Stored Value Cards as a Business Opportunity

Submitted by:

Christie LaDestro

December 13, 2004

Dr. D. Stephen Rockwood Graduate Business Program Mount St. Mary’s University

Emmitsburg, Maryland

Christie LaDestro MBA599 Fall 2004

Page 1 of 53

I. Introduction
II. Stored Value Cards - Defined
    A. Definition
    B. Types of Stored Value Cards
        1. Proprietary/gift card
        2. MasterCard/Visa
        3. Middle Decision
    C. Stored Value Card Market
III. Legal and Regulatory Issues with Stored Value Cards
    A. Money Services Businesses
    B. Regulation E
    C. Gramm-Leach-Bliley Act
        1. Gramm-Leach-Bliley Act - Privacy Rule
        2. Gramm-Leach-Bliley Act - Safeguards Rule
        3. Gramm-Leach-Bliley Act - Pretexting
    D. Bank Secrecy Act
        1. USA Patriot Act
    E. OFAC - Office of Foreign Assets Control
    F. Federal Deposit Insurance Corp (FDIC)
IV. Conclusion

I. Introduction

This paper will explore the area of “stored value cards.” Stored value cards

are usually issued by financial institutions; it is possible for non-financial institutions

to issue a stored value card.

Many important legal and regulatory concerns need to be considered before

issuing a stored value card. The discussion will include explanations for Money

Services Businesses; Regulation E; Gramm-Leach-Bliley Act (the Gramm-Leach-

Bliley Act includes three sections: Privacy, Safeguards, and Pretexting); Bank

Secrecy Act (the Bank Secrecy Act will include the USA Patriot Act); Office of

Foreign Assets Control (OFAC); and finally the Federal Deposit Insurance

Corporation (FDIC).

A stored value card program is treated as a money services business and is subject to

the regulations for such businesses. Any money services business is required to obtain a money transmitter

license. This license usually requires minimal capitalization and renewal filing fees.

Regulation E applies when a financial institution contracts with a consumer to

provide electronic fund transfer services. A stored value card would utilize

electronic fund transfer services when accepting funds from the consumer and

when processing payment for the merchant. Complying with Regulation E can be

cumbersome. Financial institutions are required to issue access devices,

disclosure notices, and notification of any account changes. Steep penalties can be

imposed for non-compliance.

An issuer of stored value cards may be subject to the Gramm-Leach-Bliley

Act. The Gramm-Leach-Bliley Act limits the disclosure of nonpublic personal

information. The requirements of the Gramm-Leach-Bliley Act include the privacy

rule, the safeguard rule, and the pretexter rule. The privacy rule discusses how the

financial institution gathers nonpublic personal information and how it processes

that information. The safeguard rule discusses how the financial institution will

ensure nonpublic personal information is protected on the financial institution’s

computer hardware and software. The pretexter rule discusses how the financial

institution will gather nonpublic personal information without using false statements

or documents.

Since a stored value card provider may be seen as a

financial institution, it must comply with the Bank Secrecy Act. The Bank

Secrecy Act was initially passed to help stop money laundering and drug trafficking.

After September 11, 2001, Congress enacted the USA Patriot Act as part of the

Bank Secrecy Act. The USA Patriot Act is designed to track the money flow of

terrorists. A financial institution now has more compliance obligations than before. The Patriot

Act has four broad categories of compliance: enhanced due diligence/know your

customer, currency transaction reporting/suspicious activity report, monetary

instruments sale, and funds transfer recordkeeping.

The USA Patriot Act was enacted to help stop terrorist financing. Particularly

since September 11, 2001, financial institutions are also required to abide by

the Office of Foreign Assets Control (OFAC) regulations. OFAC compiles a list of

suspected countries and/or persons who are thought to be terrorists. OFAC also

places economic sanctions on countries based on foreign policy and national

security concerns. A financial institution is obligated not to maintain accounts with

persons/countries on the OFAC list. It must also be aware of any Specially

Designated Nationals and not conduct business with them either.

Certain types of stored value cards can be construed as a bank account.

Because of this, there is the possibility that Federal Deposit Insurance Corp (FDIC)

may apply. FDIC insurance is assurance to the individual that if the bank were to go out

of business, the customer’s funds are secured up to $100,000. Since a stored

value card may be considered a bank account, pass-through FDIC coverage can apply.

This issue is fairly new and will be evaluated in the near future.

Sodexho USA is the leading provider of food and facilities management in

the United States, with $5.8 billion in annual revenue and 110,000+ employees.

Sodexho USA offers innovative outsourcing solutions in food service,

housekeeping, grounds keeping, plant operations and maintenance, asset

management, and laundry services to more than 6,000 corporations, health care,

long term care and retirement centers, schools, college campuses, military and

remote sites in North America. Headquartered in Gaithersburg, MD, Sodexho USA

proudly serves as the official food service provider for the US Marine Corps.

As part of its operations in the higher education (colleges and universities)

segment, Sodexho attempts to anticipate the needs of its clients and students by

offering innovative programs and services to improve the quality of daily life for

those on campus.

Historically, college students buy board meal plans or prepay and maintain a

declining balance card for use at “on-campus” food outlets at the beginning of each

semester. Sodexho usually receives these funds at the beginning of each semester

which contributes to Sodexho’s negative working capital business model.

Today, however, with the increased use of pre-paid, declining balance cards

and debit cards (e.g., phone cards, ATM cards, gift cards), a.k.a. “stored value cards”,

Sodexho foresees students wanting to carry only a card instead of cash; the card

can be used anywhere, both on and off campus. The Senior Vice President,

Campus Services Division of Sodexho broached an idea that can potentially be a

win-win for both Sodexho and the student. Sodexho should issue a card that can

be utilized both on campus and off campus. This card, utilized like a stored value

card, will incorporate traditional credit card capabilities as well as allowing the

student to access on-campus buildings, check out books from the library, and enjoy

the dining hall menus.

This evolving scenario, of campus cards using money traditionally spent on-

campus at off-campus locations, raises several concerns, especially if Sodexho

were to implement or issue this potential “stored value card”. For example, if

Sodexho accepts cash from students to load on their cards for use at off-campus

locations and then disburses the cash to the off-campus retail outlets where

students shop, it is possible for this card to be viewed as a bank/credit/debit card.

Sodexho may potentially be subject to banking laws or other regulations. If so,

Sodexho may have to partner with a bank or card service provider to out-source this

function.

Since Sodexho foresees students wanting to only carry a card, instead of

cash, offering the student a product that can be used on and off campus will provide

a leading edge in the market. If universities predict the card usage as Sodexho

has, then the universities will want to contract with food service companies who can

provide this service.

II. Stored Value Cards - Defined

Stored value cards are one of the most dynamic and fastest growing

products in the financial industry. Anyone who makes purchases with a merchant

gift card, places phone calls with a prepaid telephone card, or buys goods or

services with a prepaid debit card is using a stored value card. Payroll cards,

government benefit cards, prepaid debit cards, gift cards, and telephone cards are

examples of stored value cards.

Customers obtain stored value cards in a variety of ways. They may obtain a

payroll card from an employer, an electronic benefit card from a government

agency, or a gift card from a retail store. Typically, a customer would purchase a

stored value card at check-cashing outlets, money transfer company locations, and

retail stores, although these cards may be increasingly offered by telephone or

online.

A. Definition

In the wake of dramatic technological advancements over the last decade,

the financial services industry has developed a number of inventive applications that

have the potential for improving the structure and delivery of retail products for

customers. One of the most innovative is the stored value card (SVC), a prepaid

debit card that mimics a checking account. SVCs offer customers who cannot

qualify for or do not want a traditional bank account a safe and efficient way to store

funds, make purchases, and pay bills. An example of an application of SVC is the

payroll card, which enables employers to make direct deposit payment to pay their

workers who do not have a bank account.

