The Office of the Comptroller of the Currency (OCC) has issued guidance for use by national banks in developing and implementing a comprehensive risk management program for prepaid access programs. Beginning July 21, 2011, the guidance will also apply to federal savings associations.
The guidance, issued on June 29, 2011, describes prepaid access programs as providing electronic access to funds or the value of funds that have been paid in advance through devices such as a card, code, serial number, mobile ID number, or personal ID number. It cautions that banks are exposed to an increased risk of fraud and money laundering when such programs have more advanced functionality, such as the ability to conduct card-to-card, Internet, mobile phone, or international funds transfers.
Although its coverage is broad, the guidance is very general in nature. According to the guidance, to identify, measure, monitor, and control the risks related to prepaid access products, a bank should have a comprehensive risk management program that includes the following components:
- The bank’s board of directors, in consultation with management, should establish risk limits and outline expectations for compliance and performance reporting. The board must understand how a prepaid program is expected to operate, the level and nature of its risks, its projected costs and revenues, and its requirements, such as the need for expertise in the areas of operations, information technology, audit, compliance, and legal.
- Written policies and procedures should govern a prepaid program, including the evaluation, selection, and oversight of third-party service providers. A thorough due diligence review of any potential third-party service provider is critical. Also, third-party arrangements should be governed by “a well-constructed, enforceable service contract that clearly defines expectations, duties, rights, and obligations of each party.” Nine items, “at a minimum,” should be included in the contracts, such as clauses (1) outlining the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) obligations of the parties, (2) outlining the OCC’s authority to examine the service provider, and (3) defining how the parties will share information about fraud losses and suspicious activity and the process for sharing and/or indemnifying losses.
- The bank’s audit and compliance functions should test that fees are clearly disclosed to consumers and assessed as disclosed, and should also provide for testing of BSA/AML and OFAC compliance for both in-house and outsourced components of a prepaid program.
- The bank’s board of directors should receive periodic reports from management to evaluate whether a prepaid program is operating within established risk limits and achieving stated objectives and financial results. Those reports may include such items as summaries of suspicious activity monitoring and reporting, fraud loss reports, and results of audits and regulatory compliance reviews.
Given that third-party service provider contracts are a significant focus of the guidance, it seems likely those contracts will receive increased scrutiny in OCC examinations. Accordingly, banks should carefully review their third-party service provider contracts with counsel to ensure that they satisfy the guidance's requirements.