Post on 12-Jan-2016
Stored Value Cards as a Business Opportunity
Submitted by:
Christie LaDestro
December 13, 2004
Dr. D. Stephen Rockwood
Graduate Business Program
Mount St. Mary’s University
Emmitsburg, Maryland
Christie LaDestro MBA599 Fall 2004
Page 1 of 53
I. Introduction
II. Stored Value Cards- Defined
A. Definition
B. Types of Stored Value Cards
1. Proprietary/gift card
2. MasterCard/Visa
3. Middle Decision
C. Stored Value Card Market
III. Legal and Regulatory Issues with Stored Value Cards
A. Money Services Businesses:
B. Regulation E
C. Gramm-Leach-Bliley Act
1. Gramm-Leach-Bliley Act - Privacy Rule
2. Gramm-Leach-Bliley Act - Safeguards Rule
3. Gramm-Leach-Bliley Act - Pretexting
D. Bank Secrecy Act
1. USA Patriot Act
E. OFAC- Office of Foreign Assets Control
F. Federal Deposit Insurance Corp (FDIC)
IV. Conclusion
I. Introduction
This paper will explore the area of “stored value cards.” Stored value cards
are usually issued by financial institutions, although it is possible for non-financial institutions
to issue a stored value card.
Many important legal and regulatory concerns need to be considered before
issuing a stored value card. The discussion will include explanations for Money
Services Businesses; Regulation E; Gramm-Leach-Bliley Act (the Gramm-Leach-
Bliley Act includes three sections: Privacy, Safeguards, and Pretexting); Bank
Secrecy Act (the Bank Secrecy Act will include the USA Patriot Act); Office of
Foreign Assets Control (OFAC); and finally the Federal Deposit Insurance
Corporation (FDIC).
A stored value card program is considered a money services business and is subject to the
regulations for such businesses. Any money services business is required to obtain a money transmitter
license. This license usually requires minimal capitalization and renewal filing fees.
Regulation E applies when a financial institution contracts with a consumer to
provide electronic fund transfer services. A stored value card would utilize
electronic fund transfer services when accepting funds from the consumer and
when processing payment for the merchant. Complying with Regulation E can be
cumbersome. Financial institutions are required to issue access devices and
disclosure notices, and to notify consumers of any account changes. Steep penalties can be
imposed for non-compliance.
An issuer of stored value cards may be subject to the Gramm-Leach-Bliley
Act. The Gramm-Leach-Bliley Act limits the disclosure of nonpublic personal
information. The requirements of the Gramm-Leach-Bliley Act include the privacy
rule, the safeguard rule, and the pretexter rule. The privacy rule discusses how the
financial institution gathers nonpublic personal information and how it processes
that information. The safeguard rule discusses how the financial institution will
ensure nonpublic personal information is protected on the financial institution’s
computer hardware and software. The pretexter rule discusses how the financial
institution will gather nonpublic personal information without using false statements
or documents.
Because a stored value card provider may be viewed as a
financial institution, it must comply with the Bank Secrecy Act. The Bank
Secrecy Act was initially passed to help stop money laundering and drug trafficking.
After September 11, 2001, Congress enacted the USA Patriot Act as part of the
Bank Secrecy Act. The USA Patriot Act is designed to track the money flow of
terrorists. A financial institution now has more compliance obligations than before. The Patriot
Act has four broad categories of compliance: enhanced due diligence/know your
customer, currency transaction reporting/suspicious activity report, monetary
instruments sale, and funds transfer recordkeeping.
The USA Patriot Act was enacted to help stop terrorist financing. Especially
because of September 11, 2001, financial institutions are also required to abide by
the Office of Foreign Assets Control (OFAC) regulations. OFAC compiles a list of
suspected countries and/or persons who are thought to be terrorists. OFAC also
places economic sanctions on countries based on foreign policy and national
security concerns. A financial institution is obligated not to maintain accounts with
persons/countries on the OFAC list. It must also be aware of any Specially
Designated Nationals and not conduct business with them either.
Certain types of stored value cards can be construed as a bank account.
Because of this, there is the possibility that Federal Deposit Insurance Corp (FDIC)
may apply. The FDIC provides assurance to the individual that if the bank were to go out
of business, the customer’s funds are secured up to $100,000. Since a stored
value card may be considered a bank account, pass-through FDIC coverage can apply.
This issue is fairly new and will be evaluated in the near future.
Sodexho USA is the leading provider of food and facilities management in
the United States, with $5.8 billion in annual revenue and 110,000+ employees.
Sodexho USA offers innovative outsourcing solutions in food service,
housekeeping, grounds keeping, plant operations and maintenance, asset
management, and laundry services to more than 6,000 corporations, health care,
long term care and retirement centers, schools, college campuses, military and
remote sites in North America. Headquartered in Gaithersburg, MD, Sodexho USA
proudly serves as the official food service provider for the US Marine Corps.
As part of its operations in the higher education (colleges and universities)
segment, Sodexho attempts to anticipate the needs of its clients and students by
offering innovative programs and services to improve the quality of daily life for
those on campus.
Historically, college students buy board meal plans or prepay and maintain a
declining balance card for use at “on-campus” food outlets at the beginning of each
semester. Sodexho usually receives these funds at the beginning of each semester
which contributes to Sodexho’s negative working capital business model.
Today, however, with the increased use of pre-paid, declining balance cards
and debit cards (e.g., phone cards, ATM cards, gift cards), a.k.a. “stored value cards,”
Sodexho foresees students wanting to carry only a card instead of cash, one that
can be used anywhere, both on and off campus. The Senior Vice President,
Campus Services Division of Sodexho broached an idea that can potentially be a
win-win for both Sodexho and the student. Sodexho should issue a card that can
be utilized both on campus and off campus. This card, utilized like a stored value
card, will incorporate traditional credit card capabilities as well as allowing the
student to access on-campus buildings, check out books from the library, and enjoy
the dining hall menus.
This evolving scenario, of campus cards using money traditionally spent on-
campus at off-campus locations, raises several concerns, especially if Sodexho
were to implement or issue this potential “stored value card”. For example, if
Sodexho accepts cash from students to load on their cards for use at off-campus
locations and then disburses the cash to the off-campus retail outlets where
students shop, it is possible for this card to be viewed as a bank/credit/debit card.
Sodexho may potentially be subject to banking laws or other regulations. If so,
Sodexho may have to partner with a bank or card service provider to out-source this
function.
Since Sodexho foresees students wanting to only carry a card, instead of
cash, offering the student a product that can be used on and off campus will provide
a leading edge in the market. If Universities predict the card usage as Sodexho
has, then the Universities will want to contract with food service companies who can
provide this service.
II. Stored Value Cards- Defined
Stored value cards are one of the most dynamic and fastest growing
products in the financial industry. Anyone who makes purchases with a merchant
gift card, places phone calls with a prepaid telephone card, or buys goods or
services with a prepaid debit card is using a stored value card. Payroll cards,
government benefit cards, prepaid debit cards, gift cards, and telephone cards are
examples of stored value cards.
Customers obtain stored value cards in a variety of ways. They may obtain a
payroll card from an employer, an electronic benefit card from a government
agency, or a gift card from a retail store. Typically, a customer would purchase a
stored value card at check-cashing outlets, money transfer company locations, and
retail stores, although these cards may be increasingly offered by telephone or
online.
A. Definition
In the wake of dramatic technological advancements over the last decade,
the financial services industry has developed a number of inventive applications that
have the potential for improving the structure and delivery of retail products for
customers. One of the most innovative is the stored value card (SVC), a prepaid
debit card that mimics a checking account. They offer customers who cannot
qualify for or do not want a traditional bank account a safe and efficient way to store
funds, make purchases, and pay bills. An example of an application of SVC is the
payroll card, which enables employers to make direct deposit payment to pay their
workers who do not have a bank account.
