June 30, 2016
More businesses are beginning to have privately owned Automated Teller Machines. Do you know if any of your business customers have one? If so, have you stepped up your customer due diligence on them? You may be asking yourself, “Why would I need to worry about an ATM the bank does not own?” However, there are risks that come with privately owned ATMs, and some banks will need to make enhancements to address these increased areas of risk.
Risks of Privately Owned ATMs
Privately owned ATMs are typically found in restaurants, bars, gas stations and grocery stores. These ATMs link to an ATM transaction network that debits the customer’s account and credits the ATM owner’s account, or the Independent Sales Organization’s (ISO) account, which can be located anywhere. The ATM transaction network provider and sponsoring bank of the ATM should be completing adequate customer due diligence.
The reason privately owned ATMs have been deemed higher risk is that many of these ATMs have been involved in fraudulent activity, money laundering, theft and identity theft. A few examples of money laundering would be when an individual is replenishing an ATM with currency obtained from illegal activity that is later withdrawn through a legitimate consumer transaction. This would make the deposit to the ATM owner’s account appear like a legitimate transaction. Money launderers may also have agreements with merchants to fill their ATMs with illegal money at a discounted price.
Enhancements should be made to the bank’s systems and customer identification program (CIP) to manage the risks associated with privately owned ATMs and Independent Sales Organization relationships. The bank’s customer due diligence (CDD) of privately owned ATMs should include verification of the owner’s/ISO’s background, location of privately owned ATMs, source of funds to replenish the ATM, anticipated activity, and also include regular monitoring of the account to make sure the identified risks remain consistent with the conclusions of your customer due diligence. As addressed in the FFIEC Examination Manual, banks should implement appropriate policies, procedures and processes, including appropriate due diligence and suspicious activity monitoring, to address risks with ISO customers. At a minimum, these policies, procedures, and processes should include:
Understand Your Own Role
Here are a few questions to ask yourself before you start completing your review.
Bank Secrecy Act violations continue to reach the headlines, and penalties are harsh, especially if previously identified weaknesses have not been addressed. As businesses change, it is critical that you stay informed of their activities and the impact they have on your banking relationship. Even long-time customers deserve your attention; just because they have been a loyal customer, does not mean they can’t put you at risk for potential BSA violations. Ongoing monitoring is critical in identifying suspect activity in any part of the banking relationship, whether it is on the loan or deposit side. All customers should be considered when evaluating BSA risk, even those who may not have a deposit relationship.