A Review and Analysis of the Privately Owned ATM Industry

A Review and Analysis of the Privately Owned ATM Industry By Kevin Sullivan March 2004 Table of Contents Introduction .................................
Author: Randell Baldwin
40 downloads 4 Views 2MB Size
A Review and Analysis of the Privately Owned ATM Industry By Kevin Sullivan March 2004

Table of Contents Introduction ........................................................................................................................ 3 How an ATM transaction works.......................................................................................... 5 History of Processing .......................................................................................................... 6 Networks/Processors .......................................................................................................... 7 Sponsoring Financial Institutions ........................................................................................ 9 Current Trends .................................................................................................................. 10 Triple DES .......................................................................................................................... 11 Money Laundering through Privately Owned ATMs ........................................................ 11 Various Frauds at all ATM Locations................................................................................. 13 Skimming....................................................................................................................... 13 Card Trap ....................................................................................................................... 15 Transaction Reversal Scheme ........................................................................................... 16 Suggested Best Practices for Sponsoring Financial Institutions ....................................... 16 Suggested Best Practices for Networks ............................................................................ 17 Observations/Suggestions ................................................................................................ 19 Future Considerations....................................................................................................... 22 ATM Safety Act.................................................................................................................. 23 Suggestions for Update to ATM Safety Act ...................................................................... 23 Summary ........................................................................................................................... 23

Page 2 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Abstract This White Paper shall identify, describe and recommend remedies for two main areas of concern within the privately owned ATM industry. The first area of concern is PIN based fraud. This is the area of most concern to consumers as it has been an area of card compromise and theft. The second area of concern is money laundering via ATMs. Consumers may be completely unaware of this process, yet it is an area of grave vulnerability and concern to the law enforcement community. To fully understand the scope of the problem and the potential solutions, this white paper shall describe the actual electronic process of an actual ATM. All the entities involved in that process will be identified and described. The types of frauds that have been perpetrated will be detailed, and the potential for money laundering will be explained. Finally, solutions and suggestions for best practice procedures will be introduced.

Introduction Privately owned Automated Teller Machines (ATMs), also known as white label machines, are becoming more popular and appear in more locations such as bars, restaurants, deli’s, gas stations etc. Currently there are approximately 1,347,396 ATMs operating worldwide. At present, more than 320,000 ATMs are operating in the United States. It is estimated that 220,000 are non-bank location ATMs. One estimate is that approximately 85% of all the cash in circulation has come from an ATM. Total ATMs

100,000 220,000

Worldwide US Private ATMs US Bank ATMs

1,347,396

The official banking terminology for entities that own/operate private ATMs is called the Independent Service Operator (ISO). An ISO entity could own one or an unlimited number of machines. Further, the individual store merchant may own an Page 3 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

ATM, lease an ATM, or rent space in his store to someone else who owns the ATM. In many instances the individual merchant has little to do with the ATM. The privately owned ATM has increased in popularity by the legitimate small business owner not just for the customer’s convenience but for financial reasons. When a business owner incorporates a credit card point of sale terminal in his business, he pays a percentage of the sale to the various credit card associations. An owner of an ATM pays a nominal fee to the Network Transaction Association and charges the customer a fee for the use of the ATM. In essence, the small business owner saves money by not paying a fee for each credit card use, and makes money by charging people the ATM usage fee. The surcharges and interchange fees enables the ATM to be profitable for the banks and for the Independent Service Operators. In a high traffic location this sum can quickly add up. Privately owned ATMs fall into two categories: 1) Cash loaded by the ISO and; 2) Cash loaded by a Vault Cash Management Service. Approximately 20,000 of the privately owned ATMs use a vault cash service. A vault cash service provides for the management of the ATM. The management of the ATM includes loading the ATM with cash, arranging for bank loans from which the cash is loaded, the armored car service that delivers the cash, the upkeep and maintenance of the ATM, and providing insurance for all areas such as theft and damage to the ATM, and theft of the cash prior to insertion into the ATM. The majority of the privately owned ATMs are maintained by the Independent Service Operator. This eliminates a major expense that would cut into the profits of an ISO, especially a small operator with just one or a few machines. The ATM industry consists of a multitude of entities that all exist in whole or in part to proliferate the concept of 24 hour limited banking. Every one of them is a viable business enterprise that exists to provide a service and turn a profit. The following is a list of businesses associated with ATMs: •

Manufactures - These companies physically build the ATM.



