News & Articles


Practice Areas

General Counsel Services

Guidance Issued on Applying CIP Requirements to Holders of Prepaid Cards

May 11, 2016
Kevin Patterson
Garden City

Federal banking regulators have issued guidance on the applicability of customer identification program (“CIP”) regulations to prepaid cards (the “Interagency Guidance”). Among other things, the Interagency Guidance clarifies that an institution’s CIP policy applies to general purpose prepaid cards that can be reloaded, or that permit access to credit or overdraft features. As a result, financial institutions must properly identify individuals purchasing these types of cards.  

The Interagency Guidance was issued by the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) (collectively, the “Agencies”), and applies to “Issuing Banks.” An Issuing Bank is any national or commercial bank, savings association or credit union (or branch of a foreign bank located in the United States) which issues prepaid cards. The guidance requires that Issuing Banks apply the CIP requirements set forth in Section 326 of the USA Patriot Act (the “Patriot Act”) and related regulations to certain customers who are issued a prepaid card by the Issuing Bank and/or by certain third-party program managers. 

What is the CIP?

CIP regulations require a financial institution to obtain information sufficient to form a reasonable belief regarding the identity of each “customer” opening a new “account.” As defined in the CIP regulations, a customer is “a ‘person’ (an individual, a corporation, partnership, a trust, an estate or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks the legal capacity to do so, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club).”[1]  An account is a “defined formal banking relationship to provide or engage in services, dealings or other financial transactions, and includes a deposit account, a transaction or asset account, a credit account, or another extension of credit.”[2]

Under the Patriot Act, an institution’s CIP must use risk-based procedures to verify the customer’s identity, including obtaining certain customer information upon opening an account (e.g., customer’s name, date of birth, address and tax identification number), and applying an identity verification procedure that describes how the institution will verify the customer’s identity.

Applying an Issuing Bank’s CIP to Prepaid Cards

Prepaid Cards

The Interagency Guidance states that prepaid cards have become mainstream financial products, widely used by individuals, corporations, and other private sector entities, as well as state, federal and local governments.  Some of the reasons why these prepaid cards are so desirable are:

The benefits to the customer associated with prepaid cards in turn create potential issues for the Issuing Banks. According to the Interagency Guidance, the ease at which a prepaid card can be obtained, the anonymity associated with its purchase and use, and the large amount of funds that can be accessed by the card have fostered an environment for potential fraud and criminal abuse.  

Applying CIP to Prepaid Cards

The Agencies have determined that any prepaid cards that allow cardholders to reload funds or access an Issuing Bank’s credit or overdraft features (“general purpose prepaid cards”) should be treated as “accounts” under the CIP since such cards exhibit the same characteristics as standard bank accounts.  These general purpose prepaid cards can be reloaded by the cardholder, or another person on behalf of the cardholder, similarly to how funds may be deposited into a deposit, asset or transaction account.[3]  Thus, the Agencies have determined that a general purpose prepaid cardholder meets the definition of a “customer” under the CIP as the cardholder has successfully opened an “account” with the Issuing Bank. Under the CIP regulations, this requires the Issuing Bank to apply its identification and verification procedures to the issuance of these general purpose prepaid cards.

Prepaid Cards and Third Parties

Often the supplier of general purpose prepaid cards is a third-party program manager under an arrangement with a financial institution[4]. According to the Interagency Guidance, such a third-party program manager should be treated as an agent of the Issuing Bank in this situation, and the Issuing Bank is ultimately responsible for complying with CIP and Patriot Act obligations for general purpose prepaid cards issued by the third party. In order for the Issuing Bank to comply with its CIP requirements when dealing with third-party program managers, the Issuing Bank should ensure it enters into a contract with the third-party program manager describing in detail the manager’s obligations under the CIP requirements, as well as other responsibilities and expectations. The Interagency Guidance specifically states that an Issuing Bank’s contract with a third-party program manager should:

Additional Information:

The Interagency Guidance may be accessed through the following link:

If you have any questions regarding the Interagency Guidance or CIP requirements in general, please feel free to contact Kevin Patterson at (516) 296-9196 or via email at, Joseph D. Simon at (516) 357-3710 or via email at, or Jeff Fowler at (516) 296-9134 or via email at

[1] The definition of customer does not include a person who does not receive banking services, such as someone who was denied a loan, an existing customer about whom the institution has a reasonable belief it knows the customer’s true identity, federally regulated banks, banks regulated by a state bank regulator, governmental agencies and publicly traded companies. 

[2] An account also includes a relationship established to provide a safe deposit box or other safe keeping services or to provide cash management, custodian or trust services.

[3] Some general purpose prepaid cards have the potential for reload, credit and overdraft features to be activated at a later time, but they will not fall within the CIP requirements until those features are actually activated.

[4]  The Interagency Guidance describes a “third-party program manager” as a company that designs, manages and operates a prepaid card program and contracts with a bank to issue prepaid cards under the program and to process transactions conducted using those cards. The third-party program manager also provides customer service and card distribution (sales).