Financial Crimes Enforcement Network Releases Final Rule Applying Bank Secrecy Act Regulations to Providers and Sellers of Prepaid Access Products

Financial Institutions Regulatory Update

On July 29, 2011, the Financial Crimes Enforcement Network (“FinCEN”) published a final rule (“Final Rule”) that revises the Bank Secrecy Act (“BSA”) requirements currently applicable to money services businesses (“MSBs”) with regard to stored value products and services. FinCEN published the Notice of Proposed Rulemaking on June 28, 2010 (“Proposed Rule”) and received 76 comment letters in response to the Proposed Rule. In the Final Rule, FinCEN indicates that it used the information provided in the comment letters to inform its final decisions. FinCEN’s stated goal for the Final Rule is to address regulatory gaps that have resulted from the proliferation of prepaid innovations over the last 12 years that increase the potential for using prepaid access to further money laundering, terrorist financing and other illicit transactions. FinCEN believes that the prepaid access market has matured and now warrants, at a minimum, regulation commensurate with other MSBs.

The Final Rule renames “stored value” as “prepaid access” and creates two new categories of MSBs – providers of prepaid access and sellers of prepaid access. The Final Rule requires providers of prepaid access to register as MSBs for the first time and imposes on both providers of prepaid access and sellers of prepaid access suspicious activity report (“SAR”) obligations, anti-money laundering (“AML”) program requirements, customer identification requirements and customer recordkeeping requirements. The Final Rule also imposes transaction recordkeeping requirements on providers of prepaid access. The Final Rule does not establish new requirements or change existing BSA requirements applicable either to banks or to entities regulated by the Securities and Exchange Commission or Commodity Futures Trading Commission. The Final Rule becomes effective on September 27, 2011, except that the requirement for providers of prepaid access to register with FinCEN does not become effective until January 29, 2012.

Prepaid Access

The Final Rule renames “stored value” as “prepaid access,” without narrowing or broadening the meaning of the term, but to describe more aptly the underlying activity, recognizing that value is not stored on the card. Specifically, the Final Rule defines “prepaid access” as “[a]ccess to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number.” The key parts of the definition are (1) funds have been paid in advance and (2) those funds can be retrieved or transferred in the future. FinCEN indicates that it believes the definition has the necessary regulatory elasticity to survive future technological advancements.

Providers of Prepaid Access

The Final Rule imposes the full panoply of BSA requirements on the entity identified as the “provider of prepaid access.” The Final Rule allows the participants in a “prepaid program” (discussed below) to determine which party among them will serve as the provider of prepaid access. Specifically, a provider of prepaid access is “the participant within a prepaid program that agrees to serve as the principal conduit for access to information from its fellow program participants. The participants in each prepaid access program must determine a single participant within the prepaid program to serve as the provider of prepaid access.” If one of the participants in a prepaid access program has failed to register as the provider of prepaid access, then the provider of prepaid access is the person with principal oversight and control over the prepaid program, as determined by FinCEN. This is a facts and circumstances determination. The Final Rule provides a non-exclusive list of five activities that indicate principal oversight and control:

  • Organizing the prepaid program;
  • Setting the terms and condition of the prepaid program and determining that the terms have not been exceeded;
  • Determining the other businesses that will participate in the prepaid program, which may include the issuing bank, the payment processor, or the distributor;
  • Controlling or directing the appropriate party to initiate, freeze or terminate prepaid access; and
  • Engaging in activity that demonstrates oversight and control of the prepaid program.

Sellers of Prepaid Access

In the Final Rule, FinCEN adopts a more limited definition of seller of prepaid access than as proposed in the Proposed Rule. FinCEN indicates that it has adopted a targeted approach to regulating sellers of prepaid access, focusing on those sales of prepaid access whose inherent features or high dollar amounts pose heightened money laundering risks. A seller of prepaid access is defined as “[a]ny person that receives funds or the value of funds in exchange for an initial loading or subsequent loading of prepaid access if that person (i) sells prepaid access offered under a prepaid program that can be used before verification of customer identification…; or (ii) sells prepaid access (including closed loop prepaid access) to funds that exceed $10,000 to any person during any one day, and has not implemented policies and procedures reasonably adapted to prevent such a sale.” In the first part of the definition (subsection (i) above), if the prepaid access is sold under an arrangement that fits into one of the exemptions from the term “prepaid program” (discussed below) or if the customer must go through the identification process before the card is activated, then there is no seller of prepaid access.

