Skip to Content
Client Alerts Print PDF

Guidance Issued on Applying CIP Requirements to Holders of Prepaid Cards

May 11, 2016

Federal banking regulators have issued guidance on the applicability of customer identification program (“CIP”) regulations to prepaid cards (the “Interagency Guidance”). Among other things, the Interagency Guidance clarifies that an institution’s CIP policy applies to general purpose prepaid cards that can be reloaded or that permit access to credit or overdraft features. As a result, financial institutions must properly identify individuals purchasing these types of cards.  

The Interagency Guidance was issued by the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) (collectively, the “Agencies”), and applies to “Issuing Banks.” An Issuing Bank is any national or commercial bank, savings association or credit union (or branch of a foreign bank located in the United States) which issues prepaid cards. The guidance requires that Issuing Banks apply the CIP requirements set forth in Section 326 of the USA Patriot Act (the “Patriot Act”) and related regulations to certain customers who are issued a prepaid card by the Issuing Bank and/or by certain third-party program managers. 

What is the CIP?

CIP regulations require a financial institution to obtain information sufficient to form a reasonable belief regarding the identity of each “customer” opening a new “account.” As defined in the CIP regulations, a customer is “a ‘person’ (an individual, a corporation, partnership, a trust, an estate or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks the legal capacity to do so, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club).”  An account is a “defined formal banking relationship to provide or engage in services, dealings or other financial transactions, and includes a deposit account, a transaction or asset account, a credit account, or another extension of credit.”

Under the Patriot Act, an institution’s CIP must use risk-based procedures to verify the customer’s identity, including obtaining certain customer information upon opening an account (e.g., a customer’s name, date of birth, address and tax identification number), and applying an identity verification procedure that describes how the institution will verify the customer’s identity.

Applying an Issuing Bank’s CIP to Prepaid Cards

Prepaid Cards

The Interagency Guidance states that prepaid cards have become mainstream financial products, widely used by individuals, corporations, and other private sector entities, as well as state, federal and local governments.  Some of the reasons why these prepaid cards are so desirable are:

  • They can be used almost anywhere, including multiple and unaffiliated merchants;
  • They can be utilized as debit or credit cards;
  • They can be linked to one’s checking and other banking accounts;
  • They allow a cardholder to withdraw cash from ATMs, including non-affiliated ATMs;
  • They can be utilized to pay online bills and purchase various goods and services;
  • The cardholder can transfer and receive funds with another cardholder; and
  • They are easy to purchase from both online and physical merchants as well as financial institution branches.

The benefits to the customer associated with prepaid cards, in turn, create potential issues for the Issuing Banks. According to the Interagency Guidance, the ease at which a prepaid card can be obtained, the anonymity associated with its purchase and use, and a large number of funds that can be accessed by the card have fostered an environment for potential fraud and criminal abuse.  

Applying CIP to Prepaid Cards

The Agencies have determined that any prepaid cards that allow cardholders to reload funds or access an Issuing Bank’s credit or overdraft features (“general purpose prepaid cards”) should be treated as “accounts” under the CIP since such cards exhibit the same characteristics as standard bank accounts.  These general purpose prepaid cards can be reloaded by the cardholder, or another person on behalf of the cardholder, similarly to how funds may be deposited into a deposit, asset or transaction account.  Thus, the Agencies have determined that a general purpose prepaid cardholder meets the definition of a “customer” under the CIP as the cardholder has successfully opened an “account” with the Issuing Bank. Under the CIP regulations, this requires the Issuing Bank to apply its identification and verification procedures to the issuance of these general purpose prepaid cards.

Prepaid Cards and Third Parties

Often the supplier of general purpose prepaid cards is a third-party program manager under an arrangement with a financial institution [4]. According to the Interagency Guidance, such a third-party program manager should be treated as an agent of the Issuing Bank in this situation, and the Issuing Bank is ultimately responsible for complying with CIP and Patriot Act obligations for general purpose prepaid cards issued by the third party. In order for the Issuing Bank to comply with its CIP requirements when dealing with third-party program managers, the Issuing Bank should ensure it enters into a contract with the third-party program manager describing in detail the manager’s obligations under the CIP requirements, as well as other responsibilities and expectations. The Interagency Guidance specifically states that an Issuing Bank’s contract with a third-party program manager should:

  • Outline the CIP obligations of the parties;
  • Ensure the right of the Issuing Bank to transfer, store or otherwise obtain immediate access to all CIP information collected by third-party program managers on cardholders;
  • Provide for the Issuing Bank’s right to audit the third-party program manager and to monitor its performance (generally, banks need to ensure that periodic independent internal and external audits are conducted to ensure prudent operations and compliance with applicable laws and regulations); and
  • If applicable, indicate that pursuant to the Bank Service Company Act (BSCA) or other appropriate legal authority, the relevant regulatory body has the right to examine the third-party program manager.

Additional Information

The Interagency Guidance may be accessed through the following link:

If you have any questions regarding the Interagency Guidance or CIP requirements in general, please feel free to contact Kevin Patterson at 516-296-9196 or via email at, Joseph D. Simon at 516-357-3710 or via email at, or Jeff Fowler at 516-296-9134 or via email at

Share on Social Media

Related Attorneys

Related Practice Areas