Like traditional debit cards, stored value cards utilize magnetic stripe
technology to store information and track funds (Jacob, 2004). However, SVCs
differ from account-based debit cards by being prepaid, limiting the risk of overdrafts
while providing nearly immediate liquidity for customers. Early uses of SVCs in the
United States included public transportation and public assistance payments. SVCs
today take several forms, including gift and phone cards, payroll cards, and prepaid
debit cards.
The SVC market is complex. Understanding the various attributes of this
market is necessary. The SVC market’s general characteristics include: potential
cardholders and merchant payment.
The SVC is a plastic card that represents value and can be used to purchase
goods and services in person at participating merchants. It can sometimes be used
to withdraw cash from ATMs or obtain cash refunds from merchants, or it can be
used to make purchases online or over the telephone. The card’s value is
maintained centrally, and not on the card itself. The card can serve other functions
as well, such as a facility access card or an identification card.
Potential cardholders include customers of Sodexho, persons affiliated with
Sodexho, and potentially, other customers of local merchants that accept the card.
Cardholders would activate the debit feature of the card in person by purchasing
items of value, although there may be a possibility of requiring online activation.
Only the cardholder may use the SVC, which generally does not have a Personal
Identification Number (PIN).
Value for the SVC card can be added by check, credit card, or debit card in
person. The cardholder and others (for example, parents of potential students at
Universities) can add value by credit or debit card online.
Finally, the funds used from the SVC for the purchase must reach the
merchant. The steps for this end result are as follows: The cardholder presents the
card to the participating merchant for a transaction. The local merchant has a card
reader that submits a transaction authorization request to the data processor for
review and response. The terminal submits all transaction information to the data
processor. The data processor submits these settlement files on a daily batch basis
through the Federal Reserve via the ACH network to the issuing company’s
corporate bank account where the value is held. The company administering the
program then settles the funds through the Federal Reserve to the designated bank
accounts of the participating merchants. During the process, administrative fees
and commissions may be retained by various entities involved.
B. Types of Stored Value Cards
The stored value card (SVC) market has mushroomed in the last few years in
terms of both the number of providers and the number of customers. These cards
may provide consumers with a more effective means than cash for accessing funds
and making financial transactions. Stored value cards use magnetic stripe
technology to store information about access to value balance account funds that
have been prepaid (or “stored”) to the card. There are three main categories of
stored value cards in the marketplace: Proprietary/gift card, MasterCard/Visa, and
Middle decision.
1. Proprietary/gift card
The first prepaid cards made available to the marketplace were single-
purpose or ‘closed-loop’ cards (Stored Value Cards: An Alternative for the
Unbanked?, 2004) which can be used only for the issuer’s products or for limited
purposes, such as prepaid gift cards or many prepaid phone cards. Gift cards,
which can only be used to purchase goods at the issuer retailer, and prepaid
telephone cards, which can only be used to make telephone calls, are just some
examples of proprietary/gift cards. The store gift cards are usually low risk but are
more profitable (Rinearson, 2004). The issuer is the retailer that accepts the card.
Each card sale is equal to the sale of that retailer’s goods or services. The gift card
runs on the retailer’s point of sale system, usually modified to reduce risk. These
cards are usually anonymous.
2. MasterCard/Visa
The second type of card to emerge was a universal acceptance or ‘open-
loop’ card, which can be used to make debit transactions at a wide variety of retail
locations (Stored Value Cards: An Alternative for the Unbanked? 2004). “Open-
loop” SVC systems offer consumers the ability to utilize their cards for multiple
purposes and at multiple points of sale such as making purchases at a variety of
stores or paying bills. MasterCard/Visa SVCs come closest to resembling traditional
bank accounts. Consumers can make deposits onto the cards and potentially
withdraw cash or pay a bill at a later date; in some cases, they can have funds
directly debited on a recurring basis. These SVCs can be grouped into three
categories: 1) employee benefit payroll-only cards, which can be used only for
direct deposit of paychecks; 2) reloadable payroll cards, which serve primarily as
direct deposit cards for payroll checks but offer consumers other ways to reload the
cards; and 3) reloadable debit cards, which consumers can reload in a variety of
ways at a range of locations (Jacob, 2004).
This SVC system will either have “branded” cards or “non-branded” cards.
“Branded” cards have a MasterCard or Visa logo and utilize signature-based
technology to allow the consumer to transact business anywhere that those brands
are accepted, as well as through ATM and point of sale (POS) machines. “Non-branded
cards” will not have the MasterCard/Visa logo. An example of a universally
accepted non-branded card is a mall card (e.g., FSK Mall). Even though a mall card
is only accepted at that particular mall, each merchant in the mall will accept it.
The MasterCard/Visa SVC can be sold directly to businesses or to the
general public. If this SVC is sold to businesses for employee payroll and
expenses, the result is usually lower fraud risk and a more profitable product
(Rinearson, 2004). Since the cardholders are known and often guaranteed by
business clients, the risk is less. If the SVC is sold to the general public, the result
is higher fraud risk and slim profit margins (Rinearson, 2004). This type of SVC is
heavily reliant on fees. Since the cardholders are neither known nor guaranteed, the
risks are much higher. However, if this kind of SVC had access to cash withdrawals
and ATMs then the result may be an increase in fraud and money laundering risk.
ATM transactions usually do not debit funds from the cardholder’s bank or asset
account, but instead from a pool of funds held by the Issuer. Because of the cash
access feature, the SVC must be issued by a bank or licensed “money transmitter”.
3. Middle Decision
The final type of SVC is the “Semi Closed/Semi Open” or middle decision. This
SVC runs on a branded (MasterCard/Visa) card network and the points of sale
terminals are not modified. To work on existing infrastructure, the SVCs must have
the same attributes as credit/charge cards, for example, magnetic stripe, BIN range
card number, and expiration date. The accepting merchant does not know how
much value is on the SVC; the cardholder knows by calling a toll free number and/or
checking a website. Since the cardholder is often anonymous, the SVC can
sometimes be reloadable, and some do not have fixed denominations, the product
is of higher risk and less profitable (Rinearson, 2004). In addition, the fraud risk is
increased, especially during system downtime or for “under floor limit” transactions.
The issuer is a third party service provider (like Sodexho) and not the retailer or
merchant that accepts the cards.
To succeed in the marketplace, the middle decision system SVC product must
satisfy the following “stakeholders”:
• For consumers, the issuers must provide useful features not available in
other cards, such as access to payment systems for those without other
cards, for example, teens and the unbanked; quick refund ability; budgeting
tool; and privacy or security
• For accepting merchants, the issuers must provide access to a new pool of
customers, for example, dependable systems with no complaints; easy
procedures; and low risk of charge-backs
• For sellers and distributors, the issuers must provide additional revenue
stream, for example, easy sales procedures to follow; low risk of compliance
problems; and customer satisfaction (Rinearson, 2004).
Proprietary/gift card stored value cards are issued by a retailer. The funds
stored on the card are sent directly to the retailer, and the item(s) purchased by the
cardholder are at the same retailer. MasterCard/Visa stored value cards are only
issued by a financial institution. The funds stored on the bank issued card are sent
directly to the bank. The item(s) purchased by the cardholder can be from any
merchant. Middle decision stored value cards are issued by third parties. The third
party is responsible for administering the program. Most functions are usually out-
sourced to financial institutions. Sodexho’s best solution is a non-branded open-
loop card.
