INTRODUCTION
The Bank Secrecy Act (“BSA”)1 exists to detect and prevent money laundering, terrorist financing and other financial crimes.2 It authorizes the Treasury Department to impose rules, including reporting and recordkeeping requirements, on financial institutions and other businesses.
This Alert provides a practical guide to the BSA’s application to “prepaid programs,”3 a regulatory term that includes physical “prepaid cards” as well as certain digital or mobile access mechanisms. Programs vary widely and the regulatory analysis is highly fact-specific based on the product features, program structure, and the allocation of responsibilities among participants. However, one common issue is this: identifying the participant in the prepaid program that exercises primary or principal oversight and control over the program for purposes of the BSA. The Alert is intended to be a practical guide to this complex patchwork of statutes, regulations and guidance.
BACKGROUND
Prepaid Card Programs
Research reports indicate that the global prepaid card market will reach approximately $3 trillion in worldwide value by 2027.4 This is due to the increasing adoption of digital payment solutions, the rising demand for financial inclusion, the growing popularity of gift cards and reloadable prepaid cards, the continuing shift towards digital payment methods, the proliferation (and ease of use) of smartphones and mobile payment applications, and increased utilization by governments for disbursing government assistance programs.5 Prepaid cards can allow cardholders to perform a variety of functions, including those that have traditionally been conducted using other payment mechanisms, such as checks, debit cards tied to bank accounts, or credit cards.6 They include cards falling into such categories as general-purpose reloadable, payroll, government disbursement, incentive, gift/closed-loop, and virtual/digital wallets.
The Players
Behind the ease of use and apparent simplicity of prepaid cards and mobile access lies a vast complex of technological, research, development, sales, marketing, finance and administrative operations of multiple participants. Prepaid access programs need banks (“issuing banks”) to hold and protect cardholder funds, issue the cards, ensure compliance with banking and fintech regulations and network rules, and report to the regulators.
Programs also require entities to provide secure processing rails (“processing networks”) for transaction approvals and settlements among merchants, issuing banks and merchant banks – in real time.
Another group of participants (“processors”) provides the technology structure to handle routing, approval/denial decisions, customer balances and system integration, maintaining ledgers, updating accounts, supporting user interfaces and APIs, fraud monitoring and risk management programs.
The last group of businesses are so-called “program managers” – the marketing, sales and distribution component. These entities may also have had a role in designing the program and may also coordinate among the other participants, ensure compliance with regulations, and provide customer support and even operational oversight.
There are no bright lines distinguishing these four groups of players. For example, some program managers are large complexes of processors despite being labeled as program managers in business process flow charts.
The Bank Secrecy Act – An Evolving Patchwork
Under the Bank Secrecy Act, the Financial Crimes Enforcement Network (“FinCEN”), a bureau of the Treasury Department created in 1990,7 promulgates regulations covering the legal and operational data and processes that require financial institutions to verify customers, assess risks, and prevent illicit use of the financial system (“AML/CFT information”) under mandatory AML/CFT Programs.
The BSA and its regulations have evolved over the period from initial enactment in 1970,8 when banks and other financial institutions (and even individuals in some respects) first became subject to early-stage AML/CFT reporting requirements. In 1999, FinCEN published a final rule under the Money Laundering Suppression Act of 1994 separately calling out money services businesses (“MSBs”) as non-bank financial institutions that offered specific financial services and were without a functional Federal regulator. When FinCEN issued that MSB rule, it deferred certain requirements for “stored value” based on its complexity and the desire to avoid unintended consequences with respect to an industry then in its infancy.
As of the 1999 rule, an issuer, seller, or redeemer of stored value was not required to register as an MSB with FinCEN or to file SARs, but an issuer, seller or redeemer of stored value, as defined by those regulations, was nonetheless required to file CTRs and to establish a written AML/CFT program. In 2011, another FinCEN final rule amended the regulations by, among other things, renaming “stored value” as “prepaid access,” requiring registration of prepaid access providers as MSBs, and imposing suspicious activity reporting, customer information and transaction information recordkeeping requirements on providers and sellers of prepaid access.
