OCC Bulletin 2011-27| June 28, 2011
Prepaid Access Programs: Risk Management Guidance and Sound Practices
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel
Beginning on July 21, 2011, this guidance also applies to federal savings associations.
This bulletin provides guidance to national banks for assessing and managing the risks associated with prepaid access programs.1 National banks that offer consumers access to prepaid funds are exposed to a variety of risks. These risks increase when the prepaid access program has more advanced functionality, such as international funds transfers, card-to-card funds transfers, Internet transfers, and mobile phone banking. When the program or any of its components is outsourced to a third-party service provider, the risks are often more challenging to manage, especially risks related to fraud, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), and Office of Foreign Assets Control (OFAC) compliance requirements. National banks should use this guidance to develop and implement a comprehensive risk management program for prepaid products that reflects the nature and complexity of their activities. This bulletin supplements and should be used in conjunction with existing OCC guidance on retail payment systems, prepaid cards and third-party service providers.2
The prepaid access industry has grown rapidly in recent years, with programs and features increasingly being marketed to and used by consumers as an alternative or supplement to traditional bank accounts. Some banks are working with third-party service providers, who may own and operate the infrastructure used to deliver these products to consumers. Prepaid access products are attractive to the banking industry, particularly because they can be marketed not only to existing bank customers, but also to financially underserved consumers.
Prepaid access refers to a wide range of devices that facilitate consumers’ access to money electronically, including general purpose reloadable cards, payroll cards, government benefit cards, retail gift cards, mobile phones, and Internet sites. The consumer is able to add and store funds on the device, and use it to spend or withdraw the funds from a variety of sources.
Banks can offer access to prepaid funds to a wider range of customers because there is less credit or nonpayment risk than with other means of payment. Prepaid access devices also provide customers easy, anonymous access to funds when transactions are conducted through electronic channels (for example, the Internet). However, these arrangements increase the risk of fraud and money laundering, and make it more difficult for the bank to identify illicit transactions. When prepaid access devices are obtained using compromised or stolen credentials, law enforcement must trace transactions through prepaid networks. In addition, the ability of some prepaid devices to originate or accept funds transfers from other cards, from Internet accounts or from international sources presents novel and more challenging risks.3
While prepaid access devices can provide a potential new customer base and revenue source for national banks, they can also increase a national bank’s operational, compliance, strategic, and reputation risk if not implemented appropriately. National banks that offer prepaid access devices should have in place a comprehensive risk management program to mitigate the risks associated with these products. Ineffective systems and controls, or improper implementation of these systems and controls, may result in unsafe and unsound practices and may contribute to deterioration in the bank’s condition.
RISK MANAGEMENT EXPECTATIONS FOR PREPAID ACCESS PROGRAMS
National banks that offer prepaid access devices to consumers should have a comprehensive risk management program to identify, measure, monitor and control the risks related to these products. Components of a comprehensive risk management program include:
clearly defined objectives, expectations, and risk limits for the products offered;
- policies and procedures to govern the prepaid access program, including a due diligence process for selecting third-party service providers and an oversight process for monitoring performance, fraud losses, and suspicious activity;
- policies and procedures to ensure all disclosures to consumers about pricing, fees, transaction limits, and other program requirements and restrictions4 are clearly outlined;
- robust audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations; and
- parameters for reporting to the bank’s board of directors, to enable the board to periodically evaluate management’s effectiveness in executing the prepaid program and to determine if the program is achieving stated objectives.
Objectives and Risk Parameters
An effective prepaid program begins with a thorough assessment of how the product fits within the bank’s overall business strategy and risk appetite. The board of directors should ensure it understands how the program is expected to operate, the level and nature of risks it will bring to the bank, and its projected costs and revenues. In consultation with bank management, the board should establish risk limits for the program and outline expectations for compliance and performance reporting.
In setting risk limits and other program guidelines, the board of directors or its designee should:
consult with relevant functional areas within the bank to gather data sufficient to understand the program’s requirements, such as the need for expertise, staffing, and infrastructure, and the costs associated with these requirements. Relevant functional areas would include, for example, operations, information technology, audit, compliance and legal.
