A Point of View on Bank Secrecy Act/AML Issues for Mobile Payments Law Seminars International Mobile Payment Systems September 9-10, 2013 Andrew J. Lorentz, Partner Washington, D.C. Office

Key issues and challenges Agenda Perspective Key issues and challenges Enforcement and regulatory trends Thanks. Great to here. 13th floor, 13th Street, at 13:30. Anybody notice? Why not Friday? It’s a thirteen this week… Started professional life in the intelligence business – 8 years in military and law enforcement intelligence Views here shaped by over 5 years launching mobile payment solutions with clients – mostly not successful – or watching them shy away

FDIC Deposit Insurance Anti-Money Laundering Compliance Bank Secrecy Act FDIC Deposit Insurance Anti-Money Laundering Compliance Data breach/security State Privacy and Security Statutes OFAC Truth in Savings Act Truth in Lending Act / Reg Z Truth in Billing Electronic Fund Transfer Act / Regulation E OFAC Reg D State Money Transmitter Laws Unfair, Deceptive or Abusive Acts and Practices Laws Gift card Card brand rules Durbin Amendment Bank Secrecy Act/AML are only ONE PART of the maze – you have two days on these issues - apologies to the telecoms lawyers for the bank lawyer bias obvious in this chart Identity-Theft Red Flags Regulation DD Regulation II Reg CC Regulation B Check 21 Gramm-Leach-Bliley Act E-SIGN Act TISA/Reg DD Fair Credit Reporting Act Escheat Business of banking / Deposit-Taking

Bank Secrecy Act/Anti-Money Laundering* Intent of the BSA/AML laws is to abate money laundering Major Provisions 3 R’s: Registration, Record-Keeping and Reporting Requires Anti-Money Laundering (“AML”) programs – the “Four Pillars” Criminalizes money laundering *(Lots) more (real) information on Paymentlawadvisor.com Ignoring state requirements – sometimes included in state MTLs, seem often to parallel Fed BSA rqmts – see David’s presentation on MTL The “Four Pillars” of AML Compliance Internal Controls: policies, procedures and controls reasonably designed to assure compliance Designated compliance officer Ongoing employee training program Independent Review - audit function to monitor and test programs

Bank Secrecy Act/Anti-Money Laundering Applies to “financial institutions” Types most relevant to mobile: Banks and other depository institutions Money Service Businesses (“MSBs”) AML criminal prohibitions apply more broadly MSB – characterization questions can be hard – are you one or not? Federal definitions narrower than state MTLs – Federal has narrower BSA/AML-only focus

BSA Compliance Summary Depository Institutions Money Transmitters Agents of Money Transmitters* Providers of Prepaid Access Sellers of Prepaid Access Registration X Records Reports SARs CTRs CMIRs Others AML Program These are the types of BSA entities we typically see in mobile payments solutions Other than depositories, all are sub-types of “Money Services Businesses” (“MSBs”) BIG EXCEPTION: Carrier billing and carrier billing aggregators generally not caught – see David’s presentation on sweep of MTLs though * Principals and agents may allocate responsibility but both are responsible for compliance.

Dispro-portionate impact PERSPECTIVE Dispro-portionate impact Risk-based – except for getting customers? Where roles unsettled – a game of compliance hot potato On small $ payments -- only one legal regime among many – single focus regulators and compliance, hits innovation hardest High stakes reputationally, criminal, conduct restrictions intrusive Disproportionate to risks and return on investments in these controls ($450K to finance 9/11 attack – from 9/11 Commission Report Compare to the real money laundering messes – see below Risk based but with prescriptive parts – impact on customer acquisition Compliance is pushed around among players – everybody hunkers down and doubles down – perversion of a risk-based regime that confuses picture further – why FinCEN was so concerned in the prepaid access rule to define the “provider of prepaid access” as the principal conduit of info to law enforcement Amusing – I thought every U.S. company with data worth having was a conduit of info to the USG now?

Mobile Potential PERSPECTIVE Physical retail outlets of carriers Pre-existing customer relationships More and better data (geo-location) Handset for authentication (“something you have”) Mobile Potential Tremendous promise of mobile to be less prone to abuse, add security to the system – here’s why

New Approaches Verification by carrier customer accounts Payfone’s “Mobile Authentication” leverages customer’s existing relationship with mobile carriers. Examples of aggregators exploiting that potential

New Approaches Prepaid accounts with mobile carriers Boku mobile carrier billing leverages SMS authentication for payments

Often both bank and MSB customer verification obligations triggered Customer Acquisition Often both bank and MSB customer verification obligations triggered Banks cannot formally rely on non-banks for CIP

Customer Acquisition Verification Requirements Must obtain identifying information when… What information? Depository institution “Formal banking relationship established to provide or engage in services….” Customer Identification Program (“CIP”) (name, address, ID #, DOB) Money Transmitter AML policy must provide for… “Verifying customer identification” Notice the money transmitter is the only type that remains “risk-based” Obligation to obtain this info creates friction in establishing accounts – no

Customer Acquisition Verification Requirements Must obtain identifying information when… What information? Provider of Prepaid Access A “person” “obtains prepaid access under a prepaid program” [even closed loop if > $2,000 per “vehicle or device” per day] Name, address, ID #, DOB (same as CIP) Seller of Prepaid Access A “person” “obtains prepaid access under a prepaid program,” or A “person” “obtains prepaid access to funds that exceed $10,000 during any one day”

