It’s not uncommon to see private automated teller machines (ATMs) in a variety of locations such as convenience stores, entertainment venues and other retail establishments. These ATMs can be profitable for the owner while also offering convenience to customers. In addition, for a private ATM owner there are very few regulatory requirements for performing ongoing due diligence over money-laundering risk. However, the same doesn’t hold true for the financial institution that serves the owner of these ATMs.
The Federal Financial Institutions Examination Council (FFIEC) has said, “Privately owned ATMs are particularly susceptible to money laundering and fraud. Operators of these ATMs are often included within the definition of an Independent Sales Organization (ISO).” Because these machines link their transactions to the same ATM network as the sponsoring financial institution, and payments made through them are processed through the Automated Clearing House (ACH) system, privately owned and operated ATMs need to comply with all network rules. The risks for the sponsoring financial institution are higher because these machines are more susceptible to money-laundering schemes, theft and fraud.
The FFIEC has issued risk mitigation guidance specific to privately owned ATMs. These minimum standards are outlined in the “Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual.” Financial institutions should implement appropriate policies, procedures and processes, including appropriate due diligence and suspicious activity monitoring, to address risks with ISO customers. These policies, procedures and processes should include:
- Appropriate risk-based due diligence of the ISO, through a review of corporate documentation, licenses, permits, contracts or references
- Review of public databases to identify potential problems or concerns with the ISO or principal owners
- Understanding the ISO’s controls for currency servicing arrangements for privately owned ATMs, including the source of replenishment currency
- Documentation of the locations of privately owned ATMs and determination of the ISO’s target geographic market
- Expected account activity, including currency withdrawals
Because of these risks, ISO due diligence beyond the minimum customer identification program (CIP) requirements is important. Financial institutions also should perform due diligence on ATM owners and sub-ISOs, as appropriate. This due diligence may include:
- Reviewing corporate documentation, licenses, permits, contracts or references, including the ATM transaction provider contract
- Reviewing public databases for information on the ATM owners
- Obtaining the addresses of all ATM locations, ascertaining the types of businesses in which the ATMs are located and identifying targeted demographics
- Determining expected ATM activity levels, including currency withdrawals
- Ascertaining the sources of currency for the ATMs by reviewing copies of armored car contracts, lending arrangements or any other documentation, as appropriate
- Obtaining information from the ISO regarding due diligence on its sub-ISO arrangements, such as the number and location of the ATMs, transaction volume, dollar volume and source of replenishment currency
Your financial institution should have a process in place to identify which customers have privately owned and operated ATMs. This should be done during the account opening process and built into your financial institution’s CIP checklist. Because the customer might not answer this inquiry honestly during account opening, or might purchase a privately owned ATM after opening an account with your financial institution, continuous monitoring also is required. On an ongoing basis, a review of ACH reports for known ATM servicer transactions could help identify privately owned ATM activity. Frequent ACH credits from these servicers could strongly indicate this customer is a privately owned ATM operator. Lastly, if there’s strong suspicion of privately owned ATM activity, an on-site visit to the customer’s location can be a viable step in the identification process.
Once the customer is identified, additional information should be obtained so your financial institution knows the location and number of ATMs owned and operated by the customer, the procedures for filling the ATMs, the networks contracted through, copies of all relevant contracts and the account numbers related to these ATM transactions. This information should be formally documented in the customer’s file and run against public databases to confirm there are no BSA/AML issues with the ISO or principal owners of the machine.
The final step is ongoing monitoring of this customer. It will take a period of time to determine and establish an expected pattern of activity. Once determined, any activity outside of this pattern should be further researched and documented. In addition, the overall risk rating of the customer should drive the level of ongoing monitoring required for this customer, and this risk rating should be evaluated annually based on the risk appetite of your financial institution. Failure to perform documented ongoing monitoring could result in regulatory scrutiny.
Contact Brok or your trusted BKD advisor if you have questions.