Except for closed system gift cards, the business proposition for open-loop and
semi-closed/semi-open loop systems is not yet proven. Because of the recent influx
of new legislation, greater uncertainties have been created.
C. Stored Value Card Market
The stored value card market is growing and evolving rapidly. According to
industry estimates, more than 2,000 stored value programs are available, with
roughly 7 million Visa- or MasterCard-branded stored value cards in the
marketplace. There are approximately 20 million users and that figure is expected to
more than double to 49 million users by 2008. In 2003, stored value cards were
used to make $42 billion in transactions. By 2006 over $72 billion in stored value
transactions are expected. Experts put this industry in the introductory or early
growth stage of the product life cycle, suggesting that there is substantial growth
potential in the years ahead (Stored Value Cards: An Alternative for the
Unbanked?, 2004). These industry figures include all stored value cards, such as
multipurpose general spending cards, payroll cards, government benefit cards, child
support payment cards, merchant gift cards, and telephone cards.
The SVC market includes hundreds of product providers, with new ones
emerging frequently. For instance, several banks have their own SVC programs in
which they use third-party transaction processors, but many of them also serve as
issuers for other non-bank SVC programs, which may use different transaction
processors. A few SVC providers are vertically integrated, handling nearly all of the
functions internally, while others outsource everything except sales and marketing.
The majority of SVC providers outsource the transaction processing to one of the
many firms that have developed special software platforms for running SVCs.
While numerous companies are now engaged in the provision of SVCs,
some firms stand out. Major players in the market today include:
• SVC issuers: BANKFIRST, Bank of America, Citibank, JP Morgan Chase
• Providers of reloadable prepaid debit cards: NetSpend and Next Estate,
INCOMM
• SVC processors: Metavante, StarSystems, WildCard and Galileo
• Providers of back-end services for SVCs, including ATM and POS
processing: Pulse
• Payroll firms: Paychex and Comdata, ADP (Jacob, 2004)
The distinction between products that are distributed by financial institutions
and those distributed by non-bank firms is an important one. Products distributed
by banks and credit unions are more likely to have additional consumer protection,
lower pricing (because fewer actors are involved), and more obvious transitions into
other financial products and services.
University cards typically combine stored value with other features such as
access to buildings, registration information, and library book check-out capability.
The stored value on the card can be used at the cafeteria, book store, vending
machines, laundry facilities, etc. Many universities issue cards that can be used off-
campus at selected merchants. Students can participate in all or most campus
activities without ever having to use cash. The card helps students avoid excessive
credit card debt.
Stored value cards clearly fall into the category of the “right issue” for two
reasons (Furletti, 2004). First, while SVCs currently represent only a small portion
of U.S. card payments, consumer demand for SVC products is on the rise and
spurring a spate of innovation. Second, industry executives have indicated that
they are focused on the challenges facing the emerging market for SVCs, including
those related to apparent uncertainties in the legal and regulatory environment.
Since consumer demand for stored value cards is on the rise and many executives
are now focused on the legal and regulatory challenges, Sodexho is entering this
market at the early stage of its life cycle.
III. Legal and Regulatory Issues with Stored Value Cards
Regulatory changes and new product innovations may benefit customers. On
the regulatory side, it remains uncertain whether federal regulations that govern
deposit accounts and debit cards will be expanded to apply to stored value cards.
Several regulators, however, are presently looking into the issue.
As a new product with few comparables, stored value cards raise several
complex legal and regulatory concerns. A company wishing to issue an SVC will
want to understand these legal and regulatory concerns. The impact of these legal
and regulatory concerns can be different for regular companies versus financial
institutions.
A. Money Services Businesses:
In addition to traditional banks, the category “financial institutions” also includes
non-bank institutions that are assigned to the category “Money Services
Businesses” (MSBs). Money transmitters, check cashers, currency exchanges, and
issuers, sellers, and redeemers of traveler’s checks, money orders, and stored
value are each considered MSBs. Based on this definition, Sodexho’s potential
stored value card program would be considered an MSB and subject to MSB
regulations. In 1999, the Financial Crimes Enforcement Network (FinCEN) broadly
construed the manner in which regulations applied to Money Services Businesses.
The new definition included as a Money Services Business:
Any person, whether or not licensed or required to be
licensed, who engages as a business in accepting
currency, or funds denominated in currency, and
transmits the currency or funds, or the value of the
currency or funds, by any means through a financial
agency or institution, a Federal Reserve Bank or other
facility of one or more Federal Reserve Banks, the Board
of Governors of the Federal Reserve System, or both, or
an electronic funds transfer network; or any other person
engaged as a business in the transfer of funds (Turner,
2004).
Additionally, in 2001, this definition was extended to include “any person who
engages as a business in an informal money transfer system or any network of
people who engage as a business in facilitating the transfer of money.”
Once a firm has identified itself as a Money Services Business, then the firm will
be required to obtain a Money Transmitter License. Given the aforementioned
definition of a Money Services Business, Sodexho would be required to obtain a
Money Transmitter License. Money Transmitter Licensing Laws usually require
minimal capitalization, background checks on principals, holding of 100% consumer
funds in “permissible investments,” regular reports, annual renewal filings, fees, and
audits. Many states have amended their licensing laws to require issuers of Stored
Value Cards (other than single-retailer gift cards) to get a license under state money
transmitter laws. Some states have taken the position that they do not need to
amend their money transmission statutes on the basis that stored value card
products are already covered under existing “money transfer” laws.
Requiring Money Services Businesses to obtain a Money Transmitter License
has its advantages and disadvantages. Some of the advantages include allowing
non-financial institutions to participate in the payments industry (such as Sodexho),
protecting the integrity of the payments industry, and reducing consumer losses that
might otherwise occur when a payments industry business files bankruptcy or
ceases business. The disadvantages include additional costs to already low-margin
products such as stored value cards; variations from state to state that can be
difficult to comply with (Sodexho has a presence in all 50 states); creation of an
additional level of supervisory regulators who oversee not only compliance with
state licensing law but also federal anti-money laundering laws; and increased risk
and exposure with respect to actions of licensees’ distribution networks.
If Sodexho were to implement its stored value program on its own, it would be
required to obtain a Money Transmitter License in all 50 states. This additional
required licensing would add costs to the SVC program. In addition to obtaining the
original license, constant renewal and updates would need to be addressed.
B. Regulation E
Regulation E defines the term “financial institution” to include any person that
directly or indirectly holds an account belonging to a consumer or that issues an
access device to a customer and agrees with a customer to provide Electronic Fund
Transfer (EFT) services (Federal Register, 2004). An access device is a card,
code, or other means of access to a consumer’s account, or any combination
thereof, that may be used by the consumer to initiate electronic fund transfers. One
or more parties involved in offering stored value card accounts may meet the
definition of a “financial institution” under the regulation, whether it is Sodexho, the
firm, a financial institution, or other third party involved in the transfer of funds to the
account or in the issuance of the card. Existing regulatory language addresses the
regulatory framework for financial institutions that provide EFT services jointly. The
parties may contract among themselves to comply with the regulation.
Regulation E applies to consumer accounts that can be accessed only by
Electronic Funds Transfer (EFT) devices. An access device, as defined, becomes
an accepted access device when the consumer: 1) requests and receives, or signs,
or uses the access device to transfer money between accounts or to obtain money,
property, or services; 2) requests validation of an access device issued on an
unsolicited basis; or 3) receives an access device in renewal of, or in substitution for,
an already accepted access device (Federal Register, 2004).