Like traditional debit cards, stored value cards utilize magnetic stripe

technology to store information and track funds (Jacob, 2004). However, SVCs

differ from account-based debit cards by being prepaid, limiting the risk of overdrafts

while providing nearly immediate liquidity for customers. Early uses of SVCs in the

United States included public transportation and public assistance payments. SVCs

today take several forms, including gift and phone cards, payroll cards, and prepaid

debit cards.

The SVC market is complex. Understanding the various attributes of this

market is necessary. The SVC market’s general characteristics include: potential

cardholders and merchant payment.

The SVC is a plastic card that represents value and can be used to purchase

goods and services in person at participating merchants. It can sometimes be used

to withdraw cash from ATMs or obtain cash refunds from merchants, or it can be

used to make purchases online or over the telephone. The card’s value is

maintained centrally, and not on the card itself. The card can serve other functions

as well, such as a facility access card or an identification card.

Potential cardholders include customers of Sodexho, persons affiliated with

Sodexho, and potentially, other customers of local merchants that accept the card.

Cardholders would activate the debit feature of the card in person by purchasing

items of value, although there may be a possibility of requiring online activation.

Only the cardholder may use the SVC, which generally does not have a Personal

Identification Number (PIN).

Value for the SVC can be added by check, credit card, or debit card in

person. The cardholder and others (for example, parents of potential students at

universities) can add value by credit or debit card online.

Finally, the funds used from the SVC for the purchase must reach the

merchant. The steps for this end result are as follows: The cardholder presents the

card to the participating merchant for a transaction. The local merchant has a card

reader that submits a transaction authorization request to the data processor for

review and response. The terminal submits all transaction information to the data

processor. The data processor submits these settlement files on a daily batch basis

through the Federal Reserve via the ACH network to the issuing company’s

corporate bank account where the value is held. The company administering the

program then settles the funds through the Federal Reserve to the designated bank

accounts of the participating merchants. During the process, administrative fees

and commissions may be retained by various entities involved.

B. Types of Stored Value Cards

The stored value card (SVC) market has mushroomed in the last few years in

terms of both the number of providers and the number of customers. These cards

may provide consumers with a more effective means than cash for accessing funds

and making financial transactions. Stored value cards use magnetic stripe

technology to store information about access to value balance account funds that

have been prepaid (or “stored”) to the card. There are three main categories of

stored value cards in the marketplace: Proprietary/gift card, MasterCard/Visa, and

Middle decision.

1. Proprietary/gift card

The first prepaid cards made available to the marketplace were single-

purpose or ‘closed-loop’ cards (Stored Value Cards: An Alternative for the

Unbanked?, 2004) which can be used only for the issuer’s products or for limited

purposes, such as prepaid gift cards or many prepaid phone cards. Gift cards,

which can only be used to purchase goods at the issuer retailer, and prepaid

telephone cards, which can only be used to make telephone calls, are just some

examples of proprietary/gift cards. The store gift cards are usually low risk but are

more profitable (Rinearson, 2004). The issuer is the retailer that accepts the card.

Each card sale is equal to the sale of that retailer’s goods or services. The gift card

runs on the retailer’s point of sale system, usually modified to reduce risk. These

cards are usually anonymous.

2. MasterCard/Visa

The second type of card to emerge was a universal acceptance or ‘open-

loop’ card, which can be used to make debit transactions at a wide variety of retail

locations (Stored Value Cards: An Alternative for the Unbanked? 2004). “Open-

loop” SVC systems offer consumers the ability to utilize their cards for multiple

purposes and at multiple points of sale such as making purchases at a variety of

stores or paying bills. MasterCard/Visa SVCs come closest to resembling traditional

bank accounts. Consumers can make deposits onto the cards and potentially

withdraw cash or pay a bill at a later date; in some cases, they can have funds

directly debited on a recurring basis. These SVCs can be grouped into three

categories: 1) employee benefit payroll-only cards, which can be used only for

direct deposit of paychecks; 2) reloadable payroll cards, which serve primarily as

direct deposit cards for payroll checks but offer consumers other ways to reload the

cards; and 3) reloadable debit cards, which consumers can reload in a variety of

ways at a range of locations (Jacob, 2004).

This SVC system will either have “branded” cards or “non-branded” cards.

“Branded” cards have a MasterCard or Visa logo and utilize signature-based

technology to allow the consumer to transact business anywhere that those brands

are accepted, as well as through ATM and point of sale (POS) machines.

“Non-branded cards” will not have the MasterCard/Visa logo. An example of a universally

accepted non-branded card is a mall card (e.g., FSK Mall). Even though a mall card

is only accepted at that particular mall, each merchant in the mall will accept it.

The MasterCard/Visa SVC can be sold directly to businesses or to the

general public. If this SVC is sold to businesses for employee payroll and

expenses, the result is usually lower fraud risk and a more profitable product

(Rinearson, 2004). Since the cardholders are known and often guaranteed by

business clients, the risk is less. If the SVC is sold to the general public, the result

is higher fraud risk and slim profit margins (Rinearson, 2004). This type of SVC is

heavily reliant on fees. Since the cardholders are neither known nor guaranteed, the

risks are much higher. In addition, if this kind of SVC had access to cash withdrawals

and ATMs then the result may be an increase in fraud and money laundering risk.

ATM transactions usually do not debit funds from the cardholder’s bank or asset

account, but instead from a pool of funds held by the Issuer. Because of the cash

access feature, the SVC must be issued by a bank or licensed “money transmitter”.

3. Middle Decision

The final type of SVC is the “Semi Closed/Semi Open” or middle decision. This

SVC runs on a branded (MasterCard/Visa) card network and the point of sale

terminals are not modified. To work on existing infrastructure, the SVCs must have

the same attributes as credit/charge cards, for example, magnetic stripe, BIN range

card number, and expiration date. The accepting merchant does not know how

much value is on the SVC; the cardholder knows by calling a toll free number and/or

checking a website. Since the cardholder is often anonymous, the SVC can

sometimes be reloadable, and some do not have fixed denominations, the product

is of higher risk and less profitable (Rinearson, 2004). In addition, the fraud risk is

increased, especially during system downtime or for “under floor limit” transactions.

The issuer is a third party service provider (like Sodexho) and not the retailer or

merchant that accepts the cards.

To succeed in the marketplace, the middle decision system SVC product must

satisfy the following “stakeholders”:

• For consumers, the issuers must provide useful features not available in other cards, such as access to payment systems for those without other cards, for example, teens and the unbanked; quick refund ability; budgeting tool; and privacy or security.

• For accepting merchants, the issuers must provide access to a new pool of customers, for example, dependable systems with no complaints; easy procedures; and low risk of charge-backs.

• For sellers and distributors, the issuers must provide additional revenue stream, for example, easy sales procedures to follow; low risk of compliance problems; and customer satisfaction (Rinearson, 2004).

Proprietary/gift card stored value cards are issued by a retailer. The funds

stored on the card are sent directly to the retailer, and the item(s) purchased by the

cardholder are at the same retailer. MasterCard/Visa stored value cards are only

issued by a financial institution. The funds stored on the bank issued card are sent

directly to the bank. The item(s) purchased by the cardholder can be from any

merchant. Middle decision stored value cards are issued by third parties. The third

party is responsible for administering the program. Most functions are usually out-

sourced to financial institutions. Sodexho’s best solution is a non-branded open-

loop card.

Except for closed system gift cards, the business proposition for open-loop and

semi-closed/semi-open loop systems is not yet proven. Because of the recent influx

of new legislation, greater uncertainties have been created.

