Recent Developments in Prepaid Access: Considerations for Deterring Money Laundering
Deloitte Insights Video
While prepaid cards and mobile technologies can make it easier for consumers to make purchases, they can also make it easier for criminals to move illicit funds. As with any innovation — especially within the financial services industry — new risks are a byproduct, followed by new regulations. Watch this episode of Deloitte Insights to learn how card issuers and financial institutions can strengthen their anti-money laundering programs.
Alan Sorcher, Director, Deloitte Financial Advisory Services LLP
Don Mosher, Partner, Schulte Roth & Zabel
Sean O’Grady (Sean): Hello and welcome to Insights where today we will be examining money laundering risks associated with prepaid cards and mobile payment technologies. Joining us here in the studio for this conversation are Don Mosher, a partner in New York-based law firm, Schulte Roth & Zabel, and we also have Alan Sorcher, a director within Deloitte Financial Advisory Services LLP. Now, gentlemen, I know that I have made purchases with prepaid cards and made online payments and I have never really batted an eye about legalities associated with those, and so I was wondering if you could briefly tell us about the money laundering risks that surrounds these technologies.
Don Mosher (Don): Sure Sean. You are not alone and I think most people would be surprised at the legal issues raised by and the breadth of regulation that has been developed around prepaid products, and we are talking about all different types of prepaid products, whether it is a closed loop that’s your typical product that could be a card, could be a virtual card, a code on a computer that is redeemable for the goods and services of the issuer, so the person who issued the product . It could be also redeemable for goods and services of affiliates of the issuer. So these would be your closed loop products, or if we are talking about your open loop general-purpose products, which are redeemable for goods and services, typically network branded and redeemable for goods and services of any merchant that accepts that particular card type and also, in many cases, they may have ATM access, and those are the types of products that are used by some as bank account substitute.
Sean: Thank you for that, Don. How about you, Alan, what kind of issues do you see surrounding these technologies?
Alan Sorcher (Alan): Let me to talk briefly about how prepaid cards differ from credit cards and debit cards, which I think there may be some misperceptions about. So, prepaid cards give you access to funds that are provided in advance, a credit card is funds that are provided later and you pay later, and a debit card is funds that are provided immediately, immediate debit to your bank account, and prepaid cards are not attached to a bank account or credit card account. I think the significant thing about prepaid cards is that we are rapidly seeing a dramatic increase in the amount and number of consumers using prepaid cards. I think today, there are over seven million consumers using some form of prepaid cards and I think we are rapidly seeing, in many ways, prepaid cards taking the place of cash. Turning to the money laundering risks, I think the most significant thing is that prepaid cards had not previously been covered by any AML, anti-money laundering, requirements, and there had been a view, I think, in industry and law enforcement community that there was a gap in our financial system because these cards were not covered, and that raised concerns of vulnerability to money laundering. I think particularly in the law enforcement community, there was concern about that, and I think the reason is because of the ability to move funds fast, rapidly, the transferability of the cards, and the lack of an audit trail for the cards. And I think, lastly, any time you have a new technology, or an innovation, or an advancement in technology, you have increased ability for bad guys and criminals to take advantage of that new technology, and I think prepaid cards present new ways for bad guys to move illicit funds.
Sean: So, gentlemen, I understand that the risk you just spoke of have prompted regulators to act and I am interested to know what some of those regulations are, both for the card issuers and the financial institutions, and also if there is anything that consumers need to know about these products.
