Bank Secrecy Act
Privately Owned Automated Teller Machines—Overview
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with privately owned automated teller machines (ATM) and Independent Sales Organization (ISO) relationships, and management’s ability to implement effective due diligence, monitoring, and reporting systems.
Privately owned ATMs are particularly susceptible to money laundering and fraud. Operators of these ATMs are often included within the definition of an ISO.204
Privately owned ATMs are typically found in convenience stores, bars, restaurants, grocery stores, or check cashing establishments. Some ISOs are large-scale operators, but many privately owned ATMs are owned by the proprietors of the establishments in which they are located. Most dispense currency, but some dispense only a paper receipt (scrip) that the customer exchanges for currency or goods. Fees and surcharges for withdrawals, coupled with additional business generated by customer access to an ATM, make the operation of a privately owned ATM profitable.
ISOs link their ATMs to an ATM transaction network. The ATM network routes transaction data to the customer’s bank to debit the customer’s account and ultimately credit the ISO’s account, which could be located at a bank anywhere in the world. Payments to the ISO’s account are typically made through the automated clearing house (ACH) system. Additional information on types of retail payment systems is available in the FFIEC Information Technology Examination Handbook.205
Some electronic funds transfers (EFT) or point-of-sale (POS) networks require an ISO to be sponsored by a member of the network (sponsoring bank). The sponsoring bank and the ISO are subject to all network rules. The sponsoring bank is also charged with ensuring the ISO abides by all network rules. Therefore, the sponsoring bank should conduct proper due diligence on the ISO and maintain adequate documentation to ensure that the sponsored ISO complies with all network rules.
Most states do not currently register, limit ownership, monitor, or examine privately owned ATMs or their ISOs.206 the provider of the ATM transaction network and the sponsoring bank should be conducting adequate due diligence on the ISO, actual practices may vary. Furthermore, the provider may not be aware of ATM or ISO ownership changes after an ATM contract has already been established. As a result, many privately owned ATMs have been involved in, or are susceptible to, money laundering schemes, identity theft, outright theft of the ATM currency, and fraud. Consequently, privately owned ATMs and their ISOs pose increased risk and should be treated accordingly by banks doing business with them.
Due diligence becomes more of a challenge when ISOs sell ATMs to, or subcontract with, third- and fourth-level companies ("sub-ISOs") whose existence may be unknown to the sponsoring bank. When an ISO contracts with or sells ATMs to sub-ISOs, the sponsoring bank may not know who actually owns the ATM. Accordingly, sub-ISOs may own and operate ATMs that remain virtually invisible to the sponsoring bank.
Some privately owned ATMs are managed by a vault currency servicer that provides armored car currency delivery, replenishes the ATM with currency, and arranges for insurance against theft and damage. Many ISOs, however, manage and maintain their own machines, including the replenishment of currency. Banks may also provide currency to ISOs under a lending agreement, which exposes those banks to various risks, including reputation and credit risk.
Money laundering can occur through privately owned ATMs when an ATM is replenished with illicit currency that is subsequently withdrawn by legitimate customers. This process results in ACH deposits to the ISO’s account that appear as legitimate business transactions. Consequently, all three phases of money laundering (placement, layering, and integration) can occur simultaneously. Money launderers may also collude with merchants and previously legitimate ISOs to provide illicit currency to the ATMs at a discount.
Banks should implement appropriate policies, procedures, and processes, including appropriate due diligence and suspicious activity monitoring, to address risks with ISO customers. At a minimum, these policies, procedures, and processes should include:
- Appropriate risk-based due diligence on the ISO, through a review of corporate documentation, licenses, permits, contracts, or references.
- Review of public databases to identify potential problems or concerns with the ISO or principal owners.
- Understanding the ISO’s controls for currency servicing arrangements for privately owned ATMs, including source of replenishment currency.
- Documentation of the locations of privately owned ATMs and determination of the ISO’s target geographic market.
- Expected account activity, including currency withdrawals.
Because of these risks, ISO due diligence beyond the minimum CIP requirements is important. Banks should also perform due diligence on ATM owners and sub-ISOs, as appropriate. This due diligence may include:
- Reviewing corporate documentation, licenses, permits, contracts, or references, including the ATM transaction provider contract.
- Reviewing public databases for information on the ATM owners.
- Obtaining the addresses of all ATM locations, ascertain the types of businesses in which the ATMs are located, and identify targeted demographics.
- Determining expected ATM activity levels, including currency withdrawals.
- Ascertaining the sources of currency for the ATMs by reviewing copies of armored car contracts, lending arrangements, or any other documentation, as appropriate.
- Obtaining information from the ISO regarding due diligence on its sub-ISO arrangements, such as the number and location of the ATMs, transaction volume, dollar volume, and source of replenishment currency.