C. Stored Value Card Market

The stored value card market is growing and evolving rapidly. According to

industry estimates, more than 2,000 stored value programs are available, with

roughly 7 million Visa- or MasterCard-branded stored value cards in the

marketplace. There are approximately 20 million users and that figure is expected to

more than double to 49 million users by 2008. In 2003, stored value cards were

used to make $42 billion in transactions. By 2006 over $72 billion in stored value

transactions are expected. Experts put this industry in the introductory or early

growth stage of the product life cycle, suggesting that there is substantial growth

potential in the years ahead (Stored Value Cards: An Alternative for the

Unbanked?, 2004). These industry figures include all stored value cards, such as

multipurpose general spending cards, payroll cards, government benefit cards, child

support payment cards, merchant gift cards, and telephone cards.

The SVC market includes hundreds of product providers, with new ones

emerging frequently. For instance, several banks have their own SVC programs in

which they use third-party transaction processors, but many of them also serve as

issuers for other non-bank SVC programs, which may use different transaction

processors. A few SVC providers are vertically integrated, handling nearly all of the

functions internally, while others outsource everything except sales and marketing.

The majority of SVC providers outsource the transaction processing to one of the

many firms that have developed special software platforms for running SVCs.

While numerous companies are now engaged in the provision of SVCs,

some firms stand out. Major players in the market today include:

• SVC issuers: BANKFIRST, Bank of America, Citibank, JP Morgan Chase

• Providers of reloadable prepaid debit cards: NetSpend and Next Estate, INCOMM

• SVC processors: Metavante, StarSystems, WildCard and Galileo

• Providers of back-end services for SVCs, including ATM and POS processing: Pulse

• Payroll firms: Paychex and Comdata, ADP (Jacob, 2004)

The distinction between products that are distributed by financial institutions

and those distributed by non-bank firms is an important one. Products distributed

by banks and credit unions are more likely to have additional consumer protection,

lower pricing (because fewer actors are involved), and more obvious transitions into

other financial products and services.

University cards typically combine stored value with other features such as

access to buildings, registration information, and library book check-out capability.

The stored value on the card can be used at the cafeteria, book store, vending

machines, laundry facilities, etc. Many universities issue cards that can be used off-

campus at selected merchants. Students can participate in all or most campus

activities without ever having to use cash. The card helps students avoid excessive

credit card debt.

Stored value cards clearly fall into the category of the “right issue” for two

reasons (Furletti, 2004). First, while SVCs currently represent only a small portion

of U.S. card payments, consumer demand for SVC products is on the rise and

spurring a spate of innovation. Second, industry executives have indicated that

they are focused on the challenges facing the emerging market for SVCs, including

those related to apparent uncertainties in the legal and regulatory environment.

Since consumer demand for stored value cards is on the rise and many executives

are now focused on the legal and regulatory challenges, Sodexho is entering this

market at the early stage of its life cycle.

III. Legal and Regulatory Issues with Stored Value Cards

Regulatory changes and new product innovations may benefit customers. On

the regulatory side, it remains uncertain whether federal regulations that govern

deposit accounts and debit cards will be expanded to apply to stored value cards.

Several regulators, however, are presently looking into the issue.

As a new product with few comparables, stored value cards raise several

complex legal and regulatory concerns. A company wishing to issue an SVC will

want to understand these legal and regulatory concerns. The impact of these legal

and regulatory concerns can be different for regular companies versus financial

institutions.

A. Money Services Businesses

In addition to traditional banks, the category “financial institutions” also includes

non-bank institutions that are assigned to the category “Money Services

Businesses” (MSBs). Money transmitters, check cashers, currency exchanges, and

issuers, sellers, and redeemers of traveler’s checks, money orders, and stored

value are each considered MSBs. Based on this definition, Sodexho’s potential

stored value card program would be considered an MSB and subject to its

regulations. In 1999, the Financial Crimes Enforcement Network (FinCEN) broadly

construed the manner in which regulations applied to Money Services Businesses.

The new definition included as a Money Services Business:

Any person, whether or not licensed or required to be

licensed, who engages as a business in accepting

currency, or funds denominated in currency, and

transmits the currency or funds, or the value of the

currency or funds, by any means through a financial

agency or institution, a Federal Reserve Bank or other

facility of one or more Federal Reserve Banks, the Board

of Governors of the Federal Reserve System, or both, or

an electronic funds transfer network; or any other person

engaged as a business in the transfer of funds (Turner,

2004).

Additionally, in 2001, this definition was extended to include “any person who

engages as a business in an informal money transfer system or any network of

people who engage as a business in facilitating the transfer of money.”

Once a firm has identified itself as a Money Services Business, then the firm will

be required to obtain a Money Transmitter License. Given the aforementioned

definition of a Money Services Business, Sodexho would be required to obtain a

Money Transmitter License. Money Transmitter Licensing Laws usually require

minimal capitalization, background checks on principals, holding of 100% consumer

funds in “permissible investments,” regular reports, annual renewal filings, fees, and

audits. Many states have amended their licensing laws to require issuers of Stored

Value Cards (other than single-retailer gift cards) to get a license under state money

transmitter laws. Some states have taken the position that they do not need to

amend their money transmission statutes on the basis that stored value card

products are already covered under existing “money transfer” laws.

Requiring Money Services Businesses to obtain a Money Transmitter License

has its advantages and disadvantages. Some of the advantages include allowing

non-financial institutions to participate in the payments industry (such as Sodexho),

protecting the integrity of the payments industry, and reducing consumer losses that

might otherwise occur when a payments industry business files bankruptcy or

ceases business. The disadvantages include additional costs to already low margin

products (for example, stored value cards); variations from state to state that can be

difficult to comply with (Sodexho has a presence in all 50 states); creation of an

additional level of supervisory regulators who oversee not only compliance with

state licensing law but also federal anti-money laundering laws; and increasing risk

and exposure with respect to actions of licensees’ distribution networks.

If Sodexho were to implement its stored value program on its own, it would be

required to obtain a Money Transmitter License in all 50 states. This additional

required licensing would add costs to the SVC program. In addition to obtaining the

original license, constant renewal and updates would need to be addressed.

B. Regulation E

Regulation E defines the term “financial institution” to include any person that

directly or indirectly holds an account belonging to a consumer or that issues an

access device to a customer and agrees with a customer to provide Electronic Fund

Transfer (EFT) services (Federal Register, 2004). An access device is a card,

code, or other means of access to a consumer’s account, or any combination

thereof, that may be used by the consumer to initiate electronic fund transfers. One

or more parties involved in offering stored value card accounts may meet the

definition of a “financial institution” under the regulation, whether it is Sodexho, the

firm, a financial institution, or other third party involved in the transfer of funds to the

account or in the issuance of the card. Existing regulatory language addresses the

regulatory framework for financial institutions that provide EFT services jointly. The

parties may contract among themselves to comply with the regulation.

Regulation E applies to consumer accounts that can be accessed only by

Electronic Funds Transfer (EFT) devices. An access device, as defined, becomes

an accepted access device when the consumer: 1) requests and receives, or signs,

or uses the access device to transfer money between accounts or to obtain money,

property, or services; 2) requests validation of an access device issued on an

unsolicited basis; or 3) receives an access device in renewal of, or in substitution for,

an already accepted access device (Federal Register, 2004).

