
The Integrated Market for HSAs:

Regulatory Challenges and Opportunities

Paul Verberne and Devon Devine


©2007 the HSA Bank® division of Webster Bank, N.A.1

Executive Summary

Several factors combine to make regulatory burden a key competitive factor for new entrants
in the health savings account marketplace. First, the HSA marketplace is available to a diverse
group of service providers – a certain amount of regulatory arbitrage is possible as new
entrants strategize about how to best compete. Second, it has become apparent that a key
competitive metric will be the level of integration between these players. As the marketplace
becomes more crowded, integration options proliferate. Integrated relationships between
service providers ultimately act as a multiplier, however, on the regulatory burden that any
single player would otherwise face. Regulatory risk significantly impacts the strategies that
market entrants will evaluate. Relationships with established administrators who have
committed to absorb these costs will lower barriers to market entry and provide opportunity
for profit and enhanced customer loyalty.

1 The authors are in-house counsel at Webster Bank’s HSA Bank® division in Sheboygan, Wisconsin. This document
may be copied and distributed freely provided that it is not modified in any way and the copyright notice is not
removed. It may not be sold for profit or used in commercial documents without the written permission of the
copyright holder. This article is provided “as is” without any written, express or implied warranty. While all
information in this article is believed to be correct at the time of writing, this article is for educational purposes only
and does not purport to provide legal advice. If you require legal advice, you should consult your attorney.

Introduction

The multiplier effect between integration and regulatory burden is an important factor to
consider for banks planning their entrance to the HSA marketplace. It is also an important
question for other stakeholders (carriers, third party administrators, software companies,
nonbank administrators) looking for a bank partner with which to go to market with an
integrated HSA services offering. Increasing levels and complexity of integration result in
increased regulatory burden, which ultimately effects a high cost of entry to the market. See
Figure 1.

Figure 1. Combined Cost of Integration and Regulation
[Figure not reproduced. Labels: Cost of Offering; Level of Integration; Regulatory Multipliers; scale: Low, Medium, High.]

Integration in the HSA Marketplace

IRS regulations permit a range of institutions to serve as custodian or trustee of health savings
accounts.2 Banks and insurance companies are qualified via the Internal Revenue Code to
serve; additionally, other types of institutions may qualify by petitioning the IRS to be certified
as a nonbank trustee.3 Forty-two percent of HSA trustee/custodians are publicly held.4 Banks
predominate, holding over 82% of accounts.5 In many cases, however, the bank is only
providing a back-office function.6 In these cases, a nonbank administrator is likely to provide
customer service and other elements of the offering that can justify taking the lion’s share of
fee revenue generated by the account.7 The nonbank administrator may maintain the book of
record for individuals’ HSAs, where the bank holds the actual funds in a single omnibus
account8 in the name of the nonbank administrator.

Three approaches to the HSA services market can be defined: highly integrated, non-
integrated, and federated integration. In a highly integrated offering, the HSA custodian or
trustee provides a comprehensive package of services to the customer; these customers consist
of both consumers who own the HSA accounts and employers who sponsor the employees’
HSA programs as a part of their benefits offering. The consumers receive multi-featured
interest-bearing checking accounts, and employers receive cash management services such as
direct deposit from a corporate account to consumers’ HSAs. Additionally, an integrated
offering could include joint marketing with a carrier providing high-deductible health plans, a
third party administrator (TPA) providing wellness services, and/or a software company
providing a “multi-purse” payroll benefits card to access the HSA alongside other employee
benefit accounts (transportation, limited benefit FSA, etc.). Exante Bank, which jointly
markets itself with United Healthcare (a carrier), provides an example of such a highly-integrated
offering.

