Despite the myriad benefits that prepaid access devices offer to financial institutions and their clients, they come with a great deal of risk for the financial institution. Among the greatest risks are fraud, money laundering and the regulatory risk associated with failing to maintain an adequate compliance program for these products.
Risk Assessment
Before a prepaid access program is implemented, the financial institution should conduct a risk assessment. How does the program fit into the overall strategy of the institution? What is the level of risk that the institution is willing to accept? What are the parameters of the program in terms of individual customers? What are the internal needs of the financial institution to be able to administer the program? Will new staff need to be hired or will new software be required? The Board should fully demonstrate that it has considered all of the above and has made a determination of what the expectations for the program are. In addition, specific metrics for measuring the success or failure of the program should be in place long before the products are offered. The Board of the financial institution should review the performance of the plan against the goals established to determine its overall merits.
Third Party Processors
In the very likely event that the financial institution uses a third party processor to operate the program, there are additional considerations. The financial institution must have a vendor-review plan that clearly delineates the duties and liabilities of each party. Most financial institution regulators require that the third party vendor be audited by an independent third party at least annually. [1] In addition, there must be a program to review third party processors on a regular basis and to complete a due diligence analysis of that processor. Financial institutions are expected to know all they can about the vendors with whom they conduct transactions.
Contracts with Third Party Processors
Most regulatory agencies have strict standards for the language that must be included in a contract with the financial institution. The contract provisions that are most often required include:
1) Provisions that clearly spell out the responsibilities of the third party processor versus the Bank, including who is responsible for consumer disclosures, including fees and charges;
2) The means for an annual independent review of the third party processor, in particular for compliance with BSA/AML;
3) A disaster recovery plan;
4) Clear documentation of the customer identification program being conducted by the third party processor;
5) A clause that discusses how the parties will share information about suspicious activity and/or fraud and how the parties will share/indemnify each other for losses;
6) A complete description of the reports and information that the financial institution should receive from the third party processor;
7) A description of the mechanisms available for termination of the contract.
In the end, prepaid access programs can sometimes be a “shiny” object that appears to be a solution to a multitude of concerns; and they can be just that! However, these programs must be properly managed lest they become a nightmare!
[1] Some regulators, such as the OCC, require that their banks write into contracts with third party servicers that the regulatory agency has the right to examine the third party vendor under the Bank Service Company Act.