Nebraska Bankers Association

OCC PREPAID ACCESS PROGRAMS GUIDANCE (NATIONAL BANKS)

I.        INTRODUCTION

The Office of the Comptroller of the Currency (OCC) has issued guidance for national banks on prepaid access programs.  National banks that offer consumers access to prepaid funds are exposed to a variety of risks, including potential fraud and money laundering, due to the complexity associated with the design, delivery, and increased functionality of prepaid access products.  When such products or any components supporting them are outsourced to a third-party service provider, the risks are often more challenging to manage, especially risks related to fraud, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), and Office of Foreign Assets Control (OFAC) compliance requirements.  The bulletin provides guidance to banks to ensure they develop and implement a comprehensive risk management program that reflects the nature and complexity of prepaid access products.  It supplements, and should be used in conjunction with, existing OCC guidance on retail payment systems, prepaid cards, and third-party service providers.

Prepaid access refers to a wide range of devices that facilitate consumers’ access to money electronically, including general purpose reloadable cards, payroll cards, government benefit cards, retail gift cards, mobile phones, and Internet sites.  The consumer is able to add and store funds on the device and use it to spend or withdraw the funds from a variety of sources.

An effective prepaid access program begins with a thorough assessment of how the product fits within the bank’s overall business strategy and risk appetite.  The program should be governed by written policies and procedures that are well understood and accessible by those who implement the program as well as those who evaluate its effectiveness.  Facilitating access to prepaid funds has the potential to introduce new risks that require specific expertise, staffing levels, and audit and compliance testing.

II.        RISK MANAGEMENT EXPECTATIONS FOR PREPAID ACCESS PROGRAMS

National banks that offer prepaid access devices to consumers should have a comprehensive risk management program to identify, measure, monitor and control the risks related to these products.  Components of a comprehensive risk management program include:

  • clearly defined objectives, expectations, and risk limits for the products offered;
  • policies and procedures to govern the prepaid access program, including a due diligence process for selecting third-party service providers and an oversight process for monitoring performance, fraud losses, and suspicious activity;
  • policies and procedures to ensure all disclosures to consumers about pricing, fees, transaction limits, and other program requirements and restrictions are clearly outlined;
  • robust audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations; and
  • parameters for reporting to the bank’s board of directors, to enable the board to periodically evaluate management’s effectiveness in executing the prepaid program and to determine if the program is achieving stated objectives.

A.       Objectives and Risk Parameters

An effective prepaid program begins with a thorough assessment of how the product fits within the bank’s overall business strategy and risk appetite.  The board of directors should ensure it understands how the program is expected to operate, the level and nature of risks it will bring to the bank, and its projected costs and revenues.  In consultation with bank management, the board should establish risk limits for the program and outline expectations for compliance and performance reporting.

In setting risk limits and other program guidelines, the board of directors or its designee should:

  • consult with relevant functional areas within the bank to gather data sufficient to understand the program’s requirements, such as the need for expertise, staffing, and infrastructure, and the costs associated with these requirements.  Relevant functional areas would include, for example, operations, information technology, audit, compliance and legal.
     
  • identify specific program objectives, such as expected growth rates and size of the program in relation to the bank’s total assets or capital.
     
  • outline performance criteria, such as qualitative and quantitative benchmarks to evaluate success of the product; variance analyses (actual results versus projections) to detect and address adverse trends in a timely manner; and specific thresholds that, if met, would result in management taking action to change or discontinue the program.
     
  • require periodic review of the program by the board of directors to determine whether changes in product capabilities, regulatory requirements, competitive factors, or other aspects of the business model result in changes to the bank’s risk/reward analysis for the program.   

B.        Policies, Procedures, and Due Diligence

A prepaid program should be governed by written policies and procedures that are well understood and accessible by those who implement the program as well as those who evaluate its effectiveness.  Roles and responsibilities of affected personnel should be clearly defined.  Procedures should include an exit strategy in the event the product fails to perform as expected.

If the program includes a third-party service provider, policies and procedures should guide the bank’s evaluation, selection, and oversight of the third party’s activities.  National banks should perform a due diligence review of potential third-party service providers.  Such a review would include a thorough background check of the third-party provider and its significant principals, evaluation of the company’s financial condition, assessment of operational and risk management processes, its history of regulatory compliance and prior banking relationships, and results of information security and business continuity testing.