Lock Manufactures - Companies that develop the advanced locking systems that store the cash in the machine.



Software Companies - All the machines operate with some form of interactive software that allows the customer to tell the ATM what he

Page 4 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

wants to do. Further, the information that goes over the phone lines and through the processors and networks are all encrypted. •

Paper Products - All ATMs have the ability to provide a physical receipt. Paper and ink are required.



Service Personnel - Provide routine maintenance and service calls for malfunctioning machines.



Insurance Companies - Establishes insurance coverage for damage to the machine and/or coverage while transporting money to and from the ATM.



Vault Cash Management Companies - These companies will take over the responsibility of delivering and stocking cash in the ATM.



Independent Service Operators - Multiple functions may be performed by the ISO including the retail sales and/or leasing of ATMs. The ISO will provide the expertise to deal with the Sponsoring Financial Institutions and Networks. The ISO may also offer ATM management services that in effect will allow an individual merchant to have little interaction with the ATM as the ISO will handle all the day to day operations.



Sponsoring Financial Institutions - An ATM must be sponsored by a financial institution to be granted access to the Network.

How an ATM transaction works When a cardholder wants to perform an ATM transaction, he provides the mandatory information through the use of the card reader and keypad. The ATM relays this information to the host processor, which routes the transaction request to the cardholder’s bank or the institution that issued the card. If the cardholder is requesting cash, the host processor triggers an electronic funds transfer (EFT) to occur from the customer’s bank account to the host processor’s account. Upon the funds being transferred to the host processor’s bank account, the processor transmits an approval code to the ATM authorizing the machine to dispense the cash. The processor then credits the funds into the merchant’s bank account. The merchant’s account may not necessarily be in the United States.

Page 5 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Scenario: The customer has an account at Citibank. He stops at Harry’s liquor store in the Bronx and makes an ATM cash withdrawal from the machine in the liquor store. •

The customer slides his ATM (Citibank) card into the ATM at the liquor store, and then enters his PIN when prompted



Harry’s liquor store’s ATM must be connected to a host processor. That processor reads the data on the back of the customer’s card, ensures that the PIN is encrypted for security, and sends an electronic message to the network designated on the customer’s ATM card (such as Star, Plus, Cirrus or NYCE)



The network identifies the customers bank and sends an electronic message to Citibank’s processor to authorize the transaction (authorize means to verify that there are sufficient funds in the account, the PIN is correct, the expiration date is ok, and there is no limit on withdrawals)



The amount of cash that the customer wants is debited from his account at Citibank in addition to any surcharge.



Citibank’s processor returns a message to the network indicating that the transaction is approved.



The network sends an approval code to Harry’s liquor store’s processor, which in turn activates the ATM machine to dispense the cash.



Total elapsed time – approximately 8 seconds.

Subsequently, usually by the next business day, the network provides settlement between Citibank and the bank that connects Harry’s liquor store’s ATM for the amount that the customer withdrew and any surcharge (assuming that Harry’s liquor store owns the ATM).