Electronic fund transfers include the following:

• Debit card transactions (point-of-sale transaction)

• Automated Teller Machine (ATM) transactions

• Direct deposits or withdrawals

• Pre-authorized debits or credits

• Pre-authorized loan payments to third parties

• Transfers initiated by telephone (e.g. bill-payer, wire transfers)

• Transactions originated through personal computer banking (e.g. Homelink

or Web Banking)

• Transfers sent via Automated Clearing House (ACH)

The Regulation represents a balance between consumer groups, who

advocate more disclosures and consumer protection, and the financial services

industry, which promotes less regulation to avoid hampering the efficiency of EFT

payment systems. The purpose is to provide a basic framework establishing the

rights, liabilities and responsibilities of participants (both consumers and financial

institutions) in electronic fund transfer (EFT) systems.

The Electronic Funds Transfer Act (EFTA) as implemented by Regulation E

was enacted in November 1978. Coverage of EFT services under the EFTA and

Regulation E hinges upon whether a transaction involves an EFT to or from a

customer’s account. The EFTA defines an “account” as “a demand deposit, savings

deposit, or other asset account [sic] as described in regulations of the Board,

established primarily for personal, family, or household purposes” (Federal

Register, 2004). The definition is broad and is not limited to traditional checking and

savings accounts. The Board possesses broad authority under the EFTA to determine

coverage when EFT services are offered by entities other than traditional financial

institutions, for example, Sodexho. Moreover, Congress has clearly vocalized its

expectation that the Board continue to examine new and developing EFT services

to assure that the EFTA’s basic protections continue to apply.

The EFTA’s legislative history demonstrates a clear Congressional intent that

the definition of an “account” be broad, so as to ensure that “all persons who offer

equivalent EFT services involving any type of asset account, for example, stored

value cards, are subject to the same standards and consumers owning such

accounts are assured of uniform protection” (Federal Register, 2004; S. Rep. No.

915, 95th Cong., 2d Sess. 9 (1978)).

To ensure compliance with the EFTA, financial institutions must issue access

devices, written disclosures, notifications of account changes, error resolution

notices, and transfer notices. Financial institutions may only issue an access device

to a consumer in response to an oral or written request, or upon renewal or

replacement of an access device issued by the financial institution. Written

disclosures must be given during certain segments of the transaction. Four different

types of disclosures exist:

1. Initial- financial institutions must provide a disclosure at the time the consumer

contracts for an EFT service or before the first EFT is made. Financial

institutions are required to disclose certain terms and conditions of EFT

services at the time the consumer contracts with the bank for EFT service or

before the first transfer, and the disclosure must be in a written statement to be retained by

the consumer.

2. Terminal receipt- an electronic terminal must make a receipt available at the

time of the transfer. An electronic terminal means an electronic device, other

than a telephone operated by a consumer, through which a consumer may

initiate an electronic fund transfer. The term includes, but is not limited to,

point-of-sale terminals, automated teller machines, and cash dispensing

machines.

3. Periodic statement- an institution generally must send a periodic statement

monthly if an EFT has occurred or quarterly if no EFT has occurred.

4. Initial and Annual Error Resolution notice- provides instructions to the

consumer in the event of errors or questions about their electronic transfers

(EFTA, Regulation E)

Financial institutions are required to mail or deliver a written notice to the

consumer, at least 21 days before the effective date of any change in a term or

condition on the account. The financial institution must retain all copies of

disclosures and changes of forms for a period of two years from the date that the

disclosures are required to be made or action is required to be taken.

At least once each year, an error-resolution notice must be mailed or

delivered to the consumer. There are specific guidelines that the bank must follow

when investigating a customer’s claim of an error, including: 1) providing written

notice to customers, 2) provisional credit, and 3) notification of final resolution. If

the financial institution is unable to complete its investigation within 10 business

days, the institution may take up to 45 calendar days from receipt of a notice of

error to investigate and determine whether an error occurred, provided the

institution gives the customer provisional credit for the amount disputed.

Penalties for non-compliance include:

• Actual and punitive damages in individual or class actions

• Court costs and attorney fees

• An amount not less than $100 or greater than $1,000 in actions

brought by an individual

• $50,000 or 1% of the bank’s net worth, whichever is less, for a class

action

• Reputation risk and image impairment (EFTA, Regulation E)

Finally, for preauthorized transfers financial institutions must provide a positive

or negative notice to the consumer at least once every 60 days.

The Office of the Comptroller of the Currency (OCC), the bank regulator for

national financial institutions, has recently issued direction to its member financial

institutions on proper disclosures of consumer protections for stored value cards

(SVCs). But it is still unclear whether SVCs are subject to Regulation E. Consumer

advocates argue that if customers are going to use SVCs as substitutes for bank

accounts, then the cards should carry the same protections, and Regulation E

should apply. For example, many people refuse to obtain a bank account for

various reasons. These people are known as the unbanked.

Sodexho, or a firm that provides an electronic fund transfer service to a

consumer but that does not hold the consumer’s account, is subject to all

requirements of Regulation E if Sodexho, or the firm: issues a debit card (or other

stored value card device) that the consumer can use to access the consumer’s

account held by a financial institution; and has no agreement with the account-

holding institution regarding such access (Federal Register, 2004).

If a consumer loses his/her access device, then the consumer’s liability for an

unauthorized electronic fund transfer is determined solely by the consumer’s

promptness in reporting loss or theft or disputing an unauthorized transfer. If the

unauthorized transfer involved an access device, it must be an accepted access

device and the financial institution must have provided a means to identify the

consumer to whom it was issued. A consumer’s liability for an unauthorized

electronic fund transfer shall be determined as follows:

• Timely notice given- if the consumer notifies the financial institution within two

business days after learning of the loss or theft, the consumer’s liability shall not

exceed the lesser of $50 or the amount of unauthorized transfers that occur before

notice to the financial institution.

• Timely notice not given- if the consumer fails to notify the financial institution

within two business days after learning of the loss or theft of the access

device, the consumer’s liability shall not exceed the lesser of $500 or the sum

of unauthorized transfers (Federal Register, 2004).

For example, a financial institution complies with the many requirements of this

regulation by ensuring adequate controls are in place including informative

disclosures in the required time frame, issuance of access devices at account

opening, renewal, or replacement, and prompt and proper error resolution.

Sodexho’s stored value card would meet the definition of Regulation E’s access

device. The stored value card would also be considered an “asset account” as

defined by the EFTA. Under Regulation E and the EFTA, Sodexho

would be required to issue access devices, provide written disclosures, notify

customers of account changes, and supply error resolution notices. All of these

aforementioned tasks would create even more layers to the stored value card

program with Sodexho. Additional costs for complying with Regulation E may

outweigh any potential benefits.

C. Gramm-Leach-Bliley Act

The GLBA applies to "financial institutions" – firms, like Sodexho, that offer

financial products or services to individuals, like loans, financial or investment

advice, insurance, or stored value cards. The Gramm-Leach-Bliley Act (GLBA) was

enacted in November 1999. All financial institutions were required to comply by

July 1, 2001. The GLBA permits information sharing among affiliates and provides

exceptions to the restrictions on third party sharing for legal and administrative

purposes (Regulation P). Congress limited when a financial institution can

legitimately disclose nonpublic personal information about a customer to non-

affiliated third parties, and required financial institutions to disclose their privacy

policies in clear and conspicuous notices. Nonpublic personal information is all the

personally identifiable information given to the financial institution to handle the

bank account. It does not include data that is publicly available, such as publicly

recorded real estate records or information in a public telephone directory. The

Gramm-Leach-Bliley Act has three main requirements: Privacy Rule, Safeguards,

and Pretexting.

1. Gramm-Leach-Bliley Act - Privacy Rule

The GLBA requires financial institutions to issue Privacy Notices. The avenue

utilized for Privacy Notices can be different for a consumer versus a customer. The

Privacy Notice must contain certain information as well. The Privacy Rule applies to

“financial institutions”, as defined. Under the FTC's jurisdiction, such institutions

include nonbank firms (like Sodexho) that engage in a wide array of "financial

activities" such as: lending; brokering or servicing any type of consumer loan;

transferring or safeguarding money; preparing individual tax returns; providing

financial advice or credit counseling; providing residential real estate settlement

services; collecting consumer debts; and various other activities, for example,

stored value cards (Financial Privacy, 2004).

