Credit Card Issuing and Fintech Transaction Rules

In this post, I will consider why card issuers and certain fintech businesses have compliance requirements and how those KYC and AML rules translate to transaction monitoring rules within the core system or compliance system. The focus of this post is on anti-money laundering and related transaction rules. 

Know Your Customer (KYC) and Anti-Money Laundering (AML) rules are important components of regulatory compliance for financial institutions, including those issuing virtual prepaid credit cards. Here are some sample transaction rules a company might use to meet KYC and AML obligations:

  1. Customer Identification Program (CIP): Every customer must be properly identified before a virtual prepaid card is issued. This requires collecting, at minimum, the customer’s full legal name, birth date, address, and identification number (like a Social Security number or passport number).
  2. Identity Verification: After collecting this information, it must be verified through reliable means. This can include checking the provided information against databases or asking for additional documentation like a scanned passport or utility bill.
  3. Risk-Based Verification: Customers who are likely to pose a higher risk of money laundering or terrorist financing may require enhanced due diligence, which can involve collecting more detailed information about their personal background, sources of funds, and intended use of the prepaid card.
  4. Ongoing Monitoring: After a card has been issued, its usage must be monitored for suspicious activity. This can include transactions that are unusually large, frequent, or inconsistent with the customer’s normal behavior.
  5. Transaction Limits: To reduce the risk of money laundering, virtual prepaid card issuers may set limits on the amount that can be loaded onto a card at any one time, or the total amount that can be transacted within a certain period.
  6. Reporting Suspicious Activity: If suspicious activity is detected, the card issuer has a duty to report this to the relevant authorities in a timely manner. This typically involves filing a Suspicious Activity Report (SAR).
  7. Record Keeping: Detailed records of all customer information, transactions, and any actions taken in response to suspicious activity must be kept for a certain period, usually five years.
  8. Sanctions Screening: The issuer must ensure that neither the customer nor the recipients of any funds from the card are on any government sanctions lists.
  9. Privacy and Data Security: All collected customer information must be stored securely to protect against data breaches. There should be policies in place to ensure that customer data is only used for the purposes it was collected for and is shared only with authorized entities.
  10. Regular Audits: Internal or external audits should be conducted periodically to ensure that all KYC and AML procedures are being followed, and to identify any areas where improvements can be made.

Please note that these are just samples and the actual rules may differ depending on the jurisdiction the company is operating in, as well as other factors. Always consult with a legal expert or a compliance officer when designing or updating your KYC and AML policies. You can reach us at info@premieroffshore.com 

Criminals can use credit cards in several ways to launder money:

  1. Credit Card Factoring: A common method involves setting up a shell company (a company that exists only on paper and has no office and no employees) and using it to process credit card transactions for non-existent goods and services. The shell company can then pass off these transactions as legitimate business income.
  2. Cash Withdrawals: Criminals can use credit cards to withdraw cash at ATMs, especially in foreign jurisdictions, to obscure the origin of the funds.
  3. Purchase and Resale: Individuals may use a credit card to purchase high-value items (like electronics, jewelry, etc.) and then sell these items to generate “clean” cash. This method allows the laundering of money through legitimate commercial transactions.
  4. Overpayment Fraud: This method involves the criminal intentionally overpaying on the credit card, then requesting a refund from the credit card company. The refund is then returned as a check, which can be deposited into a bank account, effectively converting illicit cash into seemingly legitimate funds.
  5. Gift Cards and Prepaid Cards: Criminals can purchase gift cards or prepaid cards using a credit card. These cards can then be sold for cash or used to purchase goods, thus obfuscating the source of the funds.
  6. Balance Transfers: By continuously transferring balances between different credit cards owned by the same individual or different individuals, money launderers can make it difficult for authorities to track the source of funds.
  7. Collusion with a Merchant: Criminals can also collude with corrupt merchants to carry out fraudulent transactions. The merchant will charge the credit card for non-existent goods or services, and after deducting a commission, transfer the rest of the funds back to the criminal.

These methods are illegal and can lead to severe penalties for the card issuer or fintech that allows the transaction through. Credit card companies and financial institutions must have systems in place to identify and prevent such activities, such as transaction monitoring systems, KYC procedures, and real-time fraud detection algorithms.

Money laundering involves making illegally gained proceeds appear legal, which is typically accomplished in three steps: Placement, Layering, and Integration. Criminals have developed various methods to launder money using credit cards. Here’s how it could happen:

  1. Placement: The initial stage of money laundering where illicit money is introduced into the financial system. With credit cards, this can happen in a few ways:
    • A criminal could use a stolen or counterfeit credit card to purchase goods and then resell them for cash.
    • Fraudulently obtained credit cards could also be used to purchase other forms of monetary instruments, such as gift cards or prepaid cards, which can later be sold or used without leaving a direct link back to the criminal.
  2. Layering: This is the process of creating complex layers of financial transactions to disguise the audit trail and provide anonymity. In the context of credit cards:
    • The criminal might use the card to make numerous small purchases or cash withdrawals across different locations and businesses to obscure the source of funds.
    • They might also use the card to purchase items online, further complicating the trail because these transactions could involve multiple jurisdictions.
  3. Integration: This is the final stage where the ‘cleaned’ money is mixed with legally obtained money. With credit cards:
    • The criminal might operate a fake business and process false transactions using the credit card, making the money appear as legitimate earnings.
    • They might also use a legitimate business to charge the credit card for non-existent goods or services, then present this as legitimate income.

It’s important to note that financial institutions, card issuers, and fintechs are well aware of these tactics, and have measures in place to detect and prevent such activities. These include monitoring for suspicious transaction patterns, implementing strong KYC and AML procedures, and reporting suspicious activities to the authorities.

Credit card transaction rules are guidelines or protocols established by credit card companies to detect and prevent fraudulent transactions, ensure regulatory compliance, and enhance customer security. Here are some common credit card transaction rules:

  1. Daily Spending Limit: To prevent fraudulent transactions, a daily spending limit is often set. If transactions exceed this limit, they may be denied until the cardholder confirms the transactions are genuine.
  2. Geographical Restrictions: Transactions made in unfamiliar locations or foreign countries may be flagged or blocked, especially if the cardholder hasn’t notified the card issuer about their travel plans.
  3. Frequency of Transactions: If there’s a sudden increase in the frequency of transactions, it could indicate fraudulent activity. The card issuer may block further transactions until they can confirm the activity with the cardholder.
  4. Unusual Purchase Patterns: If a transaction or series of transactions deviate significantly from the cardholder’s typical spending habits, they might be flagged as potentially fraudulent.
  5. Online and Card-Not-Present Transactions: These types of transactions can be riskier than in-person transactions, and may be subject to additional security measures, like requiring the cardholder to enter a CVV number.
  6. Incorrect Personal Information: If a transaction is attempted with incorrect personal information (e.g., wrong billing address or zip code), the transaction may be declined.
  7. Large Purchases: Large purchases may be flagged or blocked, especially if they’re inconsistent with the cardholder’s typical spending behavior.
  8. Suspicious Merchant Categories: Transactions with certain types of merchants (e.g., gambling websites or cryptocurrency exchanges) may be flagged or blocked due to the higher risk of fraud or regulatory compliance issues.
  9. Multiple Declined Transactions: If multiple transactions are declined in a short period of time, the card may be temporarily blocked to prevent potential fraud.

These rules help credit card issuers manage risk and protect customers from fraud. However, they’re not foolproof, and cardholders should always monitor their accounts for suspicious activity.

Transaction Rules for Credit Card Issuers and Fintech Companies:

  1. Account Opened, Maxed, and Closed: This rule will alert when the cardholder loads and uses the card up to the balance and then closes the account quickly. There should be a minimum value such as $5,000.
  2. High-Risk Jurisdiction Transactions: This rule will alert on any transactions that are conducted with high-risk jurisdictions, including those known for high levels of corruption, organized crime, or terrorist activity.
  3. Frequent Small Transactions: This rule will alert when there are frequent small transactions that, collectively, account for a substantial sum. This could be an indication of “structuring” or “smurfing,” techniques often used to evade reporting requirements.
  4. Rapid Movement of Funds: This rule alerts when there is rapid movement of funds from one account to another, or across multiple accounts. This could be indicative of layering, a money laundering technique.
  5. Transactions Just Below Reporting Threshold: This rule will alert on transactions that are just below the reporting threshold set by the regulatory bodies. This could be an attempt to evade detection.
  6. Inconsistent Transaction Activity: This rule alerts when the transaction pattern significantly deviates from a customer’s usual behavior or expected transaction pattern.
  7. Round Dollar Transactions: This rule alerts when transactions are made in round numbers (e.g., $1000, $5000), especially when they occur frequently. Criminals often use round numbers for simplicity.
  8. Transactions Matching Sanctioned Lists: This rule will alert on any transactions associated with individuals, organizations, or countries that appear on national and international sanctions lists.
  9. Cash Advances: This rule will alert on frequent or large cash advances, which could indicate an attempt to obtain cash for illicit purposes.
  10. Multiple Cards to the Same Address: This rule alerts when multiple cards are issued to the same address. This could be a sign of a fraud or identity theft operation.
  11. Transactions with High-Risk Businesses: This rule will alert on transactions with businesses known to be high-risk for money laundering, such as casinos, pawn shops, or shell companies.
  12. Non-Resident Transactions: This rule will alert when transactions occur frequently from non-residents, especially from high-risk jurisdictions.
  13. High Number of Declined Transactions: This rule will alert when a customer has a high number of declined transactions, which could indicate fraudulent activity.
  14. Unusual E-commerce Transactions: This rule alerts when there are unusual e-commerce transactions, such as frequent purchases from a single online vendor, which could be indicative of fraudulent activity.
  15. Inconsistent Shipping Information: This rule alerts when the shipping address frequently changes or doesn’t match the customer’s known address. This could be a sign of fraud.
  16. Sudden Increase in Credit Card Usage: This rule will alert when there is a sudden spike in credit card usage, which could indicate that the card has been compromised.
  17. Transactions at Odd Hours: This rule will alert when transactions are conducted at odd hours, inconsistent with the cardholder’s known behavior.
  18. Large Purchases or Withdrawals: This rule will alert on any large purchases or cash withdrawals that are unusual based on the customer’s profile and transaction history.
  19. Transactions Involving Cryptocurrency Exchanges: This rule will alert when transactions are made to or from cryptocurrency exchanges, as these can sometimes be used to launder money.
  20. Use of the Card After a Long Period of Inactivity: This rule will alert when a card that hasn’t been used for a long period suddenly becomes active. This could indicate that the card has been compromised.
  21. Frequent Address Changes: This rule alerts when there are frequent changes to the cardholder’s registered address, which could be indicative of identity theft or fraud.
  22. Sequential Card Numbers: This rule will alert when multiple cards are issued with sequential numbers, which could indicate a mass production of fake cards.
  23. Card Not Present Transactions: This rule alerts when there are frequent or large ‘card not present’ transactions, which could suggest fraudulent online or phone purchases.
  24. Multiple Transactions at One Vendor: This rule will alert when there are multiple transactions at one vendor in a short amount of time, which may suggest either a system error or fraudulent activity.
  25. Overseas Transactions: This rule alerts when a card is used in a foreign country, especially if the cardholder has not reported traveling.
  26. ATM Withdrawals in Multiple Locations: This rule alerts when frequent ATM withdrawals are made in different locations in a short time period, which could indicate the card is cloned.
  27. Multiple Declined Authorization Attempts: This rule will alert when there are multiple declined authorization attempts, which may suggest either a stolen card or a testing of a cloned card.
  28. High-Risk MCC Codes: This rule alerts when there are transactions associated with Merchant Category Codes (MCC) known to be high-risk for fraud or money laundering.
  29. Transaction Volume and Frequency: This rule will alert when a card’s transaction volume or frequency significantly deviates from its usual patterns.
  30. Out-of-pattern Transactions: This rule alerts when transactions are inconsistent with the customer’s established patterns, such as purchases from vendors they haven’t used before.
  31. Multiple Cards Associated with the Same Identity: This rule will alert when multiple cards are issued to the same person, which could be indicative of identity theft.
  32. Same Card Used with Different Merchants Simultaneously: This rule will alert when the same card is used simultaneously at different merchant locations.
  33. Credit Refunds: This rule will alert when there are frequent or large credit refunds to a card, which could indicate return fraud or ‘overpayment’ scams.
  34. Inactivity Followed by High Activity: This rule will alert when a period of card inactivity is followed by a surge of high-value transactions.
  35. Purchases of Gift Cards or Other Monetary Instruments: This rule alerts when the card is used frequently to purchase other cash-like monetary instruments, which could be a money laundering technique.
  36. Unusual Payments to Government Entities: This rule alerts when there are unusual payments to government entities, which could suggest an attempt to hide illicit funds.
  37. Transactions from Unrecognized Devices or IP addresses: This rule will alert when transactions are made from devices or IP addresses that are not recognized or commonly used by the customer.
  38. Duplicate Transactions: This rule alerts when two or more transactions have the same amount, date, and merchant, which could indicate a system error or fraud.
  39. Transactions in Non-Customer’s Regular Geo-Location: This rule alerts when the card is used in a location that is not part of the customer’s regular geographical pattern.
  40. Mismatch between Shipping and Billing Address: This rule alerts when the shipping address for a purchase does not match the billing address of the cardholder.
  41. Multiple Credit Cards Used on a Single Device/IP: This rule alerts when multiple cards are used on a single device or IP address, which could suggest card testing or fraudulent activity.
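
The following added example, which is not part of the original post, implements rules 3, 5, 7 and 41 from the list above as batch checks over a constructed set of transactions. Every threshold, field name and sample value is an assumption chosen for illustration; the reporting threshold in particular must be set to whatever applies in your jurisdiction.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from decimal import Decimal

# Every threshold is an illustrative assumption, to be tuned per institution.
REPORTING_THRESHOLD = Decimal("10000")  # assumed regulatory reporting threshold
NEAR_BAND = Decimal("0.10")             # "just below" = within 10% under it
SMALL_MAX = Decimal("500")              # upper bound of a "small" transaction
SMALL_MIN_COUNT = 5                     # how many small ones count as "frequent"
SMALL_MIN_TOTAL = Decimal("2000")       # collective "substantial sum"
WINDOW = timedelta(hours=24)            # look-back window for rule 3
ROUND_UNIT = Decimal("1000")            # amounts divisible by this are "round"
ROUND_MIN_COUNT = 3                     # round amounts per card before alerting
MAX_CARDS_PER_DEVICE = 2                # distinct cards tolerated per device

Txn = namedtuple("Txn", "txn_id card ts amount merchant device")


def near_threshold(txns):
    """Rule 5: single transactions just below the reporting threshold."""
    floor = REPORTING_THRESHOLD * (1 - NEAR_BAND)
    return [("near_threshold", t.card, (t.txn_id,))
            for t in txns if floor <= t.amount < REPORTING_THRESHOLD]


def frequent_small(txns):
    """Rule 3: many small transactions inside WINDOW that add up to a large sum."""
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if t.amount <= SMALL_MAX:
            by_card[t.card].append(t)
    alerts = []
    for card, small in by_card.items():
        start, total = 0, Decimal("0")
        for end, t in enumerate(small):
            total += t.amount
            while t.ts - small[start].ts > WINDOW:  # slide the window forward
                total -= small[start].amount
                start += 1
            if end - start + 1 >= SMALL_MIN_COUNT and total >= SMALL_MIN_TOTAL:
                ids = tuple(x.txn_id for x in small[start:end + 1])
                alerts.append(("frequent_small", card, ids))
                break  # one alert per card is enough for the analyst queue
    return alerts


def round_dollar(txns):
    """Rule 7: repeated round-number amounts on one card."""
    by_card = defaultdict(list)
    for t in txns:
        if t.amount > 0 and t.amount % ROUND_UNIT == 0:
            by_card[t.card].append(t.txn_id)
    return [("round_dollar", card, tuple(ids))
            for card, ids in by_card.items() if len(ids) >= ROUND_MIN_COUNT]


def cards_per_device(txns):
    """Rule 41: more distinct cards on one device than MAX_CARDS_PER_DEVICE."""
    cards, ids = defaultdict(set), defaultdict(list)
    for t in txns:
        cards[t.device].add(t.card)
        ids[t.device].append(t.txn_id)
    return [("cards_per_device", dev, tuple(ids[dev]))
            for dev, seen in cards.items() if len(seen) > MAX_CARDS_PER_DEVICE]


def run_rules(txns):
    """Run every rule; return sorted (rule, subject, txn_ids) alerts."""
    rules = (frequent_small, near_threshold, round_dollar, cards_per_device)
    return sorted(alert for rule in rules for alert in rule(txns))


def mk(txn_id, card, hour, amount, merchant, device, day=15):
    """Build a Txn on 2024-01-<day> at <hour>:00 (helper for sample data)."""
    return Txn(txn_id, card, datetime(2024, 1, day, hour),
               Decimal(amount), merchant, device)


# Constructed sample data, not real transactions.
SAMPLE = [
    mk("t01", "card-A", 9, "450.00", "m-01", "dev-1"),
    mk("t02", "card-A", 10, "480.00", "m-02", "dev-1"),
    mk("t03", "card-A", 11, "420.00", "m-03", "dev-1"),
    mk("t04", "card-A", 12, "490.00", "m-04", "dev-1"),
    mk("t05", "card-A", 13, "460.00", "m-05", "dev-1"),
    mk("t06", "card-B", 9, "9800.00", "m-06", "dev-2"),
    mk("t07", "card-B", 10, "1000.00", "m-07", "dev-2"),
    mk("t08", "card-B", 11, "5000.00", "m-08", "dev-2"),
    mk("t09", "card-B", 12, "2000.00", "m-09", "dev-2"),
    mk("t10", "card-D", 16, "1.00", "m-10", "dev-9"),
    mk("t11", "card-E", 16, "1.00", "m-10", "dev-9"),
    mk("t12", "card-F", 16, "1.00", "m-10", "dev-9"),
]

if __name__ == "__main__":
    for rule, subject, txn_ids in run_rules(SAMPLE):
        print(f"{rule:17} {subject:7} {', '.join(txn_ids)}")
```

Each alert carries the transaction ids that triggered it, so an analyst reviewing the queue can see the evidence behind a potential SAR without re-running the rule.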

Again, these rules should be adapted and refined based on the specific requirements of the institution, local regulations, and the evolving risk environment. You can reach us at info@premieroffshore.com if you are interested in hiring us to build your compliance program and system. 


Building a Compliance Program for a Fintech, Crypto, or Credit Card Issuing Business

In this post, I will review how to build a compliance program for a new or startup fintech, crypto, or credit card issuing business. Most startups focus on tech, testing, and finding customers in the early days. But a complete compliance program should be the first thing a fintech, crypto, or credit card issuing business builds, because it governs onboarding and nearly all aspects of the business.

Also, your compliance program and documents are the keys to maintaining good relations with your bank, brokerage, exchange, processor, or issuer. Many providers will open an account with minimal documents. But, once you begin transacting, they will ask all kinds of questions. If you don’t have a compliance program in place, your fintech, crypto, or credit card issuing business will be paused or closed until you can build a proper compliance program. 

Building the Program – First Steps

Building a compliance program for a credit card issuing company requires adherence to various regulatory requirements, including those from payment networks like MasterCard and Visa, as well as complying with Know Your Customer (KYC) and Anti-Money Laundering (AML) policies. Here is an overview of the process:

  1. Understand MasterCard and Visa requirements: Both MasterCard and Visa have their own set of rules and regulations for credit card issuers. These may include guidelines on transaction processing, chargeback management, fraud prevention, data security, and reporting. Review the MasterCard Rules and the Visa Core Rules and Visa Product and Service Rules to familiarize yourself with their requirements.
  2. Develop internal policies and procedures: Create comprehensive internal policies and procedures that adhere to MasterCard and Visa requirements, as well as applicable federal and state laws and regulations. This may include policies for card issuance, underwriting, account management, billing, dispute resolution, and fraud management.
  3. Implement a KYC program: A robust KYC program should include customer identification procedures, risk-based customer due diligence, and ongoing monitoring of customer transactions. Ensure that your program aligns with applicable KYC regulations and industry best practices.
  4. Implement an AML program: Develop an AML program that includes risk-based customer due diligence, transaction monitoring, suspicious activity reporting, record-keeping, and employee training. Ensure that your program complies with applicable AML regulations, such as the Bank Secrecy Act (BSA) and the USA PATRIOT Act.
  5. Establish a Compliance Management System (CMS): A CMS is a formalized system for managing compliance within the organization. It should include components like compliance policies and procedures, a compliance officer, employee training, and monitoring and corrective action processes.
  6. Develop a data security program: Implement a data security program that complies with the Payment Card Industry Data Security Standard (PCI DSS) and any applicable data privacy regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
  7. Train employees: Train employees on your compliance program, policies, and procedures. Regularly update training materials to ensure that employees stay informed about regulatory changes and industry best practices.
  8. Monitor and audit: Regularly monitor and audit your compliance program to identify any gaps or areas for improvement. Implement corrective actions as necessary to maintain compliance with all applicable regulations and requirements.

Creating a compliance program for a credit card issuer is similar to creating a compliance program for a bank in several ways:

  • Both require adherence to federal and state regulations, as well as KYC and AML policies.
  • Both need to establish a CMS to manage compliance within the organization.
  • Both require employee training to ensure understanding of and adherence to the compliance program.
  • Both need to conduct regular monitoring and audits to maintain compliance with applicable regulations and requirements.

However, credit card issuers must also comply with the specific rules and regulations set forth by payment networks like MasterCard and Visa, as well as adhere to the PCI DSS for data security.

Building a Program – Toolbox

A robust compliance program for a credit card issuer should include various tools and resources to ensure adherence to regulatory requirements and mitigate risks. Some common and popular compliance tools include:

  1. Compliance Management System (CMS): A CMS is a centralized platform to manage, track, and report on all aspects of the organization’s compliance program. It can help automate and streamline processes, such as policy management, risk assessment, training, and reporting.
  2. Risk Assessment Tools: Risk assessment tools can help identify, assess, and prioritize risks associated with credit card issuing activities. These tools may include questionnaires, checklists, or software solutions designed to assess risks in areas like fraud, AML, and data security.
  3. Policy Management Software: Policy management software can be used to create, maintain, and distribute internal policies and procedures related to credit card issuing operations. This software typically includes version control, approval workflows, and audit trails to ensure consistency and compliance with regulations.
  4. Transaction Monitoring System: A transaction monitoring system can be used to detect suspicious activities, potential fraud, and other risks related to credit card transactions. This may involve rule-based systems or machine learning algorithms to analyze transaction data and generate alerts for further investigation.
  5. Fraud Detection Tools: Fraud detection tools, such as artificial intelligence (AI) and machine learning algorithms, can help identify patterns indicative of fraudulent activities. They may be used to analyze transaction data, monitor user behavior, and identify potential risks in real time.
  6. Know Your Customer (KYC) and Customer Due Diligence (CDD) Solutions: KYC and CDD solutions can help automate customer identification, verification, and risk assessment processes. These tools may include identity verification services, watchlist screening, and ongoing customer monitoring.
  7. Anti-Money Laundering (AML) Software: AML software can help automate the process of monitoring transactions for suspicious activity, filing suspicious activity reports (SARs), and maintaining compliance with AML regulations. This may include rule-based systems or more advanced AI-driven solutions.
  8. Data Security Solutions: Data security solutions, such as encryption tools, firewalls, and intrusion detection systems, can help protect sensitive customer and transaction data, ensuring compliance with data privacy and security regulations like the Payment Card Industry Data Security Standard (PCI DSS).
  9. Training and Learning Management Systems (LMS): An LMS can help manage and track employee training related to compliance, including course content, attendance, assessment, and reporting. This can be especially useful for organizations that must regularly train employees on AML, KYC, and other compliance topics.
  10. Regulatory Reporting Tools: Reporting tools can help streamline the process of generating, submitting, and tracking regulatory reports, such as SARs or periodic financial statements. These tools may include templates, automated data aggregation, and tracking capabilities.

While these tools can help support a comprehensive compliance program for a credit card issuer, it is important to remember that the specific tools needed will depend on the organization’s size, risk profile, and regulatory environment. Tools will also depend on the jurisdiction of your customers, of which I was uncertain when reviewing your website.

Building a Program – Bank Secrecy Act

The Bank Secrecy Act (BSA) does apply to credit card issuers. The BSA, also known as the Currency and Foreign Transactions Reporting Act, was enacted to combat money laundering and other financial crimes. It requires financial institutions, including credit card issuers, to maintain certain records, file reports, and implement anti-money laundering (AML) programs.

Credit card issuers and fintech companies are considered financial institutions under the BSA, as they offer various types of financial products and services. Therefore, they are subject to the same AML rules and regulations as banks and other financial institutions. These rules and regulations include Know Your Customer (KYC) policies, Currency Transaction Reports (CTRs), Suspicious Activity Reports (SARs), and other due diligence requirements.

Compliance with the BSA helps credit card issuers mitigate risks associated with money laundering, terrorism financing, and other financial crimes. Non-compliance can lead to substantial fines and penalties, as well as reputational damage.

Building a Program – US Sanctions for Card Issuers

U.S. sanctions are relevant to U.S. credit card issuers and fintech companies because they impose restrictions on transactions and dealings with specific individuals, entities, or countries. They are required to comply with these sanctions to prevent financial crimes, such as money laundering and terrorism financing. Non-compliance can lead to significant penalties and reputational damage.

Here’s how U.S. sanctions are relevant to U.S. credit card issuers and fintech companies:

  1. Restricted transactions: Sanctions prohibit U.S. credit card issuers from engaging in transactions with individuals, entities, or countries designated by the Office of Foreign Assets Control (OFAC), a division of the U.S. Department of the Treasury. This includes processing payments, providing services, or extending credit to sanctioned parties.
  2. Compliance programs: Credit card issuers must implement comprehensive compliance programs to identify and block transactions involving sanctioned parties. These programs should include policies and procedures, employee training, and transaction monitoring systems to ensure compliance with OFAC regulations.
  3. Due diligence: Credit card issuers are required to conduct due diligence on their customers, merchants, and business partners to ensure they are not engaging in transactions with sanctioned parties. This involves screening customers against OFAC’s Specially Designated Nationals (SDN) list and other restricted party lists.
  4. Reporting requirements: U.S. credit card issuers must report any blocked or rejected transactions involving sanctioned parties to OFAC within a specified timeframe. Failure to report such transactions can lead to penalties and enforcement actions.
  5. Penalties for non-compliance: Non-compliance with U.S. sanctions can result in substantial fines, penalties, and reputational damage for credit card issuers. In some cases, individuals involved in non-compliance may also face criminal prosecution.

U.S. credit card issuers and fintech companies must stay informed of updates and changes to U.S. sanctions programs and ensure their compliance programs are up-to-date and effective. This helps protect the issuer from potential financial and reputational risks associated with non-compliance.

Building a Program – AML & BSA Risk Assessment 

An Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) risk assessment is a comprehensive evaluation of an organization’s exposure to money laundering, terrorism financing, and other financial crime risks. A risk assessment typically includes factors such as geographical risk, market risk, product risk, customer risk, and distribution channel risk. By assigning scores to these factors, an organization can better understand its risk exposure and implement appropriate controls to mitigate those risks.

Here is a description of an AML/BSA risk assessment that incorporates a scoring system based on various risk factors:

  1. Geographical risk: Assess the countries and regions where the organization operates or conducts business with customers. Assign a score based on the level of risk associated with each location, considering factors such as political stability, corruption levels, the presence of organized crime or terrorist groups, and AML/CTF regulatory framework effectiveness.
  2. Market risk: Evaluate the organization’s exposure to market risks, such as fluctuations in interest rates, currency exchange rates, or stock market prices. Assign scores based on the level of market volatility and the organization’s susceptibility to these risks.
  3. Product risk: Assess the organization’s products and services, focusing on their vulnerability to money laundering and terrorism financing. Assign a score to each product or service based on factors such as the level of anonymity, transaction size, ease of transferability, and complexity of the product or service.
  4. Customer risk: Evaluate the organization’s customer base, considering factors such as customer type (individual, corporate, or government), occupation, source of funds, and expected transaction patterns. Assign a score based on the level of risk associated with each customer segment.
  5. Distribution channel risk: Assess the organization’s distribution channels, such as branches, agents, digital platforms, or correspondent banking relationships. Assign a score based on factors such as the level of oversight, transparency, and the risk of money laundering or terrorism financing associated with each channel.
  6. Internal controls and compliance risk: Evaluate the effectiveness of the organization’s internal controls and compliance program, including policies, procedures, employee training, and monitoring systems. Assign a score based on the level of risk mitigation provided by these controls.

Once the scores are assigned, the organization can aggregate the scores to create an overall risk score for each category. This process helps identify areas of higher risk that require enhanced due diligence and monitoring.

The results of the risk assessment should be used to develop and enhance the organization’s AML/BSA compliance program, ensuring that resources are allocated effectively to mitigate identified risks. Regularly reviewing and updating the risk assessment is essential to maintain its effectiveness and ensure the organization’s compliance with evolving regulatory requirements.

Building a Program – Miscellaneous Policies 

Here’s an overview of a few key policies and their relevance to credit card issuers which I haven’t covered above:

  1. Suspicious Activity Reports (SARs) Policy: Under the Bank Secrecy Act (BSA), credit card issuers are required to file SARs for any transaction that may involve money laundering, terrorist financing, or other suspicious activities. This policy should establish guidelines for identifying, investigating, and reporting suspicious transactions, as well as maintaining proper documentation.
  2. USA PATRIOT Act Policy (Section 314 reporting): Section 314(a) of the USA PATRIOT Act allows financial institutions, including credit card issuers, to share information with law enforcement agencies to identify and report potential money laundering or terrorist financing activities. The policy should outline procedures for responding to 314(a) requests, safeguarding customer information, and maintaining records of information sharing.
  3. FinCEN Policy: The Financial Crimes Enforcement Network (FinCEN) is responsible for implementing and enforcing the BSA and AML regulations. A credit card issuer’s FinCEN policy should detail the company’s compliance with FinCEN’s regulations, including Customer Identification Program (CIP), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and recordkeeping requirements.
  4. OFAC Policy: The Office of Foreign Assets Control (OFAC) enforces economic and trade sanctions against certain individuals, entities, and countries. Credit card issuers must have a policy in place to ensure compliance with OFAC regulations, including screening customers, transactions, and business partners against OFAC’s Specially Designated Nationals (SDN) list and other restricted parties lists, as well as blocking or rejecting prohibited transactions.
  5. FBAR Policy: The Report of Foreign Bank and Financial Accounts (FBAR) is a reporting requirement for U.S. persons with foreign financial accounts. While this requirement may not directly apply to credit card issuers, they should have policies in place to ensure compliance with FBAR regulations if they hold or have signature authority over foreign financial accounts.
  6. Identity Theft Policy: The Fair and Accurate Credit Transactions Act (FACTA) requires financial institutions, including credit card issuers, to establish an Identity Theft Prevention Program (ITPP) to detect, prevent, and mitigate identity theft. The policy should include procedures for identifying and addressing red flags, verifying customer identity, maintaining customer information security, and responding to identity theft incidents.

By developing and implementing these policies, credit card issuers or fintech companies in the United States can demonstrate compliance with relevant regulations, mitigate risks associated with financial crimes, and protect their customers and business from potential harm. Regularly reviewing and updating these policies is essential to ensure ongoing compliance and effectiveness.

Building a Program – Why Is This Relevant

Credit cards and fintech systems can be used in various ways to facilitate money laundering. Money laundering is the process of making illegally-gained proceeds appear legitimate by disguising their origins. Here are some ways that credit cards can be used in money laundering schemes:

  1. Overpayment and refunds: A criminal may make a large overpayment on their credit card account using illicit funds and then request a refund. This creates the appearance of a legitimate transaction and allows the launderer to receive “clean” money from the credit card issuer.
  2. “Credit card factoring” or “credit card laundering”: This involves a criminal using a shell or front company to process fraudulent credit card transactions. They use stolen or fake credit card information to create transactions, which are then processed through the merchant account of the shell company. The company receives the funds from the credit card processor, less any fees, and transfers the laundered money to the criminal’s account.
  3. Collusion with merchants: Criminals may collude with complicit merchants who allow them to use their credit cards to make purchases or pay for services with illegal funds. The merchant then refunds the transaction, providing the criminal with laundered money from the merchant’s account.
  4. Buying and selling goods: Criminals may use illicit funds to purchase high-value goods or services using credit cards, and then sell those goods or services to convert them back into cash. This process can help disguise the origins of the illegal funds.
  5. Multiple small transactions: Criminals can use credit cards to make multiple small transactions (structuring) to avoid detection or reporting thresholds. These transactions may be spread across several accounts, cards, or merchants to further reduce the risk of detection.
  6. Prepaid credit cards: Prepaid credit cards can be used to launder money, as they can be bought and reloaded with cash. Criminals can use these cards for purchases, ATM withdrawals, or online transactions without revealing their true identity. In some cases, they may also use prepaid cards to transfer money between different countries.

Financial institutions, including credit card issuers and Fintech companies, are required to implement robust anti-money laundering (AML) programs to detect and prevent such activities. This includes Know Your Customer (KYC) policies, transaction monitoring systems, and Suspicious Activity Reports (SARs) to identify and report any suspicious activities.
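Two of the patterns listed above, overpayment followed by a refund and structuring across several cards, translate directly into transaction monitoring rules. The sketch below is an added example, not code from the original post: the thresholds, field names, and transaction kinds are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds, for illustration; a real program sets them from its risk
# assessment. All amounts are integer cents to avoid float rounding.
OVERPAY_MIN = 100_000               # credit balance left by one payment ($1,000)
REFUND_WINDOW = timedelta(days=30)  # payment -> credit-balance refund request
STRUCT_THRESHOLD = 1_000_000        # assumed per-transaction review threshold
STRUCT_WINDOW = timedelta(days=3)
STRUCT_MIN_COUNT = 3

@dataclass(frozen=True)
class Txn:
    customer: str
    card: str
    when: datetime
    kind: str              # "PAYMENT", "CREDIT_REFUND" or "LOAD"
    amount: int
    balance_owed: int = 0  # balance owed before a PAYMENT posts

def overpayment_refund_alerts(txns):
    """Flag a payment that leaves a large credit balance and is followed by a
    refund request on the same card inside REFUND_WINDOW."""
    alerts, pending = [], {}
    for t in sorted(txns, key=lambda t: t.when):
        if t.kind == "PAYMENT" and t.amount - t.balance_owed >= OVERPAY_MIN:
            pending[t.card] = t
        elif t.kind == "CREDIT_REFUND" and t.card in pending:
            pay = pending.pop(t.card)
            if t.when - pay.when <= REFUND_WINDOW:
                excess = pay.amount - pay.balance_owed
                alerts.append((t.customer, t.card, excess))
    return alerts

def structuring_alerts(txns):
    """Flag customers whose sub-threshold loads, summed across all of their
    cards, reach STRUCT_THRESHOLD inside any STRUCT_WINDOW."""
    by_customer = defaultdict(list)
    for t in txns:
        if t.kind == "LOAD" and t.amount < STRUCT_THRESHOLD:
            by_customer[t.customer].append(t)
    alerts = []
    for customer, loads in by_customer.items():
        loads.sort(key=lambda t: t.when)
        start = 0
        for end in range(len(loads)):
            while loads[end].when - loads[start].when > STRUCT_WINDOW:
                start += 1  # slide the window forward
            window = loads[start:end + 1]
            total = sum(t.amount for t in window)
            if len(window) >= STRUCT_MIN_COUNT and total >= STRUCT_THRESHOLD:
                cards = sorted({t.card for t in window})
                alerts.append((customer, cards, total))
                break  # one alert per customer is enough to open a review
    return alerts

def at(day, hour=12):
    return datetime(2024, 3, day, hour)

# Constructed sample transactions (not real data).
SAMPLE = [
    Txn("cust-A", "card-1", at(1), "PAYMENT", 520_000, balance_owed=20_000),
    Txn("cust-A", "card-1", at(4), "CREDIT_REFUND", 500_000),
    Txn("cust-B", "card-2", at(2), "PAYMENT", 45_000, balance_owed=43_000),
    Txn("cust-B", "card-2", at(3), "CREDIT_REFUND", 2_000),
    Txn("cust-C", "card-3", at(5, 9), "LOAD", 390_000),
    Txn("cust-C", "card-4", at(5, 15), "LOAD", 380_000),
    Txn("cust-C", "card-3", at(6, 10), "LOAD", 370_000),
    Txn("cust-D", "card-5", at(5), "LOAD", 30_000),
    Txn("cust-D", "card-5", at(20), "LOAD", 25_000),
]

if __name__ == "__main__":
    print(overpayment_refund_alerts(SAMPLE), structuring_alerts(SAMPLE))
```

Grouping loads by customer rather than by card is what catches activity spread across several cards; an alert from either rule is a prompt for analyst review, not a conclusion.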

Building a Program – Transaction Flow for a Credit Card Provider

The typical transaction flow for a credit card issuer involves multiple parties and several steps. This section is specific to card issuers, as fintech companies have structures that are too diverse to cover in an article. Here is an overview of the process when a cardholder makes a purchase using a credit card:

  1. Cardholder initiates a purchase: The cardholder presents their credit card to the merchant for payment.
  2. Merchant processes the transaction: The merchant uses a point-of-sale (POS) terminal, payment gateway, or other payment processing system to capture the card details and submit the transaction for authorization.
  3. Transaction is sent to the acquiring bank: The merchant’s acquiring bank (or payment processor) receives the transaction details and forwards the information to the card network (e.g., Visa or MasterCard).
  4. Card network routes the transaction: The card network routes the transaction to the issuing bank (the bank that issued the credit card to the cardholder) for authorization.
  5. Issuing bank authorizes the transaction: The issuing bank checks the cardholder’s account for available credit, verifies that the card is valid and not flagged for fraudulent activity, and either approves or declines the transaction. The response is sent back through the card network and the acquiring bank to the merchant.
  6. Merchant receives authorization response: The merchant receives the response and completes the sale if the transaction is approved. The approved transaction is then stored in a batch for later settlement.
  7. Merchant submits the batch for settlement: At the end of the business day or another predetermined time, the merchant submits the batch of approved transactions to the acquiring bank for settlement.
  8. Acquiring bank requests funds: The acquiring bank sends the batched transaction details to the card network, which then forwards the information to the respective issuing banks.
  9. Issuing banks transfer funds: The issuing banks transfer the funds for the settled transactions, minus interchange fees, to the card network.
  10. Card network transfers funds to the acquiring bank: The card network consolidates the funds from the issuing banks and transfers the net amount, minus network fees, to the acquiring bank.
  11. Acquiring bank deposits funds to the merchant’s account: The acquiring bank deposits the funds, minus any applicable fees, into the merchant’s account.
  12. Cardholder is billed: The issuing bank adds the transaction amount to the cardholder’s account balance. The cardholder will be responsible for paying the balance according to their credit card agreement.

This transaction flow represents a simplified version of the process. In practice, there may be variations depending on the specific payment infrastructure, card network, and additional services or features offered by the involved parties.

SOP for a Credit Card Processor and Fintech Company

Creating a comprehensive compliance Standard Operating Procedure (SOP) for a credit card issuer and a fintech company requires addressing multiple areas of regulatory and operational compliance. While the exact SOP will depend on your specific circumstances, the following components should generally be included:

  1. Compliance Management System (CMS): Develop a formalized system for managing compliance within the organization, including the appointment of a dedicated compliance officer, clear reporting lines, and regular communication with senior management.
  2. Regulatory Compliance: Ensure adherence to all applicable federal, state, and local regulations, as well as payment network rules (e.g., MasterCard and Visa). This may include consumer protection laws, fair lending practices, data privacy, and security requirements.
  3. Know Your Customer (KYC): Establish a robust KYC program that includes customer identification, risk-based due diligence, and ongoing monitoring of customer transactions. Ensure that the program complies with all applicable KYC regulations.
  4. Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF): Implement a comprehensive AML/CTF program, including risk-based customer due diligence, transaction monitoring, suspicious activity reporting, record-keeping, and employee training.
  5. Third-Party Risk Management: Develop a process for assessing, monitoring, and managing risks associated with third-party service providers, such as payment processors, technology vendors, and collection agencies.
  6. Fraud Prevention and Detection: Implement a fraud management program that includes transaction monitoring, fraud detection tools, chargeback management, and customer education on fraud prevention.
  7. Data Security and Privacy: Establish a data security program that complies with the Payment Card Industry Data Security Standard (PCI DSS) and any applicable data privacy regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
  8. Internal Policies and Procedures: Develop and maintain comprehensive internal policies and procedures that cover all aspects of the credit card issuer’s operations, including card issuance, underwriting, account management, billing, dispute resolution, and fraud management.
  9. Employee Training and Awareness: Provide regular training to employees on compliance requirements, internal policies, and procedures. Ensure that training materials are updated to reflect regulatory changes and industry best practices.
  10. Monitoring, Auditing, and Reporting: Establish a process for regularly monitoring and auditing the credit card issuer’s compliance program to identify gaps, areas for improvement, and potential violations. Implement corrective actions as needed and report any significant compliance issues to senior management and, if required, to regulatory authorities.
  11. Record-Keeping: Maintain accurate and complete records of all compliance-related activities, including risk assessments, audits, training, and reporting, as required by applicable regulations.

The million-dollar issue: Do all credit card issuers and Fintech companies take possession of client funds? As a result, do all credit card issuers require a money services license?

Credit card issuers and Fintechs generally do not take possession of client funds in the same way as banks, which hold deposits in customer accounts. Credit card issuers extend a line of credit to cardholders, allowing them to make purchases or obtain cash advances up to a specified limit. Cardholders are then required to repay the borrowed amount, typically with interest, according to their credit card agreement.

As a result, credit card issuers usually do not fall under the category of money services businesses (MSBs) and may not require a money services license. MSBs typically include entities involved in money transmission, currency exchange, check cashing, and other financial services that involve the handling of client funds.

For more on this topic, you might also read through Structuring a Fintech or Card Issuer without an MSB License

Process to Apply for a Money Service Business License

In the United States, money transmission licensing is regulated at the state level. Each state has its own requirements and procedures for obtaining a money transmission license, which means that if you plan to operate in multiple states, you may need to obtain a license in each state where you conduct business. Here is a general outline of the process:

  1. Research state-specific requirements: Begin by researching the specific licensing requirements for each state in which you plan to operate. You can usually find this information on the state’s financial regulatory agency website or by consulting with a legal professional.
  2. Prepare your application: Each state has its own application form and supporting documentation requirements. Commonly required documents may include a business plan, financial statements, policies and procedures, AML program documentation, background checks, and fingerprints for key personnel, as well as information about the company’s organizational structure and management.
  3. Obtain a surety bond: Most states require money transmitters to obtain a surety bond as part of the licensing process. The bond amount varies by state and is designed to protect consumers in case the licensee fails to meet its obligations.
  4. Pay application fees: Each state typically requires payment of a non-refundable application fee and, if applicable, a licensing fee upon approval.
  5. Submit your application: Once you have prepared all the required documents, submit your application to the appropriate state agency for review. The review process can take several weeks to several months, depending on the state and the complexity of your application.
  6. Respond to any inquiries or requests for additional information: During the review process, the state agency may request additional information or clarification. Respond promptly to these requests to avoid delays in the licensing process.
  7. Obtain your license: If your application is approved, the state agency will issue your money transmission license. You may need to pay an initial licensing fee or meet additional requirements, such as providing proof of a surety bond, before your license becomes active.
  8. Maintain compliance: Once licensed, you must maintain compliance with state-specific regulations, including periodic reporting, financial statement submissions, and maintaining a surety bond. You may also be subject to periodic examinations by the state agency to ensure ongoing compliance.
  9. Renew your license: Money transmission licenses typically have expiration dates and must be renewed periodically. Each state has its own renewal process and fees, so be sure to stay aware of the requirements and timelines to avoid any lapses in your license.

Bond Requirements (CA and TX as examples)

Money Services Businesses (MSBs) are required to obtain surety bonds as part of the licensing process. These bonds help protect consumers from potential financial loss resulting from the MSB’s failure to comply with state regulations or unethical business practices.

Here are the bond requirements for MSBs in California and Texas:

  1. California: Money transmitters in California are required to obtain a surety bond under the California Money Transmission Act. The bond amount varies based on the volume of the money transmitter’s business. The minimum bond amount is $250,000, and the maximum bond amount is $7,000,000. However, if the money transmitter also conducts business in receiving money for obligations, the maximum bond amount may be increased to $10,000,000.
  2. Texas: In Texas, MSBs that are engaged in money transmission or currency exchange must obtain a surety bond under the Texas Finance Code. The bond amount is determined by the Texas Department of Banking based on the MSB’s business activity and volume. The minimum bond amount is $300,000, and the maximum bond amount is $2,000,000. In addition to the state-level bond requirement, certain cities in Texas, such as Austin and Houston, may also require MSBs to obtain a separate bond at the local level.

Note that bond requirements may vary based on the specific type of MSB (e.g., money transmitter, check casher, currency exchanger) and other factors, such as the volume of transactions processed. The above is just an example.

Money transmission licensing is complex and state-specific. We are capable of applying for licenses in multiple states if that is what’s required. My quotation below does NOT include the cost of applying for an MSB license(s).

Consulting Services

We can create a compliance program that covers all essential aspects, including regulatory compliance, risk assessment, transaction monitoring, fraud detection, data security, and employee training as described above. Our team of experienced compliance professionals will work closely with you to ensure the program is tailored to your organization’s unique needs and requirements.

We can assist in all aspects of a fintech, crypto, or credit card issuing business compliance program. For more information and pricing, please contact us at info@premieroffshore.com. For information on this topic for banks, see my other website www.banklicense.pro.


Structuring a Fintech or Card Issuer without an MSB License

One of the biggest issues facing fintech and card issuers in the United States is how to structure the business to avoid the need for an MSB license. An MSB license can tie up many millions of dollars in capital and cost a fortune to acquire on a national level. Thus, here is how to structure a fintech or card issuer without an MSB license.

First, allow me to describe an MSB license. An MSB or Money Services Business license is a regulatory approval that is mandatory for any company operating in the money transfer industry or providing financial services. MSB is a broad term that encompasses various types of financial service providers such as currency exchanges, money transmitters, and stored value card issuers. The goal of this license is to prevent money laundering, terrorist financing, and illegal activities from being conducted through these companies.

For fintech or card issuer companies, obtaining an MSB license is critical because it enables them to legally operate in the financial industry. Fintech companies that engage in activities such as international transactions or online payments must have this license to conduct business. Card issuers, on the other hand, may need an MSB license when offering prepaid cards or other stored-value products. In addition to compliance with regulations, holding an MSB license can also help improve customer confidence and trust as it provides a level of legitimacy and credibility to a business.

Basically, any time you take control of customer funds, you need an MSB license. Thus, the way to eliminate the need for an MSB license as a fintech or card issuer is to not take control of customer funds. One way to accomplish this is to use an FBO account at your local bank.

An FBO (For Benefit Of) account is a type of bank account used to hold funds on behalf of a third party. It is different from a typical corporate bank account in that the funds in an FBO account do not belong to the account holder but rather to the named beneficiary or beneficiaries.

FBO accounts are commonly used in various scenarios, such as when a company collects funds on behalf of its clients, in trust accounts managed by lawyers, or by non-profit organizations to hold donations.

The primary difference between an FBO account and a regular corporate bank account lies in the ownership and control of the funds. In an FBO account, the account holder (usually a business) acts as a custodian, merely holding the funds in a fiduciary capacity for the benefit of the named beneficiary or beneficiaries. The account holder does not have the authority to use the funds for its own purposes.

In contrast, a typical corporate bank account is owned and controlled by the company, which can use the funds as needed for its business operations.

Regarding the need for an MSB (Money Services Business) license, FBO accounts can help reduce or eliminate the requirement for such a license because the account holder does not take possession of client funds. MSB licenses are typically required for businesses that transmit or convert money, such as money transmitters, currency exchangers, or check cashers.

By using an FBO account, a business can avoid being classified as an MSB because it does not take possession of client funds, nor does it engage in money transmission or currency exchange activities. Instead, it merely holds the funds in a fiduciary capacity on behalf of the client. However, it’s essential to consult with a legal or compliance expert to ensure the specific arrangement does not trigger any regulatory requirements, as regulations may vary depending on jurisdiction and the nature of the business.

I hope you find this information helpful. For more information on banking licenses, see our website on this topic, www.banklicense.pro. We are here to assist you in structuring a fintech, MSB, or credit card issuing business in the United States or in Mexico. For more information, please send me a message at info@premieroffshore.com.