In response to continuing concerns about the vulnerability of prepaid cards to criminal and terrorist abuse, five regulators issued interagency joint guidance today clarifying bank obligations to identify prepaid card accountholders under the existing regulations implementing the “Customer Identification Program” or “CIP” requirements of the USA PATRIOT Act. The Agencies intend the guidance to remind banks that money laundering and other criminal risks related to prepaid cards “require the implementation of strong and effective mitigating controls.” The five regulators are the Federal Reserve Board, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Financial Crimes Enforcement Network (collectively, “the Agencies”).
The guidance makes clear that banks have a CIP obligation with respect to individual cardholders of general-purpose prepaid cards that have features similar to a deposit account, regardless of whether the funds are held in a pooled account or whether the prepaid program is managed by the bank or by a third party on behalf of the bank. These clarifications should not be surprising to most prepaid program participants, as they are consistent with the purpose of the CIP regulations. But the increasing prevalence of prepaid products in the marketplace and some unspecified “questions [that] have arisen” led the Agencies to issue the guidance.
Under the guidance, a general-purpose prepaid card should be treated as an account subject to the CIP requirements if it provides a bank’s customer with (1) the ability to reload funds, or (2) access to credit or overdraft features. The guidance states that an account is not established until the feature is activated by cardholder registration. The guidance does not apply to non-reloadable prepaid cards or to government benefit or payroll cards that cannot be reloaded by other sources. According to the Agencies, banks should still conduct CIP on program managers or other business entities that provide non-reloadable prepaid access to end users, such as employers (except where the intermediary is a government agency).
In addition, the Agencies specify important provisions that banks should have in their contracts with third-party program managers, including ensuring that the bank has access to CIP information collected by the program manager and providing both the bank and the Agencies with the right to audit the program manager.
The guidance serves as a reminder of the seriousness with which the Agencies treat a bank’s CIP obligations. The Agencies have emphasized that collecting identifying information through CIP facilitates the other applicable anti-money laundering controls. In addition, the guidance highlights the importance of drafting prepaid program agreements that clearly delineate each party’s obligations with respect to anti-money laundering controls. Detailing bank and program manager obligations up front, and providing for audit rights to verify that those obligations are being performed, are critical to avoiding compliance problems down the road.