History of Processing In the mid-1970s almost all banks began to install ATMs at their branches. Competing banks connected their ATMs electronically allowing people to access money from an ATM owned by another bank. Essentially, the banks agreed to honor each others cards. Local networks merged and got larger, becoming known as shared Electronic Funds Transfer networks. Page 6 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

This new service was expensive, so the banks created fees, including the interchange (the compensation paid to the other bank by the card issuing bank for accepting their customers ATM cards). As business and travel escalated, customers demanded more access to their accounts. Regional networks didn’t reach far enough and national networks were formed so ATM owners could reach more cardholders with a single network. The original networks were consortiums of banks, credit unions and other financial institutions that needed to transfer funds from one institution to another. Currently most regions have a single, dominant network through which transactions pass to reach the national networks (e.g. Plus & Cirrus). In the financial services industry, only the largest banks actually process their own PIN based transactions. The majority will outsource EFT (electronic funds transfer) processing to either regional ATM networks or third party processors. However, all banks, regardless of size, must contract with regional ATM/EFT networks to link financial institutions and their customers with ATMs and merchant POS terminals in order to transmit transactions through the system.

Networks/Processors The host processor is the gateway to the ATM network. The host processor may be owned by a financial institution or it may be owned by an independent service operator. There are various transaction processors in the PIN-based/EFT industry that can perform specific tasks. They act as a “switch” to route transactions to during an authorization to the account holders bank to verify a balance. Electronic funds networks are the main infrastructure for all transaction activity. Regional, National and International networks are all interconnected. There are National EFT networks that connect all the regional systems and act only as a “switch” to direct authorization attempts. Two of the largest national EFT networks are: •

Plus – owned by Visa



Cirrus – owned by MasterCard

These associations also operate EFT networks throughout the world: •

Maestro & Europay – owned by MasterCard Page 7 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com



Interlink & Electron – owned by Visa

Mid size and community banks will utilize third party processors to link to the regional networks. The processors are either owned by a bank or a third party. The processor acts as the issuer/acquirer, or both, for processing EFT transactions. They also offer customer support services such as fraud detection, dispute processing and card mailings. Major EFT Processors 1. Concorde EFS 2. First Data 3. Columbus Data 4. Lynk Systems 5. Core Data 6. Electronic Data Systems 7. eFunds 8. Metavante 9. FiServ 10. GenPass

Page 8 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Top 5 Regional ATM/EFT Networks as of 12/2002

600,000,000

Switch Volume

500,000,000 502,563,000

1. Star

400,000,000

2. NYCE

300,000,000 200,000,000

105,940,000 89,355,652

3. Pulse 4. Interlink

59,038,154

100,000,000

5. Co-Op

0 48,005,905

Manufactures of ATMs as of 2002 (Public & Private) 15,000

10,000

5,000

0 Manufactures

Diebold

Triton

NCR

Tranax

NexTran

GTI

13,560

9,876

8,900

7,600

2,974

756

Sponsoring Financial Institutions With the advent of privately owned ATMs, those in non-banking locations, networks needed to find a way to allow these ATMs to connect to the system. The solution was to request Financial Institutions to sponsor individuals and companies who place ATMs in non bank locations. By sponsoring a privately owned ATM, a Financial Institution is taking on the full responsibility for those terminals in the eyes of the networks. That means that the Financial Institution bears all risks associated with placing that machine, including the risk of fraud and the possibility that a compromise at one machine could adversely affect the entire system. Therefore, all ATMs owned privately must have a sponsoring financial institution. Because sponsorship carries such a risk, the Financial Institution is obligated (by the Networks) to perform due diligence on the companies with which they do business, similar to that of a “know your customer” rule. Page 9 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Known Sponsoring Financial Institutions 1. American States Bank 2. Bankfirst 3. Citizens Bank 4. Creative Card solutions 5. Palm Desert National Bank 6. Paragon Federal Credit Union 7. Pueblo Bank and Trust

It has been difficult to obtain a complete and through list of all the Sponsoring Financial Institutions. There is nothing readily available on the Internet. Various regulators do not have a database. The ATMIA (Automatic Teller Machine Industry Association) does not maintain a list but have provided the above names that they were readily familiar with. Further, the ATMIA has stated that there are not many Sponsoring Financial Institutions, perhaps a maximum of forty, and most are located in the midwest, south-west or west coast. The Networks maintain that privacy issues render them unable to reveal their customers.

