This article was originally published on CUInsight.

As financial institutions become ever more vigilant in monitoring for suspicious activity, it seems that criminals find ever more inventive ways to launder money and commit financial crimes. One of the more recent tactics involves using “dirty” money to purchase prepaid cards that can then be used by, sold by, or transferred to other parties.
As a result, federal regulatory agencies recommend financial institutions apply their Customer Identification Program (CIP) when they issue prepaid cards.

A Joint Guidance

On March 21, the federal financial regulatory agencies issued a joint guidance entitled Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards. The writers of the guidance acknowledge that prepaid cards have become mainstream and warrant close monitoring.
More importantly, they acknowledge that cards are being used to perform functions similar to those of accounts at financial institutions. Therefore, prepaid cards that give the cardholder the ability to reload funds or access credit or overdraft features should be treated in the same manner as accounts for the purpose of CIP.
The Guidance excludes cards that don’t allow either or both of the two activities; such cards do not trigger the need to apply your CIP. It’s also important to know that a footnote in the Guidance states that the term “prepaid card” also includes other similar devices, such as certain prepaid access products offered through mobile or internet sites that can be used to access funds.

Two Questions

In order to understand the guidelines, you need to know the answer to two questions:
(1) Which prepaid cards are covered by the guidelines, and
(2) How do you determine where to apply your CIP procedures?

Which Prepaid Cards Are Covered in the Guidelines?

The guidelines cover a number of different prepaid card products, which include general-purpose prepaid cards that can be used at multiple, unaffiliated merchant locations and allow the cardholder to perform a variety of transactions, such as ATM withdrawals, point of sale purchases, bill payment, and transferring to and/or receiving funds from other cardholders.
Prepaid cards include the payroll cards used by some employers to pay employees and provide other benefits, such as pre-tax flexible spending arrangements for healthcare or dependent care expenses. The Electronic Benefit Cards (EBTs) used by government agencies to distribute benefit payments, as well as prepaid cards attached to Health Savings Accounts and other similar accounts, also fall under this Guidance’s coverage.
In addition, financial institutions are not only expected to apply their CIP to covered prepaid cards they issue; they are also responsible for applying those same CIP procedures to prepaid cards issued under an arrangement with a third-party program manager, even if the actual collection of the CIP documentation is performed by the third party.

On Whom Do I Apply My CIP?

That brings us to the second important question: how do you determine the correct party on whom to apply your CIP procedures in these various circumstances? In other words, how do you identify the “C” of “CIP”? The CIP rule tells us that the Customer should be the named accountholder. But who is the named accountholder? The Guidance provides a discussion of various scenarios.
Here is a quick reference guide:

  • For general-purpose prepaid cards issued by the financial institution, the cardholder should be considered the named accountholder;
  • If the prepaid card is issued by a third-party program manager, but the cardholder has the ability to reload the card or has access to credit or overdraft features, the cardholder should be considered the named accountholder, even if the third-party program manager established a pooled account with your institution in which the funds are held on behalf of the cardholders;
    • If the prepaid cards issued by a third-party program manager are non-reloadable and do not include credit or overdraft features, then the third-party program manager in whose name the pooled account has been established should be considered the named accountholder. Thus, in this case, the CIP should be applied to the third party;
  • For payroll cards, the CIP procedures should be applied to the employer who has established the payroll account at the financial institution, as long as the employer is the only party who can deposit funds to the account.
    • If individual employees are permitted to access credit through the payroll card or in order to reload the payroll card, the CIP should then be applied to each individual employee.

A similar analysis applies to EBTs.

  • If the government agency is the only party that can deposit funds to the account and the recipient is not provided with access to credit or overdraft services, no CIP needs to be conducted, as government agencies are exempt from the CIP rule.
    • However, if the recipient can load non-government funds on the card or has access to credit or overdraft services, then the recipient must be identified under CIP.
  • Health Savings Accounts are established by the employee, and either the employee or the employer may contribute to the account. Your CIP procedures should be applied to the employee;
  • Flexible Spending Arrangements (FSAs) and Health Reimbursement Arrangements (HRAs) are also established by the employer and can be funded by the employee or through direct employer contributions. Because these accounts are established by the employer (or the employer’s agent), the CIP should be applied to the employer only.

Think of it this way: whoever has access to credit, reloading, or overdraft features should be the named accountholder in your CIP.

Minimum Requirements When Third-Party Program Managers Handle Your Prepaid Cards

The Guidance provides minimum standards that contracts with third-party program managers must meet. When financial institutions want to enter into such a contract, they must identify:

  • The CIP obligations of the parties;
  • The right of the issuing financial institution to transfer, store, or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
  • The right of the issuing financial institution to audit the third-party program manager and to monitor its performance; and
  • If applicable, whether or not the relevant regulatory body has the right to examine the third-party program manager.

For more information, the complete text of the Guidance can be found here.

Jane Pannier
Prior to joining AffirmX in July 2012, Ms. Pannier was President and CEO of a federal credit union. Ms. Pannier also previously served as Senior Compliance Counsel for the National Association of Federal Credit Unions (NAFCU) and Director of its Regulatory Compliance Department.
In addition to her expertise in the legal and regulatory fields, Ms. Pannier has 20 years of credit union operational experience having previously served in a variety of capacities, such as Credit Manager, Director of Research and Development, and Vice President of Marketing.
Ms. Pannier holds a Bachelor of Science degree in Economics from Towson University and a Juris Doctorate from the University of Maryland School of Law. Ms. Pannier is a member of the Maryland Bar Association and the American Bar Association and has served on the faculty of the NAFCU Compliance School, the CUNA Mortgage Lending School and the Credit Union Executive Society School of Business Lending.