OCC 96-48 Subject: Stored Value Card Systems Description: Information for Bankers and Examiners To: Chief Executive Officers of all National Banks, Department and Division Heads, and all Examining Personnel Purpose The purpose of this bulletin is to provide basic information about emerging stored value card systems, and to outline their associated risks so that bankers can make informed decisions about whether and how to become involved in such systems. The bulletin is not intended to establish policy requirements on how banks must manage these risks. Rather, it provides basic information to assist banks in fulfilling their responsibility to identify and manage risks as they become involved in stored value systems. To that end, this document presents a definition of stored value cards and describes stored value card systems that are emerging. It also outlines the various functions and roles that banks can play in stored value card systems. Like credit and debit cards, stored value cards are likely to become major products for some banks. However, as with any financial product, stored value cards present risks to participants. This bulletin describes the risks banks may face in investing or participating in stored value card systems based upon the risk categories of OCC's Supervision by Risk program. Finally, the document raises basic consumer awareness issues. Background and Definitions Electronic cash can be stored in several forms: directly on a central computer, on individual personal computers (PCs), or on a stored value card. Although some potential risks associated with electronic cash are the same no matter how it is stored and delivered, certain risk exposures vary depending on the delivery channel selected. This bulletin will focus on the stored value card delivery channel. The term stored value card typically refers to a card either with a magnetic stripe or with a computer chip that is charged with a fixed amount of economic claims or value that can be "spent" or transferred to individuals and/or merchants in a manner that is similar to spending paper money or coins. Depending on the particular system adopted by the vendor, stored value cards can operate more like debit cards or more like the functional equivalent of electronic cash. Electronic cash refers to stored value represented by a digital computer code that consumers use for payments processed through a computerized financial network. A consumer executes these payments using a stored value card in conjunction with a personal computer, an automatic teller machine (ATM), a television cable connection, an enhanced telephone, or some other form of telecommunications equipment. When the consumer spends electronic cash with a merchant, the point of sale (POS) device "collects" the appropriate amount for the merchant, deducting electronic cash from the stored value card. The merchant then can redeem the accumulated electronic cash from the POS device for currency or a credit to a deposit account. Although debit transactions also can be processed electronically, electronic debit transactions should not be confused with true electronic cash transactions. The distinction between stored value and debit transactions is significant because, although similar in some respects, they can present different regulatory and supervisory issues. A debit card is used to access an account, in order to withdraw or transfer funds from or to existing accounts. Consumers accomplish these withdrawals or transfers either through ATMs or POS devices. Although these cards have magnetic stripes that contain account information, there is no value stored directly on the card as is the case with stored value cards. The distinction between debit and stored value cards, as noted above, can be fuzzy depending on the system adopted by the vendor; moreover, it should be noted that some systems will offer multi-function cards that can enable a consumer to perform payments by electronic cash, by debit or by drawing on a credit line. A smart card is a plastic card with an embedded computer chip that looks like a credit card. Smart cards may be used as stored value cards. Depending on the capacity of the integrated circuit, the smart card may hold limited information, or may have the ability to perform more complex computing functions. For stored value smart cards, an electronic device is used to read the existing value of electronic cash and to load (add) or deduct electronic cash stored on computer chip. Smart cards, functioning as stored value cards, can operate within existing and future technologies for example, retro-fitted ATMs, augmented telephones such as screen phones and smart phones, electronic purses (stand alone dedicated devices), or PCs. Stored value cards may be disposable or reloadable. Disposable cards store a one-time fixed amount of electronic cash. Reloadable cards generally store electronic cash on a computer chip and interface with special loading devices that allow a consumer to load electronic cash on the card. Each system could have specific features such as limits on the amount of electronic cash that can be stored or cards that expire after some established time period. Finally, stored value card systems may be loosely characterized as either "closed" or "open" systems. In a pure closed system, the stored value card is accepted only by a single merchant or entity. Among other functions, closed stored value card systems are used to pay for public transportation and telephone calls. The issuer distributes the cards to customers of a single merchant and redeems all payments. In contrast, an open system may have