November 30, 2013

What’s in Your Wallet? Could it be the Department of Homeland Security?

Stephen T. Middlebrook

A hot topic in the financial services industry press is news that the Department of Homeland Security (DHS) has plans to stop certain people at the border and scan the payment cards in their wallets, check the cardholder’s balances and, in certain cases, seize the funds on the card. The initiative is related to regulatory changes proposed by the Financial Crimes Enforcement Network (FinCEN), the part of Treasury that oversees anti-money laundering regulations. 76 F.R. 64049 (October 17, 2011). FinCEN requires people crossing the border to declare if they are carrying more than $10,000 in “monetary instruments.” Monetary instrument is currently defined to include cash, traveler’s checks, certain negotiable instruments, and securities. Because law enforcement has concerns that prepaid cards are being used by criminals to launder money and move it out of the country, FinCEN has proposed adding prepaid cards, but not debit or credit cards, to the list of monetary instruments that must be declared at the border. 

Assessing the value of paper currency and negotiable instruments is relatively easy because the value appears on the face of the document. This is not true, however, for prepaid and other payment cards. To determine how much money is associated with a card, you must contact the financial institution that issued the card and query the current available balance. Consequently, verifying the value of a prepaid card at the border cannot be done independently by the border agent but requires the government to obtain information from the issuing financial institution. 

Homeland Security has acknowledged their new program in several documents as well as in meetings with the card networks, but we still don’t know much about how it will be implemented. DHS stated in a comment letter it filed regarding the FinCEN proposal that it plans to deploy hand held devices at the border to scan debit, credit, and prepaid cards and report back information about the cardholder’s account. In addition to cards, Homeland Security has suggested the FinCEN requirements should also apply to “cell phones, key fobs, or other tangible objects” that might possibly be tied to a prepaid account. In a procurement document seeking vendors of the card scanners, the department required the devices to also be able to read Near Field Communication (NFC) chips. Cell phone makers are starting to incorporate NFC technology into their products in order to facilitate mobile payments. DHS’s NFC requirement suggests it plans on scanning mobile phones as well as payment cards in order to obtain information about travelers from their financial institutions. DHS’s plan represents an unprecedented intrusion into individual privacy that raises serious and troubling legal questions for financial service providers as well as general businesses that use cards to pay wages to employees and for other purposes. This departure from current practice seems especially unwarranted given that the program will do little to combat the illegal movement of money across borders. 

The Money Laundering Risk is Small and Getting Smaller

Prepaid cards are similar to debit cards, but rather than being tied to a checking account, they draw funds from a prepaid balance placed with the issuer by the cardholder or a third party such as an employer or government agency. The cards can be used to make purchases at retailers and some also allow for access to cash at ATMs. Government and private employers have embraced prepaid cards as a way to pay benefits and wages while avoiding the expense and burden of cutting paper checks. 

For a number of years, law enforcement has expressed concern that prepaid cards could be used by criminals to launder the proceeds of illegal activity and remove it from the country, although no significant cases involving prepaid cards have been prosecuted. In response, both FinCEN and banking regulators have strengthened their rules regarding prepaid products and increased oversight of institutions that offer such products. In addition, banks, processors, and other entities involved in prepaid have significantly stepped up their anti-money laundering (AML) programs, adopting more stringent customer identification and transaction monitoring programs to prevent criminal use of their products. As a consequence, the risk potential for prepaid has been lowered significantly over the past few years. A January 2013 study by the Federal Reserve Bank of Atlanta reviewed a number of prepaid programs to evaluate the potential they could be used for money laundering and concluded: “Given both the regulatory and industry measures in place for mitigating money laundering risks associated with U.S.-issued GPR prepaid cards, these products are no longer the attractive instruments for money laundering that they once might have been.” While law enforcement may still have concerns about misuse, those fears have not materialized and the risk that prepaid cards will be used for money laundering purposes continues to decrease over time.

The Program Faces Significant Operational Issues

The FinCEN rules and DHS’s scanning program face operational hurdles which will make it difficult for them to achieve their intended goals. Lawyers familiar with how prepaid cards and mobile payments work have expressed skepticism that the FinCEN rule changes will actually detect any money laundering. A criminal who is sophisticated enough to move money out of the country using a prepaid card would be smart enough to get around the declaration requirement by copying the information from the magnetic stripe on the card to the memory of a computer, iPod, or other digital device, or by sending it over the Internet and then creating a duplicate card outside the country. Also, since DHS will be looking at balances at a single point in time, individuals could avoid detection simply by timing loads to the cards to occur after the border crossing. Ultimately, the new rule is unlikely to catch any criminals, but may very well entrap innocent law abiding citizens. The distinctions between credit, debit, and prepaid cards are not well understood by the general public and consequently we should expect the number of incorrect disclosures to be high. FinCEN’s requirement will undoubtedly result in both under and over reporting by confused cardholders. In addition, to make an accurate disclosure, the cardholder must know the exact balance on his or her card. While most prepaid programs allow cardholders to inquire about their balance through a phone call, over the Internet, or by text message, it isn’t clear that someone standing in line at the airport will always have the ability to obtain current information about his or her account. In the end, the reporting rule does not appear geared toward generating much information useful in preventing money laundering, but it may make unintentional criminals out of average citizens simply because they don’t know whether their payroll or government benefits card is technically a debit or prepaid product or that a deposit has been posted to their account since they last checked their balance. 