The AML/CFT challenge for regulators is that prepaid access programs involve more parties and sub-parties than routine debit or credit card transactions. As such, AML/CFT information generated by the sale and use of prepaid access is dispersed among the four broad groups of prepaid program participants discussed above. To minimize inefficiency and engage those most knowledgeable about how the business operates, FinCEN requires a central source of AML/CFT information to act as the principal conduit for access to that information from fellow program participants, to accept and manage the flow of information generated by all of the program participants, to comply with other regulatory requirements and to simply have the ability to amass the appropriate information with dispatch.9 Under FinCEN MSB regulations and guidance, that central source is referred to as the “provider of prepaid access,” defined to be “the participant within a prepaid program that agrees to serve as the principal conduit for access to information from its fellow program participants.” If, however, there is no such agreement and the bank is the participant with “primary oversight and control” or “principal oversight and control,” then the bank (which is not an MSB) is that central source.
Bank-Controlled Programs – “Primary or Principal Oversight and Control”10
If the bank is the participant in the program with “primary oversight and control” (as discussed in a 2012 Ruling on the program)11 or “principal oversight and control” (as discussed in a FAQ#9 in a 2011 Final Rule)12 of the program, then the bank (although not an MSB) will be the central source, and other participants generally will not be deemed “providers of prepaid access” for that program under the FinCEN prepaid access framework. However, depending on the facts, a participant could still be an MSB under another category (e.g., money transmitter, seller of prepaid access, etc.) and may have independent federal or state compliance obligations.
Third Party-Controlled Programs -“Principal Oversight and Control” – “Provider of Prepaid Access”
In any prepaid arrangement where the bank is not the participant in the program with primary or principal oversight and control of the program, one of the other (non-bank) participants will be classified as an MSB “provider of prepaid access” by reason of its exercising “principal oversight and control.” As such, it must comply with FinCEN regulations requiring MSBs to register with FinCEN, renew their registration every two years, and maintain a list of their agents, if any.13 As noted above, MSBs are also subject to the full range of BSA regulatory requirements, including the anti-money laundering program rule, suspicious activity and currency transaction reporting rules, and various other identification and recordkeeping rules.14
Due Diligence
Prepaid access is heavily regulated at the federal level through overlapping authorities and expectations that may involve multiple agencies depending on the product and participants, including the Internal Revenue Service, the Consumer Financial Protection Bureau (“CFPB”), the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and FinCEN – to name a few. For participants, an early (and recurring) diligence priority is to determine, on a fact-specific basis, which party exercises primary or principal oversight and control and therefore functions as that central source for program governance and information flow under the BSA.
FINCEN’S FIVE FACTORS INDICATIVE OF OVERSIGHT AND CONTROL
FinCEN has identified five Factors as indicative of “principal oversight and control” and “primary oversight and control.” These factors are set forth in definitions15 and a rule.16 Whether the program will prove to be a bank-controlled program or a third-party-controlled program (and even though banks are not MSBs), we recommend using the five factors in determining such control. We discuss the five factors in detail, below.
- Organizing the prepaid program.
“Organizing the prepaid program” includes the initiation and establishment of the prepaid program. This may involve actions or activities as diverse as identifying the need for a prepaid program, developing a business plan, obtaining financing, and contracting with other principals. A participant that organizes the prepaid program demonstrates oversight and control.”
- Setting the terms and conditions of the prepaid program and determining that the terms have not been exceeded.
“This factor concerns the technical specifications involved in establishing and operating the prepaid program. Setting the terms and conditions encompasses a range of decisions concerning sales locations for prepaid access, fees assessed for activation and reloading, providing customer service, and other aspects of the program. A participant that sets the terms and conditions of a prepaid program demonstrates oversight and control.”
- Determining the other businesses that will participate in the prepaid program, which may include the issuing bank, the payment processor, or the distributor.
“This factor addresses the participant that identifies and recruits the other participants involved in the prepaid program. The provider of prepaid access may choose other participants based on geographic proximity, specialized expertise in a particular line of prepaid access such as payroll programs, market expertise, or other considerations. Regardless of the reasons other participants are chosen, a participant that determines the other entities involved demonstrates oversight and control.”
