The OCC issued guidance, in OCC 2011-27, to financial institutions for assessing and managing the risks associated with prepaid access programs. Prepaid access products have grown rapidly in recent years and have proven to be attractive to the banking industry due, in large part, to the fact that they can be marketed to existing customers as well as a new customer base – financially underserved customers. Prepaid access refers to a host of devices that facilitate consumers' access to money electronically, such as general purpose reloadable cards, mobile phones, internet sites, retail gift cards, payroll cards and government benefit cards. These devices allow the consumer to add and store funds onto the device and use it to spend or withdraw the funds from a variety of sources.
The OCC cautions that while prepaid access devices can provide a potential new customer base and revenue source for financial institutions, such devices can also increase a financial institution’s operational, compliance, strategic and reputation risk if not implemented appropriately. A critical consideration in managing these risks arises when the prepaid access program or any of its components is outsourced to a third-party service provider.
With respect to prepaid access programs that include a third-party service provider, the OCC provides useful insight on the mechanics of the service contract that should govern the arrangement between the financial institution and the service provider. Specifically, the service contract should include, at a minimum, a clause that:
- establishes the scope of the relationship and explicit details about all services to be performed by the service provider (including training of employees and customer service);
- provides a complete description of the costs and fees for services, the parties responsible for payment, and any conditions under which the cost structure may be changed or the relationship may be terminated without penalties;
- establishes the parties' respective responsibilities for providing and receiving information (including, but not limited to, the frequency and types of reports, consumer complaints, materiality thresholds, and procedures in the event of service disruption or security breaches that pose a material risk to the financial institution);
- solidifies the parties' plans for business continuity, resumptions, and contingencies in the event of problems affecting the third-party provider’s operations;
- outlines the Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control (OFAC) compliance obligations of the parties, including monitoring and reporting suspicious activity;
- provides for the financial institution’s right to audit the third-party service provider to monitor its performance;
- outlines the OCC’s authority to examine the third-party service provider under the Bank Service Company Act, and assess the provider’s ability to perform under its contractual obligations;
- defines (1) how the parties will share information about fraud losses and suspicious activity and (2) the process for sharing and/or indemnifying losses; and
- establishes the financial institution’s termination rights.