US guidance on prepaid card sector tightens scrutiny on customers, audits for key players

New guidance on customer identification duties in the prepaid sector adds a fresh layer of complexity for banks, shifting from a focus on obligations bound by contracts and dollar thresholds to if the cards are reloadable, or have credit or overdraft privileges, regardless of value.

The interagency guidance – from the government agencies tasked with examining and enforcing for anti-money laundering (AML) compliance, including the US Treasury’s Financial Crimes Enforcement Network (FinCEN) and federal banking regulators, such as the Office of the Comptroller of the Currency – marks new scrutiny around prepaid products, which have in recent memory been tied to high profile terror attacks.

The guidance is also a continuation of recent FinCEN initiatives to button up outstanding vulnerabilities in the nation’s framework to fight financial criminals and thwart terror financiers.

In the last year, the agency has expanded its use of powerful geographic targeting orders at large trading hubs, finalized rules for investment advisers and proposed rules to require the value of prepaid cards be declared at border crossings if they breach $10,000, among other moves.

The potential misuse of prepaid cards, a sector subject to AML rules since 2011, was also a thorny issue threading through the US Money Laundering Risk Assessment, released in June, a sobering document timed to roughly coincide with a broad review of the country’s  financial crime, compliance and terror countermeasures by the Paris-based Financial Action Task Force.

The guidance “conceptually makes sense,” said Jeff Sklar, managing director of SHC Consulting Group in Bellmore, NY, adding that the US government, cognizant of the recent ISIS attacks in Europe, clearly has growing fears that compliance gaps in prepaid cards could allow them to be used by criminal or terror groups. “My concern is, is it implementable.”

With the new changes, any banks involved in the prepaid card space will have to update AML processes and procedures to somehow find a way to track customers who do, or could, trip the new CIP requirements, update software and hardware systems and tweak training for direct bank staff and other players in the prepaid transaction chain.

Some of the worries by FinCEN and the banking agencies have to do with the variety of physical locations, such as local bank branches, retail stores and supermarkets, which prepaid cards can be purchased.

However, the same functionalities that make prepaid cards attractive to consumers also pose risks for banks that issue prepaid cards and process prepaid card transactions.

“For example, easy access to prepaid cards, the ability to use them anonymously, and the potential for relatively high volumes of funds to flow through pooled prepaid access accounts, make prepaid cards potentially vulnerable to criminal abuse,” according to the guidance.

Moreover, the guidance states, that the controls put in place by issuing banks and the prepaid card industry, such as limits on card value and the frequency and amount of transfers, as well as appropriate due diligence on third parties and cardholders, have helped mitigate these risks.

“However, questions have arisen regarding the application of the CIP rule to prepaid cards issued by banks, including with respect to prepaid cards issued by banks under arrangements with third-party program managers,” according to the guidance.


What should a bank do to concretely convince regulators it understands the guidance and has made the appropriate changes to be in compliance? Here is the answer:

The issuing bank should enter into well-constructed, enforceable contracts with third-party program managers that clearly define the expectations, duties, rights, and obligations of each party in a manner consistent with this guidance. For example, a binding contract or agreement should, at a minimum:

  1. Outline CIP obligations of the parties;
  2. Ensure the right of the issuing bank to transfer, store, or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
  3. Provide for the issuing bank’s right to audit the third-party program manager and to monitor its performance (generally, banks need to ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
  4. If applicable, indicate that, pursuant to the Bank Service Company Act (BSCA) or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party program manager.

Prepaid activities mirroring classic account hallmarks

The reason for the new guidance is that “certain prepaid cards exhibit characteristics that are analogous to deposit accounts, such as checking or other types of transactional accounts,” according to the guidance. “Some of these cards are linked to, and permit use of, funds held by a bank, even though the funds may be managed by, or distributed through, a third-party program manager.”

