We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
08 April 2016
On March 21 2016 the federal banking agencies(1) and the Financial Crimes Enforcement Network (FinCEN) published interagency guidance to issuing banks(2) on the application of the joint regulations implementing the customer identification programme (CIP) requirements set out in Section 326 of the USA PATRIOT Act(3) to their prepaid cards.(4) The guidance – which is largely consistent with current industry practice – clarifies that a bank should apply its CIP to the cardholders of certain prepaid cards issued by the bank and other prepaid access devices that meet the criteria in the guidance.
Prepaid cards have become almost ubiquitous in the payments marketplace. As the guidance highlights, functionalities that make prepaid cards attractive to consumers also pose risks for the banks that issue them and process such transactions. For example, easy access to prepaid cards, the ability to use them anonymously and the potential for relatively high volumes of funds to flow through pooled prepaid access accounts make prepaid cards potentially vulnerable to criminal abuse. As a result, the agencies have taken the position that banks that issue prepaid cards must establish controls to mitigate the risks. The guidance seeks to answer questions that have arisen regarding the application of the CIP rule to prepaid cards issued by banks.
In 2003 the agencies issued the CIP rule, which requires a bank to obtain sufficient information to form a reasonable belief regarding the identity of each customer opening a new account.(5) The bank's CIP must include risk-based procedures for verifying its customers' identities to a reasonable and practicable extent. In particular, the CIP rule requires banks to implement a CIP that includes certain minimum requirements. For example, a bank's CIP must include:
The guidance clarifies that certain prepaid cards issued by a bank should be subject to the bank's CIP, including those prepaid cards issued through arrangements with third-party programme managers when the bank has no other relationship with a cardholder. The guidance also clarifies that a bank's obligations under the CIP rule are distinct from any obligations of a programme manager under other anti-money laundering regulations. To determine whether CIP requirements apply to holders of prepaid cards, the bank should first determine whether the issuance of a prepaid card results in the creation of an account and, if so, identify the bank's customer for the account.
The guidance states that prepaid cards should be treated as 'accounts' if they provide a cardholder with:
The agencies view these attributes as being comparable to those of a deposit or loan product – both of which are accounts under the CIP rule. The ability to reload funds is given general meaning by the agencies in the guidance so that it includes the addition of funds to a card by consumers, corporate entities and governments by any method (eg, peer-to-peer or automated clearing house). The guidance does not discuss whether inadvertent overdrafts (eg, resulting from below-floor-limit transactions) create an account relationship; however, references to "overdraft features" and "an overdraft line" in the guidance suggest that the agencies have focused on intentional overdraft capabilities.
General-purpose prepaid cards sold with reloading, credit or overdraft features that can be activated only by registering with the issuer or the programme manager do not constitute accounts for purposes of the CIP rule until the reloading, overdraft or credit feature is activated by cardholder registration. The guidance also provides that even when reloadable, closed-loop prepaid cards (ie, cards which may be used to make purchases only at a single merchant or group of affiliated merchants) do not result in an account because their attributes are not comparable to a deposit product.
If the issuance of a prepaid card is considered the opening of an account, the issuing bank must apply its CIP to the account customer.(6) The guidance discusses how this requirement applies to common prepaid arrangements.
Prepaid cardholders and third parties
For general-purpose prepaid cards with reload functionality or access to credit or overdraft features, the bank's 'customer' is the cardholder. This is true even when funds are held in pooled accounts on behalf of a programme manager for the benefit of the cardholders. For closed-loop prepaid cards and general-purpose prepaid cards without reload functionality or access to credit or overdraft features, the only 'account' is the pooled account, and the bank's customer is the programme manager in whose name the pooled account has been established.
If the employer (or the employer's agent) is the only party that may deposit funds into the payroll card pooled account, the employer should be considered the bank's customer and the bank need not apply its CIP to each employee. By contrast, if the employee is permitted to access an overdraft or credit through the payroll card or reload the payroll card account from sources other than the employer, the employee is the bank's customer and the bank should apply its CIP to the employee.
Government benefit cards
Government benefit cards vary as to whether cardholders may load funds unconnected to the benefit programme onto the card and whether they provide access to overdrafts or credit. If the programme permits only government funds to be loaded onto the card and does not provide access to overdrafts or credit, the bank has no CIP obligations.(7) However, if the programme allows non-government funds to be loaded onto the card or provides access to overdrafts or credit, the cardholder is the bank's customer, on whom the bank should perform its CIP.
Health savings accounts
In the case of accounts established by an employee to pay or obtain reimbursement for qualifying medical expenses, the employee is the bank's customer because he or she established the account.
Flexible spending arrangements (FSAs) and health reimbursement arrangements (HRAs)
In the case of accounts established by an employer and funded by either voluntary withholdings from an employee's salary (FSAs only) or through direct employer contributions (FSAs and HRAs), the employer should be considered the bank's customer because no party other than the employer (or its agent) establishes and funds an account.
The guidance also advises banks to enter into well-constructed, enforceable contracts with third-party programme managers that clearly define the expectations, duties, rights and obligations of each party in a manner consistent with the guidance. At a minimum, each such contract should:
For further information on this topic please contact Joel D Feinberg, David E Teitelbaum or Stanley J Boris at Sidley Austin LLP by telephone (+1 202 736 8000) or email (email@example.com, firstname.lastname@example.org or email@example.com). The Sidley Austin website can be accessed at www.sidley.com.
(1) The federal banking agencies are the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA) and the Office of the Comptroller of the Currency (OCC).
(2) For purposes of the guidance, the term 'issuing bank' means the bank that authorises use of the prepaid card. A 'bank' is any commercial bank, savings association, credit union or US branch of a foreign bank.
(3) 68 Fed Reg 25090 (May 9 2003) codified at 31 CFR Section 1020.220 (FinCEN); 12 CFR Section 21.21 (OCC); 12 CFR Sections 208.62(b)(2) and 211.24(j)(2) (FRB); 12 CFR Section 326 (FDIC); and 12 CFR Section 748.2 (NCUA).
(7) This results from the lack of a relationship having been established with the cardholder and the exemption from the definition of 'customer' in the CIP rule of any department or agency of the United States, of any state or political subdivision of any state.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.