EFFECTS Mobile environment is challenging for customer acquisition and verification Small form factor may introduce an inefficient or awkward registration process Interface may not be optimized for mobile Increased risk of abandoned accounts Disputes over ownership/use of customer information in new ecosystem Already hard – BSA makes it harder Info accessed, collected, etc. – tension between privacy, data rights and usage, and these ID verification obligations In ecosystem/deals, parties can find common ground in fraud control –

EFFECTS (Most) mobile payments solutions fit into defined boxes Prepaid, credit, debit Merchant aggregation Bewilderment as to who does what Overkill: Everybody is an MSB or acts like one Where does mobile carrier billing fit? Unpack solutions and you find very traditional stuff Flow of money into the solutions has not leveraged the huge carrier retail footprint – stuck with MTL and bank account inputs Dressing up aggregation of sub-merchants – reaching more merchants important but not revolutionary (watch underwriting!) Some new stuff: Money transmitter at POS (PayPal with Discover) Expansion of carrier billing(?) But mostly just better interfaces, reporting, simpler POS experience for buyers and merchants

Enforcement and regulatory trends FDIC, FinCEN, DoJ, $15MM civil money penalty, “death penalty” (terminated FDIC insurance, revoked charter) Activities at issue were those of third party payment processor customers of bank Bank failed to monitor and control RCC and ACH returns First Bank of Delaware (Nov. 2012) Return rates total of 60%, unauthorized over 5 and 8% (NACHA guideline is 1% for shutdown, average for 2010 was .03%)

Enforcement and regulatory trends Lessons Duty to police customer and activities of customer Customer’s customer… and so on Enforcement squeeze at bank level ripples down the compliance chain, to MSB customers of banks and beyond First Delaware part of a major enforcement sweep targeting payment processors and their banks Risks to banks and their officers (FIRREA liability) What we are seeing: Captive TPPPs/TPPPs that have same ownership as bad acting merchants e.g.. foreclosure and debt relief scams

Enforcement and regulatory trends FinCEN ANPRM on customer due diligence (CDD) (Mar. 5, 2012) Intended to “codify, clarify, consolidate, and strengthen existing CDD regulatory requirements and supervisory expectations, and establish a categorical requirement for financial institutions to identify beneficial ownership of their accountholders” Banks plus others covered – but not MSBs at this time So much for a risk-based regime? Bank risk committees Parallel development on regulatory side: Four parts to proposed rule: ID and verify (risk based verification) [FIRST DELAWARE] Understand nature of the account [FIRST DELAWARE] NEW!!! ID beneficial owners Monitor [FIRST DELAWARE] Common dilemma: how to file a SAR with no customer information?

Enforcement and regulatory trends HSBC Holdings (Dec. 2012) “HSBC is being held accountable for stunning failures of oversight – and worse – that led the bank to permit narcotics traffickers and others to launder hundreds of millions of dollars through HSBC subsidiaries…The level of dysfunction at HSBC for many years was astonishing.” $1.921 billion in forfeiture and fines –largest BSA penalty ever Changes to management, systems Must submit to ongoing monitoring

Enforcement and regulatory trends Remind me why mobile payments are so risky?

Enforcement and regulatory trends Digital currency company that facilitated money laundering Did no verification of its customers Allowed account to account transfers; funding and cash out only through “exchangers” added more anonymity 17 country takedown – “largest ever” Avowedly “illegal” activity 200,000 U.S. users 55 million transactions Laundered $6 billion Liberty Reserve (May 2013) “Exchangers” were generally unlicensed money transmitters in Russia, Nigeria, Malaysia, and Vietnam

Enforcement and regulatory trends Lessons Srsly?* Don’t be a crook Don’t be an idiot – this activity was not in the regulatory grey zone *“Bitcoin” and “srsly” were both added to the Oxford Dictionaries Online on Aug. 28, 2013. Coincidence? http://blog.oxforddictionaries.com/2013/08/new-words-august-2013/

Enforcement and regulatory trends FinCEN Virtual Currency Guidance (March 2013) “Exchangers” and “administrators” of “convertible virtual currency” are money transmitters “Virtual currency” is a medium of exchange that operates like currency in some environments, but does not have all the attributes of real currency “Convertible virtual currency” has an equivalent value in real currency, or acts as a substitute for real currency Bitcoin SecondLife Per FinCEN, “prepaid” is access to “funds or the value of funds” and hence something cannot be both “virtual currency”’ and “prepaid access” Encourage self-serving distinctions: monkey with “exchange” rate – is that enough? Prefer to consider SUBSTANCE rather than window dressing

Questions? Andrew Lorentz, Partner 202.973.4232 andrewlorentz@dwt.com

Disclaimer This presentation is a publication of Davis Wright Tremaine LLP. Our purpose in making this presentation is to inform our clients and friends of recent legal developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Attorney advertising. Prior results do not guarantee a similar outcome. Davis Wright Tremaine, the D logo, and Defining Success Together are registered trademarks of Davis Wright Tremaine LLP. © 2013 Davis Wright Tremaine LLP.