Once the cards fall under the definition of “account,” they are subject to AML duties. But that term didn’t cover the sector writ large, only certain closed loop cards, such as a Chili’s gift card, or open loop cards, such as a branded card that can be used just as anyone would use a debit or credit card.

Prior to the guidance, banks needed only to worry about AML duties tied to prepaid cards when the transactions involved closed loops cards greater than $2,000, or open loop cards above $1,000, or open loop cards with international, person-to-person capabilities or could be reloaded at non-bank operations.

In some cases, depending on the setup of the payment chain, banks were not responsible for much of the AML burden of the prepaid products bearing their name and logos if a third-party company took on the mantle of “provider of prepaid access,” a dynamic created to allow for more flexibility with prepaid programs so banks weren’t always on the hook for program oversight when they might have very little to do with the underlying customers.

Now, with the new guidance, a key part of the AML program, customer identification program (CIP) requirements for prepaid cards will be foisted on issuing banks down to the cardholder level if the card “has the ability to reload funds or has access to credit or overdraft features,” according to the guidance.

Things can get more complicated, however, as the guidance notes that in some cases, general purpose prepaid cards may be sold without the reloadable functionalities activated or credit or overdraft features enabled.

A purchaser or subsequent transferee of these cards generally may activate any one of those features only if they contact the issuing bank or the third-party program manager, which is the nexus point where some form of customer quizzing could take place.

In such cases, for purposes of the CIP rule, the guidance states regulators believe that an account is not established until a reload, credit, or overdraft feature is activated by cardholder registration, according to the guidance.


Prepaid card cheat sheet

Covered

  •  Closed Loop>$2,000
  •  Open Loop>$1,000
  •  Open Loop with international capabilities, no minimum
  •  Open Loop with person to person capabilities, no minimum
  •  Open loop with non-depository loads, no minimum

Non-Covered

  •  Closed Loop≤$2,000
  •  Government Funded
  •  Flexible Spending and Dependent Care Funded
  •  Open Loop ≤ $1,000 with no international capabilities, or loads from non-depository sources
  •  Employment wages with no international capabilities, person to person, or loads from non-depository source

Source: FDIC.


Criminals increasingly turning to prepaid cards to move, launder illicit cash

The increasing intersections between criminals and prepaid cards have been highlighted by FinCEN in several publications.

When used for illicit purposes, branded general purpose reloadable prepaid debit cards have been associated with cashing out the proceeds of fraud and being used as an alternative to cash in much the same way that money orders, travelers’ checks, and nonbank wires are used, according to the US National Money Laundering Risk Assessment, released in June.

The hefty tome, at 100 pages, mentioned the term “prepaid” nearly 70 times across a broad swath of crimes, including:

  • In 2013, in Alabama, a woman and her son-in-law were convicted of an identity theft/tax refund fraud scheme in which the woman, who worked for a debt collection company, stole identity information and provided it to her son-in-law to use to file fraudulent tax refund claims. The pair directed the IRS to pay the refunds on prepaid debit cards.
  • In 2012, in Oregon, a woman pleaded guilty to tax evasion and fraud for claiming a $2.1 million refund on her state tax return, which the Oregon Department of Revenue allowed to be paid on a single Visa prepaid debit card. The refund payment went through three levels of approval.
  • In 2012, in Wisconsin, a man pleaded guilty to drug trafficking and money laundering. He used the proceeds from selling cocaine and marijuana to buy and add value to prepaid debit cards, which he then used to buy goods and services.
  • In 2008, in California, an indictment charging nine defendants with drug trafficking and money laundering cites the use of prepaid debit cards among the methods used to launder the drug proceeds. The group allegedly used the illicit proceeds to structure cash deposits to bank accounts, buy money orders, send wire transfers to foreign banks, and buy prepaid debit cards.
  • In 2007, in New York, 12 men were indicted for illegal gambling and money laundering in connection with a Costa Rica-based gambling website and call center, referred to as a “wire room,” which set odds and managed bets on behalf of U.S.-based sports bookies. The Costa Rican wire room charged the bookies a fee for each bet that was taken. The U.S.-based bookies paid the fee by cash, prepaid debit cards, and wire transfers. On one occasion, the wire room used a Pakistan-based hawala to move money collected from bookies in the United States.
  • In 2007, in Oregon, a man was convicted of Social Security number fraud and money laundering. He used fraudulent Turkish and Bulgarian passports and U.S. visas to obtain Social Security cards in false identities. Using the false identities he applied for and received credit cards, which he used to acquire prepaid debit cards and then abandoned the credit card debt.

