I. INTRODUCTION
The Federal financial institution regulatory agencies (Agencies) have issued guidance clarifying the applicability of the Customer Identification Program (CIP) rule to prepaid cards issued by banks. The guidance applies to banks and savings associations. Prepaid cards include those that are sold and distributed by third-party program managers, as well as cards that are used to provide employee wages, healthcare, and government benefits.
The guidance clarifies that a bank’s CIP should apply to the holders of certain prepaid cards issued by the institution as well as holders of such prepaid cards purchased under arrangements with third-party program managers that sell, distribute, promote, or market the prepaid cards on the bank’s behalf. The guidance describes when, in accordance with the CIP rule, the bank should obtain information sufficient to reasonably verify the identity of the cardholder, including at a minimum, obtaining the name, date of birth, address, and identification number, such as the Taxpayer Identification Number of the cardholder.
In order to determine if CIP requirements apply to purchasers of prepaid cards, the bank should first determine whether the issuance of a prepaid card to a purchaser results in the creation of an account; and if so, ascertain the identity of the bank’s customer. As discussed below, these determinations depend on the functionalities of the prepaid card issued.
The Agencies have made clear that the money laundering and other financial crime risks faced by banks that issue prepaid cards and process prepaid card transactions require the implementation of strong and effective mitigating controls. Controls put in place by issuing banks and the prepaid card industry, such as limits on card value and the frequency and amount of transfers, as well as appropriate due diligence on third parties and cardholders, have helped mitigate these risks. However, questions have arisen regarding the application of the CIP rule to prepaid cards issued by banks, including with respect to prepaid cards issued by banks under arrangements with third-party program managers.
II. DETERMINING THE EXISTENCE OF AN "ACCOUNT"
An “account” is defined in the CIP rule as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit.” An account also includes “a relationship established to provide a safety deposit box or other safekeeping services or to provide cash management, custodian, or trust services.” An account does not include “products and services for which a formal banking relationship is not generally established with a person, such as check cashing, wire transfer, or the sale of a check or money order.” For CIP purposes, an account does not include any account that the bank acquires, or accounts opened, to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.
Certain prepaid cards exhibit characteristics that are analogous to deposit accounts, such as checking or other types of transactional accounts (general purpose prepaid cards may include features that permit the cardholder to make and receive payments or transfers by non-card means, such as by Automated Clearing House (ACH), wire, check, or mobile phone message, activities that are also conducted through an account. For example, a cardholder may be able to pay a bill by logging on to the issuing bank’s Website and initiating an ACH payment to the biller. A cardholder also may be permitted to make and receive payments using a prepaid card, such as through a cardholder-to-cardholder transfer, a transfer to the cardholder’s savings account, or a transfer to another person’s transaction account at the issuing bank. If these features could result in the reloading of the general purpose prepaid card, then the card should be treated as an “account.”). Some of these cards are linked to, and permit use of, funds held by a bank, even though the funds may be managed by, or distributed through, a third-party program manager. For purposes of the CIP rule, prepaid cards that provide a cardholder with (1) the ability to reload funds or (2) access to credit or overdraft features should be treated as accounts.
A. General Purpose Prepaid Cards With the Ability to Reload Funds
General purpose prepaid cards may be reloaded by the cardholder or another party on behalf of the cardholder in a manner that is similar to the way in which funds can be added to a traditional deposit, asset, or transaction account. Therefore, the Agencies believe that issuing a general purpose prepaid card with those features creates a formal banking relationship and is equivalent to opening an account for purposes of the CIP rule. By contrast, the issuance of a general purpose prepaid card that, under the program’s terms, cannot be reloaded by a cardholder or another party on behalf of the cardholder, does not establish an account for CIP purposes. These cards do not bear the characteristics of a typical deposit, transaction, or asset account because they do not permit the cardholder or other party on behalf of the cardholder to reload funds. Therefore, the Agencies believe these cards do not create a formal banking relationship.
B. General Purpose Prepaid Cards With Access to Credit or Overdraft Features
General purpose prepaid cards may permit withdrawals in excess of the card balance and also may provide the cardholder with access to an overdraft line or an established line of credit similar to a lender/borrower or credit card relationship. The Agencies believe that a card that permits either functionality constitutes a formal banking relationship with the issuing bank and is an account for purposes of the CIP rule.
C. Activation of General Purpose Cards
In some cases, general purpose prepaid cards may be sold without the reloadable functionalities activated or credit or overdraft features enabled. A purchaser or subsequent transferee of these cards generally may activate any one of those features only if they contact the issuing bank or the third-party program manager. In such cases, for purposes of the CIP rule, the Agencies believe that an account is not established until a reload, credit, or overdraft feature is activated by cardholder registration.
III. IDENTIFYING THE CUSTOMER
Once an account has been established, the bank must identify the customer for purposes of the CIP rule. Under the CIP rule, a person that opens a new account is deemed a customer. To verify the identity of the person opening the account, the final CIP rule’s preamble explains that a bank need only verify the identity of the named accountholder. The following describes how these principles should apply to different types of prepaid cards.
A. Prepaid Cardholders and Third Parties
When a general purpose prepaid card issued by a bank allows the cardholder to conduct transactions evidencing a formal banking relationship, such as by adding monetary value or accessing credit, the cardholder should be considered to have established an account with the bank for purposes of the CIP rule. Further, the cardholder should be treated as the bank’s customer for purposes of the CIP rule, even if the cardholder is not the named accountholder, but has obtained the card from an intermediary who uses a pooled account with the bank to fund bank-issued cards.