2 Medicare Prescription Drug, Improvement, and Modernization Act of 2003, codified at 26 USC 223 (d)(1)(B)
3 http://www.aishealth.com/ConsumerDirected/CDdata/HSA_Company_Percent.html
4 http://www.aishealth.com/ConsumerDirected/CDdata/HSA_Ownership.html
5 http://www.aishealth.com/ConsumerDirected/CDdata/HSA_Company_Percent.html
6 See, e.g., FDIC’s approval of such arrangements. (2/1/06 staff counsel opinion from FDIC senior counsel to
Farmers & Merchants State Bank, Blooming Prairie, Minnesota).
7 From 2001-2006, HSA Bank served as the “back-office” for a third party administrator which provided limited
administrative services but charged a maintenance fee significantly greater than HSA Bank’s maintenance fee for
the accounts.
8 12 CFR §330.7 permits individuals’ HSAs to be insured despite being combined in an omnibus account at the
actual custodial bank. See, e.g., 2/1/06 staff counsel opinion from FDIC senior counsel to Farmers & Merchants
State Bank, Blooming Prairie, Minnesota.

In the non-integrated approach to HSA administration, the custodian or trustee provides an
account in which to store funds, but little else. Some custodians, for example, do not
necessarily provide debit cards and checks to access the funds.9 As the term “non-integrated”
suggests, these institutions’ offerings are also not integrated with health plans, TPAs, software
companies, or other partners. Most community banks offering HSAs provide non-integrated
HSAs.

Finally, some banks follow a federated integration model. HSA Bank, for example, pursues
joint marketing with 69 relationships and supports two external debit card platforms
independent of its own debit card offering. The relationships that refer business to HSA Bank,
however, tend to request increasingly complex feature sets. A consortium of carriers
collectively covering 4.5 million lives has asked for integrated claims payment solutions which
include access to account funds and data,10 and a leading tax service software company has
asked for bill-pay functionality – both of which require HSA Bank to invest in additional
technologies, and integrate external technology solutions to broaden and strengthen its
alliances with other service providers.

9 A leading provider of individual health plans, for example, acts as custodian on certain HSAs without providing
debit cards, checks, or other features that would typically exist on a transaction account for accessing funds.
10 Integrated settlement allows the carrier to access consumers’ HSA funds in order to more quickly process
providers’ claims.

Research and independent commentary suggest that a highly-integrated HSA offering provides
the most benefit for all stakeholders. According to DiamondCluster International, a
consultancy, a “tight partnership” between banks and other providers of integrated HSA
services “improves efficiency and customer experience.”11 Aon Consulting also advises that
“the integrated approach to offering an HSA/HRA with the insurance plans supports claims
processing, accuracy and member convenience.”12 Commentators like Lynette DeWitt of the
Financial Research Corporation project that the market will witness “an increased number of
partnerships with multiple preferred partners or even complete unbundling due to
participant/employee preference.”13 According to Ms. DeWitt, “providers and employers with
the most flexible HDHP/HSA options (allowing complete freedom of HSA provider) while
still funding the HSA will win market share.”14 However, the costs of building the
infrastructure to support this model are significant, and as integration becomes more complex,
so does compliance with the regulatory environment to which HSAs are subject.

Regulatory Costs Associated with Integrated Offerings

The core factor determining regulatory impact of integration is the type of ownership structure
(and charter, if applicable). If a large nonbank player seeks to set up a bank subsidiary, the type
of bank charter chosen will determine whether the parent company is subject to examination
by banking regulators. Moreover, if an HSA custodian has a traditional bank charter, the
question of state versus national charter will determine the likelihood that its banking regulator
requires strict compliance with certain “guidance” that has tremendous impact on integrated
offerings. Finally, public versus private ownership will determine the applicability and
attendant costs of Sarbanes-Oxley reporting requirements, and therefore the costs of control
considerations relevant to integrated relationships.

11 http://www.diamondconsultants.com/PublicSite/ideas/perspectives/downloads/HSA%20Diamond%20Single.pdf
12 http://www.aon.com/us/busi/hc_consulting/employee_benefits_cons/health_welfare/rb_impact_of_cdh.pdf
13 HSA TrendWatch2Q06, August, 2006. Published by Financial Research Corporation. Available for fee at
http://www.frcnet.com/frc_home.asp
14 Id.

The Bank Holding Company Act

The Blue Cross Blue Shield Association (BCBSA) announced its intention to build its own
bank division to service HSAs in 2005.15 BCBSA initially applied for a Utah Industrial Loan
Company (ILC) charter16, but opposition from the ABA, consumer groups, and members of
Congress prompted the FDIC to place a moratorium on approval of such charters.17 The
opposition was directed primarily at Wal-Mart, but the BCBSA Bank was caught in the
crossfire, and BCBSA ultimately opted for a Federal Savings Bank charter. Doubtless the
BCBSA Bank will be a competitor in the HSA marketplace, but BCBSA’s willingness to spend
3 years and countless legal fees dealing with preliminary bank charter issues suggests that the
Bank Holding Company Act was an important consideration.

