Agencies and FinCEN issue guidance on applying CIP rule to prepaid cards

Introduction

On March 21 2016 the federal banking agencies(1) and the Financial Crimes Enforcement Network (FinCEN) published interagency guidance to issuing banks(2) on the application of the joint regulations implementing the customer identification programme (CIP) requirements set out in Section 326 of the USA PATRIOT Act(3) to their prepaid cards.(4) The guidance – which is largely consistent with current industry practice – clarifies that a bank should apply its CIP to the cardholders of certain prepaid cards issued by the bank and other prepaid access devices that meet the criteria in the guidance.

Prepaid cards

Prepaid cards have become almost ubiquitous in the payments marketplace. As the guidance highlights, functionalities that make prepaid cards attractive to consumers also pose risks for the banks that issue them and process such transactions. For example, easy access to prepaid cards, the ability to use them anonymously and the potential for relatively high volumes of funds to flow through pooled prepaid access accounts make prepaid cards potentially vulnerable to criminal abuse. As a result, the agencies have taken the position that banks that issue prepaid cards must establish controls to mitigate the risks. The guidance seeks to answer questions that have arisen regarding the application of the CIP rule to prepaid cards issued by banks.

CIP rule

In 2003 the agencies issued the CIP rule, which requires a bank to obtain sufficient information to form a reasonable belief regarding the identity of each customer opening a new account.(5) The bank's CIP must include risk-based procedures for verifying its customers' identities to a reasonable and practicable extent. In particular, the CIP rule requires banks to implement a CIP that includes certain minimum requirements. For example, a bank's CIP must include:

• procedures for opening an account that include, at a minimum, obtaining a name, date of birth, address and identification number from a customer who is an individual; and
• identity verification procedures that describe when and how the bank will verify the customer's identity using documentary or non-documentary methods.

The guidance clarifies that certain prepaid cards issued by a bank should be subject to the bank's CIP, including those prepaid cards issued through arrangements with third-party programme managers when the bank has no other relationship with a cardholder. The guidance also clarifies that a bank's obligations under the CIP rule are distinct from any obligations of a programme manager under other anti-money laundering regulations. To determine whether CIP requirements apply to holders of prepaid cards, the bank should first determine whether the issuance of a prepaid card results in the creation of an account and, if so, identify the bank's customer for the account.

Determining existence of 'account'

The guidance states that prepaid cards should be treated as 'accounts' if they provide a cardholder with:

• the ability to reload funds; or
• access to credit or overdraft capability.

The agencies view these attributes as being comparable to those of a deposit or loan product – both of which are accounts under the CIP rule. The ability to reload funds is given general meaning by the agencies in the guidance so that it includes the addition of funds to a card by consumers, corporate entities and governments by any method (eg, peer-to-peer or automated clearing house). The guidance does not discuss whether inadvertent overdrafts (eg, resulting from below-floor-limit transactions) create an account relationship; however, references to "overdraft features" and "an overdraft line" in the guidance suggest that the agencies have focused on intentional overdraft capabilities.

General-purpose prepaid cards sold with reloading, credit or overdraft features that can be activated only by registering with the issuer or the programme manager do not constitute accounts for purposes of the CIP rule until the reloading, overdraft or credit feature is activated by cardholder registration. The guidance also provides that even when reloadable, closed-loop prepaid cards (ie, cards which may be used to make purchases only at a single merchant or group of affiliated merchants) do not result in an account because their attributes are not comparable to a deposit product.

Customer identification and verification

If the issuance of a prepaid card is considered the opening of an account, the issuing bank must apply its CIP to the account customer.(6) The guidance discusses how this requirement applies to common prepaid arrangements.

Prepaid cardholders and third parties

For general-purpose prepaid cards with reload functionality or access to credit or overdraft features, the bank's 'customer' is the cardholder. This is true even when funds are held in pooled accounts on behalf of a programme manager for the benefit of the cardholders. For closed-loop prepaid cards and general-purpose prepaid cards without reload functionality or access to credit or overdraft features, the only 'account' is the pooled account, and the bank's customer is the programme manager in whose name the pooled account has been established.

Payroll cards

If the employer (or the employer's agent) is the only party that may deposit funds into the payroll card pooled account, the employer should be considered the bank's customer and the bank need not apply its CIP to each employee. By contrast, if the employee is permitted to access an overdraft or credit through the payroll card or reload the payroll card account from sources other than the employer, the employee is the bank's customer and the bank should apply its CIP to the employee.

Government benefit cards

Government benefit cards vary as to whether cardholders may load funds unconnected to the benefit programme onto the card and whether they provide access to overdrafts or credit. If the programme permits only government funds to be loaded onto the card and does not provide access to overdrafts or credit, the bank has no CIP obligations.(7) However, if the programme allows non-government funds to be loaded onto the card or provides access to overdrafts or credit, the cardholder is the bank's customer, on whom the bank should perform its CIP.

Health savings accounts

In the case of accounts established by an employee to pay or obtain reimbursement for qualifying medical expenses, the employee is the bank's customer because he or she established the account.

Flexible spending arrangements (FSAs) and health reimbursement arrangements (HRAs)

In the case of accounts established by an employer and funded by either voluntary withholdings from an employee's salary (FSAs only) or through direct employer contributions (FSAs and HRAs), the employer should be considered the bank's customer because no party other than the employer (or its agent) establishes and funds an account.

Contracts with third-party programme managers

The guidance also advises banks to enter into well-constructed, enforceable contracts with third-party programme managers that clearly define the expectations, duties, rights and obligations of each party in a manner consistent with the guidance. At a minimum, each such contract should:

• outline the parties' CIP obligations;
• ensure the bank's right to transfer, store or otherwise obtain immediate access to all CIP information on cardholders collected by the third-party programme manager;
• provide for the bank's right to audit the third-party programme manager and monitor its performance (generally, banks must ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
• if applicable, indicate that, pursuant to the Bank Service Company Act or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party programme manager.

For further information on this topic please contact Joel D Feinberg, David E Teitelbaum or Stanley J Boris at Sidley Austin LLP by telephone (+1 202 736 8000) or email ([email protected], [email protected] or [email protected]). The Sidley Austin website can be accessed at www.sidley.com.

Endnotes

(1) The federal banking agencies are the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA) and the Office of the Comptroller of the Currency (OCC).

(2) For purposes of the guidance, the term 'issuing bank' means the bank that authorises use of the prepaid card. A 'bank' is any commercial bank, savings association, credit union or US branch of a foreign bank.

(3) 68 Fed Reg 25090 (May 9 2003) codified at 31 CFR Section 1020.220 (FinCEN); 12 CFR Section 21.21 (OCC); 12 CFR Sections 208.62(b)(2) and 211.24(j)(2) (FRB); 12 CFR Section 326 (FDIC); and 12 CFR Section 748.2 (NCUA).

(4) Prepaid cards include those sold and distributed by third-party programme managers as well as cards that are used to provide employee wages, healthcare and government benefits.

(5) 31 CFR Sections 1020.100(c) and (a).

(6) 31 CFR Section 1020.100(c)(1)(i).

(7) This results from the lack of a relationship having been established with the cardholder and the exemption from the definition of 'customer' in the CIP rule of any department or agency of the United States, of any state or political subdivision of any state.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.