Electronic fund transfers include the following:
• Debit card transactions (point-of-sale transaction)
• Automated Teller Machine (ATM) transactions
• Direct deposits or withdrawals
• Pre-authorized debits or credits
• Pre-authorized loan payments to third parties
• Transfers initiated by telephone (e.g. bill-payer, wire transfers)
• Transactions originated through personal computer banking (e.g. Homelink
or Web Banking)
• Transfers sent via Automated Clearing House (ACH)
The Regulation represents a balance between consumer groups, who
advocate more disclosures and consumer protection, and the financial services
industry, which promotes less regulation to avoid hampering the efficiency of EFT
payment systems. The purpose is to provide a basic framework establishing the
rights, liabilities and responsibilities of participants (both consumers and financial
institutions) in electronic fund transfer (EFT) systems.
The Electronic Funds Transfer Act (EFTA) as implemented by Regulation E
was enacted in Nov 1978. Coverage of EFT services under the EFTA and
Regulation E hinges upon whether a transaction involves an EFT to or from a
customer’s account. The EFTA defines an “account” as “a demand deposit, savings
deposit, or other asset account [sic] as described in regulations of the Board,
established primarily for personal, family, or household purposes.” (Federal
Register, 2004) The definition is broad and is not limited to traditional checking and
savings accounts. The Board possesses broad authority under the EFTA to determine
coverage when EFT services are offered by entities other than traditional financial
institutions, for example, Sodexho. Moreover, Congress has clearly vocalized its
expectation that the Board continue to examine new and developing EFT services
to assure that the EFTA’s basic protections continue to apply.
The EFTA’s legislative history demonstrates a clear Congressional intent that
the definition of an “account” be broad, so as to ensure that “all persons who offer
equivalent EFT services involving any type of asset account, for example, stored
value cards, are subject to the same standards and consumers owning such
accounts are assured of uniform protection” (Federal Register, 2004; S. Rep. No.
915, 95th Cong., 2d Sess. 9 (1978)).
To ensure compliance with the EFTA, financial institutions must issue access
devices, written disclosures, notifications of account changes, error resolution
notices, and transfer notices. Financial institutions may only issue an access device
to a consumer in response to an oral or written request, or upon renewal or
replacement of an access device issued by the financial institution. Written
disclosures must be given during certain segments of the transaction. Four different
types of disclosures exist:
1. Initial- financial institutions must provide a disclosure at the time the consumer
contracts for an EFT service or before the first EFT is made. Financial
institutions are required to disclose certain terms and conditions of EFT
services at the time the consumer contracts with the bank for EFT service or
before the first transfer, and the disclosure must be in a written statement to be
retained by the consumer.
2. Terminal receipt- an electronic terminal must make a receipt available at the
time of the transfer. An electronic terminal means an electronic device, other
than a telephone operated by a consumer, through which a consumer may
initiate an electronic fund transfer. The term includes, but is not limited to,
point-of-sale terminals, automated teller machines, and cash dispensing
machines.
3. Periodic statement- an institution generally must send a periodic statement
monthly if an EFT has occurred or quarterly if no EFT has occurred.
4. Initial and Annual Error Resolution notice- provides instructions to the
consumer in the event of errors or questions about their electronic transfers
(EFTA, Regulation E).
Financial institutions are required to mail or deliver a written notice to the
consumer at least 21 days before the effective date of any change in a term or
condition on the account. The financial institution must retain all copies of
disclosures and changes of forms for a period of two years from the date that the
disclosures are required to be made or action is required to be taken.
At least once each year, an error-resolution notice must be mailed or
delivered to the consumer. There are specific guidelines that the bank must follow
when investigating a customer’s claim of an error, including: 1) providing written
notice to customers, 2) provisional credit, and 3) notification of final resolution. If
the financial institution is unable to complete its investigation within 10 business
days, the institution may take up to 45 calendar days from receipt of a notice of
error to investigate and determine whether an error occurred, provided the
institution gives the customer provisional credit for the amount disputed.
Penalties for non-compliance include:
• Actual and punitive damages in individual or class actions
• Court costs and attorney fees
• An amount not less than $100 or greater than $1,000 in actions
brought by an individual
• $50,000 or 1% of the bank’s net worth, whichever is less, for a class
action
• Reputation risk and image impairment (EFTA, Regulation E)
Finally, for preauthorized transfers financial institutions must provide a positive
or negative notice to the consumer at least once every 60 days.
The Office of the Comptroller of the Currency (OCC), the bank regulator for
national financial institutions, has recently issued direction to its member financial
institutions on proper disclosures of consumer protections for stored value cards
(SVCs). However, it is still unclear whether SVCs are subject to Regulation E. Consumer
advocates argue that if customers are going to use SVCs as substitutes for bank
accounts, then the cards should carry the same protections, and Regulation E
should apply. For example, many people, known as the unbanked, refuse to obtain
a bank account for various reasons.
Sodexho, or any firm that provides an electronic fund transfer service to a
consumer but does not hold the consumer’s account, is subject to all
requirements of Regulation E if it issues a debit card (or other
stored value card device) that the consumer can use to access the consumer’s
account held by a financial institution, and has no agreement with the
account-holding institution regarding such access (Federal Register, 2004).
If a consumer loses his/her access device then the consumer’s liability for an
unauthorized electronic fund transfer is determined solely by the consumer’s
promptness in reporting loss or theft or disputing an unauthorized transfer. If the
unauthorized transfer involved an access device, it must be an accepted access
device and the financial institution must have provided a means to identify the
consumer to whom it was issued. A consumer’s liability for an unauthorized
electronic fund transfer shall be determined as follows:
• Timely notice given- if the consumer notifies the financial institution within two
business days after learning of the loss or theft, the consumer’s liability shall not
exceed the lesser of $50 or the amount of unauthorized transfers that occur before
notice to the financial institution.
• Timely notice not given- if the consumer fails to notify the financial institution
within two business days after learning of the loss or theft of the access
device, the consumer’s liability shall not exceed the lesser of $500 or the sum
of unauthorized transfers (Federal Register, 2004).
For example, a financial institution complies with the many requirements of this
regulation by ensuring adequate controls are in place including informative
disclosures in the required time frame, issuance of access devices at account
opening, renewal, or replacement, and prompt and proper error resolution.
Sodexho’s stored value card would meet the definition of Regulation E’s access
device. The stored value card would also be considered an “asset account” as
defined by the EFTA. Under Regulation E and the EFTA as explained above, Sodexho
would be required to issue access devices, provide written disclosures, notify
customers of account changes, and supply error resolution notices. All of these
tasks would add even more layers to the stored value card
program with Sodexho. Additional costs for complying with Regulation E may
outweigh any potential benefits.
C. Gramm-Leach-Bliley Act
The GLBA applies to "financial institutions" – firms, like Sodexho, that offer
financial products or services to individuals, like loans, financial or investment
advice, insurance, or stored value cards. The Gramm-Leach-Bliley Act (GLBA) was
enacted in November 1999. All financial institutions were required to comply by
July 1, 2001. The GLBA permits information sharing among affiliates and provides
exceptions to the restrictions on third party sharing for legal and administrative
purposes (Regulation P). Congress limited when a financial institution can
legitimately disclose nonpublic personal information about a customer to non-
affiliated third parties, and required financial institutions to disclose their privacy
policies in clear and conspicuous notices. Nonpublic personal information is all the
personally identifiable information given to the financial institution to handle the
bank account. It does not include data that is publicly available, such as publicly
recorded real estate records or information in a public telephone directory. The
Gramm-Leach-Bliley Act has three main requirements: the Privacy Rule, the
Safeguards Rule, and the Pretexting provisions.