one or more electronic cash issuers of stored value cards that are accepted by multiple merchants. These systems require a valid payment systems network for collecting and processing the electronic cash payments received by merchants. In one respect, most stored value card systems, whether open or closed, function like bank debit or credit card systems; the electronic cash can only be "spent" with a merchant and must be presented to the issuer for redemption. However, some more complex stored value card systems permit transfer of electronic cash from one storage device to another without restrictions. These are called purse-to-purse systems because the electronic cash can move from one consumer electronic purse to another. In such systems, the electronic cash is allowed to circulate for an indefinite period before it is presented back to the issuer for redemption. Risks in Stored Value Card Systems This section identifies the risks that arise in connection with specific functions and roles that banks can perform in stored value card systems. These risk categories are based upon the OCC's Supervision by Risk program and are more fully described in the appendix section attached to this document. National banks may perform or have performed for them one or more of the functions in stored value card systems, each with a specific structure and level of risk. A bank can be involved in stored value systems as an investor or as a non-investor participant. A bank also can perform the function of electronic cash issuer, i.e., the institution that creates electronic cash. The same bank can also act as distributor and redeemer of electronic cash, selling stored value cards to consumers and contracting with merchants to convert their electronic cash into currency or a deposit account balance. In most stored value card systems, transactions will be processed at the point of sale by an electronic device without further authorization. In the few stored value systems designed to require individual transaction authorization, however, a bank may perform the function of transaction authorizer. If electronic cash issued by one bank (one entity) is accepted by a merchant that contracts with another bank, or series of banks, then banks can function as a clearinghouse to settle such transactions. Finally, in electronic cash systems, some bank or entity will probably maintain a transaction archive for error resolution, fraud, or counterfeit detection. A bank should be clear as to who bears the responsibility at each stage of an electronic cash transaction. Thus far, transactional rules for some electronic cash systems are not well established by current law. Accordingly, in many important respects, the transactional rules for such systems must be established by contract. For example, contracts might specify which party is liable for: malfunctioning cards, lost cards, operational errors, and counterfeit electronic cash or stored value cards. Where this occurs, the bank should be sure that it has a valid and clear contract with the relevant parties. For this reason, banks should consider the risks that arise as a result of relying on contracts entered into solely through electronic communications. Risks in Specific Functions and Roles Investing banks: An investing bank is a bank that has an equity stake in a stored value system. As such, the bank incurs a strategic risk that the venture will not perform well or fail and thus cause the bank to lose its investment. The scope of any additional potential liability, however, depends on contractual obligations undertaken by the bank, the type of entity in which the bank invests, and how the entity conducts the stored value operations. Generally, the ownership structure, if properly designed and implemented, can shield the investing bank from liability under the laws that limit liability for owners of corporations and limited liability companies. Issuing banks: An issuing bank is the obligor for its electronic cash. The issuing bank sells electronic cash directly to consumers, or contracts the selling function to another firm. When the issuer sells its electronic cash directly to consumers, it is essentially selling bank liabilities to its customers. The issuer takes the proceeds from the sale of electronic cash and invests or holds the proceeds until the electronic cash is presented to the issuer for redemption. The issuer of electronic cash is exposed to a number of risks related to its development and operation of the stored value card system (i.e., strategic, transaction, compliance, and reputation risk) as well as risks associated with its ownership of electronic cash and investing proceeds from the sale of electronic cash (i.e., credit, liquidity, interest rate, and foreign exchange risk). The investment policy of the issuer should dictate the extent of credit, liquidity, and interest rate risk exposure of the bank. If the portfolio includes any foreign securities, exposure to foreign exchange risk exists. Please refer to the appendix section of this document for a more detailed description of these risk categories. Distributing banks: Any bank that distributes or sells electronic cash on stored value cards, whether it is an issuer, is exposed to transaction, compliance, reputation, credit, and liquidity risk. The transaction risk of a distributor can result from errors in the distribution process. Transaction risk may be increased because existing commercial law standards were not developed with stored value technology in mind, and some of the basic commercial law rules for stored value transactions have yet to be established. Thus, well conceived contracts setting out the rights and obligations of the parties are important considerations for effective risk management of this area. Compliance risk is present because as a distributor the bank may be the primary contact for consumers and, thus, is responsible for distributing necessary disclosures and (in some systems) for initiating an error resolution process. See the Consumer Awareness section of this bulletin for additional discussion of the compliance risks for distributing stored value cards. Reputation risk involves the bank's exposure to litigation, financial loss, or damage to its reputation resulting from customer dissatisfaction or adverse public reaction to any aspect of the stored value card product. The potential for credit risk exposure arises from accepting payment for electronic cash from consumers in a form other than cash or a deposit of the distributing bank. Liquidity risk exposures may result from any delays in converting payments to currency or a deposit account balance. o Distributing banks as selling agent: In some systems, non-issuing banks have a role that is similar to their role in distributing travelers checks. They do not take title to the electronic cash, but instead act as agent on behalf of the issuing entity, selling the issuer's electronic cash to customers. In this role, the risk exposure to the bank is limited since the bank does not have ownership of the electronic cash. The primary risks to the bank are transaction and compliance risk. In some systems, the banks, as agents, will control the process for loading the electronic cash (digital computer code) onto the stored value card on behalf of the issuer. Since this process creates an obligation of the issuer, the bank will be responsible for ensuring that appropriate controls are in place for safeguarding the computer hardware and software used in this process. Distributing agent banks also can incur a risk of being obligated to the electronic cash purchaser if they fail to disclose fully to purchasers their true and limited function regarding the electronic cash. This can occur if a distributing agent bank places its name on a stored value card and fails to make it clear to a purchaser of electronic cash that the bank is not obligated on the electronic cash. For example, if the distributing agent bank fails to inform the purchaser (i.e., consumer) that it is acting as the agent of the issuer, a consumer might seek to hold the agent bank obligated on the electronic cash under a legal theory which imputes the liability of a principal to an agent that has caused others to reasonably believe that the supposed agent was acting as a principal. Appropriate disclosures will help to control these risks. o Distributing banks as underwriters: In other systems, non-issuing banks purchase the electronic cash from an issuer and then re-sell the electronic cash to their customers. These bank underwriters take title to the electronic cash and hold it until resale or until redemption with the issuer. Since the bank takes ownership of the electronic cash, it incurs (in addition to the risks identified for the distributing agent bank) a credit risk vis-a-vis the issuer, i.e., the risk that the issuer will default on its obligation to redeem the electronic cash. Transaction authorizing banks: In some stored value card systems, merchants will require authorization before accepting electronic cash to ensure that it is valid. This is similar to credit card systems where a merchant communicates, through the bank card network, with the issuing bank before accepting a credit card payment. Banks that authorize the exchange of electronic cash for goods and services are exposed to transaction risk. Controls need to be in place to ensure the accuracy of the banks' information. Banks that do not have adequate controls over data integrity run the risk that they will incur liability for the improper authorization of transactions. An authorizing bank should also ensure adequate system capacity and recoverability, so that transactions are consistently authorized on a timely basis. Redeeming banks: In all open stored value systems, holders of electronic cash will be able to convert electronic cash to currency or funds added to a bank deposit account. Banks act as redeemer when they receive electronic cash from merchants for redemption. Redeeming banks incur risks associated with their roles as collection agents or as principal. o Redeeming banks as collection agents: In some systems, banks have a redemption role similar to their role in the check collection process. In that capacity, banks are not required to purchase or redeem the electronic cash for merchants, but instead act as their collecting agent by presenting the electronic cash to the issuer for payment and then crediting the merchants' accounts with the funds received. The bank does not take title to the electronic cash as part of the collection process and therefore avoids the risks associated with owning the electronic cash. Nevertheless, banks acting as collecting agent will have an obligation to merchants to make proper and effective presentment; this obligation subjects them to transaction risk. Moreover, if the bank grants the merchant provisional credit on the redeemed electronic cash pending settlement, the bank incurs a credit risk to the merchant that may be realized if the issuer defaults and the bank is unable to charge back the merchant's account. o Redeeming banks as principal: In other systems, participating banks are obligated to act as principal and redeem electronic cash by purchasing the electronic cash from merchants, thereby taking title and exposing them to all of the risks associated with ownership. Upon purchase, the bank may either hold the electronic cash for resale to merchants or redeem it with the issuer. Clearing and settling banks: Clearing and settling a payment transaction requires transmitting both information and funds through a valid payment systems network. Banks involved in clearing and settlement may be continuing a role they undertook as redeemer for their customers or, alternatively, they may accept that role on behalf of other banks and act as an intermediary in the process through which the electronic cash is presented to the issuer for payment. Clearing and settling banks may be exposed to transaction, credit, liquidity, and foreign exchange risk. The applicability of these risk categories is similar to those same risks as described under Issuing and Distributing banks. Also, please refer to the appendix section of this document for a more detailed description of these risk categories. In electronic cash systems with a single issuer, minimal processing is needed for settlement because the collecting banks need only present all the electronic cash to the single issuer. After the electronic cash is presented to the issuer, the issuer redeems the electronic cash, sending the proceeds or funds to the clearing banks. The subsequent action by the clearing bank will depend on whether it has redeemed the electronic cash as principal or as agent. If acting as principal, the bank will retain the proceeds or permit the issuer to retain the proceeds to offset obligations that the bank owes to the issuer. If the bank has acted as agent, it will forward the proceeds to the appropriate consumers and merchants. In multiple issuer systems, redeeming banks will usually need to use some clearinghouse mechanism to have the electronic cash presented to the appropriate issuer for payment. In such systems, electronic cash transactions likely would clear through the existing bank clearinghouse network. Bank members to the clearinghouse likely would incur the same types of risks of member failure that they incur in other clearing house arrangements. (Refer to OCC Banking Circular 271 (May 1993) for a detailed discussion of risks associated with clearinghouses.) Banks that participate in the clearing and settlement process potentially also are exposed to risks that vary depending upon whether they act as principal or agent. Banks that act as principal and therefore take title to electronic cash as part of the clearing process are exposed to the additional risks (i.e., transaction and credit risk) associated with ownership of the electronic cash. Agent banks that do not take title to the electronic cash are exposed to transaction risk. They may incur liability to their customers if they fail to process items for clearing and settlement on a timely basis. The banks' credit risk is limited to the risk that the clearinghouse will fail. Transaction archiving banks: There are two types of record keeping or archiving systems. In the first, a central system archives records of each transaction on a given stored value card separately, as it is executed. These systems are fully auditable. The second system records each transaction, but in batch form, merchant-by-merchant (electronic cash recipients). Although it would be possible to establish an audit trail for an individual stored value card under the second type of system, it would result in greater costs. Both kinds of record keeping systems can be used to settle disputes between consumers, merchants, and participating banks. They also could be used by the government to investigate suspected crimes. The transaction archiving role can expose the bank to transaction, reputation, and compliance risk. Transaction risk results from problems with data integrity that can lead to losses from the inability to resolve errors accurately, to identify patterns of fraud, or to recognize counterfeit electronic cash. Reputation risk may arise from public criticism of a bank's improper or incompetent handling of customer information or complaints. Compliance risk may arise if records do not conform to applicable federal or state consumer regulations, particularly those imposing obligations to safeguard confidential information. Consumer Awareness Stored value cards are new products that may outwardly resemble some existing debit and credit card products. However, stored value cards function differently from debit and credit card products and can expose customers to different risks. For this reason, it important for banks to take appropriate steps to adequately inform consumers of their rights and responsibilities when using stored value cards. To do so, banks will need to keep informed of regulatory developments in this area. In 1994, the Federal Reserve Board (FRB) issued a proposal to simplify and update Regulation E. In that proposal, the FRB indicated that smart cards (defined as plastic cards that have the capacity to either compute or communicate information) would be subject to Regulation E if the cards are used to access a customer account. As a result of several issues raised during and after the public comment period, the FRB is now proposing another amendment to Regulation E. [See 61 Federal Register 19696 (May 2, 1996).] Additionally, the Federal Deposit Insurance Corporation (FDIC) recently issued a legal opinion on the extent to which funds underlying stored value cards may be considered to be deposits covered by federal deposit insurance. [See FDIC General Counsel's Opinion No. 8, 61 Federal Register 40490 (August 2, 1996).] The opinion holds that stored value (electronic cash) issued by banks will be insured if the funds underlying the electronic cash remain in a customer's account until it is transferred to a merchant or other third party, who in turn collects the funds from the customer's bank. However, bank-issued electronic cash does not result in an insured deposit when the underlying funds are placed in a reserve or general liability account held by the issuing bank to pay merchants and other payees as they make claims for payments. Electronic cash issued by nonbanks will not be insured even if distributed or sold by banks. The OCC encourages banks to consider the basic disclosures needed for stored value cards they distribute. Among others, banks should consider the following topics when deciding how to adequately inform consumers: o How to use the card. o Where and how the consumer can increase the value on the card. o Whether the electronic cash earns interest, dividends, or any other return. o Where, how, and when the electronic cash can be redeemed. o All fees charged in connection with obtaining or using the card or the electronic cash stored on it. o The name of the entity that issues the electronic cash and its obligation to redeem it. o Whether the consumer is protected in case of a lost or stolen card. o Whether the amount of the electronic cash transferred to the card is insured by the FDIC. o Where does liability lie if a transaction is not properly consummated. o What happens to electronic cash that is abandoned or expires under the terms of the agreement. o How consumers can resolve disputes involving electronic cash transactions. o The circumstances under which information on a consumer's electronic cash transactions may be disclosed to third parties. If a bank sells electronic cash stored on media other than a stored value card (i.e., a computer hard disk), it should consider similar disclosures appropriate to those electronic cash devices. Questions regarding this bulletin should be directed to the Chief National Bank Examiner's Office at (202) 874-5190. _______________________ Jimmy F. Barton Chief National Bank Examiner September 10, 1996 Appendix Appendix Description of General Risks in Stored Value Card Systems Banks involved in stored value systems are exposed to a variety of risks. While the exact nature of that risk exposure depends on the design of the specific system and upon the precise role or roles the bank assumes, the general types of risks common to such systems are described here. These are the same risk categories that are provided in the OCC's Supervision by Risk program. Descriptions of credit and interest rate risk are taken verbatim from the Comptroller's Handbook section on Bank Supervision Process. The other applicable risk descriptions have been altered to focus on the environment for stored value card systems. In all cases, each risk is presented based on its impact to capital and earnings. The primary risks for banks participating in stored value systems are transaction, strategic, reputation, and compliance. Transaction risk: Transaction risk is a function of the adequacy of internal controls, data integrity, transaction rules, employee performance, and operating processes in stored value card systems. Maintaining data integrity is extremely important as it determines the fundamental reliability of data or information. Information systems should provide timely, accurate, and secure data in order to prevent errors and maintain customer satisfaction. Without adequate staff and good internal controls over electronic cash system operations, a bank can leave itself open to potential fraud and costly disruptions in operations. Internal control systems should provide proper access, authorization, and accountability for processing transactions. Effective controls, audit coverage, and other preventive measures should be in place to deter or minimize the impact of fraud, counterfeiting, and other improper activities. Proper contingency planning with appropriate back-up facilities should be considered to ensure timely restoration of operations and continuity of business activity. Transaction risk also can arise from disputes or uncertainty over the transactional rules that apply to payment systems. Strategic risk: Strategic risk is a function of the compatibility of an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against those goals, and the quality of implementation. The design, development, and implementation of a stored value card system is a complicated process. Proper product design and pricing are critical to success. If banks do not properly anticipate consumer and merchant behavior for small value transactions, for example, this product may not be widely accepted. Losses also may accrue if the company fails to develop and implement cost-effective point of sale devices and software systems to load and unload the value from the cards. Banks that do not have the expertise to design and service the necessary hardware and therefore decide to contract out for such services may be exposed to risks from poorly conceived contracts for outsourced services, partnership agreements, and other alliances. Failure to integrate the stored value card system into other bank operations could cause an otherwise successful business plan to fail. The technical hardware and software design should successfully support the stored value card system and be compatible with existing or planned bank systems. Lack of standardization in electronic cash processing, data communication, and transaction security could prevent banks from achieving the volume