The Final Rule treats the seller as an agent under the MSB rules and does not require the seller to register as an MSB. However, as the party with face-to-face purchaser contact, and therefore the ability to capture unique information in the course of completing the transaction, a seller of prepaid access is subject to various BSA requirements, which are described below.

Prepaid Programs and Exclusions

The Final Rule defines a prepaid program as “an arrangement under which one or more persons acting together provide(s) prepaid access” and provides several exemptions as described below. Specifically, an arrangement is not a prepaid program if it only involves:

  • Closed-loop prepaid access devices that have a maximum value of $2,000 or less on any day;
  • Prepaid access to funds provided by a federal, state, local, territory and insular possession or tribal government agency;
  • Prepaid access to funds from a pre-tax flexible spending account for health care and dependent care expenses or from a Health Reimbursement Arrangement (“HRA”) as defined in the Internal Revenue Code for healthcare expenses; or
  • Prepaid access to employment benefits, incentives, wages or salaries, or prepaid access with a maximum value of $1,000 or less at all times; if, in either case, the prepaid access device does not permit (1) funds or value may be transmitted internationally, (2) transfers between or among users within a prepaid program, such as person-to-person transfers or (3) loading additional funds or value from a non-depository source, such as a retail reload location.

FinCEN explains that the healthcare-related exemption does not include Health Savings Accounts because such accounts allow commingling of health and non-healthy related funds and do not contain the strict limitations inherent in HRAs. In addition, FinCEN clarifies that funds are deemed to be transmitted internationally if the merchant or ATM is located outside of the U.S., irrespective of whether transactions are conducted in-person or not (e.g., Internet transactions).

BSA Requirements Applicable to Providers and Sellers of Prepaid Access

Under current regulations, issuers and sellers or redeemers of stored value are required to file Currency Transaction Reports and to establish written AML programs (if they transact amounts greater than $1,000 per person per day), but are not required to register as MSBs, file SARs or perform customer identification. The Final Rule revises the BSA regulatory regime to impose the following requirements on providers and sellers of prepaid access:

  • MSB Registration. Providers of prepaid access are required to register with FinCEN as MSBs and identify in the registration each prepaid program for which they are the provider of prepaid access. Sellers of prepaid access are treated as agents of the providers, and are not themselves required to register. Compliance with the requirement that a complete list of prepaid programs be submitted with the registration will require a change to FinCEN Form 107. Accordingly, compliance with the registration requirement is not required until January 29, 2012.
  • SARs. Providers and sellers of prepaid access are subject to SAR requirements.
  • Customer Identification and Recordkeeping. Providers and sellers of prepaid access must, as part of their AML program, establish procedures to verify the identity of a person obtaining prepaid access under a prepaid program and obtain indentifying information, including name, date of birth, address and identification number. Providers of prepaid access must retain access to identifying information for five years after the last use of the prepaid access device or vehicle. Sellers of prepaid access must retain identifying information for five years from the date of the sale of the prepaid access device or vehicle. If both the provider and seller of prepaid access are required to collect identifying information, they may agree as to which entity will collect the information.
  • Transactional Reporting. Providers of prepaid access are required to maintain access, for five years, to transactional records generated in the ordinary course of business that would be needed to reconstruct prepaid access activation, loads, reloads, purchases, withdrawals, transfers and other prepaid-related transactions. These records would routinely reflect: (1) type of transaction (ATM withdrawals, point-of-sale purchase, etc.), (2) amount and location of transaction, (3) date and time of transaction and (4) any other unique identifiers related to transactions. The records need not be kept in any particular format but must be easily accessible and retrievable upon the appropriate request of FinCEN, law enforcement or judicial order.

If you have any questions regarding this update, please contact Joel Feinberg (+1.202.736.8473,, David Teitelbaum (+1.202.736.8683,, Ming-Hsuan Elders (+1.202.736.8801, or the Sidley lawyer with whom you usually work.

The Financial Institutions Regulatory Practice of Sidley Austin LLP

The Financial Institutions Regulatory Practice group offers counseling, transaction and litigation services to depository and nondepository financial institutions and their holding companies. Our lawyers assist domestic and non-U.S. financial institutions and their holding companies, and electronic payment systems, as well as securities, insurance, finance, mortgage and other diversified financial services companies. We represent financial services clients before the U.S. Department of the Treasury, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and state bank regulatory agencies. In addition, we represent clients before the United States Supreme Court, the federal courts of appeal, federal district courts and state courts.

To receive future copies of this and other Sidley updates via email, please sign up at

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

Prior results do not guarantee a similar outcome.