Federal Banking Agencies and FinCEN Issue Guidance on Applying CIP Rule to Prepaid Cards

On March 21, the federal banking agencies and the Financial Crimes Enforcement Network (collectively, the Agencies) published interagency guidance to issuing banks on the application of the joint regulations implementing the customer identification program (CIP) requirements set forth in Section 326 of the USA PATRIOT Act (the CIP Rule) to their prepaid cards. The guidance clarifies that a bank should apply its CIP to the cardholders of certain prepaid cards issued by the bank and other prepaid access devices that meet the criteria in the guidance. The guidance is largely consistent with current industry practice.


Prepaid cards have become nearly ubiquitous in the payments marketplace. As the guidance highlights, functionalities that make prepaid cards attractive to consumers also pose risks for banks that issue them and process such transactions. For example, easy access to prepaid cards, the ability to use them anonymously and the potential for relatively high volumes of funds to flow through pooled prepaid access accounts make prepaid cards potentially vulnerable to criminal abuse. As a result, the Agencies have taken a position that banks that issue prepaid cards need to have in place controls to mitigate the risks. The guidance seeks to answer questions that have arisen regarding the application of the CIP Rule to prepaid cards issued by banks.

CIP Rule

In 2003, the Agencies issued the CIP Rule, which requires a bank to obtain information sufficient to form a reasonable belief regarding the identity of each “customer” opening a new “account.” The bank’s CIP must include risk-based procedures for verifying its customers’ identities to the extent reasonable and practicable. In particular, the CIP Rule requires banks to implement a CIP that includes certain minimum requirements. For example, a bank’s CIP must include:

  • procedures for opening an account that, at a minimum, must include obtaining a name, date of birth, address and identification number from a customer who is an individual; and
  • identity verification procedures that describe when and how the bank will verify the customer’s identity using documentary or non-documentary methods.

The guidance clarifies that certain prepaid cards issued by a bank should be subject to the bank’s CIP, including those prepaid cards issued through arrangements with third-party program managers when the bank has no other relationship with a cardholder. The guidance also clarifies that a bank’s obligations under the CIP Rule are distinct from any obligations of a program manager under other anti-money-laundering regulations. To determine if CIP requirements apply to holders of prepaid cards, the bank should first determine whether the issuance of a prepaid card results in the creation of an account and, if so, identify the bank’s customer for the account. These steps are discussed below.

Determining the Existence of an “Account”

The guidance states that prepaid cards should be treated as accounts if they provide a cardholder with either (1) the ability to reload funds or (2) access to credit or overdraft capability. The Agencies view these attributes as comparable to attributes of a deposit or loan product — both of which are accounts under the CIP Rule. The ability to reload funds is given general meaning by the Agencies in the guidance so that it includes the addition of funds to a card by consumers, corporate entities and governments, by P2P, ACH and any other method. The guidance does not discuss whether inadvertent overdrafts (e.g., resulting from below-floor-limit transactions) create an account relationship; however, references to “overdraft features” and “an overdraft line” in the guidance certainly suggest that the Agencies were focused on intentional overdraft capabilities.

General-purpose prepaid cards sold with reloadable capability or credit/overdraft features that can be activated only by registering with the issuer or the program manager do not constitute accounts for purposes of the CIP Rule until the reloadability and/or overdraft/credit feature is activated by cardholder registration. The guidance also provides that closed-loop prepaid cards (even when reloadable) do not result in an account because their attributes are not comparable to a deposit product. Specifically, closed-loop prepaid card funds may be used to make purchases only at a single merchant or group of affiliated merchants.

Customer Identification and Verification

If the issuance of a prepaid card is considered the opening of an account, the issuing bank must apply its CIP to the account customer. The guidance discusses how this requirement applies to common prepaid arrangements.

  • Prepaid Cardholders and Third Parties. For general-purpose prepaid cards with reload functionality or access to credit or overdraft features, the bank’s customer is the cardholder. This is true even when funds are held in pooled accounts on behalf of a program manager for the benefit of the cardholders. For closed-loop prepaid cards and general-purpose prepaid cards without reload functionality or access to credit or overdraft features, the only account is the pooled account, and the bank’s customer is the program manager in whose name the pooled account has been established.
  • Payroll Cards. If the employer (or the employer’s agent) is the only person who may deposit funds into the payroll card pooled account, the employer should be considered the bank’s customer, and the bank need not apply its CIP to each employee. By contrast, if the employee is permitted to access an overdraft or credit through the payroll card, or reload the payroll card account from sources other than the employer, the employee is the customer of the bank, and the bank should apply its CIP to the employee.
  • Government Benefit Cards. Government benefit cards vary as to whether cardholders are permitted to load funds unconnected to the government benefit program onto the card and whether they provide access to overdrafts or credit. If the government benefit card program permits only government funds to be loaded onto the card and does not provide access to overdrafts or credit, the bank has no CIP obligations. If, however, the card allows non-government funds to be loaded onto the card or provides access to overdrafts or credit, then the cardholder is the bank’s customer, and the bank should perform its CIP on the cardholder.
  • Health Savings Accounts. In the case of accounts established by an employee to pay or obtain reimbursement for qualifying medical expenses, the employee is the bank’s customer because he or she established the account.
  • Flexible Spending Arrangements (FSAs) and Health Reimbursement Arrangements (HRAs). In the case of accounts established by an employer and funded by either voluntary withholdings from an employee’s salary (FSAs only) or through direct employer contributions (FSAs and HRAs), the employer should be considered the bank’s customer because no person other than the employer (or its agent) establishes and funds an account.

Contracts with Third-Party Program Managers

The guidance also advises banks to enter into well-constructed, enforceable contracts with third-party program managers that clearly define the expectations, duties, rights and obligations of each party in a manner consistent with the guidance. At a minimum, each such contract should:

  • Outline the parties’ CIP obligations;
  • Ensure the bank’s right to transfer, store or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
  • Provide for the bank’s right to audit the third-party program manager and to monitor its performance (generally, banks need to ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
  • If applicable, indicate that, pursuant to the Bank Service Company Act or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party program manager.