As well, in 2014, prepaid-related fraud activities saw an overall increase as compared to aggregated reports filed in 2012-2013 for the same activity type, according to a FinCEN analysis of SARs released last year. In 2014, in three of the four individual suspicious activity categories, references to Prepaid Access/Prepaid Card-related activity increased.

Contracts to require more third-party, regulatory oversight

One immediate outcome of the guidance is that contracts to delegate AML duties will have to be significantly changed, with a heightened emphasis on the bank and related regulatory bodies being able to get access to any CIP data held by third parties.

Banks now must clearly outline the CIP obligations of the parties, ensure that the issuing bank can obtain immediate access to all CIP information collected by the third-party program manager, provide the right for the issuing bank to audit the third-party program manager for compliance or that a relevant regulatory body can examine the third-party program manager, even if that entity is not a bank.

The guidance also makes clear that even if a bank has contracted with other groups to perform certain AML duties, the institution is still liable for failures.

“As with any other activity performed on behalf of the bank, the bank ultimately is responsible for compliance with the requirements of the bank’s CIP rule as performed by that agent or other contracted third party,” according to the guidance.

A key goal of the new guidance is to get more information for law enforcement so they can better monitor the cards most at risk for being used anonymously by criminals.

But how banks will audit third-parties or get them to audit themselves, particularly if these third-parties have never been covered fully by AML rules, could be a challenge for all parties in the prepaid payment chain, Sklar said.

As well, the push for greater prepaid oversight could tax the government in terms of finding qualified investigators. For instance, the group most likely to do the additional exam and audit work, the IRS AML division, is already stretched far too thin to easily absorb these latest duties.

Moreover, the guidance could also result in bank examiners scrutinizing the activities of third-parties just outside their realm of oversight.

But beyond the vexing issues of what regulatory group will examine prepaid card entities or review audit work, the bottom line is that the banks involved could face the brunt of any penalty pummeling.

The guidance reiterates that banks are still liable for CIP failures, even if another entity has taken responsibility for the prepaid AML program, Sklar said.

“Why would regulators let the guy with the biggest pockets off the hook,” he said.


Prepaid card compliance history

In July 2011, the US Treasury’s Financial Crimes Enforcement Network finalized rules for the prepaid card, termed prepaid access, sector by amending existing rules for money services businesses.

The rule put in place suspicious activity reporting, and customer and transactional information collection requirements on providers and sellers of certain types of prepaid access similar to other categories of MSBs.

FinCEN stated it adopted “a targeted approach to regulating sellers of prepaid access products, focusing on the sale of prepaid access products whose inherent features or high dollar amounts pose heightened money laundering risks.”

Key provisions of the final rule included:

  • That a “provider” must manage the AML program. A “Provider” of “Prepaid Access” for a prepaid access program can be designated by agreement among the participants in the program or will be determined by their degree of its oversight and control over the program – including organizing, offering, and administering the program. Providers are required to register with FinCEN.
  • The finalized rule exempts from the rule prepaid access products of $1,000 or less and pay roll products if they cannot be used internationally, do not permit transfers among users, and cannot be reloaded from a non-depository source.
  • Exempts closed loop prepaid access products sold in amounts of $2,000 or less.
  • Excludes government funded and pre-tax flexible spending for health and dependent care funded prepaid access programs.