes prepaid cards that third-party program managers sell and distribute, as well as cards that are used to provide employee wages, healthcare, and government benefits.
Five federal agencies—the Federal Reserve, FDIC, OCC, NCUA, and FinCEN—issued the guidance to clarify when a bank (a term that, for BSA purposes, includes credit unions) should apply its CIP procedures for prepaid cardholders. The guidance states that when the issuance of a prepaid card results in the creation of an account at a bank, the bank must apply its CIP and verify the cardholder’s identity. The bank creates an account for the cardholder if the bank issues a prepaid card that 1) is reloadable or 2) provides access to credit or overdraft features. According to the agencies, these two features for prepaid access create a formal banking relationship between the bank and the cardholder that requires the bank to comply with the CIP rules.
Prepaid access offered through channels other than physical cards, such as through mobile phones or the Internet, is subject to the same rules and can also trigger banks’ obligations to comply with the CIP rules. Closed-loop prepaid cards and non-reloadable general purpose prepaid cards without credit or overdraft features would not, however, result in a formal banking relationship between the bank and cardholder and so would not require the bank to comply with the CIP rules or identify the cardholder.
The guidance elaborates on how the CIP rules apply to payroll, government benefit, and health benefit cards. For payroll cards, the issuing bank is required to verify the employee cardholder’s identity only if the employee will be able to access credit features through or reload funds (through sources other than the employer) to the payroll card. Likewise, banks are required to identify the cardholder for government benefit cards only if the prepaid card is reloadable or provides access to credit. For Health Savings Accounts, the bank is required to identify the employee because both the employer and the employee can contribute to the account; for Flexible Spending Arrangements and Health Reimbursement Arrangements, the bank is not required to identify the employee because only the employer can contribute.
Even if the bank utilizes a third-party program manager to sell and distribute prepaid cards that the bank issues, the bank is ultimately responsible for complying with the CIP rules. Additionally, third-party program managers are agents of the bank rather than the bank’s customer. For these reasons, the agencies state that the contract between a bank and its third-party prepaid card program manager should provide for the following:
- The parties’ CIP obligations;
- The issuing bank’s right to transfer, store, and immediately access all CIP information on cardholders that the third-party program manager collects;
- The issuing bank’s right to audit the third-party program manager and monitor the program manager’s performance; and
- Federal banking regulators’ right to examine the third-party program manager, if applicable.
Banks that issue reloadable prepaid access or prepaid access with credit or overdraft features should review their CIP procedures as well as their contracts with any third-party program managers. Regulators have been scrutinizing banks’ third-party relationships generally, as well as specifically in the prepaid space, and this guidance serves as a reminder to banks to shore up their oversight of their prepaid program managers. Banks should regularly audit and monitor those program managers, as the banks themselves will be held responsible for compliance with the CIP rules.
And note too, that while this particular interagency guidance addresses only CIP issues, the determination that a prepaid card account can establish a “formal banking relationship” with the issuing bank has potential ramifications under other laws and regulations. For instance, a “customer” relationship triggers obligations under the Gramm-Leach-Bliley Act (GLBA) rules, regarding matters such as privacy notices and practices regarding privacy and security.