Resource Documents Board of Governors of the Federal Reserve System Federal Deposit Insurance Corporation National Credit Union Administration Office of the Comptroller of the Currency Office of Thrift Supervision Financial Crimes Enforcement Network Office of Foreign Assets Control

Examination Procedures Core Procedures Expanded Procedures

Bank Secrecy Act Anti-Money Laundering Examination Manual

Backward | Table of Contents | Forward

Privately Owned Automated Teller Machines—Overview

Objective.  Assess the adequacy of the bank’s systems to manage the risks associated with privately owned automated teller machines (ATMs) and Independent Sales Organization (ISO) relationships, and management’s ability to implement effective due diligence, monitoring, and reporting systems.

Privately owned ATMs are particularly susceptible to money laundering and fraud.  Operators of these ATMs are often included within the definition of an ISO.¹⁷⁷

Privately owned ATMs are typically found in convenience stores, bars, restaurants, grocery stores, or check cashing establishments.  Some ISOs are large-scale operators, but many privately owned ATMs are owned by the proprietors of the establishments in which they are located.  Most dispense currency, but some dispense only a paper receipt (scrip) that the customer exchanges for currency or goods.  Fees and surcharges for withdrawals, coupled with additional business generated by customer access to an ATM, make the operation of a privately owned ATM profitable.

ISOs link their ATMs to an ATM transaction network.  The ATM network routes transaction data to the customer’s bank to debit the customer’s account and ultimately credit the ISO’s account, which could be located at a bank anywhere in the world.  Payments to the ISO’s account are typically made through the automated clearing house (ACH) system.  Additional information on types of retail payment systems is available in the FFIEC Information Technology Examination Handbook.¹⁷⁸

Sponsoring Bank

Some electronic funds transfers (EFTs) or point-of-sale (POS) networks require an ISO to be sponsored by a member of the network (sponsoring bank).  The sponsoring bank and the ISO are subject to all network rules.  The sponsoring bank is also charged with ensuring the ISO abides by all network rules.  Therefore, the sponsoring bank should conduct proper due diligence on the ISO and maintain adequate documentation to ensure that the sponsored ISO complies with all network rules.

Risk Factors

Most states do not currently register, limit ownership, monitor, or examine privately owned ATMs or their ISOs.  While the provider of the ATM transaction network and the sponsoring bank should be conducting adequate due diligence on the ISO, actual practices may vary.  Furthermore, the provider may not be aware of ATM or ISO ownership changes after an ATM contract has already been established.  As a result, many privately owned ATMs have been involved in, or are susceptible to, money laundering schemes, identity theft, outright theft of the ATM currency, and fraud.  Consequently, privately owned ATMs and their ISOs pose increased risk and should be treated accordingly by banks doing business with them.

Some privately owned ATMs are managed by a vault currency servicer that provides armored car currency delivery, replenishes the ATM with currency, and arranges for insurance against theft and damage.  Many ISOs, however, manage and maintain their own machines, including the replenishment of currency.  Banks may also provide currency to ISOs under a lending agreement, which exposes those banks to various risks, including reputation and credit risk.

Money laundering can occur through privately owned ATMs when an ATM is replenished with illicit currency that is subsequently withdrawn by legitimate customers.  This process results in ACH deposits to the ISO’s account that appear as legitimate business transactions.  Consequently, all three phases of money laundering (placement, layering, and integration) can occur simultaneously.  Money launderers may also collude with merchants and previously legitimate ISOs to provide illicit currency to the ATMs at a discount.

Risk Mitigation

Banks should implement appropriate polices, procedures, and processes to address risks with ISO relationships.  At a minimum, the policies should include:

• Verification of an ISO’s legitimacy through a review of corporate documentation, licenses, permits, contracts, or references.
• Review of public databases to determine the existence of issues with the ISO or principal owners.
• Understanding the controls of the currency servicing arrangements for privately owned ATMs and whether legitimate currency generation is sufficient to service machines.
• Documentation of the locations of privately owned ATMs and determination of the ISO’s target geographic market.
• Expected account activity, including currency withdrawals.

Because of these risks, due diligence on customers that are ISOs, beyond the minimum Customer Identification Program requirements is critical.  Banks should also perform due diligence on ATM owners.  This due diligence should:

• Verify the ATM owner’s legitimacy through a review of corporate documentation, licenses, permits, contracts, or references, including the ATM transaction provider contract.
• Review public databases for information on the ATM owners.
• Obtain the addresses of all ATM locations, ascertain the types of businesses in which the ATMs are located, and identify targeted demographics.
• Determine expected ATM activity levels, including currency withdrawals.
• Ascertain the sources of currency for the ATMs by reviewing copies of armored car contracts, lending arrangements, or any other documentation, as appropriate.

 

 

 

Backward | Table of Contents | Forward