Prepaid Access AML Compliance Considerations in a Digital World

Volume II

In our first installment, Prepaid Access AML Compliance Considerations in a Digital World, Guidehouse discussed Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) and Office of Foreign Assets Control (OFAC) compliance considerations in a growing digital prepaid industry. Over the past year, Guidehouse continues to observe growing interest in prepaid services in the digital space, particularly by players in the cryptocurrency industry. In this second installment, we discuss this growing trend and outline unique prepaid risks and considerations for BSA/AML-regulated entities engaged in or exposed to this activity.

BSA/AML Regulation Overview

To refresh our previous discussion, it is important to outline key BSA/AML regulations.

  • Providers of Prepaid Access (Providers) are required to register with the Financial Crimes Enforcement Network (FinCEN) as Money Services Businesses (MSBs).1
  • Sellers may be classified as Sellers of Prepaid Access (Seller), if the seller:
  1. Sells prepaid access under a prepaid program before user’s identification is verified or its does not have policies and procedures in place that are reasonably adapted to prevent the sale of more than $10,000 of any type of prepaid access to any one person on any one day (i.e., entities or sellers that do not fall within these conditions are not classified as MSBs and do not need to implement AML programs to cover their prepaid sales).
  2. A Seller that falls within these specifications is a MSB and will need to develop and implement a risk-based AML program, report suspicious activity, and comply with recordkeeping requirements related to customer-identifying information and transactional data.2
  3. Sellers are also required to identify and verify the identity of a person (e.g., name, address, date of birth, and Social Security number): (1) who obtains prepaid access under a prepaid program that is not specifically exempt; or (2) if a person obtains prepaid access to funds that exceed $10,000 during any one day3. Notably, however, as agent MSBs, Sellers are not required to register with FinCEN.4
  • On March 24, 2016, in its Frequently Asked Questions Regarding Prepaid Access, FinCEN outlined its expectations regarding “policies and procedures reasonably adapted to prevent” sales of $10,000 of collective prepaid access. FinCEN expects that non-MSB sellers will: 
  1. Develop an internal policy regarding sales of prepaid access in excess of $10,000 to a single individual in a day. 
  2. Articulate this policy to the appropriate personnel within the organization.
  3. Monitor activity, through mechanisms appropriate to the retailer’s size and type of operating structure, to avoid sales in excess of $10,000 to a single individual in a day. 

The fact that a retailer sells more than $10,000 in prepaid access to one person in one day does not in and of itself mean that the retailer’s policies and procedures are not “reasonably adapted to prevent such a sale.”

Risk Management Considerations

In the past year, Guidehouse has observed an increasing amount of cryptocurrency exchanges selling prepaid access online and through third-party retail stores as: (1) a new product to customers; (2) to market the company brand; (3) to encourage new applicants; and (4) to provide an additional method for customers to load fiat currency into their accounts. While most activity involving prepaid access is lower risk, there are several unique risk and regulatory considerations that institutions should consider:

Purchases from Unhosted Wallets without Obtaining Know-Your-Customer (KYC) Data

Many of the cryptocurrency exchanges selling prepaid access online do so at limited levels to avoid being classified as a Seller of prepaid access. Such a classification would subject their prepaid sales to BSA/AML program requirements (e.g., transaction monitoring, record-keeping). However, while many exchanges attempt to comply with the “Reasonably Adapted” test by instituting lower limits on prepaid purchases, there is uncertainty as to whether this step, alone, is enough to meet the requisite standard under Prong 3 referenced above.  

Scenario A: Exchange ABC sells prepaid to anonymous buyers with a maximum limit of $1,000.00 of closed-loop prepaid access per wallet per day. Cards have a maximum load value of $500, and purchases can be made in cryptocurrency from unhosted wallets and delivered to the buyer’s provided email address.5 While Exchange ABC can monitor transactions limits by wallet, it does not obtain any identifying data points across multiple unhosted wallets to identify a single individual purchasing more than $10,000 in a given day from numerous wallets.

Ensuring that an exchange can reasonably guarantee that customers stay within the prescribed levels may not be feasible under the above scenario, even with lower limit thresholds. For example, actors can create unhosted wallets and email addresses quite easily, at scale, and with no oversight. The above scenario specific to unhosted wallets is different from physical and traditional online sales in at least two key respects: (1) physical sales require a buyer to be present in the store; however, when store locations are miles apart, structuring transactions through multiple locations at scale becomes unworkable; and (2) traditional online sales require a buyer to use a credit or debit card, which can only be obtained from BSA-regulated financial institutions that conduct KYC and who monitor the source of funds into said accounts.

Ultimately, a cryptocurrency exchange seller of prepaid access that does not obtain additional identifying information on purchasers in the above scenario may not be able to provide evidence that its controls are “reasonably adapted.”  Stated differently, an exchange may not be able to meet the requisite standard when it cannot effectively consolidate a customer’s purchases across numerous anonymous wallets. Without the ability to consolidate prepaid purchases across wallets, an institution may find itself facing regulatory scrutiny for operating a MSB (prepaid seller) without adequate AML program coverage and for failing to satisfy prepaid record-keeping requirements as defined by 31 CFR § 1022.210 (d)(iv).6

Guidehouse therefore recommends that exchanges that conduct sales of prepaid access in this manner and who are looking to maintain compliance with FinCEN’s Reasonably Adapted test, conduct a thorough risk evaluation and consider the data points they may need to collect from customers to prevent the sale of more than $10,000 of prepaid access to any individual in a given day.

