In a recent webinar, Duncan Douglass and Ethan Millar,
partners at Alston & Bird LLP, along with AFP's Tom Hunt, CTP, director of
Treasury Services, and David Bellinger, CTP, director of Payments &
Electronic Commerce, weighed in on new regulations on prepaid access from the
Financial Crimes Enforcement Network (FinCEN).
In 1999, FinCEN issued a series of requirements for money
services businesses (MSBs). However, the
regulations deferred requirements related to prepaid access, or access to the
value of funds paid in advance and receivable or transferable by an electronic
device or vehicle. Issuers, sellers and redeemers of prepaid access (then
referred to as stored value) were not required to register with FinCEN or file
Suspicious Activity Reports (SARs), though they were required to file Currency
Transaction Reports (CTRs) and establish Anti-Money Laundering (AML) programs.
Additionally, issuers and sellers of closed loop stored value (access to funds
or the value of funds that can be used only for goods or services in
transactions involving a particular merchant or location) were exempted from
these rules completely
FinCEN’s final rule expands the definition of MSBs to
include providers and sellers of prepaid access. However, the rule only applies
to prepaid access that is part of a prepaid program; an arrangement under which
one or more entities acting together provides prepaid access. Notable
exclusions include:
- Programs that provide closed loop prepaid access
to funds less than $2,000 that can be associated with a prepaid access device
or vehicle on any day,
- Prepaid access provided by a government agency,
- Prepaid access from pre-tax flexible spending
arrangements pertaining to health care,
- Prepaid access solely to employment benefits,
incentives, wages, or salaries.
Compliance requirements that both providers and sellers must
now abide by include implementing an effective AML program, complying with
customer recordkeeping requirements, filing SARs and responding to law
enforcement requests. There are also some requirements unique to both groups.
Providers must register themselves and their respective prepaid programs with
FinCEN, retain access to customer identifying information for five years following
the last use of a prepaid access device, and maintain access to transaction
records for five years. Sellers must maintain access to customer information
for five years after the sale of prepaid access. Additionally, seller
obligations pertain to sales that exceed $10,000, even if the prepaid access
sold is not part of a prepaid program.
Under the final rule, a provider of prepaid access is a
participant in a prepaid program that serves as the primary channel for access
to information from fellow participants. The provider also tends to maintain
oversight and control over the program and communicates with FinCEN, law
enforcement and other regulators.
FinCEN defines a seller of prepaid access as an entity that receives payment in exchange for an initial loading or subsequent loading of prepaid access if that entity sells prepaid access under a prepaid program that can be used before verification of customer identification, or prepaid access (including closed loop) to funds that exceed $10,000 to any person during any one day, and has not implemented policies and procedures reasonably adapted to prevent such a sale. According to a poll taken during the webinar, 49 percent of the listeners rarely exceed the $10,000 per day, per per person limit, while 39 percent said they never exceed that amount and 12 percent said they regularly do.
Three different entities must be cognizant of the
requirements:
- Financial institutions that issue prepaid
products,
- Third parties that manage prepaid programs,
- Retailers that act as providers, issuing non-exempt
closed-loop products and sellers, selling non-exempt open-loop products.
FinCEN planned to implement the final rule on September 27, but
extended the effective date to March 31, 2012 for sellers. For providers,
requirements to establish an AML program, report suspicious transactions and
maintain certain customer information took effect in September, while other
requirements were pushed back to March 31.