1. Gramm-Leach-Bliley Act - Privacy Rule
The GLBA requires financial institutions to issue Privacy Notices. The avenue
utilized for Privacy Notices can be different for a consumer versus a customer. The
Privacy Notice must contain certain information as well. The Privacy Rule applies to
“financial institutions”, as defined. Under the FTC's jurisdiction, such institutions
include nonbank firms (like Sodexho) that engage in a wide array of "financial
activities" such as: lending; brokering or servicing any type of consumer loan;
transferring or safeguarding money; preparing individual tax returns; providing
financial advice or credit counseling; providing residential real estate settlement
services; collecting consumer debts; and various other activities, for example,
stored value cards (Financial Privacy, 2004).
A financial institution’s obligations under the GLBA depend on whether the
company has consumers or customers who obtain its services (Financial Privacy,
2004). A consumer is an individual who obtains or has obtained a financial product
or service from a financial institution for personal, family or household reasons. A
customer is a consumer with a continuing relationship with a financial institution; for
example, a stored value card can be regarded as an ongoing relationship.
Generally, if the relationship between the financial institution and the individual is
significant and/or long-term, the individual is a customer of the institution. For
example, a person who obtains a mortgage from a lender is considered a customer
of the lender, while a person who uses a check-cashing service is a consumer of
that service.
The difference between consumers and customers is important because
only Sodexho’s stored value card customers would be entitled to receive Sodexho’s
privacy notice automatically. Consumers are entitled to receive a privacy notice
from a financial institution only if the financial institution shares the consumers'
information with other companies not affiliated with it. Customers must receive a
notice every year for as long as the customer relationship lasts.
The privacy notice must be given to individual customers or consumers by mail
or in-person; it may not be posted on a wall. Reasonable ways to deliver a notice
may depend on the type of business the institution is in: for example, Sodexho may
post its notice on its website and require online consumers to acknowledge receipt
as a necessary part of a loan application.
The privacy notice must be a clear, conspicuous, and accurate statement of the
financial institution's privacy practices; it should include what information the
financial institution collects about its consumers and customers, with whom it shares
the information, and how it protects the information. The notice applies to the
"nonpublic personal information" the financial institution gathers and discloses about
its consumers and customers. For example, nonpublic personal information could
be information that a consumer or customer puts on an application; information
about the individual from another source, such as a credit bureau; or information
about transactions between the individual and the financial institution, such as an
account balance. Indeed, even the fact that an individual is a consumer or customer
of a particular financial institution is nonpublic personal information. But information
that the financial institution has reason to believe is lawfully public - such as
mortgage loan information in a jurisdiction where that information is publicly
recorded - is not restricted by the GLBA.
Furthermore, the Financial Privacy Rule requires financial institutions to give
their customers privacy notices that explain the financial institution’s information
collection and sharing practices. In turn, customers have the right to limit some
sharing of their information. Also, financial institutions and other companies that
receive personal financial information from a financial institution may be limited in
their ability to use that information. The Federal Trade Commission is one of eight
federal agencies that, along with the states, are responsible for developing a
consistent regulatory framework to administer and enforce the Financial Privacy
Rule.
If nonpublic information is shared with unaffiliated third parties outside of an
exception, financial institutions must provide a form for customers to opt out. In
addition, any applicable opt out disclosures required under the Fair Credit Reporting
Act (FCRA) with respect to information sharing among affiliates must be part of the
privacy policy (Regulation P). The law requires that financial institutions protect
information collected about individuals, via the stored value card application; it does
not apply to information collected in business or commercial activities.
For example, some financial institutions have developed a proactive privacy
policy that exceeds the requirements of the privacy provisions of GLBA. They do
not share nonpublic customer information with unaffiliated third parties for marketing
purposes without a customer’s affirmative consent. The privacy policy is mailed to
existing customers on an annual basis and is provided to new customers at account
opening. The penalties for non-compliance may include civil penalties imposed by
the supervisory regulator; privacy class action lawsuits and/or actions by state
Attorneys General; reputation risk and image impairment; and unsatisfactory or adverse
privacy examination ratings.
2. Gramm-Leach-Bliley Act - Safeguards Rule
As part of its implementation of the GLBA, the Federal Trade Commission
(FTC) has issued the Safeguards Rule. This Rule requires financial institutions
under FTC jurisdiction to secure customer records and information.
The Safeguards Rule applies to businesses, regardless of size, that are
“significantly engaged” in providing financial products or services to consumers
(Financial Institutions and Customer Data, 2002), such as stored value card issuers
and retailers that issue credit cards to consumers. The Safeguards Rule also applies to
financial companies, like credit reporting agencies and ATM operators, that receive
information from other financial institutions about their customers. In addition to
developing their own safeguards, financial institutions are responsible for taking
steps to ensure that their affiliates and service providers safeguard customer
information in their care.
Adequately securing customer information is not only the law, it makes good
business sense. When you show customers that you care about the security of
their personal information, you increase their level of confidence in your institution.
Poorly-managed customer data can lead to identity theft. Identity theft occurs when
someone steals a customer’s personal identifying information to open new charge
accounts, order merchandise or borrow money.
If Sodexho were to implement safeguards, the Safeguards Rule requires it to
consider all areas of its operations, including three areas that are particularly
important to information security: employee management and training; information
systems; and managing system failures (Financial Institutions and Customer Data,
2002).
The success or failure of an information security plan depends on the
employees hired to implement it. For all of its new employees, the financial
institution will want to check references; have the employee sign confidentiality
agreements; train the employee to maintain the security, confidentiality, and
integrity of customer information; and instruct the new employee on the financial
institution’s policy to keep customer information secure and confidential. In
addition, the financial institution will want to limit access to customer information to
those employees who have a business reason for seeing it and impose disciplinary
measures for any breaches (Financial Institutions and Customer Data, 2002).
The information systems utilized in a security plan include network and
software design, information processing, storage, transmission, retrieval, and
disposal. In order for a financial institution to maintain security throughout the life
cycle of customer information, it will need to store records in a secure area,
provide secure data transmission, and dispose of customer information securely. Authorized
employees are to be the only ones to have access to the stored records. The
stored papers are to be locked in a cabinet, room, or other container. The area is to
be protected against destruction or potential damage. The customer’s electronic
information is to be stored on a secure server that is accessed by password only.
When the financial institution collects or transmits customer information, the data
transmission is to be secured. When obtaining credit card information, a Secure
Sockets Layer (SSL) or other secure connection must be used to ensure the
information is encrypted. Any electronic mail sent to the customer is to be
password protected so only authorized employees have access. The financial
institution is to dispose of customer information in a secure manner. The financial
institution should hire or designate a records retention manager to oversee the
disposal of records containing nonpublic personal information. Customer
information on paper is to be shredded and stored in a secure area until a recycling
service picks it up. In addition, the financial institution should use appropriate
oversight or audit procedures to detect the improper disclosure or theft of customer
information.
Effective system failure management includes the prevention, detection and
response to attacks, intrusions or other system failures. The financial institution
should maintain up-to-date and appropriate controls by following its written
contingency plan to address any breaches; checking with its software vendors about
any patches or vulnerabilities; and utilizing anti-virus software and firewalls. The
financial institution’s systems should be maintained to ensure access to nonpublic
consumer information is granted only to legitimate and valid users. The customer
should also be notified immediately of any loss of, damage to, or unauthorized
access to the customer’s information.
Basically, according to the Safeguards Rule, financial institutions must develop
a written information security plan that describes their program to protect customer
information. All programs must be appropriate to the financial institution’s size and
complexity, the nature and scope of its activities, and the sensitivity of the customer
information at issue.
