Interagency Guidance:

Applying Customer Identification Program Requirements to Holders of Prepaid Cards

March 2016

The NCUA, along with the other Federal Banking Agencies and the Financial Crimes Enforcement Network (FinCEN), disseminated guidance to “issuing banks” (including credit unions) pertaining to the application of their customer identification programs (CIP) to prepaid cards.  The guidance clarifies that a credit union should apply its CIP to certain prepaid cardholders.  To determine if CIP requirements apply to a particular prepaid card, a credit union should determine:

  • Whether the issuance of the prepaid card results in the creation of an account; and
  • If so, determine the identity of the credit union’s member

Determining the Existence of an Account:

  • The CIP rule defines an “account” as a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including deposit accounts, transaction accounts, asset accounts, credit accounts or extensions of credit. An “account” also includes safety deposit boxes or other safekeeping services or cash management, custodial or trust services.
  • An “account” does not include “products/services for which a formal banking relationship is not generally established with a person, such as check cashing, wire transfer or sales of checks or money orders.”
  • An “account” does not include “any account that the bank acquires or accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.”
  • Credit unions may only serve individuals and entities within their approved field of membership.  Therefore, any credit union contemplating entering into an account relationship involving holders of prepaid cards sold and distributed by third parties is whether the customer with whom it intends to establish the relationship is within the field of membership it is authorized to serve.

Prepaid Cards that should be treated as accounts

In general, prepaid cards that provide a cardholder with (i) the ability to reload funds or (ii) access to credit or overdraft features should be treated as an account. 

  • Note: some prepaid cards may be sold without reloadable functionalities activated or overdraft features enabled.  However, a purchaser or subsequent transferee may activate these features by contacting the issuing credit union or third party program manager.  In such cases, the Agencies believe that an account has not been established until a reload, credit or overdraft feature is activated by the registered cardholder.

Identifying the Customer

Under the CIP rule, a person that opens a new account is deemed a “customer.” The CIP rule’s preamble provides that a credit union need only verify the identity of a named accountholder. 

Prepaid Cardholders

  • With regard to prepaid cardholders, the cardholder should be treated as the bank/credit union’s customer for purposes of the CIP rule.  This is true even if the cardholder is not the named accountholder but has obtained the card from an intermediary who uses a pooled account with the bank to fund credit union issued cards. 

Third Parties

  • With regard to third parties, third party program managers should be treated as agents of the bank for purposes of the CIP rule, rather than the credit union’s customer.  However, the guidance notes that “as with any other activity performed on behalf of the credit union, the credit union is ultimately responsible for compliance with the CIP requirements.”
  • Third party program managers may establish pooled accounts in their names for the purpose of holding funds “on behalf of” or “in trust for” cardholders or processing transactions on behalf of other issuing banks.  However, the fact that these funds are held in a pooled account should not affect the status of the cardholder as a bank customer, assuming the cardholder has established an account with the bank by activating the reloadable functionalities of a general purpose prepaid card or its credit or overdraft features. 
  • In the case of non-reloadable general purpose prepaid cards without credit or overdraft features, or other prepaid cards that do not have the identified features that establish an account for purposes of the CIP rule (such as closed-loop prepaid cards), the third party program manager in whose name a pooled account has been established should be considered the only customer of the issuing bank and should be subject to the institution’s CIP requirements.  In these cases, banks/credit unions are not required to “look through” the pooled account to verify the identity of each cardholder.

Payroll Cards

  • Typically, employers open an account with the bank and provide the employees with a card that can be used to access the account.  If only the employer (or the employer’s agent) can deposit funds to the payroll card account, the employer should be considered the institution’s customer. 
  • However, if the employee is permitted access to credit through the card or has the ability to reload the payroll card account from other sources (outside of the employer), the employee would be considered the credit union’s customer.

Government Benefit Cards

Government benefit cards (also called “Electronic Benefit Transfer” or “EBT” cards) are issued under government benefit programs to distribute benefits or other payments. 

  • If the government benefit card program permits only government funds to be loaded onto the card and not does provide access to credit—no customer relationship is established between the credit union and the beneficiary cardholder. 
  • If the card allows non-government funds to be loaded onto the card and provides access to credit, then a customer relationship has been established between the credit union and the beneficiary cardholder and the institution should obtain CIP information from the beneficiary cardholder.

Health Benefit Cards

  • Prepaid cards can be used to access funds in a Health Savings Account (HSA) or accounts established as part of a Flexible Spending Arrangement (FSA) or Health Reimbursement Arrangement (HRA).
  • Health Savings Accounts (HSAs) are established by an employee to pay or obtain reimbursement for qualifying medical expenses.  The employee establishing the account or the employer may contribute to the HSA.  Because the employee establishes the account, she/he will be considered the credit union’s customer for CIP purposes.
  • Flexible Spending and Health Reimbursement Arrangements (FSAs and HRAs) are established by the employer and funded by either voluntary withholding from an employee’s salary (FSAs only) or through direct employer contributions (both FSAs or HRAs).  In these instances, the employer should be considered the institution’s customer for CIP purposes because they establish the FSA or HRA, make deposits into the FSA or HRA and distribute funds from the FSA or HRA. 

Expectations for Contracts with Third Party Program Managers

The guidance advises credit unions to enter into “well-constructed, enforceable contracts with third party program managers that clearly define the expectations, duties, rights and obligations of each party.”  The institution’s third party contracts should at minimum:

  • Outline the CIP obligations of the parties;
  • Ensure the right of the credit union to transfer, store, or otherwise obtain immediate access to all CIP information collected by the third-party program manager on cardholders;
  • Provide for the credit union’s right to audit the third party program manager and to monitor its performance; and
  • If applicable, indicate that, pursuant to the Bank Service Company Act (BSCA) or other appropriate legal authority, the relevant regulatory body has the right to examine the third party program manager. 
  • The BSCA does not confer authority to the NCUA.  However, federally insured credit unions may refer to Letter to Credit Unions (07-CU-13) and associated enclosures for relevant guidance in addition to the FFIEC Information Technology Examination Handbook.