Current Trends A current trend in the ISO community is acquisitions. The organic growth in the industry is on the decline as much of the prime real estate for ATM sites have already been established (malls, transportation hubs, etc.) Currently, large ISO’s are scouting out and evaluating profitable ATM portfolios and negotiating deals to purchase them. Further it appears that the retail ATM business is in the midst of a strong consolidation phase. Smaller ISO’s concerned by the upgrade costs that may be required to comply with upcoming Triple DES mandates may be ready to cash out.

Page 10 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Triple DES The ATM industry, concerned that the codes that protect PINs as they travel from ATM to host could be compromised, concluded that the solution was to update to triple data encryption standard (Triple DES). With DES, a binary number called a key is used to encrypt and decrypt data. The DES algorithm uses a 56-bit key length; Triple DES specifies three rounds of encryption, effectively increasing the key length to 168 bits. Current ATMs both private and bank owned would have to spend approximately $900 $1200 on each machine to update to the new specifications. This update was not mandated by any governmental regulatory body, it was orchestrated by MasterCard and Visa. MasterCard and Visa operate the Plus and Cirrus Networks which is the network superhighway that connects all the regional networks.

Money Laundering through Privately Owned ATMs Money laundering trends and patterns have become more elaborate and sophisticated over the years due in part to credit transactions which can present intricate financial relationships and roundabout means through which dirty money can move through financial institutions. The main purpose of a money launderer is to make the money that was obtained from ill gotten gains appear to be legitimate. A flaw in the privately owned ATM system has been developing that is a prime opportunity for money launderers to facilitate their operations. A launderer purchases numerous white label ATM machines and establishes them in various locations. The places of business that the ATMs are placed in may or may not be a co-conspirator in the crime. The launderer loads his ATMs with the cash proceeds from whatever criminal enterprise he is engaged in, or at the least, the money is co-mingled with clean cash. Subsequently the ATM is continually refilled by the ISO using dirty money. Unsuspecting cardholders make legitimate use of the ATM or smurfs make multiple withdrawals. The electronic transaction process debits the cardholders account and credits the ISO’s bank account. At the end of the month the ISO shows a genuine bank statement, which reveals money being electronically deposited into his account from a legitimate financial institution. Hence, the launderer has made his dirty money appear to be clean money. The launderer is facilitated by the fact that since the privately owned ATM is several steps removed from the Sponsoring Financial Institution, they have not been in the radar zone for bank compliance and AML procedures. There are guidelines for the ISO to perform due diligence on the individual merchant, and the Sponsoring Financial Institution to “know your customer” with reference to the ISO and/or merchant Page 11 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

accounts, and the Networks to know who is using their systems. Until recent media attention, those guidelines were very loosely maintained. Further hampering the system is the fact that the Networks, Processors and ISO’s are not considered financial institutions. Therefore the Bank Secrecy Act, Money Laundering Control Act, AnnunzioWylie Act, nor the U.S. Patriot Act is applicable to them. The only regulated entity in the privately owned ATM transaction process is the Sponsoring Financial Institution. Although this method of money laundering is somewhat labor intensive, it is still believed to be considerably less expensive and poses less risk than other alternative methods. Another advantage is that money launderers can acquire and operate their own network of ATMs, thus asserting total control over the withdrawal process with little or no actual movement of cash. A review of Suspicious Activity Reports (SAR’s) for 2002 and 2003 in the New York Metropolitan area has revealed that only 400 SAR’s were filed reporting suspicious ATM transactions. Most of these SAR’s were filed with reference to ATM withdrawals in foreign countries. All of these SAR’s were filed by only four area banks, and the majority of those reports were filed by just one bank. Based on this research it is obvious that the money laundering techniques have been invisible to most bank compliance departments. Indicators of Money Laundering: •

Above average volume of withdrawals for a similar business and location.



