Prepaid card industry faces tough compliance landscape as regulators increase scrutiny

(John Walsh, a member of the ACFCS Advisory Board and a leading financial crime expert, is CEO of the global risk management firm, SightSpan, Inc. He has years of experience advising prepaid card providers on anti-money laundering and compliance programs. He is one of the experts participating in the construction of the Certified Financial Crime Specialist (CFCS) certification. This piece is adapted from his article created  for the Fall 2012 issue of PayBefore. It examines the pressing compliance and regulatory challenges of the prepaid industry. For more information please visit www.paybefore.com)
Regulatory compliance is a moving target for the prepaid industry, with almost every company grappling with new regulatory requirements and trying to anticipate what’s next. Legal and regulatory compliance experts say the most critical challenge facing the prepaid industry in the US is the Consumer Financial Protection Bureau (CFPB).

There’s more at play than the bureau’s interest in general purpose reloadable (GPR) cards, for which it plans to issue rules. Professionals are closely watching how CFPB defines larger nonbank participants and its determination on federal preemption of state laws.

Not to be outdone, FinCEN’s Prepaid Access Rule has implications even for exempt businesses (and products). It is expected to issue a final rule that would define prepaid access as a monetary instrument subject to cross-border reporting, which raises a host of operational and privacy concerns.

An increase in identity theft and fraudulent tax refunds being loaded onto prepaid cards also is raising concerns among regulators and may lead to more stringent account-opening requirements. And, experts add, there is the added potential of federal and state legislation that could further raise the cost of offering prepaid products.

Consumer Financial Protection Bureau requests industry comments as it prepares rules

Since the Dodd-Frank Act laid the foundation in 2010 for the creation of this new agency, the prepaid industry has been anticipating its turn in the crosshairs. On May 23, the bureau released its first advance notice of proposed rulemaking (ANPR) targeting GPR prepaid cards.

It outlined 10 questions for public comment—on everything from how the CFPB might extend Regulation E to GPR cards and the timing and display of disclosures to linked savings and overdraft and credit facilities. Regulation E provides consumers with protections from losses in cases of fraud or account theft.

“What the CFPB will require in its proposed and final rules is at the top of the list,” says Judith Rinearson, a partner at Bryan Cave and chair of the Network Branded Prepaid Card Association’s (NBPCA) government relations working group and PayBefore contributing editor. “They’ve started by holding a hearing and asking for comments.

“They asked good questions, and I hope they’ll show creativity and flexibility in their rulemaking. But, I’m worried they could be too proscriptive about how fees are disclosed or what fees are charged.”

L. Richard (Rick) Fischer, partner at Morrison & Foerster, agrees that the CFPB’s ultimate regulation of GPR cards could have a big impact on program viability. “What the bureau does will dramatically affect what happens to the market, depending on how hard or flexible they are in their approach.”

Consumer protection on prepaid cards may have drastic industry consequences

If GPR cards are treated exactly like debit cards under Regulation E rather than like payroll cards, which benefit from modified disclosure and error resolution provisions, Fischer says, “the economics of prepaid cards would be completely blown.”

Requiring extensive disclosures at retail outlets could be challenging, and Fischer hopes the bureau will recognize that cards bought at retail are temporary. Cardholders must make a decision—and provide personal information—before receiving a permanent, reloadable card, providing an opportunity for disclosures.

John Hagy, chief legal officer for issuer MetaBank and its Meta Payment Systems division, is concerned about how far the rules may go. “There’s really no question that Reg. E consumer protections as applied to payroll will and should be applied to all GPR cards,” he says. “Should the CFPB restrict reasonable overdraft protection and small-dollar credit, however, consumers who seek these products to satisfy real life issues will be impacted.”

But Hagy says it is good news the “CFPB is taking a thoughtful and reasoned approach to rulemaking through discussions with industry and other stakeholders, conducting field hearings and acquiring data.”

CFPB seeks industry feedback, may expand regulatory oversight of prepaid providers

The CFPB received more than 200 comments on its ANPR, so the next step—issuing a proposed rule for comment—may take time. Any new regulation of the prepaid card industry could be delayed until at least early 2013, and likely beyond, while the agency sifts through comments and finalizes mortgage regulations mandated by Congress, according to Alan Kaplinsky, a partner at Ballard Spahr.