Other sophisticated entrants to the HSA marketplace have also taken pains to establish
themselves as ILC-chartered institutions. Wellpoint, the nation’s largest health carrier, is
pursuing an ILC despite the recent extension of the FDIC moratorium on insurance for
ILCs.18 United Health Care (UHC) established Exante, its bank for HSAs, as an ILC.

BCBSA, WellPoint, and UHC all could have set up a more typical bank charter, either with a
state charter or a national charter. The advantage permitted by forming an ILC is that the
parent company is exempt from the Bank Holding Company Act. Therefore the ILC’s parent
company is exempt from examination by banking regulators.19 While the purpose of such an
examination would not extend beyond ensuring that proper controls exist to ensure that ILC
capital is properly segregated from commercial ventures within the parent company, the
players seeking to establish HSA ILCs apparently found that even narrowly defined regulatory
scrutiny is worth fighting to avoid.

15 AIS Report on Blue Cross and Blue Shield Plans, January 2007. Available at
http://www.aishealth.com/SampleIssues/sampleblu.pdf
16 An ILC is a state-chartered bank which has the unique distinction of allowing ownership by a nonbank
corporation without requiring the corporation’s compliance with the Bank Holding Company Act.
17 http://www.americanbanker.com/article.html?id=2007021380TVQ5VW&from=washregu
18 ICDC 2/23/07 “Blues Bank Could Hold $500 Million in HSA Deposits in 5 Years”.
19 Industrial Loan Companies/Banks and the Separation of Banking and Commerce: Legislative and Regulatory
Perspectives. At 10.

State-chartered Banks and Regulatory Impact
State banks have a long history of experimenting outside the bounds of the standard practices
of national banks.20 Interest-bearing checking accounts (“NOW” accounts), for example, were
only offered by a handful of New England state banks prior to 1982. Permissiveness by state
banking regulators tends to allow “evaluation of the feasibility of new activities on a small
scale.”21 Given that HSA-related product offerings legally came into existence in 2003, those
competitors with state charters have seen and will continue to see an advantage.

The history of HSA Bank shows how the state regulatory regime facilitated certain state banks
quickly establishing themselves as leaders in the experimental market for Medical Savings
Accounts (MSAs). In 1997, the year that legislation permitting MSAs became effective, HSA
Bank had 13 such accounts. As a small bank located in a rural community of 3000 people,
HSA Bank’s risk profile was relatively low, and therefore it was able to experiment with MSAs
in the absence of extensive regulatory burden. By 2005, when HSA Bank converted to a
federal charter, it had 100,000 HSAs. This early lead put HSA Bank ahead of “big bank”
administrators with significantly more resources to devote to such projects. However, the
regulatory burden faced by big banks was also that many times greater.

20 Harding de C. Williams, Federal Banking Law and Regulations, at 21.
21 Id.

Nationally-chartered Banks and Regulatory Impact
Part I – The New Activity Process

The nationally-chartered banks for which the OCC is the primary regulator tend to be more
cautious about experimenting in new markets. While some nationally-chartered banks offer
innovative HSA services, the national banks are hampered in their ability to build innovative
offerings in-house, which results from a combination of enhanced scrutiny and a lack of bright
line regulatory guidance surrounding the HSA product. UMB Financial Corp. N.A., for
example, attributes its doubling of HSA deposits between 2005 and 2006 to a line-of-credit
tied to its HSAs.22 When UMB looked for a product differentiator, it looked to a partnership
with a nonbank service provider to develop its line of credit functionality.23 According to First
Data Corp, which developed the line of credit offering used by UMB, the key challenges in
developing the product were regulatory hurdles.24 Only by partnering with a nonbank was
UMB able to accelerate its product feature speed to market.