A larger than average amount of withdrawal. The national average is approximately $60. A money launderer may withdraw as much as possible per transaction.



Lack of bank withdrawals for the replenishment of ATM funds. When the ISO’s bank repatriates the funds electronically into his account, there still must be a physical withdrawal in order to load the ATM. A lack of withdrawals would indicate that the ATM is being loaded by funds from another source.



Above average surcharges. The surcharge becomes the payoff for the collusive merchant.



Times of the day for transaction concentration. Are the bulk of transactions being conducted at a time that would be inconsistent for a large volume of business? Note transactions that occur near midnight so a person can withdraw the maximum amount for two days at one time. Page 12 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Mobile ATMs usually appear at special events such as concerts or fairs, and sometimes remain for the duration of the event. One has to wonder what a suspicious activity or money laundering indicator would be with reference to a machine or location that does not have any historical activity to refer to.

Various Frauds at all ATM Locations Skimming A common method used to turn an ATM into a point of compromise is via the illegal skimming of a cardholder’s card. Skimming involves the use of a device similar to that which legitimately reads the magnetic stripe on the back of a cardholders ATM card. In essence a ghost ATM or Parasite ATM is created. The device is placed over the current and legitimate magnetic reader on the ATM or sometimes over the card reader at the door or lobby of the bank using double sided tape. Essentially, the customer’s card is read twice, once by the legit skimmer and once by the parasite. (Alternate methods of skimming, has been enormously popular with credit card counterfeiters and identity thieves) Once a card is skimmed and the password captured by a keystroke logger device, a video camera, or just someone looking over your shoulder, the criminal ultimately reproduces another card. Using a blank card known as white plastic, or a hotel type card key, the criminal places a new magnetic stripe containing duplicated information from the cardholder’s actual card. The criminal has successfully stolen all of the cardholders ATM card information and is set to withdraw cash out of the cardholders account. The mainstream banking sector certainly has had their fair share of fraudulent occurrences of skimming devices on branch bank ATMs. However, those bank machines Page 13 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

are maintained and regulated and examined by bank personnel or personnel authorized by the bank on a regular and consistent basis. A privately owned ATM does not have the same scrutiny as a bank machine. In fact, a privately owned ATM that is loaded by an unscrupulous ISO has no inspection or safeguards in place at all. The is no regulating body that is currently auditing these ATMs. Essentially, a criminal can own the ATM that he puts a skimming device on and ultimately the proceeds from his skimming operation get put back into the ATM for cleansing. As an added bonus to the criminal the ATM is mobile enough that it can be placed in another location before law enforcement authorities are alerted to the original crime.

A parasite skimming device is placed on top of the actual machine. Subsequently, a card is read twice. Once by the parasite skimmer and once by the real magnetic reader on the machine. A customer has no idea that his card has been compromised.

A hidden camera is placed inside of a brochure box. This camera captures your PIN code when you press the keyboard.

Page 14 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Additional Notes: •

The criminals may exploit the customer’s faith in the bank by using the parasite on mainstream branch ATMs and only during off hours. Then the device can be removed prior to the business day and any possible inspection by bank staff.



ATMs that are prime for compromise are usually in upscale neighborhoods and are frequented by customer’s that carry a large balance. (The customer might not even note the compromise when he receives his monthly statement)



ATM locations that do not maintain a security camera are desirable for obvious reasons.



The criminals have been known to use hotel type key cards so if they are ever stopped by police, an unsuspecting officer may not recognize a hotel card key as suspicious.



Devices labeled “ATM card washer” has been placed near legitimate ATM machines. This is just a clever skimming device.

