Guidelines on how to use equipment safely fall under the banner of due diligence.

The number of privately owned or operated ATMs has increased over the past few years. The reasons businesses and individuals own ATMs varies. The ATMs generate income for their owners and require little time to maintain. In addition, they are convenient for business’ customers to obtain cash.

The ATMs may be beneficial to their owners, but can mean increased risk to the Bank that serves the owner. There are few regulatory requirements for the owners so nearly anyone can own one or 100. There is increased money laundering risk associated with the machines. Money from illegal activities can be used to fill the machine, customers make withdrawals and clean money is sent to the ATM owner or operator via ACH deposits to settle the transactions.

Regulatory Guidance:

There is regulatory expectation to perform due diligence on all identified ATM owners or operators. The FFIEC BSA Examination Manual states Banks should implement policies and procedures to address risks associated with ISO (Independent Sales Organizations) customers. These policies and procedures should include appropriate due diligence and suspicious activity monitoring. At a minimum, they should include:

• Appropriate risk-based due diligence on the ISO, through a review of corporate documentation licenses, permits, contracts or references
• Review of public databases to identify potential problems or concerns with the ISO or principal owners
• Understanding the ISO’s controls for currency servicing arrangements for privately owned ATMs, including source of replenishment currency
• Documentation of the locations of privately owned ATMs and determination of the ISOs target geographic market
• Expected account activity, including currency withdrawals.
• Obtaining information from the ISO regarding due diligence on its sub-ISO arrangements, such as the number and location of the ATMs, transaction volume, dollar volume, and source of replenishment currency

Because of these risks, ISO due diligence beyond the minimum CIP requirements is important. Banks should also perform due diligence on ATM owners and sub-ISOs, as appropriate. This due diligence may include:

• Reviewing corporate documentation, licenses, permits, contracts, or references, including the ATM transaction provider contract
• Reviewing public databases for information on the ATM owners
• Obtaining the addresses of all ATM locations, ascertain the types of businesses in which the ATMs are located, and identify targeted demographics
• Determining expected ATM activity levels, including currency withdrawals
• Ascertaining the sources of currency for the ATMs by reviewing copies of armored car contracts, lending agreements or any other documentation, as appropriate

So what does that mean? Banks should develop and implement a process to identify ATM owners and obtain sufficient due diligence information to enable them to risk rate the customer and implement a monitoring system.

 Identifying ATM Owners or Operators

The first step for managing ATM owners or operators is to identify which customers have privately owned or operated ATMs. There should be a process to identify them for existing customers as well as at account opening. At account opening the CIP checklist should include a way to identify those customers that have privately owned ATMs such as inquiring of the customer. There should be a process to identify ATM owners for existing customers.

The easiest method to do this is to review ACH reports for transactions coming from known ATM servicers. For example, FDRetail ATM, RBS, Worldpay, Coredata, FirstData, Datastream, Elan FS, Cash Depot, Cardtronics, CDS, EFUNDS, SWITCH, Metabank, Innobeta, MVNT and FDC Star System. If any customers are receiving ACH credits from these originators, the customer is likely an ATM owner/operator. Another method is to visit customers who are more likely to have an ATM onsite, such as bars, restaurants, gas stations/convenience stores, and bowling alleys. If they have on onsite, you will need to inquire who owns or operates the ATM.

Due Diligence for ATM Owners or Operators

Once the Bank has identified an ATM owner or operator, it should obtain additional information to gain an understanding about the ISO or sub-ISO as well as the ATM owner/operator. The most efficient way to obtain the information is to contact the customer directly to obtain the following information:

In addition to obtaining information about the ISO or sub-ISO, the Bank should gain an understanding of the ATM owner’s procedures. The following information should be obtained:

• Total numbers of ATMs owned or operated and location of each
• How the ATMs are replenished (i.e., withdrawal from account, armored car or third party performs, store proceeds, etc.)
• How often the ATM is replenished
• Name of the ISO or ATM network they have contracted with
• Copy of the contract
• The account number the ATM transactions flow through, if unknown

Once this information is obtained, the Bank should do a review of public databases to determine if there are any issues with the ISO or principal owners. This can be accomplished via a web search.

Activity Monitoring

After sufficient information is obtained, the Bank should implement a process to monitor the accounts of the ATM owners. The information obtained during the due diligence process should enable the Bank to determine the amount of monitoring necessary as well as how often. Monitoring ATM owners will not necessarily be a one size fits all.

Monitoring should include a review of all activity as well as ATM activity. If the activity that flows in and out of an account is related only to ATM activity, the monitoring is relatively easy. The amount of debits (cash withdrawals) and credits (reimbursement for transactions) should correlate. Any large variances should be further investigated to determine if it appears reasonable and appropriate.

Monitoring is difficult if more than ATM activity flows through the account, but can still be accomplished by comparing ACH credits to cash withdrawals. If the customer replenishes the ATMs with store proceeds, the monitoring is more difficult, but should still be performed. If it is an existing customer who has recently obtained an ATM, the amount of cash deposits should be decreased because the cash is going into the ATM. The amount of ACH credits related to the ATM should be reasonable given the type of business the customer has.

The risks associated with ATM owners or operators can vary from customer to customer, but must be addressed. Once the expected activity is determined, the monitoring can be accomplished by comparing current activity to the normal activity. Any variances should be further investigated and documented. The frequency of monitoring should be determined by the identified risks as well as the risk appetite of the Bank. To satisfy regulatory expectations, the monitoring procedures and the actual monitoring performed should be documented.