Bank Secrecy Act
Privately Owned Automated Teller Machines
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with privately owned automated teller machines (ATM) and Independent Sales Organization (ISO) relationships, and management’s ability to implement effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to privately owned ATM accounts. Evaluate the adequacy of the policies, procedures, and processes given the bank’s privately owned ATM and ISO relationships and the risk they present. Assess whether the controls are adequate to reasonably protect the bank from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank effectively identifies and monitors privately owned ATM accounts.
3. Determine whether the bank’s system for monitoring privately owned ATM accounts for suspicious activities, and for reporting suspicious activities, is adequate given the bank’s size, complexity, location, and types of customer relationships.
4. Determine whether the bank sponsors network membership for ISOs. If the bank is a sponsoring bank, review contractual agreements with networks and the ISOs to determine whether due diligence procedures and controls are designed to ensure that ISOs are in compliance with network rules. Determine whether the bank obtains information from the ISO regarding due diligence on its sub-ISO arrangements.
5. On the basis of the bank’s risk assessment of its privately owned ATM and ISO relationships, as well as prior examination and audit reports, select a sample of privately owned ATM accounts. From the sample selected, perform the following examination procedures:
- Review the bank’s CDD information. Determine whether the information adequately verifies the ISO’s identity and describes its:
  - Source of funds.
  - Anticipated activity or transaction types and levels (e.g., funds transfers).
  - ATMs (size and location).
  - Currency delivery arrangement, if applicable.
- Review any MIS reports the bank uses to monitor ISO accounts. Determine whether the flow of funds or expected activity is consistent with the CDD information.
6. Determine whether a sponsored ISO uses third-party providers or servicers to load currency, maintain ATMs, or solicit merchant locations. If yes, review a sample of third-party service agreements for proper due diligence and control procedures.
7. On the basis of examination procedures completed, including transaction testing, form a conclusion about the adequacy of policies, procedures, and processes associated with ISOs.