- Controlling or directing the appropriate party to initiate, freeze, or terminate prepaid access.
“The ability to affect the movement of funds is a very important factor in determining the provider of prepaid access. We understand that a participant in a prepaid program may exercise this authority alone, in tandem with other participants or at the direction of law enforcement or judicial authority. A participant that either moves or suspends funds or directs another participant to move or suspend funds demonstrates oversight and control.”
- Engaging in activity that demonstrates oversight and control of the prepaid program.
“This factor is intended to capture situations where oversight and control may be evidenced by activities that do not fit squarely within items (i) through (iv), preceding. To the extent that both the prepaid industry and our understanding of it continue to evolve, this criterion provides the flexibility needed to ensure reasonable longevity for the rule.”
PRACTICAL CHECKLIST (DOCUMENTS AND QUESTIONS)
The checklist below provides steps participants in prepaid programs can take to discern which participant will have oversight and control
- Collect the full contract set and other materials, including (i) contracts, exhibits, appendices and annexes between and among the web of participants and their subcontractors; (ii) spreadsheets, presentations, business process and operational flow charts; (iii) program policies and procedures, operational and technology policies and compliance manuals; (iv) authorizations and approvals, (v) sales and marketing materials and advertising proofs; and (vi) participant websites and screens of mobile devices.
- Determine if the program may have evolved significantly from the conception point and to have become a bank-controlled program or a third party-controlled program based on factors other than the identity of the “initiator(s).”
- Identify who has final approval rights over: fees; load/reload limits; cardholder terms; marketing and customer disclosures; sales channels; subcontractors; and program changes.
- Confirm who controls key compliance functions: AML/CFT standards; sanctions screening; transaction monitoring rules; SAR investigation/escalation decisioning; CTR processes; and record retention/access – Who has ultimate supervisory and regulatory responsibility for the program.
- Map who can initiate, freeze, suspend, or terminate access (contractual authority and system/operational capability), including who can direct others to do so.
- Determine who selects and can replace other participants (issuer, processor, distributors) and who “owns” or can demand delivery of program records, logs, and customer data.
- Look for contractual and other provisions that the products and services offered under the program are products and services of a particular participant, that such party retains decisional authority and control over the program and that any program changes and/or that the program is issued and supervised by a particular party.
- Identify which participant requires that all customers must be approved and qualified consistently with that party’s policies and procedures.
- Locate the contractual provisions requiring the submission of technology, user interfaces and marketing materials to a particular participant for approval and requiring that all subcontractors be subject to such review and approval.
- Validate actual practice through interviews/certifications: Who makes the calls when issues arise (fraud spikes, regulator inquiries, disputes, program changes)? Who interfaces with regulators and who is accountable for remediation?
BOTTOM LINE
Determining principal oversight and control (and any resulting bank-controlled or third party-controlled program) is highly fact-specific; misclassification can create gaps in registration, AML program design, reporting, and recordkeeping, so participants should document their analysis and revisit it as program roles and capabilities change.
As a practical matter, the contracts are likely to provide ample evidence of oversight and control, but it is likely that countervailing provisions may also be found in the agreements, discussions and certifications. As a result, the ultimate determination will be based upon discussions and certifications and the detailed and nuanced review of applicable law, biparty (or triparty) contracts, flow charts, web pages, physical card text, mobile phone legends and corporate graphics (among the other documents mentioned above) and will give due regard to the legislative and regulatory purposes of applicable law, taken in context and as a whole and will weigh and assess the totality of the factors against the characteristics of the various program participants.
This Alert is limited to the federal laws of the United States. In addition, it does not address circumstances under which the activities of a prepaid access program participant may result in its being treated as an MSB under other categories (particularly “seller of prepaid access”),17 state MSB regulations”18 or regulation of banks, financial institutions or money services businesses by other governmental agencies.
[1] The Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes relating to the subject matter of that Act, have come to be referred to as the Bank Secrecy Act. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C. 1951–1959, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C. 5311–5314 and 5316–5332 and notes thereto. Note also that the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the “GENIUS Act”) also contains provisions applying AML/CFT obligations on so-called Permitted Payment Stablecoin Issuers(“PPSI”); the U.S. Department of the Treasury recently issued a Notice of Proposed Rulemaking, which among other things, classifies such PPSIs as a new category of financial institutions subject to familiar AML/CFT requirements. See: Federal Register: Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism Program and Sanctions Compliance Program Requirements
[2] See footnote 1 above.