Once the third-party service provider is selected, the arrangement with the third-party service provider should be governed by a well-constructed, enforceable service contract that clearly defines expectations, duties, rights, and obligations of each party.  A binding contract or agreement should include, at a minimum:

  • the scope of the relationship and explicit details about all services to be performed by the service provider, including training of employees and customer service.
     
  • a complete description of the costs and fees for services, the parties responsible for payment, and any conditions under which the cost structure may be changed or the relationship may be terminated without penalties.
     
  • responsibilities for providing and receiving information, including the frequency and types of reports, consumer complaints, materiality thresholds, and procedures in the event of service disruption or security breaches that pose a material risk to the bank.
     
  • plans for business resumptions, continuity, and contingencies in the event of problems affecting the third-party provider’s operations.  These plans should outline each party’s responsibilities, provide for testing of plans and the frequency of testing, and state the bank’s right to obtain the results of such tests.
     
  • a clause that outlines the BSA/AML and OFAC obligations of the parties, including monitoring and reporting suspicious activity.
     
  • a clause that provides for the national bank’s right to audit the third-party provider to monitor its performance.  Generally, banks need to ensure that periodic independent internal and/or external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations.
     
  • a clause outlining the OCC’s authority to examine the third-party service provider under the Bank Service Company Act, and assess the provider’s ability to perform under its contractual obligations.
     
  • a clause that defines (1) how the parties will share information about fraud losses and suspicious activity and (2) the process for sharing and/or indemnifying losses.
     
  • a clause outlining the authority of the national bank to terminate the relationship.

C.        Audit and Compliance Functions

Before launching a prepaid program, a bank should review its audit and compliance functions to ensure they are sufficient to cover the risks posed by the new program. Facilitating access to prepaid funds has the potential to introduce new risks that require specific expertise, staffing levels, and audit/compliance testing to monitor for deficiencies and identify corrective action.  For example, consumer protection and BSA/AML requirements can be very challenging to manage without the appropriate infrastructure. For some components outsourced to a third party, ensuring compliance may require a different approach and additional expertise beyond current bank staff knowledge.

When expanding audit and compliance functions to accommodate prepaid programs, national banks should:

  • ensure the audit and compliance functions provide for sufficient consumer protection transaction testing.  Testing should ensure all fees are clearly disclosed, and a sample of accounts should be tested to verify that fees are assessed as disclosed.  Such programs should also provide for testing of BSA/AML and OFAC compliance.  This testing should include samples from both in-house and outsourced components, and should broadly cover the number of alerts generated and suspicious activity report filings.  Banks may use existing fraud, Gramm-Leach-Bliley Act (GLBA), and OFAC monitoring programs to ensure appropriate coverage.
     
  • include procedures to evaluate any proposed changes or additions to the product prior to implementation, to ensure that all risks are considered.

D.        Parameters for Reporting to the Board of Directors

The board of directors should receive periodic reports from bank management that allow the board to determine whether the prepaid access program is operating within established risk limits, and is achieving stated objectives and financial results.  Such reports may include: 

  • performance benchmarks, such as Service Level Agreements and Key Performance Indicators, and the program’s performance against those measures. These benchmarks should include trends as well as point-in-time performance.
     
  • comparison of the program’s activity against board-established risk tolerances.
     
  • variance reports.
     
  • summaries of suspicious activity monitoring and reporting.
     
  • fraud loss reports, including volume and type of fraud (such as account takeover and identity theft).
     
  • results of audits and regulatory compliance reviews.
     
  • a summary of service disruptions or security breaches that occurred since the last report.

III.       CONCLUSION

The OCC supports national banks’ participation in prepaid access programs to meet consumer needs and diversify sources of revenue.  To limit potential risks to banks and consumers, however, national banks should implement comprehensive risk management programs that provide appropriate oversight and controls commensurate with the risk, complexity of the activities, and use of any third-party providers to facilitate the prepaid programs.

Nebraska Bankers Association

233 South 13th Street, Suite 700
Lincoln, NE 68508
402-474-1555