Page 72 - Pay Magazine s2014
P. 72
70
Government watch
Prepaid Program Managers Must Be Exam-Ready Bank Partners
selective about the programs they’re willing to sponsor.
It’s time to explore the proactive steps program managers can take that are mutually beneficial to their bank issuers, their customers and their overall business.
Third-Party Risk
Management Is Broken
In the prepaid industry, it’s time
to invert the traditional regulatory message of “banks must manage third-party risk and compliance”
to “third parties must proactively manage risk and compliance for their bank partners.” As an example, let’s look at the nature of the relationship between a typical prepaid issuing bank and an independent program manager:
The bank is the prepaid card issuer, but the program manager administers and manages the card program for the bank in accordance with the bank’s specific requirements. Typically, the issuing bank holds the program manager liable for meeting these requirements, including all risk and compliance matters. Unfortunately,
the history of enforcement actions
and consent orders shows that imposing liability on program manag- ers has not enabled banks to avoid compliance costs. When the regulators find fault with the activities of third parties working with the bank, banks have been fined and ordered to pay civil money penalties or restitution; some have been constrained in their ability to conduct their businesses fully; and some have been ordered to improve their compliance programs.
So what’s the solution?
There’s a lot for program mana- gers to do on their way to achiev- ing a “trusted partner,” exam-ready state that proactively addresses the needs of their bank partners. These include:
• Defining and executing a compli- ance program to address the numerous regulatory mandates and updates frequently issued by regulators, along with react- ing to learnings from regulatory enforcement actions.
• Self-policing4 and validating the effectiveness of its compliance and risk management program.
While the above may seem daunt- ing, successful execution is easier if the strategic approach is seg- mented into three sequential phases, with each phase building on the previous. At a high level, the three phases are:
Based on FFIEC regulations, guid- ance and industry best practices, McGovern Smith Advisors has identified 34 specific prepaid compliance policies and their required implementing procedures. These policies and procedures define the controls and day-to-day activities that should be in place and working effectively to meet the applicable compliance mandates and manage risk. They address the regulatory hot spots, such as
consumer compliance and AML, information security, vendor man- agement and business continuity.
Program managers must begin by creating a set of policies and procedures that are tailored to their business, operations and clients to address these regulatory hot spots.
Once these policies and procedures are adopted by the board or senior management, the program manag- ers will be positioned to implement the second phase of a prepaid compliance and risk management program—executing on the controls and operational day-to-day activities defined in the approved policies
and procedures.
Implementing and administering
a compliance program requires program managers to follow the approved policies and procedures to ensure regulatory mandates and key risks are mitigated throughout their ongoing daily operations for the regulatory hot spots noted previously. For example:
• Consumer compliance and aML. Program managers must make a commitment to internal or third-party expertise to imbed the approved policies and procedures into products, services and daily operational activities to ensure the policies and procedures are carried out. Relevant tasks might include preparing customer
phase 2. execute the prepaid compliance program.
phase 1. Develop compliance policies and procedures.