The ANPR is significant, but it is only part of the picture. Some observers believe that when the CFPB defines “larger participants” in other financial services, something it did for the credit reporting industry, some nonbank prepaid participants will be subject to CFPB supervision for the first time.

“Most people think the CFPB will eventually include some prepaid card providers and servicers within the definition of larger participants under Dodd-Frank,” notes Stefanie Jackman, an associate at Ballard Spahr, in Atlanta. “We expect an interim notice of proposed rulemaking on this… by the end of this year or early next.

“Industry participants need to take steps now to prepare through self-assessments and internal audits.” Jackman says companies need to have written policies and procedures for dealing with consumer disputes and ensuring their marketing is clear.

CFPB emerges as ‘new breed’ of aggressive regulator

Another issue is how CFPB will determine if companies are engaging in unfair, deceptive or abusive acts and practices (UDAAP), terms which it has yet to define. “The agency hasn’t given any guidance as to what those terms mean,” says Jackman. And, if you’re a financial services provider, the CFPB could take enforcement action for engaging in what it considers to be UDAAP.

“The CFPB is showing itself to be a new breed of regulator,” she adds. “It actively seeks out violations and takes a more aggressive approach to enforcement than prior regulators.”

The July joint enforcement effort by the CFPB and the Office of the Comptroller of the Currency (OCC) against Capital One, which paid $140 million in refunds to consumers as well as a $25 million penalty, could be a sign of things to come.

While the case focused on the credit market, Fischer says it is likely to influence how prepaid issuers choose partners. “The bureau and the OCC are saying— and it’s something regulatory agencies have emphasized before — if you’re a regulated entity, you are responsible for your service providers,” Fischer said. “If you see the [penalties] in that enforcement order, it shouldn’t come as a surprise that banks are going to be more careful about who their partners are. Partners hold not only their own fate but the bank’s in their hands. Ultimately, it may be more difficult for some program managers to find issuing banks.”

FinCEN’s rules still reach exempt businesses

Another regulatory issue facing prepaid companies is FinCEN’s Prepaid Access Rule, which requires providers and sellers of prepaid access, among to file suspicious activity reports (SARs), collect and retain customer and transactional information and maintain an anti-money laundering (AML) program, among other things.

Even if programs or participants are exempt from the rule, which took effect in March 31, 2012, companies still must maintain the exemptions. For example, one exemption excludes a retailer from being classified as a seller of prepaid access if it does not sell, in aggregate, more than $10,000 in prepaid access to one person in one day. It is not enough for a retailer to say it won’t exceed the threshold. Policies and procedures must ensure that it doesn’t.

“On the exemption policies and procedures, you’re required to document program specifics to show you have met your obligations,” says Elish Meyers, vice president of retail and government relations at Card Compliant. “That’s what FinCEN will look for, so it’s important to document any changes as well as existing processes that ensure compliance.”

Rinearson says large parts of the Prepaid Access Rule “were pretty balanced and recognized the difference between bank-centered and program manager-centered programs. It seemed like FinCEN [which produced FAQs and held a Webinar to explain the rule] was trying to come up with a legal approach that wouldn’t cripple the industry but would give law enforcement what it needed,” she adds.

Proposed cross-border reporting rule raises operational, privacy concerns

“We’ve heard complaints about the rule, but overall it hasn’t turned out to be a huge blow. And, I think the industry is recognizing that AML compliance is not only important but good for the industry,” Rinearson adds.

Of greater concern to many experts is FinCEN’s proposed rule, announced in October 2011, to add prepaid access devices to the list of currency and monetary instruments that individuals and businesses must report on the Currency and Monetary Instruments Report (CMIR) if they exceed $10,000 when arriving in or departing from the US. Few persons expect FinCEN to back down.

“This is so operationally unworkable, but I get the sense FinCEN doesn’t care,” says Rinearson. Fischer says the privacy concerns alone may make consumers “drop these products like a hot potato.”

“We’re talking about taking plastic out of purses and wallets at the airport or at border crossings, and the government looking into your accounts. You can’t do this without violating privacy laws,” he adds.

Fischer says in many cases you can’t tell a prepaid card from a debit card, which could also complicate matters. Instead of focusing on reloadable products, which are subject to customer identification procedures, Fischer says it would be more effective to focus on anonymous cards.

FinCEN received comments on its proposal in December 2011, but has not issued a final rule on the cross-border reporting of prepaid access.