Banks and credit unions that issue reloadable, general purpose prepaid cards must apply Customer Identification Program (CIP) procedures to those cardholders, according to guidance issued by the federal banking regulators and FinCEN on March 21, 2016 (Guidance).1 The Guidance requires banks to treat these cardholders as “customers” for CIP purposes, even if the cardholders are not named on any account at the bank.
The Guidance aims to standardize the practice of those issuing banks that already treat prepaid cardholders as their customers when conducting CIP. That “best practice” is now a universal requirement for banks issuing general purpose reloadable (GPR) prepaid cards (i.e., cards that are not restricted to a single merchant or group of affiliated merchants). GPR programs are frequently run by third-party program managers that partner with an issuing bank and serve as the nominal accountholder at the bank, often “for benefit of” the cardholders. Because CIP requirements often focus only on the named accountholder, some issuing banks may have treated only the program manager as a customer, and thus, have not applied formal CIP procedures to the underlying cardholder.
The agencies' announcement coincides with increased attention on the money laundering and terrorist financing risks associated with prepaid access products. French authorities say the November 13, 2015 Paris attacks were financed in part using reloadable prepaid cards, and the EU has already announced plans to implement stricter AML rules on these products.2 EU rules on prepaid cards are stricter than US law in some respects,3 so US regulators may be considering further AML obligations for prepaid products in the near future.
CIP rules require banks, credit unions and certain other financial institutions to collect and appropriately verify identifying information for each “customer” opening a new “account.”4 The rules define a bank “account” as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit.”5
The FFIEC BSA/AML Examination Manual is silent on whether prepaid cardholders are “customers” opening “accounts” for CIP purposes.6 In other contexts (e.g., trusts, brokered deposits and omnibus accounts), FinCEN, banking and securities regulators have said many times that, at least absent indicia of higher money laundering risk, institutions are generally not required to look past the nominal accountholder to individuals who might be behind that account.7
Summary of the Guidance
The crux of the Guidance is that issuing banks enter into a “formal banking relationship” with GPR prepaid cardholders, and therefore the cardholders are “customers” of the bank for CIP purposes. The Guidance states that general purpose prepaid accounts—which can include cards or other access devices—exhibit characteristics that are analogous to deposit accounts, such as checking or other types of “transactional accounts” if either (1) they are reloadable, or (2) they provide access to credit/overdraft.8 Because reloading a prepaid card is similar to funding traditional deposit accounts, reloadable cards constitute a “formal banking relationship” and the holder of the card is a “customer.” Cards that are not reloadable are not “accounts” because they do not constitute a formal banking relationship. Temporary cards that can be converted to GPR cards (a common feature for cards sold at brick-and-mortar retailers, where gaining a customer's identification can be difficult) are not “accounts” until the reloadable feature is activated through a cardholder's registration.
The Guidance emphasizes that once an account is established by a cardholder, CIP is required on the cardholder even if the cardholder is not the named account holder and the cardholder's funds are held in an account titled in a third party's name (e.g., in the name of the program manager, possibly “for benefit of” the cardholders). Cardholders are also “customers” for CIP purposes even if the pooled account is set up as a trust, with the cardholders as beneficiaries (previously, FinCEN and the federal banking agencies had said that beneficiaries of a trust are not “customers” for CIP purposes.9).
The Guidance also addresses where specialized prepaid cards (e.g., payroll, government benefits) may require CIP. In general, these cardholders are considered “customers” for purposes of the CIP if the cardholders themselves can load funds independently and not through a program sponsor such as an employer or government entity.
