Prepaid Access AML Compliance Considerations in a Digital World

By Samantha Samuel, Gregory Schwarz

The growth of digital technology continues to change the payment landscape, causing a significant evolution to the prepaid access1  market2. The projection of the prepaid industry trends towards exponential growth as a cashless, digital alternative. This trend had only been exacerbated during the COVID-19 pandemic, as sellers look to expand their businesses by growing their sales online and reaching a wider segment of customers. While revenue growth is desired,  the growth of digital payments and card-not-present transactions presents unique and challenging obstacles that prepaid providers and Sellers need to prepare for as they develop and enhance their Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) and Office of Foreign Assets Control (OFAC) compliance programs.


BSA/AML Regulation Overview

While the digital channel growth of prepaid access significantly increased in the last decade, BSA/AML regulations of prepaid access rules have remained largely unchanged since 2011. Within defined conditions, providers of prepaid access are required to register with FinCEN as Money Services Businesses (MSBs)3. For prepaid access providers that outsource to agents, or “Sellers,” that agent/Seller may trigger MSB requirements if the Seller allows access to a prepaid program before user identification is verified or does not have procedures in place to prevent the sale of more than $10,000 in pre-paid access per person per day. A Seller that falls within these specifications will need to develop and implement a risk-based AML program, report suspicious activity, and comply with recordkeeping requirements related to customer identifying information and transactional data4. Notably, however, Sellers are not required to register with FinCEN5.

Entities or sellers that do not fall within these conditions are not classified as MSBs, do not need to implement AML programs, and are only required to implement policies and procedures reasonably adapted to prevent the sale of more than $10,000 of prepaid access to an individual in any given day.  Also note that a seller of prepaid access is not classified as an MSB if the seller is selling/distributing prepaid access to other businesses for further distribution or sale to end-users/consumers, regardless of whether the prepaid access activity exceeded $10,000 to any person on any given day.6


Risk Management Considerations

While prepaid access regulations have not materially changed over the last decade to explicitly address growing digital online sales, FinCEN’s existing regulations can address changes in technology and growth in the industry. Each MSB’s AML program must be commensurate with the risks posed by the location and size of the particular MSB, and by the nature and volume of the financial services that it offers.7 The risk based nature of the AML program requirement is designed to give an MSB flexibility to tailor its AML program to its specific risk profile.8 Considering the recent trends and risk based requirements, Guidehouse recommends companies in the prepaid access supply chain pay special attention to is risk management protocols in the growing digital environment.

Automated Monitoring

As digital sales volumes increase, stakeholders should be cognizant of the unique risks of sales to a wider segment of customers. Depending on a seller’s volume, effective monitoring, an automated system may be necessary to consolidate and compare data points across transactions and customer profiles to identify customers attempting to circumvent or evade prepaid access thresholds. Effective monitoring systems can collect and compare personal identifiable information (PII) (e.g., name, address, phone number, etc.) and financial (e.g., credit card number, bank account number, etc.) data across customer profiles that alert on AML and fraud typologies. Such typologies may include, for example, attempts to structure transactions across separate prepaid products of different programs and across a seller’s points of sale (online and instore) system. Artificial intelligence, machine learning and behavioral analytics are tools that can monitor trends and patterns of customers more effectively than a manual review and can further analyze data points in a near-real time environment for customer deviations and suspicious transactions.

Additionally, nontraditional data points such as Internet Protocol (IP) addresses can be used to identify fraud and mitigate sanctions risk. With respect to fraud, effective alert scenarios may trigger when a customer purchases prepaid access and identifies themselves in one state while geolocation identifies them purchasing elsewhere, or the customer’s billing and shipping address are identified as different locations. With respect to sanctions, consideration should be given to tracking and blocking IP addresses of purchasers to ensure sales to sanctioned countries are not permitted.9

Bulk Sales

The bulk sale of prepaid access to resellers is a lucrative yet potentially riskier aspect of the prepaid market. Bulk sales of store valued instruments give illicit actors opportunities to layer and integrate large sums of money. In the digital context, this risk may be exacerbated given the limited face-to-face engagement with sellers and the ability to move large volumes of prepaid access at scales and speeds not possible with physical sales.

Guidehouse notes that the bulk sale of prepaid access from seller-to-business does not trigger AML requirements for sales exceeding $10,000 in a single day, so long as the sales from seller-to-business are for further distribution or sales to end-users/consumers. Simply, in this scenario, a seller does not trigger Seller requirements, and therefore, would not be a designated MSB requiring the implementation of a risk-based AML program. Nonetheless, Guidehouse advises companies, even if they are a non-regulated seller under the BSA, to consider implementing robust risk-based know-your-customer controls.

While many sellers are not regulated MSBs, it is still a criminal offense to facilitate laundering the proceeds of crime, regardless of compliance program regulatory requirements.10 Therefore, implementation of risk-based customer due diligence (e.g., obtaining ultimate beneficial ownership, nature of business, negative media screening, etc.) on business purchasers is a reasonable measure. Guidehouse, therefore suggests that clients ensure that businesses purchasing bulk quantities of prepaid access (>$10,000) are legitimate, and are not shell companies.


How Can Guidehouse Help

Guidehouse can help MSBs, including sellers, assess their compliance programs to navigate these regulatory risks, including developing and implementing updates to operations, policies, procedures, controls, and technology.

Its areas of relevant expertise include the following:

  • AML and OFAC Advisory;
  • AML and OFAC program management outsourcing;
  • Strategic planning;
  • Risk management;
  • Vendor sourcing and governance; and
  • Executive training.

Guidehouse can review and assess your AML and OFAC compliance program to identify gaps or weaknesses, evaluate your transaction monitoring technology, or to conduct training on related AML and OFAC compliance.

Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.

1 Per 31 CFR § 1010.100, “prepaid access” is defined as the access to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number.
2  Press Release, Global Gift Card and Incentive Card Market Intelligence and Future Growth Dynamics Report 2021, February 12, 2021. Borasi, Pramod and Chabbra, Monica, “Prepaid Card Market by Card Type (Open Loop Prepaid Card and Closed Loop Prepaid Card), Usage (General-purpose Reloadable Card, Gift Card, Government Benefit/Disbursement Card, Payroll Card, and Others), and End User (Retail, Corporate Institutions, Government, and Financial Institutions): Global Opportunity Analysis and Industry Forecast, 2020–2027,” Allied Market Research, May 2020. PRNewswire, “United States Prepaid Cards Market 2020-2024: COVID-19 Pandemic Reshaping the Industry,” Published June 30, 2020. The Business Research Company, “Cards Global Market Report 2021: COVID 19 Impact And Recovery To 2030,” published January 2021.
3  31 CFR Parts 1010.100 (4)(iii)
31 CFR Parts 1010.100 (4)(iii)
5  Id.
6  Id.
7  Bank Secrecy Act / Anti-Money Laundering Examination Manual for Money Services Businesses, 2008, at pg.19.
8  Id.
9  In December 2020 OFAC entered a settlement with a technology firm regarding sanctions violations relating to customer use of a digital wallet. The firm failed to implement controls designed to prevent users with IP addresses located in sanctioned jurisdictions from accessing the firm’s services.
10  An adequate and effective compliance program is a factor that the Department of Justice uses to determine whether to bring charges, negotiate pleas, or other agreements (See U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs, June 2020.)

Let Us Help Guide You

Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.

Stay ahead of the curve with news, insights and updates from Guidehouse about issues relevant to your organization and its work.