Manufactured Spending

Some credit card companies are beginning to permit customers to pay their balances with cryptocurrency. This feature may expose card companies to manufactured spending, a type of customer payment activity that may carry risk if not adequately controlled. Manufactured spending is the act of artificially spending money solely for the purpose of generating rewards points or to accelerate meeting minimum spending requirements to reap advertised rewards points. Instead of purchasing traditional goods or services, it involves first buying gift cards from retail stores to maximize rewards points, then using those gift cards to purchase financial products (e.g., money orders), and finally using the money orders to pay off a credit card balance.

The diagram below illustrates the manufactured spending cycle:
 
Prepaid Payments
While not illegal, manufactured spending creates certain risks for the institutions processing the payments if not properly monitored and adequately controlled. More specifically, the circular flow of funds and artificial business purpose makes it difficult to identify and discern between legitimate versus illegitimate activity.

Guidehouse recommends that credit card companies and exchanges potentially exposed to manufactured spending implement robust controls to mitigate against these inherent risks. While the controls will be specific to each institution and the risks exposed by the manufactured spending scenarios, stakeholders should consider controls such as the following:

1. Cryptocurrency exchanges

  • Conduct thorough risk assessments and consider limiting the amount of redeemable prepaid access per customer at their exchange;
  • Monitor for high volumes of prepaid access redemptions that are followed by rapid external transfers; and
  • Leverage 314(b) information-sharing processes to communicate with partner companies where a money-laundering concern exists.

2. Credit card companies 

  • Implement robust blockchain-tracing controls to monitor for the source of payments involving cryptocurrency; and
  • Monitor for high and unusual payment volumes and ensure that funds emanate from identifiable and legitimate sources (as opposed to potentially high-risk sources such as unhosted wallets or darknet market).

Enhanced Due Diligence

Providers of prepaid access that contract with sellers (i.e., a principal/agent relationship) to sell their prepaid access products are required to have a risk-based agent oversight program.7 Such oversight may include conducting due diligence and monitoring to ensure that such agents are BSA/AML-compliant and do not expose the market to illicit activity.

Where providers contract with cryptocurrency exchanges as sellers of their prepaid access products, providers should implement enhanced due diligence  controls to assess the financial crime risk of each exchange. We suggest that providers consider reviewing a prospective cryptocurrency exchange agent’s on-chain activity both prior to and throughout an established relationship (even if the provider does not directly facilitate such on-chain activity). Enterprise blockchain analytics platforms, such as Chainalysis’ Reactor platform, may be a solution.

Such platforms provide transaction risk assessments by combining on-chain data with open-source intelligence and other methods to identify addresses and wallets that can be attributed with a high degree of certainty to a single controlling entity. This grouping is called “clustering.” Using these clusters, Chainalysis can illustrate an exchange’s overall counterparty risk and help illustrate whether an exchange has material counterparty exposure to, for example, high-risk entities such as mixing services, darknet markets, and high-risk exchanges. Such analysis can be used by providers of prepaid access as one data point in evaluating the effectiveness of a prospective seller/exchange’s financial crime controls.

How Guidehouse Can Help

Guidehouse can help credit card companies, cryptocurrency exchanges, and prepaid access providers and sellers, assess their compliance programs to navigate these regulatory risks, including developing and implementing updates to operations, policies, procedures, controls, and technology.

Its areas of relevant expertise include the following:

  • AML and OFAC Advisory.
  • AML and OFAC program management outsourcing.
  • Blockchain Tracing and Analytics.
  • Enhanced Due Diligence.
  • Strategic planning.
  • Risk management.
  • Vendor sourcing and governance.
  • Executive training.

Guidehouse can review and assess your AML and OFAC compliance program to identify gaps or weaknesses, evaluate your transaction monitoring technology, or to conduct training on related AML and OFAC compliance.

Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.


1 31 CFR Parts 1010.100 (4)(iii).
2 31 CFR Parts 1010.100 (4)(iii), Sellers of prepaid access must also establish procedures to verify the identity of a person who obtains prepaid access to funds that exceed $10,000 during any one day and obtain identifying information concerning such a person, including name, date of birth, address, and identification number.
3 31 CFR § 1022.210 (d)(iv).
4 See footnote 3
5 An unhosted wallet is not hosted by a third-party financial system. It can be very difficult or impossible to determine who is accessing or in control of the use of cryptocurrencies in an unhosted wallet. Unhosted wallets allow for anonymity and concealment of illicit financial activity. The US Treasury indicates that unhosted wallets enable terrorists, state-sponsored and transnational organized criminals, and cyber hackers and extortionists to quickly and covertly shift large sums of money across the globe to support their illegal activities
6 A MSB that is a provider or seller of prepaid access must establish procedures to verify the identity of a person who obtains prepaid access under a prepaid program and obtain identifying information concerning such a person, including name, date of birth, address, and identification number. Sellers of prepaid access must also establish procedures to verify the identity of a person who obtains prepaid access to funds that exceed $10,000 during any one day and obtain identifying information concerning such a person, including name, date of birth, address, and identification number…such information obtained by sellers of prepaid access must be retained for five years from the date of the sale of the prepaid access device or vehicle.
7 See 2008 MSB Manual

About the Experts

Back to top