September 19, 2011
The prepaid market: Growth and sophistication mean more risk
FinCEN has released its final rule on prepaid products, and a key feature expands the Bank Secrecy Act (BSA) compliance obligations to include providers and sellers of certain types of prepaid access devices. In March, we discussed FinCEN's proposed rule on prepaid products. The rule was drafted with the intent to address potential money laundering risks in prepaid access devices.
The final rule, released July 29, also replaces the term "stored value" with "prepaid access." The purpose of changing the nomenclature was to cast a broader net by covering not only prepaid access devices like cards, but also emerging prepaid access devices such as key fobs and mobile phones. The new definition is broad enough to cover any type of device that can serve as a portal to funds that have been paid for in advance and are retrievable and transferable.
Prepaid access devices are available in a wide variety of formats. Some types of prepaid access devices come in the typical card format, while others can exist in virtual form, such as an electronic serial number.
Growth of prepaid access
There is good reason for FinCEN's interest in prepaid products. Growth in consumer adoption and increased government activity (payout of government benefits, including unemployment and social security, among others) have accelerated the acceptance rate of prepaid products in recent years. Mercator Advisory Group predicts in its Seventh Annual Prepaid Market Forecast that the total dollars loaded onto prepaid cards may climb to $672 billion by 2013.
The Office of the Comptroller of the Currency (OCC) has also responded to the growth and sophistication of the prepaid market by releasing guidance to national banks that offer prepaid products with advanced functionality. The guidance advises national banks to develop comprehensive risk management policies and procedures to guard against potential fraud. The OCC expressed that prepaid products offering features such as international funds transfers, card-to-card transfers, and Internet transfers can potentially expose banks to a variety of risks that may not be in line with the banks' business strategies or risk appetites.
Newly regulated entities: Sellers and providers of prepaid access
Providers of prepaid access are now required to comply with the Bank Secrecy Act's regulations related to Money Services Business (MSB). Some of those requirements entail maintaining adequate anti-money laundering programs. The type of BSA program will depend on the risk appetite, size, customer base, and geography of the sellers and providers.
Under the new rule, prepaid access providers must retain transaction-specific records generated in the ordinary course of business for five years. The records collected must be easily accessible upon request from FinCEN or other law enforcement. Both providers and sellers of prepaid access are subject to Suspicious Activity Reporting (SAR) and Currency Transaction Reporting (CTR), but only providers are required to register with FinCEN once every two years.
Prepaid products exempted
For the first time, closed loop prepaid products are regulated if more than $2,000 can be loaded on the device on a given day. FinCEN acknowledged that although closed loop prepaid access is generally considered an unattractive, inefficient, and unlikely means of moving large sums of illicit money, law enforcement cautioned FinCEN that closed loop prepaid access in large dollar amounts can be vulnerable to criminal enterprises intending to launder funds. This partial exemption for closed loop prepaid access addresses law enforcement's money laundering concerns regarding a limited segment of closed loop prepaid access market, while still exempting the retail sale of closed loop prepaid of $2,000 or less.
Also regulated for the first time is low-value ($1,000 or less/day) open loop prepaid access, if it can be used internationally, transferred between or among other persons (P2P), or reloaded by a nonbank. The restrictions placed on the open loop prepaid access are based on the device's functionality and not on what it can be used to purchase.
Exempt from most of the new rule are prepaid access devices that FinCEN determined posed a decreased risk of money laundering, terrorist financing, and other criminal activities. Those devices include prepaid access to funds for payroll, government benefits, and incentives, so long as the funds cannot be used internationally, do not have P2P capabilities, and cannot be reloaded by a nonbank.
The rule's effective date is September 27, 2011. However, compliance for registration of MSBs does not take effect until January 29, 2012.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The prepaid market: Growth and sophistication mean more risk:
- As with Nuclear Disarmament, So with ACH: Trust, but Verify
- The Personal Cost of Fraud
- When Fraud Hits Home: Questioning Today’s Authentication Methods
- FFIEC Weighs In On Mobile Channel Risks
- Cash: Reports of Its Pending Death Are Greatly Exaggerated
- The 411 on Banning the RCC
- Surviving the Emerging Payments Providers
- Between a Rock and a Hard Place?
- There's an App for That!
- What Is GPR Feeding On? Part 2 of 2
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud