We continue our series on the legal and regulatory challenges facing individual coverage health reimbursement arrangements (ICHRAs); this time, we are focusing on the fintech-related requirements that may apply to ICHRA vendors. In part one of our series, we summarized an array of health benefit plan and third party administrator compliance requirements with a brief mention of money transmission considerations. In part two, we further explored other health benefit plan compliance issues as well as tax and insurance agency topics. In part three (this article), we explore an array of financial services laws and regulations that may apply to many ICHRA vendor activities, many of which may surprise you.
OVERVIEW
Some ICHRA vendors see themselves as merely the administrators of a simple employee benefit, striving to provide excellent user experiences, streamlined processes, and robust healthcare benefit administration services. So why would financial services laws and regulations apply to them? The simple answer is that those user experiences, streamlined processes, and benefit administration services nearly always involve a financial component, whether it's processing or facilitating payments and/or handling financial data.
Innovative technology solutions and the companies that provide them, like ICHRA vendors, are growing in popularity across industries. Usually, these technologies sit between a traditional merchant/company (e.g., store, employer) and a consumer, or between a traditional financial institution (e.g., bank, insurance carrier) and a consumer. However, the legal and regulatory frameworks that apply to payments, financial data, and other financial services activities continue to apply to those ICHRA-related activities and those engaging in them, and financial regulators can often view those activities quite broadly. Additionally, by placing themselves in the middle of what might have otherwise been a traditional two-party transaction (e.g., employer-consumer, bank-consumer), ICHRA vendors may trigger additional financial regulatory requirements related to money transmission.
APPLICABLE LAWS
Money Services Business (MSB), Money Transmission
Generally, money transmission means the acceptance and transmission of funds from one person to another location or person by any means. Money transmission is regulated at the federal and state levels. At the federal level, a business engaged in money transmission may be considered a money services business (MSB) under the Bank Secrecy Act and its implementing regulations (collectively, the BSA). MSBs may have to register with the Financial Crimes Enforcement Network (FinCEN) and may be required to maintain a robust anti-money laundering (AML) compliance program. State law is similar, with some form of money transmission licensure required in every state, and generally similar definitions of money transmission or MSB.
Under the BSA, several exemptions could apply to an ICHRA vendor for federal MSB registration, depending on the scope and structure of their money movement activities. Unfortunately, the exemptions available at the state level are fewer and vary state-to-state.
Anti-Money Laundering, Know Your Customer, Customer Identification Program
The BSA and state laws require MSBs to maintain robust AML compliance programs, which involve, among other things, extensive policies and procedures, transaction reporting to federal and state governmental authorities, and annual independent AML compliance reviews. The BSA also requires MSBs to comply with Customer Identification Program (CIP) and Know Your Customer (KYC) requirements when onboarding new customers and monitoring customer transaction activities throughout the relationship.
Payment Rules
Businesses that use or facilitate certain types of payment methods may be subject to laws or rules applicable to those payment methods.
Payment Cards
Any company that accepts payments via card (credit or debit), serves as a payment processor, stores cardholder data, or handles cardholder data in any way is required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), which is a set of information security standards designed to maintain a secure environment and mitigate card payment fraud and data breaches.
Businesses accepting or processing card payments must also adhere to rules established by the card networks (e.g., Visa, Mastercard) as well as federal and state laws related to credit card surcharges and related fees.
Electronic Fund Transfers & Automated Clearing House (ACH)
Payments may be in the form of electronic fund transfer or ACH. Nacha, previously known as the National Automated Clearinghouse Association, runs the ACH network and has Operating Rules with which anyone conducting ACH transactions will need to comply. Additionally, if any electronic transfers involve debiting or crediting a consumer's bank account, the company will need to ensure such transfers comply with the Electronic Fund Transfer Act and its Regulation E.
Gramm-Leach-Bliley Act (GLBA)
The GLBA is a financial privacy law that requires financial institutions – defined broadly as companies that offer consumers financial products or services, including insurance and payment related activities – to safeguard nonpublic personal information with a comprehensive data security program and to provide certain privacy notices. It is important to understand that GLBA protections apply not only to financial institutions, but also may apply to data that originated from financial institutions, such as payment information.
Lender Status
In some instances, an ICHRA vendor may advance its own funds to a carrier to cover an employer's obligation for employees in order to mitigate lapses in insurance coverage. While mitigating risk in the insurance space, ICHRA vendors could be unknowingly increasing their risk in the lending space. "Credit" under both federal and state law is broadly defined and typically means the right granted by a person to another person to defer payment of a debt, or to incur debt and defer its payment. When an ICHRA vendor advances funds on the employer's behalf and defers the employer's payment obligation, the arrangement may qualify as credit in some states and would trigger lending licenses or interest rate considerations, particularly if this practice is a regular occurrence.
Industry Alert – Increasing Expectations from Banks for BSA/AML Requirements
BSA and AML are highly regulated areas. Even if ICHRA vendors are not independently required to maintain their own BSA/AML compliance programs, partner banks may nonetheless contractually require ICHRA vendors to comply with several components of the BSA/AML requirements applicable to banks. Many of the due diligence and other compliance requirements ICHRA vendors have seen when onboarding with a new bank are driven by the bank's BSA/AML requirements.
We are seeing increased expectations and scrutiny from bank partners, including onerous independent audits of a FinTech's BSA/AML program at onboarding and annually thereafter, which are extremely time-consuming and costly. It is important for ICHRA vendors to evaluate their compliance programs, as we expect more oversight not only from the banks but also from state regulators.