Card Trap The card trap is also known as the Lebanese Loop. This only works with a motorized card reader (as opposed to a dip type or swipe type reader) A card trapping device is inserted into the reader. The device blocks the complete insertion of the card into the reader and then traps the card inside the reader. As the frustrated customer makes futile attempts to retrieve his card another “customer” will advise that he too was victimized by the apparently faulty ATM. He then tells the legit customer that he had to enter his PIN code to get his card back. While the legit customer performs this, his PIN is observed being entered (shoulder surfing). Ultimately, the card is never returned to the customer and he leaves the scene. The fraudster then removes the card with a special tool and now he has the card and the PIN. In alternate variations the card is skimmed and returned to the customer.

Page 15 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Additional Notes: •

Fraudsters will choose locations that do not have any branch personnel nearby, or after hours or privately owned ATMs



Similar to skimming, fraudsters prefer the lack of surveillance cameras and upscale locations.

Transaction Reversal Scheme A fraudster using a legitimate card, requests to draw cash out of an ATM. When the notes are presented, the fraudster removes a portion of the stack from the mechanism. For example, from a $200 stack, the center $160 are removed, leaving $40 in the presenter. The ATM will receive an error message and think that the cash was never taken and subsequently retract the cash that is left in the presenter. The dispenser does not calculate the number of notes when it is retracted is unaware that $160 of the $200 is not being retracted. The customer’s account is not debited for the transaction.

Suggested Best Practices for Sponsoring Financial Institutions The requirements of the sponsor can vary depending on their internal polices established on sponsorship. However, Sponsoring Financial Institution’s should maintain the following minimum requirements and retain these files so as to be accessible to the networks and to bank regulatory examiners: a.

Business Financial Information, to include financial statements (balance sheet and income statement) for the most current two year period;

b.

Federal Income Tax Returns (two previous years, all schedules and extensions);

c.

Financial Information for any principal with significant ownership or management interest in the company, to include complete income tax returns for the most current two year period (further require current personal financial statements);

d.

Proof of Liability Insurance (insurance declaration page);

e.

Proof of valid existence of company (Articles of Incorporation, LLC or Partnership Organization); Page 16 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

f.

Documentation showing ownership and percentage owned;

g.

Internal documentation to include; i.

Background investigation; i. Name ii. Social Security Number iii. Criminal Records iv. Residency – Citizenship v. Check against OFAC list

ii.

Credit Checks on all principals

iii.

Business Credit Check and/or Dunn & Bradstreet review;

iv.

On site inspections;

v.

Network registration materials, which may include a PIN security audit

h.

Adequate controls established by the ISO and reviewed by SFI including an auditing process, with clear and secure procedures for adding and deleting merchants.

i.

An ongoing process for controlling risks associated with the ISO which includes a review of all the above items on an annual basis.

j.

The SFI is accountable of the activities of the ISO, including compliance with governmental regulatory statutes.

k.

Services provided by the ISO on behalf of the SFI are not subcontracted to any other entity.

Suggested Best Practices for Networks a) Networks should provide Financial Institutions and ISO’s with network approved training sessions on Network rules and standards. The basic content of such a course might include: Page 17 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

a. Terminology and definitions b. Technology and Operations Overview c. System Integrity and Security i. Terminal requirements ii. PIN encryptions and management processes iii. Data privacy requirements iv. Other operational requirements d. Fraud - financial exposure and practices i. Liability under Network rules e. Registration process b) All Networks presently require that Financial Institutions meet their settlement obligations, ensure compliance with the Network rules and standards by their sponsored parties, and be fully liable for the actions of all their sponsored parties and sponsored entities. In addition: a. The Financial Institution should require and review reports of ATM deployment locations and redeployments. b. Require and review standard reports on operations c. Perform random checks or audits of reports to ensure operations are in compliance with the Network rules and standards. d. Maintain current records reflecting any changes to the ISO’s such as: i. Change of ownership ii. Name or address change iii. Assumption of a new DBA iv. Report of termination of its relationship with an ISO

Page 18 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Observations & Suggestions for the ATM Industry 1) The Sponsoring Financial Institutions, reportedly only approximately fifty in the country, are of the community to mid-size bank size. Because of their smaller size, these institutions do not process the EFT themselves, they outsource to a third party processor. The good news is that fraud detection vendors can and do enter into partnerships with the processors and networks and offer all third party processors fraud detection services to their clients. ATMs will generate alerts such as card read errors that can be combined with ATM location information to create compromise indicators. Changes in transactions and transaction patterns can also be indicators that something odd is happening at the ATM. A good ATM management system allows you to detect these compromise indicators and react in the most efficient manner possible.

