Coming Soon: New Regulations on Prepaid Debit Cards

Banks, retailers, and other companies that issue prepaid debit cards or gift cards in large amounts will soon find themselves in the middle of a regulatory battle against drug dealers and terrorists.

Efforts to curb international money laundering and fund transfers to rogue nations under sanctions are leading officials to implement new controls over increasingly popular cash alternatives, such as prepaid debit cards,  which will affect consumers, banks, and retailers.

The Treasury Department has said that in the coming year it will conduct a top-to-bottom review of existing money laundering initiatives. Its Financial Crimes Enforcement Network (FinCEN) is also considering a new anti-money laundering regulation that treats prepaid cards as “monetary instruments,” and requires anyone possessing cards with more than $10,000 in aggregate funds to declare them when entering or leaving the country.

“As you look at prepaid, mobile banking, remote deposit capture, and similar transactions, it is still all about risk assessment,” says John Byrne, executive vice president of the Association of Certified Anti-Money Laundering Specialists. “No matter what type of technology you are talking about, if it passes through a financial institution, you need to know what your risks, vulnerabilities, monitoring capabilities, and reporting obligations are.”

FinCEN will authorize the Department of Homeland Security to scan prepaid cards held by anyone entering the country. Officials expect to begin field testing specialized card readers at select border checkpoints this month.

With an amendment to the Bank Secrecy Act in June, FinCEN also put in place requirements for suspicious activity reporting, internal controls, and data collection for certain providers and sellers of prepaid products. The final rule targets retailers who sell prepaid products with features or high dollar amounts that pose heightened money laundering risks. The rules include exemptions, however, for prepaid products of $1,000 or less if they cannot be used internationally, as well as those that do not permit transfers among users and cannot be reloaded from a non-depository source. Also exempt are retailer-exclusive “closed loop” products—prepaid cards without a network affiliation (such as Visa, MasterCard, or American Express) that can only be used as a “gift card” at a specified store or chain—provided they are sold in amounts of $2,000 or less.

While sellers are not required to register with FinCEN, they must maintain an anti-money laundering program if a prepaid product can be used without an activation process that includes customer identification, or if they sell access to more than $10,000 in funds to any single person during one day.

Cross-border enforcement is also under consideration. Last month, government officials from the United States, Britain, Australia, and New Zealand convened in Canada to discuss cooperative efforts that could strengthen their ability to intercept illicit transactions. Because prepaid cards are not defined as monetary instruments, they cannot easily be seized from foreign travelers.

More CFPB Oversight

Aside from anti-money laundering efforts, the Consumer Finance Protection Bureau will soon exercise more authority over the marketplace. Under the Dodd-Frank Act, the CFPB has the authority to apply and revise Regulation E of the Electronic Fund Transfer Act (first signed into law in 1978 and frequently amended over the years). It recently issued an Advance Notice of Proposed Rulemaking and announced a plan to extend Regulation E protections to “open-loop” reloadable prepaid cards, those that are part of a retail electronic payments network and not limited to a specific merchant. Regulation E provides a variety of consumer protections for electronic money transfers (such as ATM transactions) that currently do not apply to prepaid cards, among them the ability to contest unauthorized charges, liability protections from fraudulent use, and the ability to request paper statements.

Its stated goal is to provide a set of minimum standards, force greater fee and term disclosures, and offer a framework for resolving errors and disputes about unauthorized charges similar to those already mandated of credit card companies. Like FinCEN, its review extends beyond just physical cards and includes such new technologies as smartphone apps and computer codes.

“No matter what type of technology you are talking about, if it passes through a financial institution, you need to know what your risks, vulnerabilities, monitoring capabilities, and reporting obligations are.”

—John Byrne,

EVP,

Association of Certified Anti-Money Laundering Specialists

In recent remarks, CFPB Director Richard Cordray said this oversight is necessary given the abundance of un-banked and under-banked families, estimated at 9 million and 21 million Americans respectively, who rely on these cards, as well as the tremendous growth of the marketplace, which has grown by 40 percent each year from 2010 to 2014.  An estimated $167 billion is expected to be loaded onto prepaid cards by 2014.

Judith Rinearson, a partner with the law firm Bryan Cave, is also chairman of the Government Relations Working Group of the Network Branded Prepaid Card Association. She has, thus far, been encouraged by the research-heavy approach the CFPB has taken.

Rinearson says the industry also understands the need for greater anti-money laundering efforts and is “doing everything it can” to cooperate. She is, however, “completely opposed” to FinCEN's plan to designate prepaid cards as monetary instruments that must be declared at border crossings.