A financial institution’s obligations under the GLBA depend on whether the

company has consumers or customers who obtain its services (Financial Privacy,

2004). A consumer is an individual who obtains or has obtained a financial product

or service from a financial institution for personal, family or household reasons. A

customer is a consumer with a continuing relationship with a financial institution, for

example, a stored value card can be regarded as an ongoing relationship.

Generally, if the relationship between the financial institution and the individual is

significant and/or long-term, the individual is a customer of the institution. For

example, a person who obtains a mortgage from a lender is considered a customer

of the lender, while a person who uses a check-cashing service is a consumer of

that service.

The difference between consumers and customers is important because

only Sodexho’s stored value card customers would be entitled to receive Sodexho’s

privacy notice automatically. Consumers are entitled to receive a privacy notice

from a financial institution only if the financial institution shares the consumers'

information with other companies not affiliated with it. Customers must receive a

notice every year for as long as the customer relationship lasts.

The privacy notice must be given to individual customers or consumers by mail

or in-person; it may not be posted on a wall. Reasonable ways to deliver a notice

may depend on the type of business the institution is in: for example, Sodexho may

post its notice on its website and require online consumers to acknowledge receipt

as a necessary part of a loan application.

The privacy notice must be a clear, conspicuous, and accurate statement of the

financial institution's privacy practices; it should include what information the

financial institution collects about its consumers and customers, with whom it shares

the information, and how it protects the information. The notice applies to the

"nonpublic personal information" the financial institution gathers and discloses about

its consumers and customers. For example, nonpublic personal information could

be information that a consumer or customer puts on an application; information

about the individual from another source, such as a credit bureau; or information

about transactions between the individual and the financial institution, such as an

account balance. Indeed, even the fact that an individual is a consumer or customer

of a particular financial institution is nonpublic personal information. But information

that the financial institution has reason to believe is lawfully public - such as

mortgage loan information in a jurisdiction where that information is publicly

recorded - is not restricted by the GLBA.

Furthermore, the Financial Privacy Rule requires financial institutions to give

their customers privacy notices that explain the financial institution’s information

collection and sharing practices. In turn, customers have the right to limit some

sharing of their information. Also, financial institutions and other companies that

receive personal financial information from a financial institution may be limited in

their ability to use that information. The Federal Trade Commission is one of eight

federal agencies that, along with the states, are responsible for developing a

consistent regulatory framework to administer and enforce the Financial Privacy

Rule.

If nonpublic information is shared with unaffiliated third parties outside of an

exception, financial institutions must provide a form for customers to opt out. In

addition, any applicable opt out disclosures required under the Fair Credit Reporting

Act (FCRA) with respect to information sharing among affiliates must be part of the

privacy policy (Regulation P). The law requires that financial institutions protect

information collected about individuals, via the stored value card application; it does

not apply to information collected in business or commercial activities.

For example, some financial institutions have developed a proactive privacy

policy that exceeds the requirements of the privacy provisions of GLBA. They do

not share nonpublic customer information with unaffiliated third parties for marketing

purposes without a customer’s affirmative consent. The privacy policy is mailed to

existing customers on an annual basis, and is provided to new customers at account

opening. The penalties for non-compliance may include civil penalties imposed by

the supervisory regulator; privacy class action lawsuits and/or actions by state Attorneys

General; reputation risk and image impairment; and unsatisfactory or adverse

privacy examination ratings.

2. Gramm-Leach-Bliley Act - Safeguards Rule

As part of its implementation of the GLBA, the Federal Trade Commission

(FTC) has issued the Safeguards Rule. This Rule requires financial institutions

under FTC jurisdiction to secure customer records and information.

The Safeguards Rule applies to businesses, regardless of size, that are

“significantly engaged” in providing financial products or services to consumers

(Financial Institutions and Customer Data, 2002), such as issuers of stored value cards and

retailers that issue credit cards to consumers. The Safeguards Rule also applies to

financial companies, like credit reporting agencies and ATM operators that receive

information from other financial institutions about their customers. In addition to

developing their own safeguards, financial institutions are responsible for taking

steps to ensure that their affiliates and service providers safeguard customer

information in their care.

Adequately securing customer information is not only the law, it makes good

business sense. When you show customers that you care about the security of

their personal information, you increase their level of confidence in your institution.

Poorly-managed customer data can lead to identity theft. Identity theft occurs when

someone steals a customer’s personal identifying information to open new charge

accounts, order merchandise or borrow money.

If Sodexho were to implement safeguards, the Safeguards Rule requires it to

consider all areas of its operations, including three areas that are particularly

important to information security: employee management and training; information

systems; and managing system failures (Financial Institutions and Customer Data,

2002).

The success or failure of an information security plan depends on the

employees hired to implement it. For all of its new employees, the financial

institution will want to check references; have the employee sign confidentiality

agreements; train the employee to maintain the security, confidentiality, and

integrity of customer information; and instruct the new employee on the financial

institution’s policy to keep customer information secure and confidential. In

addition, the financial institution will want to limit access to customer information to

those employees who have a business reason for seeing it and impose disciplinary

measures for any breaches (Financial Institutions and Customer Data, 2002).

The information systems utilized in a security plan include network and

software design, information processing, storage, transmission, retrieval, and

disposal. In order for a financial institution to maintain security throughout the life

cycle of customer information, it will need to store records in a secure area,

provide secure data transmission, and dispose of customer information securely. Authorized

employees are to be the only ones to have access to the stored records. The

stored papers are to be locked in a cabinet, room, or other container. The area is to

be protected against destruction or potential damage. The customer’s electronic

information is to be stored on a secure server that is accessed by password only.

When the financial institution collects or transmits customer information, the data

transmission is to be secured. When obtaining credit card information, a Secure

Sockets Layer (SSL) or other secure connection must be used to ensure the

information is encrypted. Any electronic mail sent to the customer is to be

password protected so only authorized employees have access. The financial

institution is to dispose of customer information in a secure manner. The financial

institution should hire or designate a records retention manager to oversee the

disposal of records containing nonpublic personal information. Customer

information on paper is to be shredded and stored in a secure area until a recycling

service picks it up. In addition, the financial institution should use appropriate

oversight or audit procedures to detect the improper disclosure or theft of customer

information.

Effective system failure management includes the prevention, detection and

response to attacks, intrusions or other system failures. The financial institution

should maintain up-to-date and appropriate controls by following its written

contingency plan to address any breaches; inquire with its software vendors for

any patches or vulnerabilities; and utilize anti-virus software and firewalls. The

financial institution’s systems should be maintained to ensure access to nonpublic

consumer information is granted only to legitimate and valid users. The customer

should also be notified immediately of any loss of, damage to, or unauthorized

access to the customer’s information.

Basically, according to the Safeguards Rule, financial institutions must develop

a written information security plan that describes their program to protect customer

information. All programs must be appropriate to the financial institution’s size and

complexity, the nature and scope of its activities, and the sensitivity of the customer

information at issue.

3. Gramm-Leach-Bliley Act - Pretexting

Pretexting is the practice of obtaining the customer’s personal information

under false pretenses. Pretexters sell the customer’s personal information to people

who may use it to get credit in the customer’s name, steal the customer’s assets, or

investigate or sue the customer (Pretexting, 2001).