2) Each and every financial institution must have an Anti Money Laundering program. Because of this, it would be the responsibility of either the sponsoring financial institution (preferably) and the settling financial institution to install AML procedures regarding privately owned ATMs. The AML procedures should require the reporting of various AML indices, both previously established and new indices surrounding ATM standards. Either the sponsoring financial institution (preferably) or the settling financial institution should be mandated to update their AML policies to include the auditing of the accounts of any ISO. In addition, the sponsoring and settling financial institutions should maintain an enhanced due diligence procedures on any ISO, sub ISO, and merchant. Essentially, a “know your customers customer” policy. 3) As per the Bank Secrecy Act (BSA) Financial Institutions are required to review their customers accounts and look for any transaction(s) that appear suspicious. Subsequently a SAR would be filed with FinCEN. The Sponsoring Financial Institutions have not been appropriately monitoring the accounts of the ISO’s. It is the ultimate responsibility of the Sponsoring Financial Institutions to adopt a set of best practices which would include fraud detection and anti-money laundering compliance. The sponsoring financial institutions should work hand in hand with the third party processors and the Network associations in developing the best practices and AML standards. Strategic Alliances may be developed between the Networks, Processors and SFI’s with reference to readily available software to detect fraud and money laundering.

Page 19 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

4) Training should be developed for all Sponsoring Financial Institutions, Networks and Processors as to the indicators of fraud and money laundering and the procedures for the reporting of the same. 5) All ISO’s must have accounts just for the ATM. a. This eliminates any co-mingling of funds b. Allows for easier auditing c. Downside – what about ISO’s that have hundreds of machines. We can’t expect an individual account for each ATM. 6) All ISO’s must be in business for a minimum of 2 years before they can be accepted as an ISO 7) Documentation of individual ATMs a. The ISO should enter into a three party agreement between the network/ISO/SFI so that all required ATM information is on file with the SFI. The minimum the documentation needed is: i. The physical location of each ATM; ii. ATM makes and models; iii. Terminal serial numbers; iv. Terminal ID numbers; v. Software and hardware versions; vi. Terminal owner/ lease names and contact information; vii. Terminal owner / lease social security number viii. Terminal owner / lease driver’s license number ix. Surcharge amount; x. Names of companies or individuals providing vault cash, maintenance, key loading, etc.

Page 20 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

8) A central registry of all ATMs in the state should be established and maintained (similar to that of Money Service Businesses). A license for the placement of and operation of an ATM should be licensed by either state or federal statutes. A registration sticker or medallion should be affixed to each and every ATM signifying compliance with registration regulations. Information in the database should consist of the following: a. An ID number assigned to each ATM (similar to a VIN) which corresponds to the number on the sticker/medallion. b. The location of all ATMs c. The name of the owner/operator (ISO/merchant) d. The name and location of the Sponsoring Financial Institution Note: Law Enforcement must have a method to discover who the Sponsoring Financial Institution is without contacting the ISO. Currently there is no way of knowing who the SFI is. This can prove to be a major stumbling block when an investigation is being conducted and it would be unknown who to serve a subpoena on, especially if the target of the investigation is the ISO. Remaining Questions 1)

What would be a cause for a sponsoring financial institution to refuse an Independent Service Operator? The best answer is that each bank must determine how much liability there is on each and every potential customer. Similar to the standards that a bank might use for a loan application is what might guide a SFI during this due diligence phase. A traffic ticket issued to an applicant 15 yrs ago is probably not a disqualifier. Yet someone with several felony convictions for credit card fraud is more than likely, not a good bet for access into the Network.