As a general matter, third-party program managers should be treated as agents of the bank for purposes of the CIP rule, rather than as the bank’s customer. The preamble to the final CIP rule makes clear that the rule does not affect a bank’s authority to contract for services to be performed by a third party either on or off the bank’s premises, nor does it alter a bank’s authority to use an agent to perform services on its behalf. However, as with any other activity performed on behalf of the bank, the bank ultimately is responsible for compliance with the requirements of the bank’s CIP rule as performed by that agent or other contracted third party.
Third-party program managers may establish pooled accounts in their names for the purpose of holding funds “on behalf of” or “in trust for” cardholders or processing transactions on behalf of other issuing banks. However, the fact that these funds are held in a pooled account should not affect the status of the cardholder as a bank customer, assuming the cardholder has established an account with the bank by activating the reloadable functionalities of a general purpose prepaid card, or its credit or overdraft features.
In the case of non-reloadable general purpose prepaid cards without credit or overdraft features, or other prepaid cards that do not have the identified features that establish an account for purposes of the CIP rule, such as closed-loop prepaid cards, the third-party program manager in whose name the pooled account has been established should be considered to be the only customer of the issuing bank and should be subject to requirements of the bank’s CIP policies and procedures. In these cases, the issuing bank need not “look through” the pooled account to verify the identity of each cardholder.
1. Payroll Cards
Payroll cards are cards that enable an employee to access funds in accounts that are established directly or indirectly by an employer and to which the employer (or a third party acting on the employer’s behalf) is able to transfer the employee’s wages, salary, bonuses, travel reimbursements, or other compensation. Typically, the employer (or the employer’s agent) opens an account with a bank and provides each of its employees with a card that can be used to access the employee’s share of the account. The employer (or the employer’s agent) then transfers the employee’s wages, salaries, or other compensation into the account or subaccount, rather than distributing a check to the employee.
If the employer (or the employer’s agent) is the only person that may deposit funds into the payroll card account, the employer should be considered the bank’s customer for purposes of the CIP rule. In that case, the bank need not apply its CIP to each employee. The employer should be considered to be the customer even if there are subaccounts that are attributable to each employee. By contrast, if the employee is permitted to access credit through the card, or reload the payroll card account from sources other than the employer, the employee should be the customer of the bank and the bank should apply its CIP to the employee.
2. Government Benefit Cards
Government benefit cards (also referred to as Electronic Benefit Transfer Cards) are cards issued under government benefit programs to distribute government benefits or other payments. Government benefit programs vary as to whether beneficiary-cardholders are permitted to load funds unconnected to the government benefit program onto the card, and whether they provide access to credit. If the government benefits card program permits only government funds to be loaded onto the card and does not provide access to credit, no customer relationship is established between the bank and the beneficiary-cardholder for purposes of the CIP rule. In addition, since the term “customer” does not include a department or agency of the United States, of any state, or any political subdivision of any state, a bank that issues such a government benefit card is not required to apply its CIP to the government agency establishing the benefit card account. If, however, the card allows non-government funds to be loaded onto the card or provides access to credit, then a customer relationship is established between the bank and the beneficiary-cardholder and the bank should collect CIP information from the beneficiary cardholder.
3. Health Benefit Cards
Prepaid cards can also be used to access funds in a Health Savings Account (HSA), or accounts established as part of a Flexible Spending Arrangement (FSA) or Health Reimbursement Arrangement (HRA). While HSAs, FSAs, and HRAs are all used to set aside tax-exempt funds for certain medical expenses, these arrangements may differ with respect to who may establish the account, deposit funds into the account, or access funds in the account. Therefore, the person or entity that should be considered to be the issuing bank’s customer for CIP purposes will differ.
Health Savings Accounts are accounts established by an employee to pay or obtain reimbursement for qualifying medical expenses. Such reimbursement may be issued on a prepaid card. The employee establishing the account or the employer may contribute to the HSA. Because the employee establishes the account, the employee is the issuing bank’s customer for purposes of the CIP rule.
Flexible Spending Arrangements and Health Reimbursement Arrangements are established by an employer and funded by either voluntary withholdings from an employee’s salary (in the case of FSAs only) or through direct employer contributions (in the case of FSAs and HRAs). The employee may use a debit card, credit card, or prepaid card for certain qualified medical expenses. Because no person other than the employer (or employer’s agent) establishes an FSA or HRA, makes deposits into the FSA or HRA, and distributes funds from the FSA or HRA, the employer should be the issuing bank’s customer for purposes of the CIP rule.
IV. CONTRACTS WITH THIRD-PARTY PROGRAM MANAGERS
The issuing bank should enter into well-constructed, enforceable contracts with third-party program managers that clearly define the expectations, duties, rights, and obligations of each party in a manner consistent with this guidance. For example, a binding contract or agreement should, at a minimum:
a. outline CIP obligations of the parties;
b. ensure the right of the issuing bank to transfer, store, or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
c. provide for the issuing bank’s right to audit the third-party program manager and to monitor its performance (generally, banks need to ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
d. if applicable, indicate that, pursuant to the Bank Service Company Act (BSCA) or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party program manager.