She says these products are not truly monetary instruments, as the value isn't actually on the card and funds are elsewhere in a bank account.  “Having the card is not the same as holding currency or travelers checks, where the product is a bearer instrument that can be easily transferred,” she says.

Rinearson adds that cardholders have a right to financial privacy. “When you take a plane into or out of the U.S., no one asks you what the credit line on your credit card is, or how much is in your bank account,” she says. “Now, all of a sudden, you will be getting out of a plane and law enforcement has this little device that can swipe your card and they can freeze your funds.”

Alan Sorcher, director of Deloitte Financial Advisory Services, says efforts to better regulate the prepaid card industry go as far back as 1999, but failed to gain traction. That changed when the Patriot Act of 2001 required all sectors of the financial service industry—including banks, broker-dealers, mutual funds, and insurance companies—to have anti-money laundering protections imposed upon them by respective regulators. Requirements in the Credit Card Accountability Responsibility and Disclosure Act of 2009 set the stage for FinCEN's recent rules, which were guided by law enforcement concerns about the ability to move funds rapidly and lack of an audit trail.

RECOMMENDED PRACTICES

The following is from “Recommended Practices for Anti-Money Laundering Compliance for U.S.-Based Prepaid Card Programs,” a publication of the Network Branded Prepaid Card Association.

RISK ASSESSMENT

A risk assessment is the cornerstone of a financial institution's BSA/AML compliance program. Although attempts to launder money, finance terrorism, or conduct other illegal activities can emanate from many different sources, certain products, services, customers, and geographic locations may be more vulnerable and have been historically abused by money launderers and criminals. Depending on the specific characteristics of the particular product, service, or customer, the risks are not always the same.

Identifying the money laundering and terrorist financing risks of products, customers and/or transactions enables financial institutions to determine and implement proportionate measures and controls to mitigate these risks. Risks for some customers may become evident only once the customer has commenced using the prepaid card (or, for merchants, selling)—making transaction monitoring a fundamental component of a risk-based approach. Money laundering risks may be measured using various criteria.

Product/Services Risk

Determining the potential money laundering risks presented by products and services offered by a financial institution also assists in overall risk assessment. A financial institution should consider the following issues and features in assessing the money laundering risks related to its prepaid card products:

How are prepaid cards distributed?

Who is the customer (e.g., governmental agency, business, or consumer; is there an existing relationship with the customer) for the cards?

How are the cards funded?

What is the expected level of prepaid activity?

Are the prepaid cards reloadable?

Are value load sources restricted?

Can the prepaid cards be used to obtain cash (at ATMs, at point of sale, or through a cash advance transaction)?

Can funds be transferred from one prepaid card to another prepaid card or other financial account?

Are bulk purchases of Cards permitted?

Are multiple distribution channels allowed (i.e., Internet)? Can the card be used internationally?

Source: Network Branded Prepaid Card Association.

“I think there had ben some hesitancy before that point in time because regulators didn't want to come out with a rule that could impede innovation,” Sorcher says.

He says sellers need to carefully assess whether they fall under FinCEN rules. If they are exempt, staying that way will require internal controls to, for example, not exceed the daily value limit per customer. Providers should similarly assess their need for an anti-money laundering program and what controls and compliance efforts are necessary to mitigate risk. Banks need to ensure that their suspicious activity detection system addresses the risks of prepaid products.

Byrne says the scrutiny on prepaid cards, as well as similar emerging technologies like mobile payments, mean banks have to reassess their approach to risk and compliance. “Regulators have made it pretty clear that the risk factors for these products are different than your normal face-to-face transactions,” Byrne says. “Years ago, if you transacted business outside of your geographic region it was seen as suspicious. Now, that happens all the time and it is no longer a red flag.”

The focus has therefore shifted from hard cash to electronic access.

These needs have encouraged banks to bring in the next generation of analysts, investigators, and compliance officers. “Financial institutions are looking for more people with technological and banking backgrounds that go beyond compliance, accounting, and law,” he says.

Compliance is also better integrated with product launches and upgrades. “You used to hear horror stories where the compliance office would be contacted on a Friday that on Monday the bank was going to release a product,” Byrne says. “The key is not just trying to figure out how to market it, but what's the potential vulnerability for misuse and any sort of criminal activity. If you get the compliance people at the table throughout the process—and they are not just there to say ‘no, no, no'—they can help mitigate those risks.”

Banks must also adapt training programs at all levels to strengthen their prepaid and electronic products. “It is not enough to tell senior management, ‘Hey, a competing institution received a pretty dramatic penalty,'” Byrne says. “You have to take that enforcement action, break it down, and use it to show where your potential gaps may be. That way, hopefully, senior management will get it.”