Pretexters use a variety of tactics to obtain one’s personal information. For

example, a pretexter may call, claim he's from a survey firm, and ask several

questions. When the pretexter has the information he wants, he uses it to call the

customer’s financial institution. He pretends to be the customer with authorized

access to the account. He might claim that he's forgotten his checkbook and needs

information about his account. In this way, the pretexter may be able to obtain

personal information such as the customer’s Social Security number (SSN), bank

and credit card account numbers, and information in the credit report. It is important

to keep in mind that some information may be a matter of public record, such as

home ownership, paying real estate taxes, or filing for bankruptcy (Pretexting,

2001).

Under the Gramm-Leach-Bliley Act it is illegal to:

• use false, fictitious or fraudulent statements or documents to get customer

information from a financial institution or directly from a customer of a financial

institution;

• use forged, counterfeit, lost, or stolen documents to get customer information

from a financial institution or directly from a customer of a financial institution;

• ask another person to get someone else's customer information using false,

fictitious or fraudulent statements or using false, fictitious or fraudulent

documents or forged, counterfeit, lost, or stolen documents (Pretexting, 2001).

Pretexting can lead to "identity theft." Identity theft occurs when someone seizes

one’s personal identifying information to open new charge accounts, order

merchandise, or borrow money. Consumers targeted by identity thieves usually

don't know they've been victimized until the robber fails to pay the bills or repay the

loans, and collection agencies begin dunning the consumers for payment of

accounts they didn't even know they had.

If Sodexho were to issue a stored value card, the company would be required to

comply with all three sections of the Gramm-Leach-Bliley Act. Privacy notices

would be issued annually by Sodexho to its customers. These privacy notices must

comply with the GLBA as enforced by the Federal Trade Commission. Additional

costs would be involved in ensuring privacy notices are sent on time and comply. Since

Sodexho would be obtaining personal information about its customers, the company

is required to safeguard this information. Additional computer hardware and

software programs are necessary to ensure the personal information does not fall

into the wrong hands. Sodexho’s initial application for obtaining a stored value card

must be worded so as to avoid any potential pretexting. Sodexho may incur

additional costs ensuring the employees do not solicit illegal information from its

customers.

D. Bank Secrecy Act

The Currency and Foreign Transactions Reporting Act, also known as the Bank

Secrecy Act (BSA), is a tool the U.S. Government uses to fight drug trafficking,

money laundering, and other crimes. Congress enacted the BSA to prevent

financial institutions and other financial service providers from being used as

intermediaries for criminal activity. The Office of the Comptroller of the Currency

(OCC) monitors national bank compliance with the BSA.

Since its passage, Congress has amended the BSA many times to enhance

law enforcement effectiveness. The Anti-Drug Abuse Act of 1986, which included

the Money Laundering Control Act of 1986 (MLCA), strengthened the government’s

ability to fight money laundering by making it a criminal activity. The Money

Laundering Suppression Act of 1994 required regulators to develop enhanced

examination procedures and increase examiner training to improve the identification

of money laundering schemes in financial institutions.

1. USA Patriot Act

The USA Patriot Act was enacted after the events of September 11, 2001.

Congress rushed to enact a law that it believed would help identify and stop the flow

of money to and from terrorists. Also, it was believed that identifying the money trail

would help law enforcement stop the terrorists.

Money laundering is the criminal practice of filtering “dirty” money through a

series of transactions, so the funds are “cleaned” to look like proceeds from legal

activities. Money laundering does not have to involve cash at every stage of the

laundering process. Any transaction conducted with a bank might constitute money

laundering. Although money laundering is a diverse and often complex process, it

basically involves three independent steps that can occur simultaneously:

1. Placement- The process of depositing unlawful cash proceeds into traditional

financial institutions.

2. Layering- The process of separating the proceeds of criminal activity from their

origin through the use of layers of complex financial transactions, such as

converting cash into traveler’s checks, money orders, wire transfers, letters of

credit, stocks, bonds, or purchasing valuable assets, such as art or jewelry.

3. Integration- The process of using an apparently legitimate transaction to

disguise the illicit proceeds, allowing the laundered funds to be disbursed back

to the criminal (Bank Secrecy Act).

Prior to the enactment of the Patriot Act, much of the focus of anti-money

laundering requirements was on the discovery and elimination of illegal activities

related to drug trafficking. As a result of the Patriot Act, the attention was shifted to

terrorist financing. Many of the requirements are enhanced elements of the Bank

Secrecy Act compliance measures with which financial institutions had been

complying for years. The body of laws and regulations that comprise BSA

compliance may be grouped into four broad categories:

1. Enhanced Due Diligence (EDD)/Know your customer (KYC)

2. Currency Transaction Reporting (CTR) / Suspicious Activity Report (SAR)- for

every cash transaction over $10,000, financial institutions must file a CTR

3. Monetary Instruments Sale Log- all transactions between $3,000 and

$10,000 must be recorded

4. Funds Transfer recordkeeping and Travel Rule- identification of the originator

and beneficiary is required and all identifying information must travel with the

payment order throughout the transfer (Private Communication, Bank of

America, 2004).

An effective BSA compliance program needs to cover in detail the above

mentioned BSA components and have a training program that ensures all

associates understand the BSA requirements, what constitutes money laundering,

how to detect money laundering “red flags”, and the penalties for non-compliance.

Enhanced Due Diligence (EDD) and Know your Customer (KYC) are part of the

Customer Identification Program (CIP). In regulations under CIP, a covered financial

institution is not permitted to open an account for a customer unless it has obtained

certain required pieces of information. The financial institution also is required to

provide adequate notice to the customer that it is collecting information to verify the

customer’s identity. Then, within a reasonable time after account opening, it must

take steps to verify the identity of the customer so that it may form a “reasonable

belief” that it knows the “true identity” of the customer. Its procedures must address

what it will do if it cannot form such a belief (e.g. closing the account or other

action).

The CIP must include account opening procedures that specify the identifying

information that will be obtained from each customer. It must also include

reasonable and practical risk-based procedures for verifying the identity of each

customer. These procedures must enable the bank to form a reasonable belief that

it knows the true identity of each customer. Financial institutions should conduct a

risk assessment of their customer base and product offerings, and in determining

the risks, the following factors are considered:

• The various types of accounts maintained by the bank;

• The bank’s various methods of opening accounts;

• The various types of identifying information available; and

• The bank’s size, location, and customer base (Bank Secrecy Act

Examination Procedures, 2004).

For years, financial organizations have struggled with the requirement to

manually analyze many pages of data to determine required currency transaction

report (CTR) filings and to determine a need to file a suspicious activity report (SAR).

Many of the Anti-Money Laundering (AML) systems offered today condense the

related account information onto a single report, which allows an organization to

determine when to file a CTR or SAR. Some systems go as far as accumulating

cash-transaction records by account and customer and automatically filing the CTR

with the Internal Revenue Service.

With the passage of the USA Patriot Act, compliance takes a lot of time and

energy. It takes a huge amount of work. There is the level of training; the amount of

training; the implementation; the review process. It is very burdensome. The Act

expands the authority of the Secretary of the Treasury to regulate the activities of

U.S. financial institutions, particularly their relations with foreign individuals and

entities. Also, the Act contains a number of new money laundering crimes, as well

as amendments and increased penalties for earlier crimes. Finally, the Act creates

two types of forfeitures and modifies several confiscation-related procedures. It

allows confiscation of all the property of any individual or firm (such as Sodexho)

that participates in, plans, or obtains property derived from an act of domestic or

international terrorism (Turner, 2004).

The consequences of this law for financial institutions, or Sodexho, include

additional required customer identification programs, anti-money laundering

programs, and information sharing requirements. There is also greater

accountability at all levels of the institution, from the board of directors to tellers and

customer service representatives. The federal banking agencies have adopted new

rules, imposed new requirements, and developed new examination procedures.