Don: Sure, last year FinCEN, which is the Financial Crimes Enforcement Network of Treasury issued regulations for the FinCEN prepaid access rules that impose anti-money laundering program requirements on providers and sellers of prepaid access. The rule defines the provider of prepaid access as someone as the participant in a prepaid card program that has agreed to act as a conduit for the access of information from the other participants and that particular person, that company, would then register as an MSB as a provider and identify the program and that would enable law enforcement to know who to go to if there is alleged criminal activity implicated by a user of that card or by one of the cards. The sellers of prepaid access are persons who sell these products, and it is important to understand what products we are talking about because some products are carved out of a lot of the requirements of the rules. These products have been the ones determined by FinCEN to be of lower risk for money laundering or terrorist financing, and that would be products on the closed loop side would be gift card products that are under $2000 in value and on the open loop side, it would be products that are under a $1000 or less and that have certainly restrictions, including no ability to be used internationally, no ability to be loaded at a non-depository source, and no ability for card-to-card transfers from one person in the program to another person in the program. So, if the particular product, the prepaid product, is excluded from the definition of prepaid program, then you wouldn’t have a provider. A seller of prepaid access would be someone who sells one of the products that are included in the definition of prepaid program if the product can be used before verification of the customer’s information. There is also a provision, which a lot of sellers need to be concerned with, any retailer that sells prepaid cards, even if there are selling cards that are excluded from the definition, if they sell a total of $10,000 in aggregate prepaid products, excluded products and non-excluded products, to anyone person in one day, they would be a seller of prepaid card access and covered by the rule. If you are covered by the rule, then exception there is, unless they had policies and procedures that were reasonably adapted to prevent sales of over $10,000 to any person in one day. So, we strongly recommend any retailer who sells prepaid products to make sure that they have such policies and procedures adapted to prevent sales of $10,000 or more to any one person in one day, if they would like to avoid being subject to these requirements on that rule.
Sean: Thank you for that. It makes sense. And how about you Alan, your perspective on this.
Alan: Well, my perspective. I will step back, as I think these recent rules issued by FinCEN, which is part of the Treasury Department, need to be looked at as one more set of rules in a long line of rules that started in 2001 with the passage of the United States Patriot Act, which was the piece of legislation passed in the wake of 9/11. That legislation put in place requirement that all sectors of the financial service industry would, over time, have anti-money laundering requirements imposed on those sectors, and at this point in time, most, if not all, the majors of the financial service industry have had anti-money laundering program requirements imposed. Banks have requirements, broker-dealers have requirements, mutual funds have requirements, insurance companies have requirements, and now we have this new rule that imposes requirements on prepaid providers and sellers. I think the other significant thing that is worth mentioning is that these new rules mark somewhat of a change in policy by the Treasury Department. Back in 1999, the Treasury looked at prepaid cards, which were then referred to a stored value, and maybe the determination that the technology with those cards was advancing so rapidly that they felt that coming out with a rule back then that would cover prepaid or stored value, a rule could quickly become out of date or could stifle innovation. So the Treasury Department made a decision in 1999 for the most part not to cover prepaid products. Now, we see in 2011 a reversal of that decision made in 1999, a decision made to cover prepaid products require anti-money laundering programs and a recognition that prepaid products do involve vulnerabilities for money laundering that now need to be covered by rules.
Sean: So now that it has been established that the problems are there, what might a provider have to do to ensure that they have a strong anti-money laundering practice in place?
Alan: I think there are four basic things that a provider should do to make sure that it has a strong anti money laundering program. These are four basic things. It is very simple. You need to really look at the rules and requirements and make sure your organization is covered as a provider under the rule. It could be that you are not covered, and therefore, the rules requirements don’t apply. 1) Make sure you are covered, the definition applies, and therefore, you have to abide by the requirements. 2) Conduct a thorough risk assessment. An organization has to look at their business model, the risks that arise because of the kinds of business lines you are involved in, and the risks that prepaid products bring about. So conduct a thorough risk assessment and look carefully at what controls and compliance requirements would be helpful to mitigate the risk. 3) They need to implement adequate and thorough internal controls, procedures, and policies that require at a minimum customer identification and verification, suspicious activity reporting, and also a recordkeeping. And the last, 4), it is No. 4, but in some ways, it is probably the most important and that’s training. Organizations need to train their staff particularly when it is a new requirement like the prepaid rules, so training is critical. Train them on the rules and requirements, how prepaid transactions work and operate, and what the risks are. Any good compliance program is always dependent on the quality and training of its people and that’s especially when a product is new and the rules are new.
Sean: Thank you. Don, you agree?
