Not every company offering cards needs every document here. Whether a sample applies hinges on factors like whether the cards are for consumers or businesses, whether the cards are prepaid, and others. To help you determine which ones apply, we’ve included brief pointers below.
These samples are made available by Lithic, Inc. under a Creative Commons Attribution-NoDerivs 4.0 International License: https://creativecommons.org/licenses/by-nd/4.0/legalcode. You can use the samples for card programs, but must obtain Lithic’s prior consent if you wish to publicly share any modified versions.
️ The following is not legal advice and should only be used as starting precedents and operational best practices.
Each product and company is unique, and you should consult with an experienced lawyer licensed in the relevant jurisdiction(s) to tailor the agreement as needed.
Lithic does not assume responsibility for the contents of, or the consequence of using, any version of these documents or any other document found on our website. Lithic’s legal team knows many fintech lawyers and we’re happy to point Lithic customers to recommendations.
The Bank Secrecy Act (BSA) requires banks to have anti-money laundering (AML) programs that include written policies and procedures, internal controls, a compliance officer, and other requirements. Read more about BSA and AML requirements.
When a bank works with a fintech, the bank passes its obligations on to the partner company. As a result, fintechs need to have BSA policies.
Fintechs should have complaint policies in place to ensure the company expediently handles customer needs. This helps the company spot issues it may not be aware of and reduces the risk that issues get escalated to a level that poses regulatory or litigation risk.
The Electronic Fund Transfer Act (EFTA) and Regulation E govern consumer electronic fund transfers, other than credit. Practically, Regulation E covers debit and prepaid card transactions. One of Regulation E’s key requirements is that companies need to respond to transaction disputes.
Regulation E does not apply to commercial cardholders or credit products. Accordingly, fintechs that offer consumer debit and prepaid cards should have a Regulation E Dispute Policy.
Consumer and commercial lenders need to comply with fair lending laws, which generally prohibit credit discrimination based on race, gender, religion, and other protected attributes.
Consumer and commercial fintech companies should consider having marketing policies to ensure they’re not exposing themselves to regulatory or legal risk. Misleading materials or emails that don’t comply with CAN-SPAM, for example, can expose a company to scrutiny.
The FTC’s Red Flags Rule requires banks and certain creditors to have programs to identify identity theft red flags. These obligations often get passed through to fintechs that partner with such banks and creditors.
There are various federal and state laws that regulate how creditors can service and collect debt. Any consumer or commercial lender should have a collections and servicing policy to ensure they are compliant with these laws.
It’s best practice for consumer and commercial fintechs to have privacy policies, and such policies may be required under federal or state laws. The exact required contents of a policy depends on factors like where a company offers its products and whether it serves consumers.
Unfair, deceptive, and abusive acts and practices (UDAAPs) rules apply to consumer financial services providers, and unfair and deceptive acts and practices (UDAPs) rules apply to both consumer and commercial financial services. These two are often grouped together under the “UDAAP” name.
These rules generally target misleading or manipulative conduct. Fintechs offering consumer products often have UDAAP policies, while fintechs offering commercial products often have UDAP policies.
The type of agreement a company offering cards has with its cardholders depends on a few factors, such as:
- Is the cardholder a consumer or a business?
- Is the card prefunded (i.e., does the cardholder load funds into the program before a transaction is authorized)?
Card programs should generally use a consumer prepaid cardholder agreement when the program issues prepaid cards and the cardholder is a consumer and the card falls under the Prepaid Rule (as is typical when a cardholder prefunds a program before a transaction is authorized). This sample is not meant for payroll cards or government benefit cards.
In some card programs, the person using the card is an “authorized user,” or someone who is authorized to spend on the cardholders’ behalf. The prototypical example is a corporate spend card where employees are given cards to spend their employers’ funds for work purposes.
Consumer prepaid card programs need to provide both long and short-form disclosures to cardholders. These are both typically presented when a customer signs up and agrees to the cardholder agreement.
The short-form disclosure is typically a portion of a full page, so the layout and font are smaller (see the CFPB’s guide to the short-form disclosure for an example).
Card programs often need a host of other legal documents to get up and running. Below are some of the key ones, and when they apply.
Consumer card programs that wish to send communications to customers electronically generally must have their customers sign an E-SIGN Agreement.
If cardholders will fund a card program via ACH transfers from their bank account, the card issuer generally must obtain cardholders’ ACH authorization.
We will be expanding this collection. If you want to receive alerts when we add a new template, you can sign up for notifications. If you have any questions/feedback, or if you'd like to contribute to the library, please contact us at [email protected].
Updated 12 months ago