of business necessary to make stored value card systems viable. Reputation risk: Reputation risk arises from negative public opinion. For any new product, the reputation of the bank that markets the product is at risk. For example, if a bank provides a stored value card product and subsequently the issuer of the stored value becomes insolvent and defaults, the bank may experience substantial damage to its reputation. Any malfunctions or security breaches that occur also may contribute to reputation risk. There also are risks resulting from potentially of adverse media coverage associated with a brand name. Customer dissatisfaction with the product due to misinformation, lack of information, or failure to resolve problems related to use of the product could result in litigation or adverse publicity that would damage a bank's reputation and subject it to liability. Compliance risk: Compliance risk arises from violation of, or non- conformance with laws, rules, regulations, prescribed practices, or ethical standards. Stored value systems need to be sufficiently flexible to adapt to a changing regulatory environment because many issues that could cause compliance risk have yet to be resolved. For example, the applicability of consumer protection laws and regulations to stored value card transactions is under review. The Federal Reserve Board (FRB) is in the process of amending Regulation E and has yet to decide how other federal consumer regulations will apply to stored value card systems. Also, the application of the Bank Secrecy Act to such systems is not clear. Finally, states may assert authority over stored value card systems. Thus, for example, banks involved in stored value systems should consider the applicability of state escheat and money transmitter laws. Even without specific regulatory guidance, issuing banks will need to give consumers basic information about how to use the stored value card. Also, banks will need to be prepared to address consumer questions about electronic cash such as whether electronic cash on stored value cards is federally insured (like deposits) and whether the consumer is exposed to loss if the issuer becomes insolvent or if the card is lost or stolen. (See the Consumer Awareness section of this document for more information.) Credit risk: Credit risk arises from an obligor's failure to meet the terms of any contract with the bank or otherwise fail to perform as agreed. Credit risk is found in all activities where success depends on counter-party, issuer, or borrower performance. It arises any time bank funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet. Credit risk is the most recognizable risk associated with banking. This definition, however, encompasses more than the traditional definition for lending activities. Credit risk also arises in conjunction with a broad range of bank activities, including selecting investment portfolio product, derivatives trading partners, or foreign exchange counter-parties. Credit risk also arises due to country or sovereign exposure, as well as indirectly through guarantor performance. In electronic cash systems, a bank that purchases electronic cash from an issuer and then resells it to its customers incurs risk i.e., the risk that the issuer may default on its obligations to redeem the electronic cash. Liquidity risk: This risk originates from an inability to meet obligations as they come due without incurring unacceptable losses. Banks that issue electronic cash will be responsible for holding and investing the funds used to purchase electronic cash. Such banks should take into account liquidity risk since some investments may not be easily converted to meet redemption demands without incurring unacceptable losses. Interest rate risk: Interest rate risk arises from movements in interest rates. The economic perspective focuses on the value of the bank in today's interest rate environment and the sensitivity of that value to changes in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (repricing risk); from changing rate relationships among different yield curves affecting bank activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest-related options embedded in bank products (options risk). The evaluation of interest rate risk must consider the impact of complex, illiquid hedging strategies or products, and the potential impact on fee income which is sensitive to changes in interest rates. In those situations where trading is separately managed, this refers to structural positions and not trading portfolios. The assessment of interest rate risk should consider risk from both an accounting perspective (i.e., the effect on the bank's accrual earnings) and the economic perspective (i.e., the effect on the market value of the bank's portfolio equity). Issuers of electronic cash may face interest rate risk on the portfolio of investments they hold to provide a pool of funds to redeem their circulating electronic cash. Foreign exchange risk: This risk is found in cross-border investing and operating activities. Foreign exchange risk arises from accrual accounts denominated in foreign currency, including loans, deposits, and equity investments. Banks may choose to accept foreign currencies in payment for electronic cash or structure stored value card systems that accept multiple currencies. In both instances, the bank may be exposed to the risk associated with fluctuations of foreign exchange rates. It should therefore ensure that it possesses the necessary expertise, such as the ability to conduct ongoing revaluations of currency, before it accepts foreign currency transactions.