Over the past few months, financial institutions found to have lax or insufficient

anti-money laundering procedures or policies, or those that have not complied with

the policies they have set, have been subject to enforcement actions. In the well-

publicized case of Riggs National Bank, its primary regulator, the Office of the

Comptroller of the Currency, has itself come under intense scrutiny because the

agency failed to discover lapses in the bank’s Bank Secrecy Act compliance

program. All of the federal banking agencies have indicated that compliance with all

anti-money laundering laws has the highest priority (Bahin, 2004).

Moreover, as concerns around terrorism and money laundering mounted

following September 11, 2001, financial institutions came under pressure to keep

and report accurate records proving their customers’ identities. The USA Patriot Act

requires financial institutions to be more diligent in documenting customer

identification, which has had significant impact on enrollment processes and

management of stored value card programs. Most SVC providers do not currently

require that customers provide Social Security Numbers if their cards are PIN-

based. Considering that some underbanked consumers cite privacy as a primary

concern, the reduced identification requirements for PIN-based SVCs may help

encourage customer acceptance. At the same time, Visa and MasterCard require

Social Security Numbers for signature-based SVCs, an important change in the

industry following the Patriot Act. Another emerging issue around the Patriot Act is

that some SVC products allow consumers to give second cards to family members

in other countries as a way to transfer money, and it can be difficult to verify the

identity of individuals living outside the U.S. The inability to verify individuals living

outside the U.S. can become a potential issue (Bahin, 2004).

Financial institutions have been required to comply with the Bank Secrecy Act

(BSA) since it took effect, but recent BSA enforcement actions and a heightened

awareness by regulators make compliance in this area more important now than

ever.

The Financial Crimes Enforcement Network (FinCEN) and the Office of

Foreign Assets Control (OFAC) are emphasizing that BSA audits will be thorough

and have demonstrated that violations will result in penalties. The $25 million fine

imposed on Riggs National of Washington, DC, is the most recent example. The

regulators are also suggesting to organizations during BSA audits that manually

verifying identity or detecting suspicious activity is next to impossible. Even

organizations with only one or two branches will need to determine whether they

have the ability to monitor suspicious activities manually.

In the United States, between $100 billion and $300 billion is laundered every

year. Globally, the estimates run about $1 trillion (Bennett, 2004). The odds that

Sodexho will be used to launder money at some level are high. Would Sodexho be

willing to take this risk?

As a result, financial organizations are looking to implement an automated

AML system that is effective but also practical. Many organizations are turning to

technology solutions because they realize that automating their AML process allows

them to more quickly and accurately verify their customers’ identities, know their

customers’ normal activity, and generate the required reports.

Determining the identity of the person in front of a lender or new account

representative is more efficient and consistent with the help of an automated system

that accesses multiple databases and public records and checks names against

government lists. An automated system not only helps give the organization a

better picture of the person wanting to do business with it, but also helps ensure

employees collect the appropriate customer information. As a side benefit, it

speeds up the screening process at account opening. Using technology eliminates

many of the manual steps an organization’s staff takes to complete a transaction, as

well as helps maintain required information.

Before an organization can determine what activity is suspicious for its

customers, it first needs to decide what activity is normal. Many organizations are

turning to comprehensive AML systems to meet the new requirements. Some AML

systems give an organization the ability to examine a customer’s activity in all of its

business areas. The organization can then put these activities together to create a

big picture of the customer’s business with the organization. Not only is the

organization able to determine what is “normal” for its customers, but it can also

monitor customers’ cash transactions for any indication of structuring, high-volume

wire activity, or unusual connections to people in countries deemed restricted by the

Financial Action Task Force on Money Laundering.

If Sodexho were to issue a stored value card, the company would be required to

comply with the Bank Secrecy Act, including as it relates to the USA Patriot Act.

Sodexho must have programs and policies in place to accurately detect any

potential money laundering either for drug trafficking or terrorist financing. Sodexho

must know its customer or face steep penalties.

E. OFAC- Office of Foreign Assets Control

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC)

administers economic sanctions and trade embargoes against certain countries,

entities and individuals, including narcotics traffickers and terrorists. Sanctions are

imposed based on U.S. foreign policy and national security concerns. They can

involve prohibiting trade, blocking (also known as “freezing”) assets, prohibiting

certain types of commercial and financial transactions or a combination of these

measures. These sanctions apply to all U.S.-based financial institutions. OFAC

administers a series of laws that impose economic sanctions against hostile targets

to further U.S. foreign policy and national security objectives.

Under OFAC, a Financial Institution must:

• Provide adequate understanding of OFAC sanctions, programs, and enforcement authority

• Facilitate recognition and reporting of transactions that involve blocked targets

• Maintain OFAC interdiction software required for high risk transaction screening such as wire transfers

• Maintain automated or manual processes for OFAC clearance and screening of new accounts and transactions

• Not maintain account relationships with Specially Designated Nationals (SDNs)

• Scan existing customer databases for OFAC SDN list changes (Dept of Treasury, 2004)

Specially Designated Nationals (SDNs) are individuals and entities

associated with targeted countries or with international narcotics

trafficking or terrorism. All property in an SDN’s name must be blocked in an across-

the-board prohibition against transfers or transactions of any kind. OFAC publishes

an SDN list that consists of individuals, groups and entities owned by targeted countries.

The importance of establishing a compliance program and developing

internal audit procedures should be obvious to every financial institution. Definite

expectations exist with regard to the processing of transactions involving countries

under sanctions. Financial institutions are required to report all blockings to OFAC

within 10 days of occurrence. If your bank does not block and report a transfer and

another bank does, then your bank is in trouble. A bank in non-compliance may be

opening itself to adverse publicity, fines and even criminal penalties.

OFAC has imposed millions of dollars in civil penalties involving U.S. financial

institutions. The majority of the fines resulted from financial institutions’ failure to

block illicit transfers when there was a reference to a targeted country or SDN.

Once again, if Sodexho were to issue a stored value card the company must

know its customer. Sodexho must implement a special program to detect if any of

its customers fall on the OFAC list of Specially Designated Nationals. If Sodexho

were found to be non-compliant, the company would face potential steep penalties.

F. Federal Deposit Insurance Corp (FDIC)

The issue of whether stored value cards are considered depository accounts

is a timely one that is currently under review by the Federal Deposit Insurance

Corporation (FDIC). If funds stored on SVCs are considered deposits, FDIC

insurance would possibly apply. If a financial institution pools the SVC accounts

and does not provide individual “sub-accounts” to cardholders, FDIC insurance is

not available on an individual customer basis. But if a financial institution offers the

SVC as an individual bank account-like product, “pass-through” FDIC insurance

might apply. Some SVC providers welcome the expansion of FDIC insurance to

SVCs and are already operating as if their products are considered deposits. On

the other hand, some industry representatives argue that SVCs should not be

compared to bank accounts, that they are in fact more appropriately compared to

cash, and that for that reason Regulation E is not appropriate. They worry that, if funds

placed on these cards are in fact considered deposits by federal regulators,

additional costly infrastructure and regulatory oversight might be required. This

could change the current economic model for SVCs and make them a less

attractive business opportunity.

Because the question of whether stored value cards are subject to FDIC

insurance is relatively new, its implications for Sodexho cannot be assessed

at this point.

IV. Conclusion

Sodexho is a food service provider for many colleges and universities.

Sodexho contracts with these colleges and universities to provide the best service.

If the college or university is interested in additional services, Sodexho will do its

best to provide these services. Sodexho proposes additional services to the

colleges and universities, especially some that the colleges and universities may not

have contemplated.