Because national banks regulated by the OCC face a unique challenge in developing new
products in house, these banks are likely to either partner or cede first-to-market advantages to
state banks and nonbank administrators. In 2004 the OCC released official guidance that
requires increased bureaucratization of product development processes.25 Bulletin 2004-20
states that banks must ensure that the board of directors “clearly understand the rationale for
offering the product or service.” In an era where the New York Stock Exchange (NYSE)
requires the majority of the Board to be independent, board education and evaluation slows
speed to market. While not all publicly traded companies are listed on the NYSE, large
publicly traded financial institutions tend to choose the NYSE above other exchanges. Figure 3,
page 7, illustrates this multiplicative effect upon those companies subject to overlapping
regulations. Moreover, in the current regulatory environment, managers of national banks
tend to interpret the additional Bulletin 2004-20 requirement of “consulting relevant
functional areas” broadly.26 If tangentially involved internal stakeholders are considered
“relevant”, this broad standard affords diverse groups of stakeholders an opportunity to hold
up the vetting of the new product.

22 American Banker Online, 4/2/07, by Matt Ackerman
23 Id.
24 Robyn Bartlett-Andersen, the general manager of health care services for First Data Corp., as quoted in
American Banker 4/2/07. "This [line of credit] is something a lot of competitors are trying to get, but the
regulatory hurdles have been difficult to get over," she said. "We were told by the IRS that we were on the right
track."
25 Bulletin 2004-20 (Risk Management of New, Expanded, or Modified Bank Products and Services)
26 Id.

Nationally-chartered Banks and Regulatory Impact
Part II – Discretionary Authority

Banking regulators other than the OCC incorporate the principles of Bulletin 2004-20 into
requirements imposed on the banks they regulate. Because banks regulated by the OCC
tend to be bigger banks, however, the aggregate cost of compliance across a large organization
is greater. First, the regulators have greater justification for enforcing the guidance more
strictly against big banks. The ostensible purpose of the guidance is to prevent bank failures.
Big bank failures are proportionately worse than small bank failures, both in terms of the
number of individuals affected and in terms of risk to the banking system as a whole. The
50-state network of state-regulated banks, running in parallel to the nationally regulated
system, would likely be more resilient to bank failure. Second, smaller
banks are less likely to suffer from balkanization of internal stakeholder interests and therefore
less likely to suffer from hold out problems associated with the vetting process.

In addition to having incentives to enforce guidance more strictly than other regulators, the
OCC has demonstrated a tendency to enforce the guidance of other regulatory bodies more
strictly in recent years. The Federal Financial Institutions Examination Council (FFIEC), for
example, is an interagency body (which includes OCC representation) that prescribes its own
guidance. The OCC tends to use the discretion afforded it by Congress to enforce FFIEC
guidance strictly.27

While UMB, an OCC Bank, has been successful with outsourcing development of innovative
HSA services, as described earlier, outsourcing is not always an end-run around the controls
that the OCC requires for development of new products and services. First, OCC guidance on
new activities (Bulletin 2004-20) expressly applies to activities involving third parties. Second,
separate OCC guidance covers third party relationships, and the required controls, in detail in
Bulletin 2001-47.

27 The OCC required many national banks to comply with the FFIEC’s guidance on “Authentication in an Internet
Banking Environment” by 1/1/07, whereas many state banks are still noncompliant as of publication of this paper.

Overlapping SOX

Attempts to outsource new activities are particularly burdensome for those OCC banks that
also happen to be public companies. See Figure 3, page 7, showing the effects of overlapping
regulatory regimes upon banks. Public accounting firms have interpreted SOX Rule 404 to
require that any outsourced control be examined with rigor equal to or greater than that
applied to internal controls. Perhaps not surprisingly,28 accounting firms have encouraged
public companies to require vendors to provide SAS-70 reports. The public company and the
accounting firm must then identify and test the user control considerations specified in the
vendor’s SAS-70. In order to limit liability, the user control considerations are often worded
quite broadly, causing public companies’ documentation of Rule 404 controls to be lengthy,
complex, and expensive.

All public companies experience increased costs associated with Rule 404, but in a new
industry like that for HSA services, barriers to outsourcing are of particular concern. The
vendors for outsourced services in a new industry tend to be new, and therefore incapable of
providing the test data required for accounting firms to sign off on a complete SAS-70.

