By Samantha Samuel, Gregory Schwarz
The growth of digital technology continues to change the payment landscape, driving a significant evolution of the prepaid access[1] market[2]. Projections for the prepaid industry point towards exponential growth as a cashless, digital alternative. This trend has only been exacerbated during the COVID-19 pandemic, as sellers look to expand their businesses by growing their sales online and reaching a wider segment of customers. While revenue growth is desired, the growth of digital payments and card-not-present transactions presents unique and challenging obstacles that prepaid providers and Sellers need to prepare for as they develop and enhance their Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) and Office of Foreign Assets Control (OFAC) compliance programs.
While the digital channel growth of prepaid access has significantly increased in the last decade, the BSA/AML regulations governing prepaid access have remained largely unchanged since 2011. Within defined conditions, providers of prepaid access are required to register with FinCEN as Money Services Businesses (MSBs)[3]. For prepaid access providers that outsource to agents, or “Sellers,” that agent/Seller may trigger MSB requirements if the Seller allows access to a prepaid program before user identification is verified or does not have procedures in place to prevent the sale of more than $10,000 in prepaid access per person per day. A Seller that falls within these specifications will need to develop and implement a risk-based AML program, report suspicious activity, and comply with recordkeeping requirements related to customer identifying information and transactional data[4]. Notably, however, Sellers are not required to register with FinCEN[5].
Entities or sellers that do not fall within these conditions are not classified as MSBs, do not need to implement AML programs, and are only required to implement policies and procedures reasonably adapted to prevent the sale of more than $10,000 of prepaid access to an individual in any given day. Also note that a seller of prepaid access is not classified as an MSB if the seller is selling/distributing prepaid access to other businesses for further distribution or sale to end-users/consumers, regardless of whether the prepaid access activity exceeded $10,000 to any person on any given day.[6]
While prepaid access regulations have not materially changed over the last decade to explicitly address growing digital online sales, FinCEN’s existing regulations can address changes in technology and growth in the industry. Each MSB’s AML program must be commensurate with the risks posed by the location and size of the particular MSB, and by the nature and volume of the financial services that it offers.[7] The risk-based nature of the AML program requirement is designed to give an MSB flexibility to tailor its AML program to its specific risk profile.[8] Considering the recent trends and risk-based requirements, Guidehouse recommends companies in the prepaid access supply chain pay special attention to risk management protocols in the growing digital environment.
As digital sales volumes increase, stakeholders should be cognizant of the unique risks of sales to a wider segment of customers. Depending on a seller’s volume, an automated system may be necessary for effective monitoring, consolidating and comparing data points across transactions and customer profiles to identify customers attempting to circumvent or evade prepaid access thresholds. Effective monitoring systems can collect and compare personally identifiable information (PII) (e.g., name, address, phone number, etc.) and financial data (e.g., credit card number, bank account number, etc.) across customer profiles and alert on AML and fraud typologies. Such typologies may include, for example, attempts to structure transactions across separate prepaid products of different programs and across a seller’s points of sale (online and in-store). Artificial intelligence, machine learning and behavioral analytics are tools that can monitor trends and patterns of customers more effectively than a manual review and can further analyze data points in a near-real-time environment for customer deviations and suspicious transactions.
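The cross-profile comparison described above can be sketched as follows. This is an added example, not Guidehouse's code or any vendor's product: the record layout, the sample sales, and the rule that a shared card or phone number links two profiles are all assumptions made for illustration.

```python
from collections import defaultdict

DAILY_LIMIT = 10_000  # USD per person per day, the threshold discussed above

# Constructed sample sales: (profile_id, day, amount_usd, card, phone, channel)
SALES = [
    ("p1", "2024-03-01", 4000, "card-A", "555-0101", "online"),
    ("p2", "2024-03-01", 3500, "card-A", "555-0102", "online"),    # shares card with p1
    ("p3", "2024-03-01", 3000, "card-B", "555-0102", "in-store"),  # shares phone with p2
    ("p4", "2024-03-01", 9000, "card-C", "555-0199", "online"),    # unrelated, under limit
    ("p1", "2024-03-02", 2000, "card-A", "555-0101", "in-store"),
]

def link_profiles(sales):
    """Union-find: profiles sharing a card or phone value resolve to one root."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for profile, _day, _amt, card, phone, _chan in sales:
        for key in (("card", card), ("phone", phone)):
            ra, rb = find(("profile", profile)), find(key)
            if ra != rb:
                parent[ra] = rb
    return find

def structuring_alerts(sales, limit=DAILY_LIMIT):
    """Flag linked-profile groups whose combined same-day purchases exceed limit."""
    find = link_profiles(sales)
    totals = defaultdict(float)
    members = defaultdict(set)
    for profile, day, amt, *_ in sales:
        group = (find(("profile", profile)), day)
        totals[group] += amt
        members[group].add(profile)
    return sorted(
        (day, sorted(members[(root, day)]), total)
        for (root, day), total in totals.items()
        if total > limit
    )

if __name__ == "__main__":
    for day, profiles, total in structuring_alerts(SALES):
        print(f"{day}: {profiles} combined ${total:,.0f} exceeds ${DAILY_LIMIT:,}")
```

No single profile in the sample exceeds the limit on its own; the alert only appears once the three profiles are linked through the shared card and phone number, across both online and in-store sales.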
Additionally, nontraditional data points such as Internet Protocol (IP) addresses can be used to identify fraud and mitigate sanctions risk. With respect to fraud, effective alert scenarios may trigger when a customer purchases prepaid access and identifies themselves in one state while geolocation identifies them purchasing elsewhere, or the customer’s billing and shipping address are identified as different locations. With respect to sanctions, consideration should be given to tracking and blocking IP addresses of purchasers to ensure sales to sanctioned countries are not permitted.[9]
The bulk sale of prepaid access to resellers is a lucrative yet potentially riskier aspect of the prepaid market. Bulk sales of stored-value instruments give illicit actors opportunities to layer and integrate large sums of money. In the digital context, this risk may be exacerbated given the limited face-to-face engagement with sellers and the ability to move large volumes of prepaid access at scales and speeds not possible with physical sales.
Guidehouse notes that the bulk sale of prepaid access from seller-to-business does not trigger AML requirements for sales exceeding $10,000 in a single day, so long as the sales from seller-to-business are for further distribution or sales to end-users/consumers. Put simply, in this scenario a seller does not trigger Seller requirements and therefore would not be a designated MSB required to implement a risk-based AML program. Nonetheless, Guidehouse advises companies, even if they are a non-regulated seller under the BSA, to consider implementing robust risk-based know-your-customer controls.
While many sellers are not regulated MSBs, it is still a criminal offense to facilitate laundering the proceeds of crime, regardless of compliance program regulatory requirements.[10] Therefore, implementation of risk-based customer due diligence (e.g., obtaining ultimate beneficial ownership, nature of business, negative media screening, etc.) on business purchasers is a reasonable measure. Guidehouse therefore suggests that clients ensure that businesses purchasing bulk quantities of prepaid access (>$10,000) are legitimate and are not shell companies.
Guidehouse can help MSBs, including sellers, assess their compliance programs to navigate these regulatory risks, including developing and implementing updates to operations, policies, procedures, controls, and technology.
Its areas of relevant expertise include the following:
Guidehouse can review and assess your AML and OFAC compliance program to identify gaps or weaknesses, evaluate your transaction monitoring technology, or conduct training on related AML and OFAC compliance.
Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.