- identify specific program objectives, such as expected growth rates and size of the program in relation to the bank’s total assets or capital.
- outline performance criteria, such as qualitative and quantitative benchmarks to evaluate success of the product; variance analyses (actual results versus projections) to detect and address adverse trends in a timely manner; and specific thresholds that, if met, would result in management taking action to change or discontinue the program.
- require periodic review of the program by the board of directors to determine whether changes in product capabilities, regulatory requirements, competitive factors, or other aspects of the business model result in changes to the bank’s risk/reward analysis for the program.
Policies, Procedures, and Due Diligence
A prepaid program should be governed by written policies and procedures that are well understood and accessible by those who implement the program as well as those who evaluate its effectiveness. Roles and responsibilities of affected personnel should be clearly defined. Procedures should include an exit strategy in the event the product fails to perform as expected.
If the program includes a third-party service provider, policies and procedures should guide the bank’s evaluation, selection, and oversight of the third party’s activities. National banks should perform a due diligence review of potential third-party service providers. Such a review would include a thorough background check of the third-party provider and its significant principals, evaluation of the company’s financial condition, assessment of operational and risk management processes, its history of regulatory compliance and prior banking relationships, and results of information security and business continuity testing.
Once the third-party service provider is selected, the arrangement with the third-party service provider should be governed by a well-constructed, enforceable service contract that clearly defines expectations, duties, rights, and obligations of each party. A binding contract or agreement should include, at a minimum,
the scope of the relationship and explicit details about all services to be performed by the service provider, including training of employees and customer service.
- a complete description of the costs and fees for services, the parties responsible for payment, and any conditions under which the cost structure may be changed or the relationship may be terminated without penalties.
- responsibilities for providing and receiving information, including the frequency and types of reports, consumer complaints, materiality thresholds, and procedures in the event of service disruption or security breaches that pose a material risk to the bank.
- plans for business resumptions, continuity, and contingencies in the event of problems affecting the third-party provider’s operations. These plans should outline each party’s responsibilities, provide for testing of plans and the frequency of testing, and state the bank’s right to obtain the results of such tests.
- a clause that outlines the BSA/AML and OFAC obligations of the parties, including monitoring and reporting suspicious activity.5
- a clause that provides for the national bank’s right to audit the third-party provider to monitor its performance. Generally, banks need to ensure that periodic independent internal and/or external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations.
- a clause outlining the OCC’s authority to examine the third-party service provider under the Bank Service Company Act, and assess the provider’s ability to perform under its contractual obligations.
- a clause that defines (1) how the parties will share information about fraud losses and suspicious activity and (2) the process for sharing and/or indemnifying losses.
- a clause outlining the authority of the national bank to terminate the relationship.
Audit and Compliance Functions
Before launching a prepaid program, a bank should review its audit and compliance functions to ensure they are sufficient to cover the risks posed by the new program. Facilitating access to prepaid funds has the potential to introduce new risks that require specific expertise, staffing levels, and audit/compliance testing to monitor for deficiencies and identify corrective action. For example, consumer protection and BSA/AML requirements can be very challenging to manage without the appropriate infrastructure. For some components outsourced to a third party, ensuring compliance may require a different approach and additional expertise beyond current bank staff knowledge.
When expanding audit and compliance functions to accommodate prepaid programs, national banks should:
- ensure the audit and compliance functions provide for sufficient consumer protection transaction testing. Testing should ensure all fees are clearly disclosed, and a sample of accounts should be tested to verify that fees are assessed as disclosed. Such programs should also provide for testing of BSA/AML and OFAC compliance. This testing should include samples from both in-house and outsourced components, and should broadly cover the number of alerts generated and suspicious activity report filings. Banks may use existing fraud, Gramm-Leach-Bliley Act (GLBA), and OFAC monitoring programs6 to ensure appropriate coverage.
