Viewpoint: Prepaid Program Managers Must Be Exam-Ready Bank Partners
In light of the intense regulatory focus and pressure on prepaid cards, it’s time for program managers to step up and manage their own compliance to the point of being “exam-ready.”
There’s a tsunami of regulatory attention1 on the oversight of third parties that provide critical activities2 to financial institutions. In the prepaid world, this includes program managers (and other third parties)3 and the activities they provide for prepaid card programs, such as designing and running the card program, verifying cardholders’ identities, marketing and customer services. Increased regulatory oversight is coupled with an aggressive willingness on the part of at least six regulators to issue enforcement actions against banks and program managers for third-party violations of consumer protection and other regulations. Many recent enforcement actions have included multimillion dollar fines, sanctions and mandates to develop or correct written compliance programs.
Banks are addressing the double whammy of enhanced oversight and enforcement by stepping up their third-party risk management, with emphasis on hot spots, including consumer compliance and AML, information security, vendor management, business continuity and incident response. They are now performing initial and ongoing due diligence, monitoring and program manager audits to a very high standard. And, of course, they also are requiring program managers to do more to proactively address the hot spots.
With so much focus on third-party risk and compliance and so much riding on banks’ successful regulatory exams, every prepaid program manager must adopt a culture that supports its issuing banks’ compliance and risk management requirements. Failure to do so could cause banks to withdraw entirely as issuers (except for their own programs, where they can control their risks completely); increase costs to the point that many programs won’t be viable; or become increasingly selective about the programs they’re willing to sponsor.
It’s time to explore the proactive steps program managers can take that are mutually beneficial to their bank issuers, their customers and their overall business.
Third-Party Risk Management Is Broken
In the prepaid industry, it’s time to invert the traditional regulatory message of “banks must manage third-party risk and compliance” to “third parties must proactively manage risk and compliance for their bank partners.” As an example, let’s look at the nature of the relationship between a typical prepaid issuing bank and an independent program manager:
The bank is the prepaid card issuer, but the program manager administers and manages the card program for the bank in accordance with the bank’s specific requirements. Typically, the issuing bank holds the program manager liable for meeting these requirements, including all risk and compliance matters. Unfortunately, the history of enforcement actions and consent orders shows that imposing liability on program managers has not enabled banks to avoid compliance costs. When the regulators find fault with the activities of third parties working with the bank, banks have been fined and ordered to pay civil money penalties or restitution; some have been constrained in their ability to conduct their businesses fully; and some have been ordered to improve their compliance programs.
So What’s the Solution?
- Defining and executing a compliance program to address the numerous regulatory mandates and updates frequently issued by regulators, along with reacting to learnings from regulatory enforcement actions.
- Self-policing4 and validating the effectiveness of its compliance and risk management program.
While the above may seem daunting, successful execution is easier if the strategic approach is segmented into three sequential phases, with each phase building on the previous. At a high level, the three phases are:
Phase 1. Develop compliance policies and procedures.
Based on FFIEC regulations, guidance and industry best practices, McGovern Smith Advisors has identified 34 specific prepaid compliance policies and their required implementing procedures. These policies and procedures define the controls and day-to-day activities that should be in place and working effectively to meet the applicable compliance mandates and manage risk. They address the regulatory hot spots, such as consumer compliance and AML, information security, vendor management and business continuity.
Program managers must begin by creating a set of policies and procedures that are tailored to their business, operations and clients to address these regulatory hot spots.
Once these policies and procedures are adopted by the board or senior management, the program managers will be positioned to implement the second phase of a prepaid compliance and risk management program—executing on the controls and operational day-to-day activities defined in the approved policies and procedures.
Phase 2. Execute the prepaid compliance program.
Implementing and administering a compliance program requires program managers to follow the approved policies and procedures to ensure regulatory mandates and key risks are mitigated throughout their ongoing daily operations for the regulatory hot spots noted previously. For example:
- Consumer compliance and AML. Program managers must make a commitment to internal or third-party expertise to imbed the approved policies and procedures into products, services and daily operational activities to ensure the policies and procedures are carried out. Relevant tasks might include preparing customer notices and disclosures, drafting marketing messages, writing sales scripts, verifying customer identities, monitoring for suspicious transactions and handling complaints.