According to the Guidance, banks may use third-party program managers or other third parties to conduct CIP on prepaid cardholders, but the bank is ultimately responsible for compliance with the CIP requirements. The Guidance states that third-party program managers are “agents” of the bank for CIP purposes. It adds that contracts between issuing banks and third-party program managers should include the following components:
- delegation of CIP obligations;
- a right for the issuing bank to obtain immediate access to all CIP information collected by the third-party program manager;
- a right for the issuing bank to periodically audit the third-party program manager and monitor its performance; and
- if applicable, a note that the relevant regulatory body has the right to examine the third-party program manager under the Bank Service Company Act.10
Implications and Open Questions
The Guidance fills in a potential gap in FinCEN's prepaid access regulations because in certain circumstances those regulations did not apply to GPR programs controlled by issuing banks. FinCEN's regulations generally state that the entity with “principal oversight and control” over a qualifying prepaid program is a “provider of prepaid access,” a type of Money Services Business (MSB).11 FinCEN requires MSBs to implement AML programs and follow other AML requirements. However, because banks by definition cannot be MSBs,12 FinCEN has said that there is no “provider of prepaid access” where the issuing bank has primary oversight and control over the program.13 The Guidance ensures that where there is no “provider” of prepaid access under FinCEN's rules, the issuing bank must fulfill a similar role by applying CIP procedures to GPR cardholders.
While it may close a gap in the application of FinCEN's regulations to certain prepaid programs, the Guidance also raises some challenges.
- The regulators' position on this issue was published as Guidance, and therefore is effective immediately. It remains to be seen whether examiners will allow for an adjustment period for those banks that have been taking a different approach.
- Issuing banks that have not yet applied CIP procedures to GPR cardholders may encounter challenges complying with the Guidance. For example, the Guidance does not address whether banks may continue servicing GPR cards held by cardholders who have not been processed through their CIP procedures. If regulators were to require suspension of card use or reload functions for these existing accounts, unexpected hardship to customers could result.
- Finally, the reasoning in the Guidance for extending CIP obligations to GPR cardholders could be applied in other contexts. Many FinTech companies use pooled accounts and bank partnerships to provide payment or other financial services to their customers. If these services allow customers to load funds or perform other bank-like functions, they too may be deemed to create a “formal banking relationship” that may require the partner bank to apply CIP procedures to those underlying customers.
1 See OCC Bulletin 2016-10, Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements for Holders of Prepaid Cards (Mar. 21, 2016).
2 See Alexander Starr, In Wake of Attacks, France Moves to Regulate Prepaid Bank Cards, NPR (Nov. 24, 2015).
3 In Europe, in some cases, identification is required to obtain non-reloadable cards, see Prepaid cards used by Paris attackers to rent hotel rooms, Hindustan Times (Nov. 29, 2015), (“In Europe it is currently possible to use without showing identification non-rechargeable cards for payments of up to 250 euros ($265) or up to 2,500 euros per year for rechargeable cards.”), while in the United States there is no requirement to show identification for non-reloadable cards.
4 See e.g. 31 C.F.R. §1020.220(a)(1) (banks); 31 C.F.R. §1023.220(a)(1) (broker-dealers).
5 31 C.F.R. §1020.100(a)(1).
6 See FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual, p. 47-55 (Customer Identification Program) and p. 227-234 (Prepaid Access).
7 See, e.g., Joint Final Rule, Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks, 68 Fed. Reg. 25,090, 25,094 (May 9, 2003) (CIP on trusts and brokered deposits).
8 Overdraft cards are not common, so, as a practical matter, the Guidance mainly applies to reloadable cards.
9 See Final Rule, Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks, 68 Fed. Reg. 25,090, 25,094 (May 9, 2003) (“For example, in the case of a trust account, the “customer” would be the trust.”).
10 See 12 U.S.C. §1867(c).
11 The prepaid access rules are complex and are subject to many exemptions. In general, however, companies that issue or sell “closed-loop” prepaid access of less than $2,000 per device per day—such as store-branded gift cards only usable at particular retailers—are not covered by the prepaid access rules. General purpose, or “open-loop” prepaid access under $1,000, is generally exempt if it was not reloadable (without prior customer verification) and could not be used internationally or support peer-to-peer transfers. See 31 C.F.R. §1010.100(ff)(4)(iii)(D) (providing full details of these exceptions).
12 See 31 C.F.R. §1010.100(ff)(8)(i).
13 See FIN-2012-R003, Application of the Prepaid Access Rule to Bank-Controlled Programs (May 23, 2012). FinCEN's regulations also deem MSBs as “sellers” of prepaid access, but often a GPR program does not have “sellers” because retail merchants sell only “temporary” prepaid cards that, before activation, lack reloadability or other features that would subject them to FinCEN's rules.