OCC BULLETIN 2011-27
Subject: Prepaid Access Programs
Date: June 28, 2011
To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel
Description: Risk Management Guidance and Sound Practices
This bulletin provides guidance to national banks for assessing and managing the risks associated with prepaid access programs.[1] National banks that offer consumers access to prepaid funds are exposed to a variety of risks. These risks increase when the prepaid access program has more advanced functionality, such as international funds transfers, card-to-card funds transfers, Internet transfers, and mobile phone banking. When the program or any of its components is outsourced to a third-party service provider, the risks are often more challenging to manage, especially risks related to fraud, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), and Office of Foreign Assets Control (OFAC) compliance requirements. National banks should use this guidance to develop and implement a comprehensive risk management program for prepaid products that reflects the nature and complexity of their activities. This bulletin supplements and should be used in conjunction with existing OCC guidance on retail payment systems, prepaid cards, and third-party service providers.[2]
The prepaid access industry has grown rapidly in recent years, with programs and features increasingly being marketed to and used by consumers as an alternative or supplement to traditional bank accounts. Some banks are working with third-party service providers, who may own and operate the infrastructure used to deliver these products to consumers. Prepaid access products are attractive to the banking industry, particularly because they can be marketed not only to existing bank customers, but also to financially underserved consumers.
Prepaid access refers to a wide range of devices that facilitate consumers’ access to money electronically, including general purpose reloadable cards, payroll cards, government benefit cards, retail gift cards, mobile phones, and Internet sites. The consumer is able to add and store funds on the device, and use it to spend or withdraw the funds from a variety of sources.
Banks can offer access to prepaid funds to a wider range of customers because there is less credit or nonpayment risk than with other means of payment. Prepaid access devices also provide customers easy, anonymous access to funds when transactions are conducted through electronic channels (for example, the Internet). However, these arrangements increase the risk of fraud and money laundering, and make it more difficult for the bank to identify illicit transactions. When prepaid access devices are obtained using compromised or stolen credentials, law enforcement must trace transactions through prepaid networks. In addition, the ability of some prepaid devices to originate or accept funds transfers from other cards, from Internet accounts, or from international sources presents novel and more challenging risks.[3]
While prepaid access devices can provide a potential new customer base and revenue source for national banks, they can also increase a national bank’s operational, compliance, strategic, and reputation risk if not implemented appropriately. National banks that offer prepaid access devices should have in place a comprehensive risk management program to mitigate the risks associated with these products. Ineffective systems and controls, or improper implementation of these systems and controls, may result in unsafe and unsound practices and may contribute to deterioration in the bank’s condition.
RISK MANAGEMENT EXPECTATIONS FOR PREPAID ACCESS PROGRAMS
National banks that offer prepaid access devices to consumers should have a comprehensive risk management program to identify, measure, monitor and control the risks related to these products. Components of a comprehensive risk management program include:
clearly defined objectives, expectations, and risk limits for the products offered;
Objectives and Risk Parameters
An effective prepaid program begins with a thorough assessment of how the product fits within the bank’s overall business strategy and risk appetite. The board of directors should ensure it understands how the program is expected to operate, the level and nature of risks it will bring to the bank, and its projected costs and revenues. In consultation with bank management, the board should establish risk limits for the program and outline expectations for compliance and performance reporting.
In setting risk limits and other program guidelines, the board of directors or its designee should:
consult with relevant functional areas within the bank to gather data sufficient to understand the program’s requirements, such as the need for expertise, staffing, and infrastructure, and the costs associated with these requirements. Relevant functional areas would include, for example, operations, information technology, audit, compliance and legal.
Policies, Procedures, and Due Diligence
A prepaid program should be governed by written policies and procedures that are well understood and accessible by those who implement the program as well as those who evaluate its effectiveness. Roles and responsibilities of affected personnel should be clearly defined. Procedures should include an exit strategy in the event the product fails to perform as expected.
If the program includes a third-party service provider, policies and procedures should guide the bank’s evaluation, selection, and oversight of the third party’s activities. National banks should perform a due diligence review of potential third-party service providers. Such a review would include a thorough background check of the third-party provider and its significant principals, evaluation of the company’s financial condition, assessment of operational and risk management processes, its history of regulatory compliance and prior banking relationships, and results of information security and business continuity testing.
Once the third-party service provider is selected, the arrangement with the third-party service provider should be governed by a well-constructed, enforceable service contract that clearly defines expectations, duties, rights, and obligations of each party. A binding contract or agreement should include, at a minimum,
the scope of the relationship and explicit details about all services to be performed by the service provider, including training of employees and customer service.
Audit and Compliance Functions
Before launching a prepaid program, a bank should review its audit and compliance functions to ensure they are sufficient to cover the risks posed by the new program. Facilitating access to prepaid funds has the potential to introduce new risks that require specific expertise, staffing levels, and audit/compliance testing to monitor for deficiencies and identify corrective action. For example, consumer protection and BSA/AML requirements can be very challenging to manage without the appropriate infrastructure. For some components outsourced to a third party, ensuring compliance may require a different approach and additional expertise beyond current bank staff knowledge.
When expanding audit and compliance functions to accommodate prepaid programs, national banks should:
Parameters for Reporting to the Board of Directors
The board of directors should receive periodic reports from bank management that allow the board to determine whether the prepaid access program is operating within established risk limits, and is achieving stated objectives and financial results. Such reports may include:
The OCC supports national banks’ participation in prepaid access programs to meet consumer needs and diversify sources of revenue. To limit potential risks to banks and consumers, however, national banks should implement comprehensive risk management programs that provide appropriate oversight and controls commensurate with the risk, complexity of the activities, and use of any third-party providers to facilitate the prepaid programs.
Please direct any questions or comments regarding this guidance to Operational Risk Policy at (202) 649-6550.
Carolyn G. DuChene
[1] A prepaid access program is an arrangement through which one or more persons acting together provide access to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number. This bulletin addresses guidance and sound practices relevant to any other electronic devices or vehicles that are in use, or that may be developed in the future. The terms banks and national banks refer to national banks and all other institutions for which the Office of the Comptroller of the Currency is the primary supervisor. Beginning July 21, 2011, this guidance will also apply to federal savings associations.
[2] Related guidance is listed at the end of this bulletin.
[3] Devices that receive funds transfers can be used by online hackers in account takeover fraud schemes that could result in loss to the bank.
[4] Devices that receive Federal payments are subject to specific consumer protection guidelines established by the Financial Management Service of the U.S. Department of the Treasury. (See 31 CFR 210.5(b)(5)(i); 75 FR 80335). National banks are encouraged to follow, as a model, these guidelines when establishing program criteria for their prepaid access programs.
[5] The Financial Crimes Enforcement Network issued in the Federal Register a proposed rule on prepaid programs (75 FR 36589) that would impose BSA/AML compliance obligations on non-bank entities that are determined to be “providers of prepaid access.” This proposal and the anticipated final rule are significant regulatory developments in the prepaid industry.
[6] Banks already have in place programs to respond to unauthorized access to customer information and identity theft prevention developed pursuant to section 501(b) of the GLBA and section 114 of the Fair and Accurate Credit Transactions Act of 2003. Banks may be able to use these existing programs when developing risk management systems for prepaid card programs. See 12 CFR 30, appendix B; 12 CFR 41.90 et seq.