[3] 31 CFR 1010.100(ff)(4)(iii) 31 CFR § 1010.100 – General definitions. | Electronic Code of Federal Regulations (e-CFR) | US Law | LII / Legal Information Institute. See also FAQ #1 here: Final Rule – Definitions and Other Regulations Relating to Prepaid Access | FinCEN.gov
[4] Prepaid Cards: Fraud and Money Laundering Risks
[5] US Prepaid Card Market Size, Share & Growth Report [2024-2034]
[6] Interagency Guidance to Prepaid Cards
[7] Merged with Treasury’s Office of Financial Enforcement in 1994, and mission expanded.
[9] Federal Register :: Bank Secrecy Act Regulations-Definitions and Other Regulations Relating to Prepaid Access
[10] A Note on Terminology: “Primary” vs. “Principal” Oversight and Control: FinCEN has used two related but textually distinct phrases in its guidance on prepaid access programs. In its September 2011 Final Rule and related FAQ #9, FinCEN used the phrase “principal oversight and control” to identify the participant that functions as the provider of prepaid access under the MSB regulations. In its 2012 Administrative Ruling (FIN-2012-R003), FinCEN used the phrase “primary oversight and control” in the context of bank-controlled programs.
These phrases appear in different regulatory instruments and different factual contexts. FinCEN has not expressly stated that the two phrases are synonymous, nor has it indicated that they are intended to describe materially different standards. As a practical matter, the substantive factors that inform the analysis (organizing the program, setting terms and conditions, selecting participants, controlling access, and exercising general oversight) appear consistent across both sources.
This Alert uses both phrases, consistent with the source materials in which they appear. Participants and their counsel should identify which FinCEN instrument is most directly applicable to their program and apply the relevant terminology accordingly. Where the program involves a bank asserting primary oversight and control under the 2012 Ruling framework, the analysis will proceed under that instrument. Where the question is which non-bank participant qualifies as the provider of prepaid access under the 2011 Final Rule, the “principal oversight and control” standard governs. In either case, the determination remains highly fact-specific.
[12] Final Rule – Definitions and Other Regulations Relating to Prepaid Access | FinCEN.gov
[14] Note, however, that these requirements are also typically imposed on (or flowed down to) the non-oversight and non-controlling participants by the overseeing and controlling party. See also (depending on the categorization of the MSB): 31 CFR 1022.210 (requirement for MSBs to establish and maintain an anti-money laundering program); 31 CFR 1022.310 (requirement for MSBs to file Currency Transaction Reports); 31 CFR 1022.320 (requirement for MSBs to file Suspicious Activity Reports, other than for check cashing); 31 CFR 1010.415 (requirement for MSBs that sell monetary instruments for currency to verify the identity of the customer and create and maintain a record of each currency purchase between $3,000 and $10,000, inclusive); 31 CFR 1010.410(e) and (f) (rules applicable to certain transmittals of funds); and 1022.410 (additional recordkeeping requirement for dealers in foreign exchange including the requirement to create and maintain a record of each exchange of currency in excess of $1,000);1022.420 (additional recordkeeping requirements for providers or sellers of prepaid access).
[15] 31 CFR §1010.100(ff)(4) 31 CFR § 1010.100 – General definitions. | Electronic Code of Federal Regulations (e-CFR) | US Law | LII / Legal Information Institute
[16] Federal Register :: Bank Secrecy Act Regulations-Definitions and Other Regulations Relating to Prepaid Access
[17] Current money services business categories include dealer in foreign exchange, check casher, issuer of traveler’s checks or money orders, provider of prepaid access, money transmitter, U.S. Postal Service and seller of prepaid access.
[18] All states (other than Montana) regulate money services businesses. As of February 26, 2026, 31 states have adopted some version of the relatively new Money Transmission Modernization Act created by state regulators and experts to provide net worth, surety bond, permissible investments and other state requirements, while other states operate under older regimes.