2) How does NYS regulate ATMs that are sponsored by banks out of state? The Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994 allows any adequately capitalized and managed bank holding company to acquire banks in other states and have the ability to branch into other states. This would support the process of an out of state bank sponsoring an ATM Page 21 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

within another state. However, a sponsoring bank in another state, whose regulator, in their home state, is the State Department of Banking, would not be regulated by the same agency in a different state. 3) What prevents an out of country sponsoring financial institution from sponsoring an ISO that places ATMs in this country? The STAR network association does not allow any international sponsorship, by it’s own rules and regulations. Considering the fact that rules and regulations can change, it might be prudent to develop legislation to disallow any foreign entity to sponsor an ISO for membership into any Network Association.

Future Legal Considerations Recent federal legislation passed by the House and Senate will most likely change the way financial institutions process checks. The House passed the “Check Clearing for the 21st Century Act” also known as Check 21. The Senate passed the Check Truncation Act. Both acts offer the banks the option of creating substitute paper checks using a digital image. The substitutes will be the same size and carry the same data as the original checks and can be exchanged with banks that lack the technology to receive digital images. Presently banks are mandated to physically present and return the original checks. As the imaging technology develops, and is implemented into the banks, it is projected that eventually the ATM will become a viable alternative for depositors of checks. It clearly has the ability to be more cost effective for the banks and they will persuade their customers to use the ATMs with the deposit of checks. It is unknown at this stage if privately owned ATMs via the Network Associations will become part of the Check 21 process. Other potential events on the horizon that could become law enforcement issues are the ability to “load” phone cards or other types of “smart cards” via the ATM. Currently in certain markets a customer may purchase movie tickets, order flowers and purchase postage stamps. As the ATM becomes more versatile and entrenched in the daily banking routine of the average customer, the need for regulation is apparent and imperative.

Page 22 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

ATM Safety Act In 1996 New York Governor George Pataki signed into legislation the ATM Safety Act. This mandated the installation of video cameras at financial institutions ATMs and the installation of card entry locks at all indoor terminals. In 2003 Gov. Pataki and the New York State Legislature passed an amended version of the ATM Safety Act which requires banks to retain video tape and/or digital recording of ATM transactions for 45 days, extending by 15 days the previous required retention time of 30 days.

Suggestions for Update to ATM Safety Act 1)

Lobby cameras that operate 24/7 to observe any activity in the area of the ATM.

2)

For Drive up Machines - the camera on the ATM is set at one level (usually average car height) which does not always capture images of subjects in vehicles that are of different heights (such a SUV’s and Pick-up’s). Additional camera’s should be placed in front of and in the rear of the stopping area of a drive up ATM. This has a better chance of capturing a photo of all customers and additional subjects in a vehicle, and the license plate.

Summary Sponsoring Financial Institutions should understand and assess the risk to their payment systems from merchant processing activities. An assessment of payment systems will assist management to understand the risks to the bank; to establish policies, procedures, and controls appropriate to these risks; and to develop an audit process to review compliance with policy. Sponsoring Financial Institutions should have sturdy vendor management programs that include written agreements with all third parties involved in the settlement process. Management should have proper monitoring controls in place over parties in the settlement process. Controls should include quality assurance, audits, onsite visits, performance reporting and financial monitoring.

About Kevin Sullivan Kevin Sullivan, MS, MMBA, CAMS, was an Investigator with the New York State Police, and he coordinated NY state investigations at the New York HIFCA El Dorado Intelligence Center. Sullivan is co-chair of the NY chapter of ACAMS. Page 23 © Anti-Money Laundering Training, Kevin Sullivan www.AMLtrainer.com

Suggest Documents