- include procedures to evaluate any proposed changes or additions to the product prior to implementation, to ensure that all risks are considered.
Parameters for Reporting to the Board of Directors
The board of directors should receive periodic reports from bank management that allow the board to determine whether the prepaid access program is operating within established risk limits, and is achieving stated objectives and financial results. Such reports may include:
- performance benchmarks, such as Service Level Agreements and Key Performance Indicators, and the program’s performance against those measures. These benchmarks should include trends as well as point-in-time performance.
- comparison of the program’s activity against board-established risk tolerances.
- variance reports.
- summaries of suspicious activity monitoring and reporting.
- fraud loss reports, including volume and type of fraud (such as account takeover and identity theft).
- results of audits and regulatory compliance reviews.
- a summary of service disruptions or security breaches that occurred since the last report.
The OCC supports national banks’ participation in prepaid access programs to meet consumer needs and diversify sources of revenue. To limit potential risks to banks and consumers, however, national banks should implement comprehensive risk management programs that provide appropriate oversight and controls commensurate with the risk, complexity of the activities, and use of any third-party providers to facilitate the prepaid programs.
- FFIEC Information Technology Examination Handbook,” Retail Payment Systems Booklet,” February 2010; and “Outsourcing Technology Services Booklet,” June 2004.
- FFIEC BSA/AML Examination Manual, Electronic Banking, Electronic Cash, and Third-Party Payment Processors, April 2010.
- OCC Bulletin 2008-12, “Payment Processors: Risk Management Guidance,” April 24, 2008.
- OCC Bulletin 2006-34, “Gift Card Disclosures,” August 24, 2006.
- OCC Bulletin 2005-15, “Bank Secrecy Act/Anti-Money Laundering,” April 25, 2005.
- OCC Bulletin 2004-20, “Risk Management of New, Expanded, or Modified Bank Products and Services: Risk Management Process,” May 10, 2004.
- OCC Advisory Letter 2004-6, “Payroll Card Systems,” May 6, 2004.
- OCC Advisory Letter 2002-3, “Guidance on Unfair or Deceptive Acts or Practices,” March 22, 2002.
- OCC Bulletin 2001-47, “Third Party Relationships: Risk Management Principles,” November 1, 2001.
- OCC Bulletin 96-48, “Stored Value Card Systems,” September 10, 1996.
Please direct any questions or comments regarding this guidance to Operational Risk Policy at (202) 649-6550.
Carolyn G. DuChene
Deputy Comptroller for Operational Risk
1A prepaid access program is an arrangement through which one or more persons acting together provide access to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number. This bulletin addresses guidance and sound practices relevant to any other electronic devices or vehicles that are in use, or that may be developed in the future. The terms banks and national banks refer to national banks and all other institutions for which the Office of the Comptroller of the Currency is the primary supervisor. Beginning July 21, 2011, this guidance will also apply to federal savings associations.
2 Related guidance is listed at the end of this bulletin.
3 Devices that receive funds transfers can be used by online hackers in account takeover fraud schemes that could result in loss to the bank.
4 Devices that receive Federal payments are subject to specific consumer protection guidelines established by the Financial Management Service of the U.S. Department of the Treasury. (See 31 CFR 210.5(b)(5)(i); 75 FR 80335). National banks are encouraged to follow, as a model, these guidelines when establishing program criteria for their prepaid access programs.
5 Financial Crimes Enforcement Network issued in the Federal Register a proposed rule on prepaid programs (75 FR 36589) that would impose BSA/AML compliance obligations on non-bank entities that are determined to be “providers of prepaid access.” This proposal and the anticipated final rule are significant regulatory developments in the prepaid industry.
6 Banks already have in place programs to respond to unauthorized access to customer information and identity theft prevention developed pursuant to section 501(b) of the GLBA and section 114 of the Fair and Accurate Credit Transactions Act of 2003. Banks may be able to use these existing programs when developing risk management systems for prepaid card programs. See 12 CFR 30, appendix B; 12 CFR 41.90 et seq.