- Information security. Program managers must implement physical, administrative and technological safeguards to protect the confidentiality and integrity of sensitive data, networks and facilities from known and unknown threats. In accordance with the Gramm-Leach-Bliley security rule and other recognized information security best practices, an effective information security program also includes:
- Threat and vulnerability risk assessments
- Risk management and controls
- Control testing and continuous monitoring
- Vendor risk management. This is a top concern for issuing banks and their regulators. Therefore, program managers must:
- Classify all vendors based on risk to the company and their issuing banks
- Perform comprehensive due diligence and manage their individual vendors and the associated risk to the organization and their partners, network and customer data
- Define mutual key performance and key risk indicators in contracts with all critical vendors
- Business continuity planning. Done properly, business continuity planning (BCP) will enable program managers to rapidly recover from a disruption or disaster, keep their organization compliant with relevant standards and sustain and improve their programs over time. Key elements include:
- Establishing BCP governance, capabilities for managing enterprise-wide crisis, continuity of operations, IT and operational recovery procedures, and pandemic preparedness
- Performing risk assessments of key facilities and business impact analysis that define priorities, recovery time frames and recovery resource requirements
Once program managers begin to execute the operational activities for these regulatory hot spots, the next phase is to oversee the effectiveness of these controls and activities and train staff.
Phase 3. Train staff and oversee the compliance program.
Program managers must:
- Provide annual training to all staff members to ensure they understand their duties and responsibilities associated with day-to-day activities on the prepaid legal and regulatory mandates outlined in the procedures.
- Retain records of the training, including the content and verification that all employees participated.
- Hold quarterly board and audit committee meetings.
- Perform annual assessments to validate the effectiveness of policies, procedures, controls, daily activities and training.
- Document weaknesses in practices and create a framework to track, manage, resolve and report to executive management on the resolution of any issues.
Regulators want banks to be accountable for knowing and managing third-party relationships as if they were an extension of the banks’ own activities. Increasingly, they also are expecting banks’ third-party partners to adopt a culture to show they understand the regulatory mandates of the banks and are willing and able to validate that they are exam-ready partners.
The time and resources for program managers to become trusted partners is significant and raises the cost of doing business with regulated financial institutions. The cost of not implementing an exam-ready culture, however, is even higher—risking the viability of the services from which program managers earn their living.
Prepaid is a complex ecosystem, and each participant in the value chain must play its role for the viability of the whole. Each needs to identify what’s important and fulfill its part of the relationship. This involves operating in a highly regulated payments environment in which regulators are ready to ensure all parties follow the letter of the law and regulation, protect consumers and avoid having prepaid funds used for nefarious purposes.
1 Example references include: OCC Bulletin 2013-29 – Third-Party Relationships: Risk Management Guidance; FDIC FIL-3-2012 – Payment Processor Relationships; and FRB SR 13-19 – Guidance on Managing Outsourcing Risk.
2 Critical activities are significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities (e.g., identity verification of customers) that: could cause a bank to face significant risk if the third party fails to meet expectations; could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; or could have a major impact on bank operations if the bank has to find an alternate third party or if the activity has to be brought in-house. Program managers perform many activities that are critical to their issuing bank clients (e.g., access to cardholder data, marketing, selling, customer servicing and performing customer identification procedures).
3 It’s not just program managers that need to step up. Other third parties with a role in the prepaid value chain are in the same situation. The other third parties might include: merchant acquirers, acquiring banks, issuer and merchant processors, payment networks, call centers, distributors or sellers. For the purpose of this article, we’re focusing on program managers.
4 See CFPB Bulletin 2013-6, “Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation” (June 25, 2013).
In Viewpoints, prepaid and emerging payment professionals share their perspectives on the industry. Paybefore endeavors to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.
Paul Reymann is a partner with McGovern Smith Advisors. He has more than 28 years in compliance and risk management, including 13 with the U.S. Department of Treasury, where he co-authored the Gramm-Leach-Bliley Act security regulation. Reach him at firstname.lastname@example.org.