3. Gramm-Leach-Bliley Act - Pretexting
Pretexting is the practice of obtaining the customer’s personal information
under false pretenses. Pretexters sell the customer’s personal information to people
who may use it to get credit in the customer’s name, steal the customer’s assets, or
investigate or sue the customer (Pretexting, 2001).
Pretexters use a variety of tactics to obtain one’s personal information. For
example, a pretexter may call, claim he's from a survey firm, and ask several
questions. When the pretexter has the information he wants, he uses it to call the
customer’s financial institution. He pretends to be the customer with authorized
access to the account. He might claim that he's forgotten his checkbook and needs
information about his account. In this way, the pretexter may be able to obtain
personal information such as the customer’s Social Security number (SSN), bank
and credit card account numbers, and information in the credit report. It is important
to keep in mind that some information may be a matter of public record, such as
home ownership, paying real estate taxes, or filing for bankruptcy (Pretexting,
2001).
Under the Gramm-Leach-Bliley Act it is illegal to:
• use false, fictitious or fraudulent statements or documents to get customer
information from a financial institution or directly from a customer of a financial
institution;
• use forged, counterfeit, lost, or stolen documents to get customer information
from a financial institution or directly from a customer of a financial institution;
• ask another person to get someone else's customer information using false,
fictitious or fraudulent statements or using false, fictitious or fraudulent
documents or forged, counterfeit, lost, or stolen documents (Pretexting, 2001).
Pretexting can lead to "identity theft." Identity theft occurs when someone seizes
one’s personal identifying information to open new charge accounts, order
merchandise, or borrow money. Consumers targeted by identity thieves usually
don't know they've been victimized until the robber fails to pay the bills or repay the
loans, and collection agencies begin dunning the consumers for payment of
accounts they didn't even know they had.
If Sodexho were to issue a stored value card, the company would be required to
comply with all three sections of the Gramm-Leach-Bliley Act. Privacy notices
would be issued annually by Sodexho to its customers. These privacy notices must
comply with the GLBA as enforced by the Federal Trade Commission. Additional
costs would be involved in ensuring privacy notices are sent on time and comply. Since
Sodexho would be obtaining personal information about its customers, the company
is required to safeguard this information. Additional computer hardware and
software programs are necessary to ensure the personal information does not fall
into the wrong hands. Sodexho’s initial application for obtaining a stored value card
must be worded so as to avoid any potential pretexting. Sodexho may incur
additional costs ensuring that employees do not solicit illegal information from its
customers.
D. Bank Secrecy Act
The Currency and Foreign Transactions Reporting Act, also known as the Bank
Secrecy Act (BSA), is a tool the U.S. Government uses to fight drug trafficking,
money laundering, and other crimes. Congress enacted the BSA to prevent
financial institutions and other financial service providers from being used as
intermediaries for criminal activity. The Office of the Comptroller of the Currency
(OCC) monitors national bank compliance with the BSA.
Since the BSA’s passage, Congress has amended it many times to enhance
law enforcement effectiveness. The Anti-Drug Abuse Act of 1986, which included
the Money Laundering Control Act of 1986 (MLCA), strengthened the government’s
ability to fight money laundering by making it a criminal activity. The Money
Laundering Suppression Act of 1994 required regulators to develop enhanced
examination procedures and increase examiner training to improve the identification
of money laundering schemes in financial institutions.
1. USA Patriot Act
The USA Patriot Act was enacted after the events of September 11, 2001.
Congress rushed to enact a law that it believed would help identify and stop the flow
of money to and from terrorists. Also, it was believed that identifying the money trail
would help law enforcement stop the terrorists.
Money laundering is the criminal practice of filtering “dirty” money through a
series of transactions, so the funds are “cleaned” to look like proceeds from legal
activities. Money laundering does not have to involve cash at every stage of the
laundering process. Any transaction conducted with a bank might constitute money
laundering. Although money laundering is a diverse and often complex process, it
basically involves three independent steps that can occur simultaneously:
1. Placement- The process of depositing unlawful cash proceeds into traditional
financial institutions.
2. Layering- The process of separating the proceeds of criminal activity from their
origin through the use of layers of complex financial transactions, such as
converting cash into traveler’s checks, money orders, wire transfers, letters of
credit, stocks, bonds, or purchasing valuable assets, such as art or jewelry.
3. Integration- The process of using an apparently legitimate transaction to
disguise the illicit proceeds, allowing the laundered funds to be disbursed back
to the criminal (Bank Secrecy Act).
Prior to the enactment of the Patriot Act, much of the focus of anti-money
laundering requirements was on the discovery and elimination of illegal activities
related to drug trafficking. As a result of the Patriot Act, the attention was shifted to
terrorist financing. Many of the requirements are enhanced elements of the Bank
Secrecy Act compliance measures with which financial institutions had been
complying for years. The body of laws and regulations that comprise BSA
compliance may be grouped into four broad categories:
1. Enhanced Due Diligence (EDD) / Know Your Customer (KYC)
2. Currency Transaction Reporting (CTR) / Suspicious Activity Report (SAR)- for
every cash transaction over $10,000, financial institutions must file a CTR
3. Monetary Instruments Sale Log- all transactions between $3,000 and
$10,000 must be recorded
4. Funds Transfer recordkeeping and Travel Rule- identification of the originator
and beneficiary is required and all identifying information must travel with the
payment order throughout the transfer (Private Communication, Bank of
America, 2004).
An effective BSA compliance program needs to cover in detail the
above-mentioned BSA components and have a training program that ensures all
associates understand the BSA requirements, what constitutes money laundering,
how to detect money laundering “red flags”, and the penalties for non-compliance.
Enhanced Due Diligence (EDD) and Know your Customer (KYC) are part of the
Customer Identification Program (CIP). In regulations under CIP, a covered financial
institution is not permitted to open an account for a customer unless it has obtained
certain required pieces of information. The financial institution also is required to
provide adequate notice to the customer that it is collecting information to verify the
customer’s identity. Then, within a reasonable time after account opening, it must
take steps to verify the identity of the customer so that it may form a “reasonable
belief” that it knows the “true identity” of the customer. Its procedures must address
what it will do if it cannot form such a belief (e.g. closing the account or other
action).
The CIP must include account opening procedures that specify the identifying
information that will be obtained from each customer. It must also include
reasonable and practical risk-based procedures for verifying the identity of each
customer. These procedures must enable the bank to form a reasonable belief that
it knows the true identity of each customer. Financial institutions should conduct a
risk assessment of their customer base and product offerings, and in determining
the risks, the following factors are considered:
• The various types of accounts maintained by the bank;
• The bank’s various methods of opening accounts;
• The various types of identifying information available; and
• The bank’s size, location, and customer base (Bank Secrecy Act
Examination Procedures, 2004).
For years, financial organizations have struggled with the requirement to
manually analyze many pages of data to determine required currency transaction
report (CTR) filings and to determine whether to file a suspicious activity report (SAR).
Many of the Anti-Money Laundering (AML) systems offered today condense the
related account information onto a single report, which allows an organization to
determine when to file a CTR or SAR. Some systems go as far as accumulating
cash-transaction records by account and customer and automatically filing the CTR
with the Internal Revenue Service.
With the passage of the USA Patriot Act, compliance takes a great deal of time,
energy, and work: the level and amount of training, the implementation, and
the review process are all very burdensome. The Act
expands the authority of the Secretary of the Treasury to regulate the activities of
U.S. financial institutions, particularly their relations with foreign individuals and
entities. Also, the Act contains a number of new money laundering crimes, as well
as amendments and increased penalties for earlier crimes. Finally, the Act creates
two types of forfeitures and modifies several confiscation-related procedures. It
allows confiscation of all the property of any individual or firm (such as Sodexho)
that participates in, plans, or obtains property derived from an act of domestic or
international terrorism (Turner, 2004).
