Bank Secrecy Act
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with electronic cash (e-cash), and management’s ability to implement effective monitoring and reporting systems.
E-cash (e-money) is a digital representation of money. E-cash comes in several forms, including computer-based, mobile telephone-based, and prepaid cards. Computer e-cash is accessed through personal computer hard disks via a modem or stored in an online repository. Mobile telephone-based e-cash is accessed through an individual’s mobile telephone. Prepaid cards, discussed in more detail below, are used to access funds generally held by issuing banks in pooled accounts.
In the case of computer e-cash, monetary value is electronically deducted from the bank account when a purchase is made or funds are transferred to another person. Additional information on types of e-cash products is available in the FFIEC Information Technology Examination Handbook.197
Transactions using e-cash may pose the following unique risks to the bank:
- Funds may be transferred to or from an unknown third party.
- Customers may be able to avoid border restrictions as the transactions can become mobile and may not be subject to jurisdictional restrictions.
- Transactions may be instantaneous.
- Specific cardholder activity may be difficult to determine by reviewing activity through a pooled account.
- The customer may perceive the transactions as less transparent.
Banks should establish BSA/AML monitoring, identification, and reporting for unusual and suspicious activities occurring through e-cash. Useful MIS for detecting unusual activity on higher-risk accounts include ATM activity reports (focusing on foreign transactions), funds transfer reports, new account activity reports, change of Internet address reports, Internet Protocol (IP) address reports, and reports to identify related or linked accounts (e.g., common addresses, phone numbers, e-mail addresses, and taxpayer identification numbers). The bank also may institute other controls, such as establishing transaction and account dollar limits that require manual intervention to exceed the preset limit.
Prepaid Cards/Stored Value Cards
Consistent with industry practice, the term “prepaid card” is primarily used in this document. Although some sources use the term “stored value card” more broadly, it most commonly refers to cards where the monetary value is physically stored on the card. The term “prepaid card” generally refers to an access device linked to funds held in a pooled account, which is the type of product most frequently offered by U.S. banking organizations. Prepaid cards can cover a variety of products, functionalities, and technologies. Prepaid cards operate within either an “open” or “closed” system. Open-system prepaid cards can be used for purchases at any merchant or to access cash at any automated teller machine (ATM) that connects to the affiliated global payment network. Examples of open system cards are payroll cards and gift cards that can be used anywhere a credit card can be used. Some prepaid cards may be reloaded, allowing the cardholder to add value. Closed-system cards generally can only be used to buy goods or services from the merchant issuing the card or a select group of merchants or service providers that participate in a specific network. Examples of closed system cards include merchant-specific retail gift cards, mall cards, and mass transit system cards.
Some prepaid card programs may combine multiple features, such as a flexible spending account card that can be used to purchase specific health services as well as products at a variety of merchants. These programs are often referred to as “hybrid” cards.
Prepaid cards provide a compact and transportable way to maintain and access funds. They also offer individuals without bank accounts an alternative to cash and money orders. As an alternate method of cross-border funds transmittal, prepaid card programs may issue multiple cards per account, so that persons in another country or jurisdiction can access the funds loaded by the original cardholder via ATM withdrawals of cash or merchant purchases.
Many banks that offer prepaid card programs do so as issuer or issuing bank. Most payment networks require that their branded prepaid cards be issued by a bank that is a member of that payment network. In addition to issuing prepaid cards, banks may participate in other aspects of a card program such as marketing and distributing cards issued by another financial institution. Banks often rely on multiple third parties to accomplish the design, implementation, and maintenance of their prepaid card programs. These third parties may include program managers, distributors, marketers, merchants, and processors. Under payment network requirements, the issuing bank may have due diligence and other responsibilities relative to these third parties.
Each relationship that a U.S. bank has with another financial institution or third party as part of a prepaid card program should be governed by an agreement or a contract describing each party’s responsibilities and other relationship details, such as the products and services provided. The agreement or contract should also consider each party’s BSA/AML and OFAC compliance requirements, customer base, due diligence procedures, and any payment network obligations. The issuing bank maintains ultimate responsibility for BSA/AML compliance whether or not a contractual agreement has been established.
Money laundering, terrorist financing, and other criminal activity may occur through prepaid card programs if effective controls are not in place. Law enforcement investigations have found that some prepaid cardholders used false identification and funded their initial deposits with stolen credit cards or purchased multiple cards under aliases. In the placement phase of money laundering, because many domestic and offshore banks offer cards with currency access through ATMs internationally, criminals may load cash from illicit sources onto prepaid cards through unregulated load points and send the cards to their accomplices inside or outside the country. Investigations have disclosed that both open and closed system prepaid cards have been used in conjunction with, or as a replacement to, bulk cash smuggling. Third parties involved in prepaid card programs may or may not be subject to regulatory requirements, oversight, and supervision. In addition, these requirements may vary by party.
Prepaid card programs are extremely diverse in the range of products and services offered and the customer bases they serve. In evaluating the risk profile of a prepaid card program, banks should consider the program’s specific features and functionalities. No single indicator is necessarily determinative of lower or higher BSA/AML risk. Higher potential money laundering risk associated with prepaid cards results from the anonymity of the cardholder, fictitious cardholder information, cash access of the card (especially internationally), and the volume of funds that can be transacted on the card. Other risk factors include type and frequency of card loads and transactions, geographic location of card activity, relationships with parties in the card program, card value limits, distribution channels, and the nature of funding sources.
Banks that offer prepaid cards or otherwise participate in prepaid card programs should have policies, procedures, and processes sufficient to manage the related BSA/AML risks. Guidance provided by the Network Branded Prepaid Card Association is an additional resource for banks that provide prepaid card services.198 Customer due diligence is an important mitigant of BSA/AML risk in prepaid card programs. A bank’s CDD program should provide for a risk assessment of all third parties involved in the prepaid card program, considering all relevant factors, including, as appropriate:
- The identity and location of all third parties involved in the prepaid card program, including any subagents.
- Corporate documentation, licenses, references (including independent reporting services), and, if appropriate, documentation on principal owners.
- The nature of the third-parties’ businesses and the markets and customer bases served.
- The information collected to identify and verify cardholder identity.
- The type, purpose, and anticipated activity of the prepaid card program.
- The nature and duration of the bank’s relationship with third parties in the card program.
- The BSA/AML and OFAC obligations of third parties.
As part of their system of internal controls, banks should establish a means for monitoring, identifying, and reporting suspicious activity related to prepaid card programs. This reporting obligation extends to all transactions by, at, or through the bank, including those in an aggregated form. Banks may need to establish protocols to regularly obtain card transaction information from processors or other third parties. Monitoring systems should have the ability to identify foreign card activity, bulk purchases made by one individual, and multiple purchases made by related parties. In addition, procedures should include monitoring for unusual activity patterns, such as cash card loads followed immediately by withdrawals of the full amount from another location.
Card features can provide important mitigation to the BSA/AML risks inherent in prepaid card relationships and transactions and may include:
- Limits or prohibitions on cash loads, access, or redemption.
- Limits or prohibitions on amounts of loads and number of loads/reloads within a specific time frame (velocity or speed of fund use).
- Controls on the number of cards purchased by one individual.
- Maximum dollar thresholds on ATM withdrawals and on the number of withdrawals within a specific time frame (velocity or speed of fund use).
- Limits or prohibitions on certain usage (e.g., merchant type) and on geographic usage, such as outside the United States.
- Limits on aggregate card values.