The “World Is Flat” concept popularized by Thomas Friedman holds that outsourcing is
critical in order to grow market share in nascent industries. Friedman describes how with
outsourcing options available, “the big question became, How do I get my entrepreneurs and
their new companies to a point where they were breaking even or profitable sooner…the
answer many firms came up with was: I better start outsourcing as many functions as I can
from the beginning.”29 Because the public companies and the national banks seeking to
integrate HSA services are limited in their ability to outsource, it takes longer to achieve
returns on integration. See Figure 4, which shows the relatively flat return on investment in the
near term for integrated offerings.

28 SAS-70 reports must be created by an accounting firm, and typically cost at least $10,000-$20,000, depending
on the size of the client.
29 Quote from Promod Haque, venture capitalist and former head of Lucent Technologies, 112. Excerpted from
The World is Flat, Thomas Friedman, 2005.

Nothing unique about the handoff between banking, insurance, and administrative services
related to HSAs stands in the way of the economics of outsourcing. The HSA services
industry, like financial services in general, is “seeing standards emerging around payroll, e-
commerce payment, and risk profiling … and most important, around how supply chains are
connected. All of these standards, on top of work flow software, help enable work to be
broken apart, reassembled, and made to flow, without friction, back and forth between the
most efficient producers.”30 The fact that the regulatory environment for banks and public
companies may reverse that economic logic is an important consideration for firms looking to
either enter or partner in the HSA marketplace.

30 Quote from Joel Cawley, IBM’s Vice President of Corporate Strategy, 79. Excerpted from The World is Flat,
Thomas Friedman, 2005.

Returns to Scale

Although larger companies in the HSA services market tend to be publicly owned and/or
nationally regulated,31 these companies are better able to absorb the up-front costs associated
with developing regulation-compliant integrated offerings.32 Regulatory hindrances to
launching integrated offerings impose extensive costs to the design of new products. Unlike
traditional banking, in which a single banking platform can be purchased, the integrated
market at this early stage requires constantly adding connectivity with new third parties. For
small banks, it will be more difficult to recoup the ongoing costs of such integration.
Commentators on the integration between banks and various other service providers describe
Webster Bank, which holds the most HSA deposits, as “small” for the HSA arena, despite
being a top 50 U.S. bank.33

The challenge for these “small” banks is to obtain a critical mass of integrated services. UMB,
another “small” bank leader, has pinned its success as a small bank to its ability to offer
expanded HSA capabilities despite its size, by partnering with FirstData to offer a line of credit
tied to the HSA.34 In the words of Dennis Triplett, the unit’s president, “HSAs are not just a
deposit product.”35 Banks and other firms offering HSA services must look to partner with a
wide range of businesses to obtain market share.

The up-front costs of integration are relatively high. The value of integration stems from
tapping into new distribution channels and referral sources. Initial dollars spent on integration
yield little revenue. Only with continued investment of time and money will marginal revenues
exceed the marginal costs of additional integration. HSAs are already a low revenue, low
margin financial product. A profitable model can only be built with significant account volume
to offset integration costs. There are currently over 1600 HSA custodians vying for those
deposits, however.36

31 http://www.aishealth.com/ConsumerDirected/CDdata/HSA_Ownership.html
32 But see, contra, American Banker, 4/2/07 ("To be honest, I think bigger banks are going to have a tougher time
breaking into the HSA space than the smaller banks, because their goals are so much bigger," Mr. Mazzella
[director of Information Strategies] said.)
33 American Banker Online, 4/2/07, by Matt Ackermann
34 Id
35 Id
36 Id

Conclusion
Given that market size projections are limited and numerous players already have a vested
interest,37 opportunities for revenue growth are less significant than consultancies predict.
There will be two types of winners in the HSA space: those players who offer a
stripped-down product as a loss-leader for other services, and those who invest in the
infrastructure to meet both complex integration and regulatory compliance requirements and
build a large account volume. Neither case is a short-term gain proposition. In the stripped-
down approach, ongoing relationship management will be key to ensuring that HSAs offered
as a loss-leader translate into profit. In the high-volume approach, subject matter expertise
must be allocated to mitigating regulatory and technology risk. In both cases, players must be
committed to building the infrastructure and willing to invest long-term to realize the benefits
of this new market. Evidence shows, however, that federated integration brings a middle
ground – best-of-breed HSA services to customers and low-cost market access to new
entrants. Banks who specialize in HSA administration, for example, can provide other banks
with a full-featured account and revenue share without interfering with primary customer
relationships. So long as relationships are structured to minimize the potential multiplier
effect of regulatory burden, players can be viewed as network participants rather than strictly
as competitors.