Don: I do. And I would like to emphasize the training aspect because many of these prepaid products are distributed through retailers and it is very important to train those retailers on the policies and the procedures and the legal requirements that apply to the products. The retailers may also be sellers under the rule, so the provider of prepaid access should make sure that the retailer understands what the rule requirements are, is the retailer a seller of prepaid access under the rule, what does that mean to the seller, are they complying, and do some diligence and monitoring to make sure that the retailer is complying with the rule. It also recommends that providers of prepaid access or even companies that are providing prepaid products but are not providers of prepaid access because the program that they are providing is excluded from the definition, such as some of the gift cards that I talked about earlier or some of the lower value open loop products, that they communicate to their retailers who are selling those products that they could still end up being a seller of prepaid access if they end up selling more than $10,000 in total of prepaid products to any single person in a single day and they need without having policies and procedures reasonably adopted and to help the seller come up with those policies.
Sean: Thank you very much for that. Let’s round out our remarks with banks because we have been talking about the seller or the provider, but how might a bank that is involved with prepaid cards or mobile payments, how could they make their program stronger?
Alan: This gets a little bit technical because prepaid programs that are controlled by banks are technically outside the rules requirements and that’s because banks are already covered by the anti money laundering requirements by a rule that applies to banks that has been in place for some time. So, I think banks in general are well set up to deal with these new rules because they have been dealing with anti-money laundering issues, rules, and requirements for quite some time. Nonetheless, I think there are some basic things that a bank could even do to help its program. No. 1, I would say is a bank should consider whether its suspicious activity detection system addresses appropriately the risks that arise by prepaid products. It could be that a bank previously hadn’t dealt with prepaid and now it has. It needs to make sure it’s suspicious activity monitoring system has addressed those changes. No. 2, I mentioned it before and that’s training. Banks are big on training in general but I think again when you have new products or a drastic increase in new products like prepaid, you need to make sure your employees, your staff, your compliance staff are aware of the new products, are aware how they operate, are aware how the bank interfaces with those, and are aware of the new requirements. So, there is no substitute for good training. And last, I think a bank needs to really review and assess its policies and procedure dealing with vendors and other outside parties. Banks typically do this any way, but when you have a prepaid program where a bank is interfacing with other parties, many of them who may not be regulated, I think a bank needs to assess and do some due diligence on who those parties are, who those vendors are, and who those entities involved in the prepaid program may be.
Sean: Thank you very much for that. Don, final thoughts over to you on banks in strengthening their programs.
Don: I think a couple of points. 1) the banks are excepted from that rule because they cannot be MSBs and in order for the bank program to qualify to be outside of the rule, it would have to be what they refer to as a bank-centric program. So, that means the bank really has to have the oversight and control over the program. What would happen then is there would be no MSB registration. There is a provision in the rule that says in the absence of an MSB registration for the particular prepaid card program, FinCEN can make a determination on who is the provider of prepaid access based on a number of control factors, who has set the program up, who has selected the participants, who has the right to change the terms and conditions and a number of other factors that can point to oversight and control. In that case, if FinCEN would make that determination and determine that its not the bank that is really in the oversight and control of the program, but another participant, then that participant could be viewed as in violation of the rule because they would have been a provider of prepaid access and likely wouldn’t have been complying with the rule and wouldn’t have had the MSB registration. So, I think that Point 1. Point 2, when the bank is dealing, when you have a bank in a prepaid product, then you are going to have banks in prepaid product programs; in virtually all cases where there is an open loop product, you are going to need network participation because that’s your entry into the network. They need to make sure that the participants have in fact selected or determined who is the provider of prepaid access and that company that is the provider of prepaid access is in fact in compliance. So as Alan mentioned, there is quite a bit of diligence and monitoring to make sure that they are complying with the FinCEN prepaid access rule.
Sean: Gentlemen, thank you very much for your diligence with spelling all this out for us. Clearly this is a complex and growing issue. So, I thank you both for your time today. We have been discussion anti-money laundering with prepaid cards and online payments with Don Mosher, a partner in New York-based law firm, Schulte Roth & Zabel, and Alan Sorcher, a director within Deloitte Financial Advisory Services.
If you would like to learn more about Don, Alan, or any of the topics discussed on today’s broadcast, you can find that information on our website. It is Deloitte.com/us/insights. For all the good folks here at Insights, I am Sean O’Grady. We will see you next time.