One of these additional services proposed by Sodexho is the stored value

card. The stored value card will enable university and college students to not only

utilize the dining hall menus but also to shop or eat at off campus locations. The

idea of this stored value card was expressed by Sodexho’s Senior Vice President,

Finance, Campus Services Division in early 2004. Developing this particular stored

value card is moving Sodexho into uncharted territory. The envisioned product

does not yet exist, as examples are nonexistent.

This paper reviewed the types of stored value cards and the surrounding

legal and regulatory concerns. When the Sodexho stored value card idea was first

mentioned in early 2004, the company was unable to determine if a financial

institution should be involved or if the company could “do it alone”. As previously

mentioned, the market for stored value cards has excellent potential.

The stored value card Sodexho is proposing would utilize a non-branded

open loop type. The card is issued by a third party (Sodexho) but has all the

backing of a credit/debit card since a financial institution will manage the product.

A non-branded open loop card relies heavily on fees. Sodexho will receive a fee

for each transaction. The anticipation of students using this card frequently can

impact Sodexho’s bottom line positively.

Because of September 11, 2001, the U.S. government is concerned about

terrorism. Stopping terrorist financing is one way to slow down any potential

attacks. Hence, many new laws and regulations have been enacted since then.

With all the legal and regulatory issues surrounding a stored value card,

Sodexho’s compliance costs would be significant. It can be seen without any heavy

analysis that the additional computer hardware/software programs and staff costs

would overshadow any benefit of the program. Compliance is not the only risk to

consider for the stored value card; Sodexho should also consider other tangible

risks. Other tangible risks include start up costs and

maintenance costs. Intangible risks are another type of risk to consider. Examples

of intangible risks are name risk and reputation risk.

Because of all the aforementioned risks and potential costs, Sodexho’s

stored value card program would be best issued by partnering with a national bank.

Banks are already compliant with any laws and regulations for the stored value

card, and banks have already invested in any computer hardware/software and staff

necessary to ensure compliance. The Sodexho stored value card would be best as

a “non-branded” open loop.

Reference List

Bank Secrecy Act/Anti-Money Laundering, Comptroller’s Handbook, Bank Secrecy Act

Keenan, Charles, (Sept 2004). Turning up the Heat. Community Banker

Bank Secrecy Act Examination Procedures for Customer Identification Programs; July 28, 2004

Bahin, Charlotte, (Sept 2004). Evolving Compliance requirements. Community Banker.

Nash-Goetz, Karen, USA Patriot Act Customer Identification Programs, The New Federal Regulations…How will they Affect you?, http://www.afponline.org/mbr/res/oh/2003/219_article_13.html

Frequently Asked Questions, Bank Secrecy Act, Bank of America (personal communication, Sept 2004)

Bennett, Shannon, (Aug 2004). Automating Fight on Money Laundering. Bank Technology News

The Gramm-Leach-Bliley Act: The Financial Privacy Rule, http://www.ftc.gov/privacy/privacyinitiatives/financial_rule.html

Gramm-Leach-Bliley Act, 15 USC, subchapter 1, Sec 6801-6809, Disclosure of Nonpublic Information, http://www.ftc.gov/privacy/glbact/glbsub1.htm

Halsey, Susan, (July 2004). Customer Privacy Protection Under the Gramm-Leach-Bliley Act,

Electronic Fund Transfers, Regulation E; Docket No. R-1210, 12 CFR Part 205, The Federal Register

Foreign Assets Control Regulations for the Financial Community, September 2004, Department of the Treasury

Foreign Assets Control Regulations for the Corporate Registration Industry, October 2004, Department of the Treasury

Financial Institutions and Customer Data: Complying with the Safeguards Rule, Federal Trade Commission, www.ftc.gov

Safeguarding Customers’ Personal Information: A Requirement for Financial Institutions, Federal Trade Commission

Pretexting: Your Personal Information Revealed, January 2001, http://www.ftc.gov/bcp/conline/pubs/credit/pretext.htm

Turner, Shawn, (2004) U.S. Anti-Money Laundering Regulations: An Economic Approach to Cyberlaundering, Case Western Reserve Law Review

Stored Value Cards: An Alternative for the unbanked?, (September 2004), http://www.ny.frb.org/regional/stored_value_cards.html

Jacob, Katy, (July 2004) Stored Value Cards: A Scan of Current Trends and Future Opportunities, The Center for Financial Services Innovation, Research Series White Paper #1

Rinearson Esq, Judith, (2004, June) Legal and Regulatory Issues Facing the Prepaid-Card Industry, Paper presented at the meeting of the Federal Reserve Bank of Philadelphia

Budnitz, Prof Mark E, (2004, June) Legal and Regulatory Issues Facing the Prepaid-Card Industry, “Prepaid Cards: How do they Function? How are they Regulated?” Paper presented at the meeting of the Federal Reserve Bank of Philadelphia

Furletti, Mark, (2004, June) Conference Summary, Payment Cards Center, Legal and Regulatory Issues Facing the Prepaid-Card Industry, “Prepaid Cards: How do they Function? How are they Regulated?” Paper presented at the meeting of the Federal Reserve Bank of Philadelphia

Bank Secrecy Act Examination Procedures for Customer Identification Programs (July 28, 2004)

Stored Value Cards

Christie LaDestro

MBA 599, Fall 2004

Introduction

The Company

Issue at Hand

Definition

Legal and Regulatory Issues

Stored Value Cards- Defined

Definition

Types of Stored Value Cards

Stored Value Card Market

Definition

Prepaid debit card
• Mimics checking account
• Plastic card – holds access to value for purchases
• Value maintained centrally

Examples of early uses
• Public Transportation, public assistance payments

SVC Market
• Potential cardholders
• Merchant payment

Types of Stored Value Cards

Proprietary/Gift Cards
• Single-purpose/“closed-loop” cards
• Store gift cards
• Low risk, more profitable

MasterCard/Visa
• Multipurpose cards/“open-loop” cards
• Payroll cards - sold to business - low risk
• Reloadable debit cards - sold to public - high fraud risk, slim profit margins
• Branded vs Non Branded

Middle Decision
• “Semi Closed/Semi-Open”
• Branded - works on MC/Visa infrastructure
• Reloadable - higher risk, less profitable

Stored Value Card Market

Growing and Evolving Rapidly

Product Providers

“Right Issue”

Demand on the rise

Industry Executives focused on challenges in market

Legal and Regulatory Issues with SVC

Money Services Businesses

Regulation E

Gramm-Leach Bliley

Bank Secrecy Act

OFAC-Office of Foreign Assets Control

FDIC-Federal Deposit Insurance Corp

Money Services Business

Definition

Money Transmitter License

Advantages of MTL
• Allows non-financial institutions in payments industry

Disadvantages of MTL
• Additional costs to already low profit margin product

Regulation E

Definition

Compliance
• Issue access devices
• Written disclosures
• Error resolutions
• Notification of account changes

SVCs and Regulation E

Gramm-Leach Bliley

Definition

Privacy Rule
• Consumers vs customers

Safeguards
• Protection of private information

Pretexting
• Cannot obtain customer’s personal information under false pretenses

Bank Secrecy Act

Definition

US PATRIOT Act
• Fight Terrorism Financing

Compliance
• Know your Customer
• Currency Transaction Reporting/Suspicious Activity Report
• Monetary Instruments
• Funds Transfer recordkeeping and Travel Rule

OFAC-Office of Foreign Asset Control

Definition

Specially Designated Nationals (SDN)

Compliance

FDIC-Federal Deposit Insurance Corp

SVC and FDIC

SVC-pooling
• Lack of Sub-accounts

SVC-individual
• Pass through FDIC

Conclusion

The Company/The Issue

SVC Card market overview

Legal and Regulatory Overview

Decision