There is even greater concern with regard to whether the Homeland Security scanning program can be successfully implemented. While the FinCEN rule would add prepaid cards but not debit cards to the list of monetary instruments that must be disclosed at the border, as noted above, it is very hard to tell the two apart. The difficulty stems in part from a settlement agreement resolving antitrust claims brought by Wal-Mart and other retailers against Visa and MasterCard, which requires that both debit and prepaid cards be labeled “debit” on their face. In re Visa Check/MasterMoney Antitrust Litigation (CV-96-5238 E.D.NY). Even well trained border agents are apt to be confused. Homeland Security seems to understand this problem, because their plan is to ignore the distinctions and scan all payment cards – prepaid, debit, and perhaps even credit – and then see what information is generated. Consequently, while on the surface DHS’s plan appears only to impact prepaid cards, its negative effects will be felt by users of all types of payment cards. 

The card networks require a cardholder’s consent for most transactions, usually manifested by signing your name or entering your PIN. DHS, however, intends to submit card transactions without cardholder consent, which would violate the network rules. In order to seize the funds on the card, it appears DHS will initiate a standard point-of-sale purchase transaction which normally also requires the customer’s authorization. Presumably DHS will either have to force the cardholder to authorize the transaction with a signature or PIN or submit the transaction without permission – in either the case, the transaction will not be supported by voluntary consent and thus be of dubious legality. Under Regulation E, cardholders have a right to dispute unauthorized transactions, so the traveler who has had money seized at the border may very well contact the card issuer and demand that his or her money be returned. In a case like this involving an unauthorized transaction, the card issuer would typically refund the transaction amount to the cardholder and initiate a chargeback against the merchant to recover the funds. It seems unlikely that DHS will cooperate with the chargeback process, however, and the card issuer will be left to sort out the mess and probably take the hit on the loss. Lawyers for financial service providers should be prepared to advise their clients who may find themselves in this conundrum. 

It’s important to note that the card networks were built to allow cardholders to make purchases at participating merchants, not to allow the government to obtain information about its citizens. While the networks may support transactions that allow for a balance inquiry or a purchase, those transaction types were not designed for what Homeland Security wants to do and it is unclear if they will work as DHS expects. In other words, even if DHS successfully obtains financial data related to the card, that information may not mean what DHS thinks it means. Without more transparency from the government, it is not possible to determine if, or to what degree, the plan to scan cards at the border will produce meaningful information. 

The Program Will Harm Innocent People

The FinCEN reporting requirements will apply to everyone who carries a prepaid card across the border. Who are these people? One large category of prepaid users is recipients of state and federal benefits. In a 2012 report, the Federal Reserve Board found that 158 different federal, state, and local programs made approximately $100 billion in payments utilizing prepaid cards. Governments have increasingly switched to prepaid cards from checks to make benefit payments to unbanked recipients. The cards are faster, safer, and significantly cheaper, saving cash strapped agencies millions of dollars a year. The U.S. Treasury has been a leader in this area with its Direct Express card which is now used by over 4 million people to access their Social Security, VA, OPM, and other federal benefits. In addition, most states now deliver food and nutrition assistance, unemployment insurance, child support, and other government payments to recipients via prepaid cards. The DHS program will turn these millions of people into second class citizens at the border and subject them to extra rules and requirements simply because they receive Social Security benefits or some other government payment on a prepaid card. 

Prepaid cards are also popular with individuals who for whatever reason cannot or choose not to open a traditional bank account. This population tends to be younger, lower income, and disproportionately comprised of African-Americans, Hispanics, and recent immigrants. The National Urban League reports that over half of African-American households are either unbanked or underbanked and that 33 percent of black Americans use reloadable prepaid cards to manage their finances. There is a legitimate concern that DHS’s scanning program will be viewed as a tool to harass racial and ethnic minorities.. Businesses that use prepaid cards to pay wages and salaries should be prepared to answer employee questions about the DHS program and have a contingency plan in place should employees request to be paid with a more expensive and cumbersome check. 

While the FinCEN reporting requirement would apply only to prepaid cards, border agents have no reliable way to distinguish prepaid cards from other types and it appears they plan simply to scan all cards they encounter in a traveler’s physical wallet or stored in a digital wallet on their mobile phone. Consequently, while the reporting requirement only applies to users of prepaid products, Homeland Security appears prepared to use the rule to obtain financial information about practically everyone who crosses the border. 

DHS also intends to seize funds associated with prepaid cards it detects at the border. Presumably this power will primarily be used against prepaid cardholders who fail to make a correct disclosure under the FinCEN rule. As noted above, the distinctions between prepaid and debit cards are probably too nuanced for the general public to understand. Some people will not understand that the FinCEN reporting requirement applies to them and will fail to make a proper disclosure, thus subjecting themselves to seizure of their funds. While the possibility of this happening may seem remote, law enforcement has become increasingly aggressive with its seizure authority, the proceeds of which supplement strained agency budgets. More importantly, the people who are most likely to have their funds seized are among our most vulnerable people: senior citizens living on Social Security, workers out of a job receiving unemployment insurance, and single mothers for whom the state is collecting child support from non-custodial parents. Seizing the money that these people need to live on seems an overly severe punishment. Homeland Security should not have the authority to use asset forfeiture to enforce a confusing disclosure requirement. 