The consequences of this law for financial institutions, or Sodexho, include
additional required customer identification programs, anti-money laundering
programs, and information sharing requirements. There is also greater
accountability at all levels of the institution, from the board of directors to tellers and
customer service representatives. The federal banking agencies have adopted new
rules, imposed new requirements, and developed new examination procedures.
Over the past few months, financial institutions found to have lax or insufficient
anti-money laundering procedures or policies, or those that have not complied with
the policies they have set, have been subject to enforcement actions. In the well-
publicized case of Riggs National Bank, its primary regulator, the Office of the
Comptroller of the Currency, has itself come under intense scrutiny because the
agency failed to discover lapses in the bank’s Bank Secrecy Act compliance
program. All of the federal banking agencies have indicated that compliance with all
anti-money laundering laws has the highest priority (Bahin, 2004).
Moreover, as concerns around terrorism and money laundering mounted
following September 11, 2001, financial institutions came under pressure to keep
and report accurate records proving their customers’ identities. The USA Patriot Act
requires financial institutions to be more diligent in documenting customer
identification, which has had significant impact on enrollment processes and
management of stored value card programs. Most SVC providers do not currently
require that customers provide Social Security Numbers if their cards are PIN-
based. Considering that some underbanked consumers cite privacy as a primary
concern, the reduced identification requirements for PIN-based SVCs may help
encourage customer acceptance. At the same time, Visa and MasterCard require
Social Security Numbers for signature-based SVCs, an important change in the
industry following the Patriot Act. Another emerging issue around the Patriot Act is
that some SVC products allow consumers to give second cards to family members
in other countries as a way to transfer money, and it can be difficult to verify the
identity of individuals living outside the U.S. The inability to verify individuals living
outside the U.S. can become a potential issue (Bahin, 2004).
Financial institutions have been required to comply with the Bank Secrecy Act
(BSA) since it took effect, but recent BSA enforcement actions and a heightened
awareness by regulators make compliance in this area more important now than
ever.
The Financial Crimes Enforcement Network (FinCEN) and the Office of
Foreign Assets Control (OFAC) are emphasizing that BSA audits will be thorough
and have demonstrated that violations will result in penalties. The $25 million fine
imposed on Riggs National of Washington, DC, is the most recent example. The
regulators are also suggesting to organizations during BSA audits that manually
verifying identity or detecting suspicious activity is next to impossible. Even
organizations with only one or two branches will need to determine whether they
have the ability to monitor suspicious activities manually.
In the United States, between $100 billion and $300 billion is laundered every
year. Globally, the estimates run about $1 trillion (Bennett, 2004). The odds that
Sodexho will be used to launder money at some level are high. Would Sodexho be
willing to take this risk?
As a result, financial organizations are looking to implement an automated
AML system that is effective but also practical. Many organizations are turning to
technology solutions because they realize that automating their AML process allows
them to more quickly and accurately identify their customers’ identities, know their
customers’ normal activity, and generate the required reports.
Determining the identity of the person in front of a lender or new account
representative is more efficient and consistent with the help of an automated system
that accesses multiple databases and public records and checks names against
government lists. An automated system not only helps give the organization a
better picture of the person wanting to do business with it, but also helps ensure
employees collect the appropriate customer information. As a side benefit, it
speeds up the screening process at account opening. Using technology eliminates
many of the manual steps an organization’s staff takes to complete a transaction
and helps maintain required information.
Before an organization can determine what activity is suspicious for its
customers, it first needs to decide what activity is normal. Many organizations are
turning to comprehensive AML systems to meet the new requirements. Some AML
systems give an organization the ability to examine a customer’s activity in all of its
business areas. The organization can then put these activities together to create a
big picture of the customer’s business with the organization. Not only is the
organization able to determine what is “normal” for its customers, but it can also
monitor customers’ cash transactions for any indication of structuring, high-volume
wire activity, or unusual connections to people in countries deemed restricted by the
Financial Action Task Force on Money Laundering.
If Sodexho were to issue a stored value card, the company would be required to
comply with the Bank Secrecy Act, including as it relates to the USA Patriot Act.
Sodexho must have programs and policies in place to accurately detect any
potential money laundering, whether for drug trafficking or terrorist financing. Sodexho
must know its customer or face steep penalties.
E. OFAC- Office of Foreign Assets Control
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC)
administers economic sanctions and trade embargoes against certain countries,
entities and individuals, including narcotics traffickers and terrorists. Sanctions are
imposed based on U.S. foreign policy and national security concerns. They can
involve prohibiting trade, blocking (also known as “freezing”) assets, prohibiting
certain types of commercial and financial transactions or a combination of these
measures. These sanctions apply to all U.S.-based financial institutions. OFAC
administers a series of laws that impose economic sanctions against hostile targets
to further U.S. foreign policy and national security objectives.
Under OFAC, a financial institution must:
• Provide adequate understanding of OFAC sanctions, programs, and
enforcement authority
• Facilitate recognition and reporting of transactions that involve blocked
targets
• Maintain OFAC interdiction software required for high-risk transaction
screening such as wire transfers
• Maintain automated or manual processes for OFAC clearance and screening
of new accounts and transactions
• Not maintain account relationships with Specially Designated Nationals
(SDNs)
• Scan existing customer databases for OFAC SDN list changes (Dept of
Treasury, 2004)
Specially Designated Nationals (SDNs) are individuals and entities
associated with targeted countries or with international narcotics
trafficking or terrorism. All property in an SDN’s name must be blocked in an across-
the-board prohibition against transfers or transactions of any kind. OFAC publishes
an SDN list that consists of individuals, groups and entities owned by targeted countries.
The importance of establishing a compliance program and developing
internal audit procedures should be obvious to every financial institution. Definite
expectations exist with regard to the processing of transactions involving countries
under sanctions. Financial institutions are required to report all blockings to OFAC
within 10 days of occurrence. If your bank does not block and report a transfer and
another bank does, then your bank is in trouble. A bank in non-compliance may be
opening itself to adverse publicity, fines and even criminal penalties.
OFAC has imposed millions of dollars in civil penalties involving U.S. financial
institutions. The majority of the fines resulted from financial institutions’ failure to
block illicit transfers when there was a reference to a targeted country or SDN.
Once again, if Sodexho were to issue a stored value card, the company must
know its customer. Sodexho must implement a special program to detect if any of
its customers fall on the OFAC list of Specially Designated Nationals. If Sodexho
were found to be non-compliant, the company would face potentially steep penalties.
F. Federal Deposit Insurance Corp (FDIC)
The issue of whether stored value cards are considered depository accounts
is a timely one that is currently under review by the Federal Deposit Insurance
Corporation (FDIC). If funds stored on SVCs are considered deposits, FDIC
insurance would possibly apply. If a financial institution pools the SVC accounts
and does not provide individual “sub-accounts” to cardholders, FDIC insurance is
not available on an individual customer basis. But if a financial institution offers the
SVC as an individual bank account-like product, “pass-through” FDIC insurance
might apply. Some SVC providers welcome the expansion of FDIC insurance to
SVCs and are already operating as if their products are considered deposits. On
the other hand, some industry representatives argue that SVCs should not be
compared to bank accounts, that they are in fact more appropriately compared to
cash, and that for that reason Regulation E is not appropriate. They worry that, if funds
placed on these cards are in fact considered deposits by federal regulators,
additional costly infrastructure and regulatory oversight might be required. This
could change the current economic model for SVCs and make them a less
attractive business opportunity.
Because the question of whether stored value cards are subject to FDIC
insurance is relatively new, its implications for Sodexho cannot be assessed
at this point.
