The Federal Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and National Credit Union Administration, together with the US Department of the Treasury’s Financial Crimes Enforcement Network (the Agencies), yesterday issued interagency guidance (Guidance) discussing the applicability of Customer Identification Program (CIP) requirements to holders of prepaid cards issued by banks.
The Agencies’ current CIP regulations require banks to obtain information sufficient to form a reasonable belief regarding the identity of each “customer” who opens a new “account” at the bank. Noting (i) the wide functionality and uses of prepaid cards, (ii) the ready access to prepaid cards, (iii) the ability to use prepaid cards anonymously, and (iv) the potential for high-volume cash flows through pooled prepaid card accounts, the Guidance reminds the financial community that banks that issue or process prepaid cards must have in place “strong and effective mitigating controls” to protect against money laundering and financial crimes risks.
The Guidance applies to banks, savings associations, US branches and agencies of foreign banks, and credit unions that issue prepaid cards, including cards distributed by third-party prepaid card program managers, that result in the creation of an “account” relationship between a bank and a prepaid card holder. In this regard, the applicability of the Guidance and the resulting applicability of the CIP regulations is determined by the functionality of a prepaid card: cards covered by the Guidance would include bank-issued general purpose (“open loop”) cards that can be used with multiple unaffiliated merchants and vendors, or allow the holder to conduct banking transactions with the card, including allowing card holder access to overdrafts or credit.
The Guidance broadly requires banks that have established an “account” relationship with a “customer” through the issuance of a prepaid card, consistent with the CIP regulations, to take measures to ascertain the card holder’s identity. The Guidance clarifies the applicability of the CIP requirements to specific types of cards, including payroll cards, government benefit cards, and healthcare-related cards:
- Banks that issue payroll cards to employers should treat the employer as the bank’s customer unless the employee can access credit through the card or reload the card account from nonemployer sources, in which case the employee is the “customer.”
- Government benefit cards that only allow government funds to be loaded onto the card and do not allow the card holder access to credit are not subject to CIP requirements.
- Banks that issue healthcare-related cards where the employee establishes the account (e.g., a Health Savings Account) should treat the employee as the account “customer,” whereas cards involving an account where the employer establishes the account (e.g., a Flexible Spending Account), the employer is treated as the account “customer.”
The Guidance also sets forth the Agencies’ expectations for prepaid cards sold through third-party program managers. The Agencies state that, in the case of general-purpose, reloadable cards or cards with credit or overdraft access, the ultimate cardholders, and not the program manager (which would act here as the bank’s agent), would be treated as a bank’s customers for CIP purposes, even where a card program manager may use pooled or omnibus accounts with a bank to manage a prepaid card program, provided that it is the card holder who can activate the card’s reload or credit/overdraft features. By contrast, nonreloadable general purpose cards that do not have credit or overdraft features generally would cause the program manager, and not the card holders, to be the bank’s CIP “customer.”
The Guidance further outlines minimum contractual requirements for business relationships between issuing banks and third-party program managers, stating that such relationships should “clearly define the expectations, duties, rights and obligations of each party” consistent with the Guidance. The Guidance provides that a bank’s agreement with a third-party program manager should (i) clearly define the CIP obligations of each party, (ii) allow immediate bank access to CIP information held by the manager, (iii) give the bank audit rights over the third-party manager, and (iv) give the bank’s regulators examination rights over the third-party manager.
The Guidance is effective immediately.