The Program Violates the Right to Financial Privacy Act

Homeland Security’s plan to scan payment cards at the border in order to obtain financial information about travelers also raises obvious concerns about privacy. In particular, the program appears to violate the Right to Financial Privacy Act (RFPA) which prohibits financial institutions from providing federal agencies with the financial records of a customer except in certain limited situations. Under that law, release of financial records is generally only permitted with the customer’s consent or if the agency obtains a warrant, court order, or subpoena and, even then, only after the customer has been notified of the disclosure and has had an opportunity to object. When DHS scans a card at the border, it is sending a request for balance information about the card to the financial institution that issued the card. Such a request is prohibited under RFPA unless the agency has obtained consent or a warrant, court order, or subpoena – none of which will be happening. A financial institution that discloses records in violation of the RFPA is subject to significant civil penalties. 

DHS takes the position that the RFPA does not apply to prepaid cards because they are not the same kind of account as a checking or savings account. Typically, when an issuer sets up a prepaid program, it opens an omnibus account which holds all of the funds for all of the cards in the program. The financial institution then creates sub-accounts within the omnibus account for each prepaid card it issues. This structure is used for ease of accounting and processing and the cardholder is generally unaware of and unaffected by it. DHS seems to think that this account versus sub-account distinction makes the RFPA inapplicable to prepaid. However, federal regulatory agencies that have looked at the question have concluded that despite their structural differences, there is no reason to treat prepaid cards and traditional bank products differently. For example, payroll cards, which are one type of prepaid card, are deemed to be accounts for purposes of Regulation E and the Electronic Funds Transfer Act. The Consumer Financial Protection Bureau has also proposed extending Regulation E to cover a broader range of prepaid products. Similarly, when the FDIC looked at whether deposit insurance was available to prepaid cards, it concluded that the funds underlying these products “are no different, in substance, than the funds underlying traditional access mechanisms.” Consequently, the FDIC extended coverage to prepaid cards that meet the general requirements for pass-through insurance. Financial regulators have not found the structural attributes unique to prepaid justify treating the cards differently from traditional account products which suggests that prepaid should also not be treated differently for RFPA purposes. 

More importantly, the U.S. Treasury’s Financial Management Service has concluded that the RFPA applies to Direct Express, its own prepaid product. Millions of Americans are currently using Direct Express to access their Social Security and other federal benefit payments. Treasury conducted a detailed analysis of the privacy issues that surround prepaid cards and, after consulting with regulatory agencies, consumer groups, Congress, and the general public, concluded that the RFPA does cover prepaid products. 

DHS’s position that RFPA does not protect prepaid is in direct conflict with the conclusions reached by the Treasury Department and is inconsistent with the views taken by federal financial regulators. Moreover, assuming RFPA does not apply to prepaid cards, it still applies to debit and credit cards and DHS’s plan is to scan all payment card types. Even if prepaid cards are not covered by RFPA, DHS would be acting contrary to the statute when it obtains financial records tied to other types of payment cards. No matter how you interpret the statute, Homeland Security’s program appears to have significant RFPA problems. 

In addition to problems it may create for the government, DHS’s RFPA violations will create substantial liability for card issuers. Every time a bank responds to a balance inquiry or transaction from DHS, it will be subjecting itself to civil liability to cardholders. The law allows customers whose financial records are improperly disclosed to recovery actual and punitive damages along with statutory damages of $100. That means every DHS transaction subjects issuers to financial loss even if the customer has no direct harm. If DHS limits the scanning of payment cards to a small percentage of the 350 million travelers it inspect each year, the potential liability could still be enormous. Facing this level of risk, financial institutions may consider taking steps to insulate themselves from liability for DHS’s legal violations. One option would be to modify card processing systems to identify and reject the illegal transactions. If a number of issuers choose to block DHS transactions in self-defense, however, the government’s scanning program would certainly be a failure. 


Homeland Security’s new program to stop individuals at the border in order to scan their payment cards, obtain information from their financial institutions, and potentially seize funds associated with the cards raises serious legal questions. It will invade the privacy of travelers and, in the process, violate federal law. Recipients of state and federal benefits along with other people who cannot afford a bank account will be called out at the border, subjected to additional scrutiny, and potentially turned into inadvertent law breakers. Financial institutions may incur significant liability because of the government’s illegal actions. Can these harms be justified for a program that is unlikely to identify or prevent significant amounts of money laundering? DHS should be required to address these legal and operational deficiencies before it moves forward with the program.




Stephen T. Middlebrook

Stephen T. Middlebrook is general counsel at FSV Payment Systems, Inc., in Jacksonville, Florida. The opinions expressed in this article are those of the author, and may not necessarily be shared or endorsed by his employer.