IV. Conclusion
Sodexho is a food service provider for many colleges and universities.
Sodexho contracts with these colleges and universities to provide the best service.
If the college or university is interested in additional services, Sodexho will do its
best to provide these services. Sodexho proposes additional services to the
colleges and universities, especially some that the colleges and universities may not
have contemplated.
One of these additional services proposed by Sodexho is the stored value
card. The stored value card will enable university and college students to not only
utilize the dining hall menus but also to shop or eat at off campus locations. The
idea of this stored value card was expressed by Sodexho’s Senior Vice President,
Finance, Campus Services Division in early 2004. Developing this particular stored
value card is moving Sodexho into uncharted territory. The envisioned product
does not yet exist; examples are nonexistent.
This paper reviewed the types of stored value cards and the surrounding
legal and regulatory concerns. When the Sodexho stored value card idea was first
mentioned in early 2004, the company was unable to determine if a financial
institution should be involved or if the company could “do it alone”. As previously
mentioned, the market for stored value cards has excellent potential.
The stored value card Sodexho is proposing would be of the non-branded
open loop type. The card is issued by a third party (Sodexho) but has all the
backing of a credit/debit card since a financial institution will manage the product.
A non-branded open loop card relies heavily on fees. Sodexho will receive a fee
for each transaction. The anticipated frequent use of this card by students can
impact Sodexho’s bottom line positively.
Because of September 11, 2001, the U.S. government is concerned about
terrorism. Stopping terrorist financing is one way to slow down any potential
attacks. Hence, many new laws and regulations have been enacted since then.
With all the legal and regulatory issues surrounding a stored value card,
Sodexho’s compliance costs would be significant. It can be seen without any heavy
analysis that the additional computer hardware/software programs and staff costs
would overshadow any benefit of the program. Compliance
is not the only risk to consider for the stored value card; Sodexho should also
consider other tangible risks. Other tangible risks include start-up costs and
maintenance costs. Intangible risks are another type of risk to consider. Examples
of intangible risks are name risk and reputation risk.
Because of all the aforementioned risks and potential costs, Sodexho’s
stored value card program would be best issued by partnering with a national bank.
Banks are already compliant with any laws and regulations for the stored value
card, and banks have already invested in any computer hardware/software and staff
necessary to ensure compliance. The Sodexho stored value card would be best as
a “non-branded” open loop.
Reference List
Bank Secrecy Act/Anti-Money Laundering, Comptroller’s Handbook, Bank Secrecy Act
Keenan, Charles, (Sept 2004). Turning up the Heat. Community Banker
Bank Secrecy Act Examination Procedures for Customer Identification Programs; July 28, 2004
Bahin, Charlotte, (Sept 2004). Evolving Compliance requirements. Community Banker.
Nash-Goetz, Karen, USA Patriot Act Customer Identification Programs, The New Federal Regulations…How will they Affect you?, http://www.afponline.org/mbr/res/oh/2003/219_article_13.html
Frequently Asked Questions, Bank Secrecy Act, Bank of America (personal communication, Sept 2004)
Bennett, Shannon, (Aug 2004). Automating Fight on Money Laundering. Bank Technology News
The Gramm-Leach-Bliley Act: The Financial Privacy Rule, http://www.ftc.gov/privacy/privacyinitiatives/financial_rule.html
Gramm-Leach-Bliley Act, 15 USC, subchapter 1, Sec 6801-6809, Disclosure of Nonpublic Information, http://www.ftc.gov/privacy/glbact/glbsub1.htm
Halsey, Susan, (July 2004). Customer Privacy Protection Under the Gramm-Leach-Bliley Act
Electronic Fund Transfers, Regulation E; Docket No. R-1210, 12 CFR Part 205, The Federal Register
Foreign Assets Control Regulations for the Financial Community, September 2004, Department of the Treasury
Foreign Assets Control Regulations for the Corporate Registration Industry, October 2004, Department of the Treasury
Financial Institutions and Customer Data: Complying with the Safeguards Rule, Federal Trade Commission, www.ftc.gov
Safeguarding Customers’ Personal Information: A Requirement for Financial Institutions, Federal Trade Commission
Pretexting: Your Personal Information Revealed, January 2001, http://www.ftc.gov/bcp/conline/pubs/credit/pretext.htm
Turner, Shawn, (2004) U.S. Anti-Money Laundering Regulations: An Economic Approach to Cyberlaundering, Case Western Reserve Law Review
Stored Value Cards: An Alternative for the unbanked?, (September 2004), http://www.ny.frb.org/regional/stored_value_cards.html
Jacob, Katy, (July 2004) Stored Value Cards: A Scan of Current Trends and Future Opportunities, The Center for Financial Services Innovation, Research Series White Paper #1
Rinearson Esq, Judith, (2004, June) Legal and Regulatory Issues Facing the Prepaid-Card Industry, Paper presented at the meeting of the Federal Reserve Bank of Philadelphia
Budnitz, Prof Mark E, (2004, June) Legal and Regulatory Issues Facing the Prepaid-Card Industry, “Prepaid Cards: How do they Function? How are they Regulated?” Paper presented at the meeting of the Federal Reserve Bank of Philadelphia
Furletti, Mark, (2004, June) Conference Summary, Payment Cards Center, Legal and Regulatory Issues Facing the Prepaid-Card Industry, “Prepaid Cards: How do they Function? How are they Regulated?” Paper presented at the meeting of the Federal Reserve Bank of Philadelphia
Bank Secrecy Act Examination Procedures for Customer Identification Programs (July 28, 2004)
Definition
Prepaid debit card
• Mimics checking account
• Plastic card – holds access to value for purchases
• Value maintained centrally
Examples of early uses
• Public Transportation, public assistance payments
SVC Market
• Potential cardholders
• Merchant payment
Types of Stored Value Cards
Proprietary/Gift Cards
• Single-purpose/“closed-loop” cards
• Store gift cards
• Low risk, more profitable
MasterCard/Visa
• Multipurpose cards/“open-loop” cards
• Payroll cards - sold to business - low risk
• Reloadable debit cards - sold to public - high fraud risk, slim profit margins
• Branded vs Non Branded
Middle Decision
• “Semi Closed/Semi-Open”
• Branded - works on MC/Visa infrastructure
• Reloadable - higher risk, less profitable
Stored Value Card Market
Growing and Evolving Rapidly
Product Providers
“Right Issue”
Demand on the rise
Industry Executives focused on challenges in market
Legal and Regulatory Issues with SVC
Money Services Businesses
Regulation E
Gramm-Leach Bliley
Bank Secrecy Act
OFAC - Office of Foreign Assets Control
FDIC - Federal Deposit Insurance Corp
Money Services Business
Definition
Money Transmitter License
Advantages of MTL
• Allows non-financial institutions in payments industry
Disadvantages of MTL
• Additional costs to already low profit margin product
Regulation E
Definition
Compliance
• Issue access devices
• Written disclosures
• Error resolutions
• Notification of account changes
SVCs and Regulation E
Gramm-Leach Bliley
Definition
Privacy Rule
• Consumers vs customers
Safeguards
• Protection of private information
Pretexting
• Cannot obtain customer’s personal information under false pretenses
Bank Secrecy Act
Definition
US PATRIOT Act
• Fight Terrorism Financing
Compliance
• Know your Customer
• Currency Transaction Reporting/Suspicious Activity Report
• Monetary Instruments
• Funds Transfer recordkeeping and Travel Rule
FDIC - Federal Deposit Insurance Corp
SVC and FDIC
SVC - pooling
• Lack of Sub-accounts
SVC - individual
• Pass through FDIC