Privately owned ATMs - i.e. ATMs that are not owned by a bank - are a topic that seems to be gaining traction with examiners during BSA exams. Therefore, it is important for financial institutions to understand their requirements with regard to customers who operate privately owned ATMs.
Understanding Privately Owned ATMs
Privately owned ATMs are those automated teller machines that are not owned by a regulated financial institution. These ATMs are often associated with cash-intensive businesses such as convenience stores, bars, restaurants, grocery stores, or check cashing establishments. As they are often controlled and filled by their owners - which could be just about anyone - privately owned ATMs become particularly susceptible to money laundering and fraudulent activities.
The owners of privately owned ATMs, known as Independent Sales Organizations (ISOs), can be large-scale operators or single ATM owners where the ATM is located in the establishment controlled by the owner. Most privately owned ATMs dispense currency, but some dispense scrip (a paper receipt) that can be exchanged for goods or currency. Privately owned ATMs can be profitable for proprietors due to fees and surcharges for withdrawals, along with additional business generated by customer access to an ATM.
Risks Associated With Privately Owned ATMs
In layman’s terms, one of the biggest challenges with privately owned ATMs is the lack of controls on how currency is placed in the ATM - or how the ATM is refilled. Without effective controls, the concern is that ATM currency could come from illegal activity, which is a perfect example of how money laundering can occur.
To explain further, the goal of money laundering is to take “dirty money” (or money that was obtained illegally) and to somehow “launder” it so that it becomes clean (i.e. legitimate). Said another way, money laundering is taking illegal money and getting it into the financial system. In the case of privately owned ATMs, dirty money could easily be used to refill an ATM, where the funds will be “cleaned” when they are withdrawn from the ATM by legitimate people from their legitimate accounts.
In more technical terms, the FFIEC BSA Exam Manual explains the risk factors associated with privately owned ATMs as follows:
“Most states do not currently register, limit ownership, monitor, or examine privately owned ATMs or their ISOs. While the provider of the ATM transaction network and the sponsoring bank should be conducting adequate due diligence on the ISO, actual practices may vary. Furthermore, the provider may not be aware of ATM or ISO ownership changes after an ATM contract has already been established. As a result, many privately owned ATMs have been involved in, or are susceptible to, money laundering schemes, identity theft, outright theft of the ATM currency, and fraud. Consequently, privately owned ATMs and their ISOs pose increased risk and should be treated accordingly by banks doing business with them.
Due diligence becomes more of a challenge when ISOs sell ATMs to, or subcontract with other companies ("sub-ISOs") whose existence may be unknown to the sponsoring bank. When an ISO contracts with or sells ATMs to sub-ISOs, the sponsoring bank may not know who actually owns the ATM. Accordingly, sub-ISOs may own and operate ATMs that remain virtually invisible to the sponsoring bank.
Some privately owned ATMs are managed by a vault currency servicer that provides armored car currency delivery, replenishes the ATM with currency, and arranges for insurance against theft and damage. Many ISOs, however, manage and maintain their own machines, including the replenishment of currency. Banks may also provide currency to ISOs under a lending agreement, which exposes those banks to various risks, including reputation and credit risk.
Money laundering can occur through privately owned ATMs when an ATM is replenished with illicit currency that is subsequently withdrawn by legitimate customers. This process results in ACH deposits to the ISO’s account that appear as legitimate business transactions. Consequently, all three phases of money laundering (placement, layering, and integration) can occur simultaneously. Money launderers may also collude with merchants and previously legitimate ISOs to provide illicit currency to the ATMs at a discount.”
Financial Institution Management of Privately Owned ATMs
Over the years, financial institutions have taken several different approaches to managing privately owned ATMs. Most take a risk-based approach that fits their organization: some have done nothing (not recommended), some just identify their customers that have privately owned ATMs, while others require a separate account for all ATM transactions and conduct annual audits/reviews of each account.
The key to managing privately owned ATMs is to understand the risk they present to your organization with regard to potential money laundering. To do this, two things should be considered. First, a financial institution should determine the quantity of risk by understanding the volume of privately owned ATMs retained by customers of the financial institution. For example, if a financial institution identifies only one privately owned ATM from a long-time customer who has all accounts with the financial institution, the risk is going to be lower than if there were hundreds of identified privately owned ATMs from dozens of different owners.
The second thing a financial institution can do to understand the risk that privately owned ATMs present is to understand the expectations of the financial institution’s federal regulator. Some regulators haven’t dug into privately owned ATMs at all, while others have much higher expectations. In layman’s terms, it is important to understand how high the bar is being set by a regulator so that a financial institution is able to meet their expectations.
That said, the FFIEC BSA Exam Manual - which is the main guidance for privately owned ATMs - actually sets the bar of expectations pretty high:
"Banks should implement appropriate policies, procedures, and processes, including appropriate due diligence and suspicious activity monitoring, to address risks with ISO customers. At a minimum, these policies, procedures, and processes should include:
Appropriate risk-based due diligence on the ISO, through a review of corporate documentation, licenses, permits, contracts, or references.
Review of public databases to identify potential problems or concerns with the ISO or principal owners.
Understanding the ISO’s controls for currency servicing arrangements for privately owned ATMs, including source of replenishment currency.
Documentation of the locations of privately owned ATMs and determination of the ISO’s target geographic market.
Expected account activity, including currency withdrawals.
Because of these risks, ISO due diligence beyond the minimum CIP requirements is important. Banks should also perform due diligence on ATM owners and sub-ISOs, as appropriate. This due diligence may include:
Reviewing corporate documentation, licenses, permits, contracts, or references, including the ATM transaction provider contract.
Reviewing public databases for information on the ATM owners.
Obtaining the addresses of all ATM locations, ascertaining the types of businesses in which the ATMs are located, and identifying targeted demographics.
Determining expected ATM activity levels, including currency withdrawals.
Ascertaining the sources of currency for the ATMs by reviewing copies of armored car contracts, lending arrangements, or any other documentation, as appropriate.
Obtaining information from the ISO regarding due diligence on its sub-ISO arrangements, such as the number and location of the ATMs, transaction volume, dollar volume, and source of replenishment currency."
The full section in the BSA Exam Manual can be found here.
NOTE: It is important to check with your state for any state-specific requirements that apply to privately owned ATMs.