37 The most aggressive predictions for HSA asset growth call for less than $110B by 2010 (Financial Research
Corporation). There are already over 1600 custodial institutions competing for these deposits (American Banker
Online, Ackerman, 4/2/07), meaning that best case, the average per-provider deposit volume is less than $70MM
over the next 3 years.

Appendix 1 – BSA/AML/USAPA/OFAC Regulations

Regulation: Customer Identification Program (CIP)
Requirements: Collection and verification of customer information. “Customer” is broadly defined.
Unique difficulty posed to integrated CDH: Given that HSAs are at the nexus of insurance, investments, benefits administration, and banking, the custodian must go to great lengths to “know” the broad range of stakeholders involved with the HSA. This is particularly challenging in an electronic banking environment, or where a third party, such as an employer or TPA, seeks to be an intermediary between the HSA custodian and the other stakeholders. These third parties must consent to HSA using credit bureau records to verify the third party’s identities.
Employers, carriers, TPAs, and software companies that provide “front-end” of enrollment perceive this verification obligation to be burden. Given that HSA custodian typically does not have face-to-face relationship with customers, bank must rely on verification via credit bureau records. According to the credit bureaus, over 20% of customers cannot be authenticated, leading to the need for custodian to contact customer for documentation to further verify identity. Custodian staff doing this follow-up must be trained in order to allay consumers’ fears about privacy issues arising from the documentation requirements. Alternatively, employer can be involved in the authentication process, but must receive appropriate permissions from employees in order to provide required documentation to the custodian.

Regulation: Enhanced Due Diligence
Unique difficulty posed to integrated CDH: Payroll cards are considered “high risk”, requiring intensive monitoring. http://www.occ.treas.gov/bsa/pages_manual/OLM_061.htm. In order to accomplish monitoring, high degree of integration is required, giving rise to privacy risks and IT risks.

Appendix 2 – Miscellaneous Banking Regulations

Regulation: Reg D
Requirements: Transaction accounts require extra reserve withholding
Unique difficulty posed to integrated CDH: Tough to tell which members of a given group will be spenders versus savers. Regulator-approved models to minimize reserve requirements for parsing transaction accounts from savings accounts have not yet been developed.

Regulation: Reg E, Reg DD, Reg CC
Requirements: Account terms must be communicated to customers prior to and throughout life of account
Unique difficulty posed to integrated CDH: Employers, carriers, TPAs, and software companies that provide “front-end” of enrollment perceive disclosure obligation to be burden. Extension of document management system to third party intermediaries and resellers is required if any account terms are changed.

Regulation: Reg P
Requirements: Permission must be gained from consumers to disclose any personally identifiable information.
Unique difficulty posed to integrated CDH: The natural unique identifier on which to map integrated systems is SSN. Alternate identifier or customer permission must be sought. Moreover, the simple fact that someone is a customer is protected information.

Regulation: Esign Act
Requirements: In order for consumers to receive bank disclosures electronically, consumers must consent in a manner that demonstrates their ability to receive the disclosures electronically
Unique difficulty posed to integrated CDH: Electronic and online enrollment methods must be mixed with paper processes if the consumers do not have personal internet access.

Regulation: NACHA rules
Requirements: ACH transactions must be processed according to certain timelines and formats. Underwriting is required to control credit risk.
Unique difficulty posed to integrated CDH: Small employers or insured groups inexperienced with ACH file formats must be educated by the HSA custodian. Due to NACHA timelines, HSA custodian must provide staff to reformat files correctly to maintain strong relationships with these groups, or else be forced to return contributions. Underwriting standards must be developed with actuarial knowledge of contribution patterns and spending patterns of market segment demographic.
