Posted By: Polo
CONFUSED with Privately Owned ATM Guidance - 05/18/12 04:27 PM
I need BOL members help in fully understanding the FinCEN requirements for bank due diligence regarding “Privately Owned ATMs”
After reading the section from FinCEN Guidance Manual (4/2011) regarding Privately Owned ATMs multiple times, I think my brain is starting to over-heat. I am coming to an understanding that the Guidance may be directed towards banks that have, allow or sponsor ISOs and/or privately owned ATM networks and not the simply fact that a small business checking account customer, who is a merchant for example, has or owns an ATM but does NOT have a network sponsor relationship with the bank.
Per our IT director and all-around ATM network guy: “the bank does not sponsor any ATM or ISO networks.” He says we only operate/sponsor the ATM network for the bank-owned ATMs.
I have read some other banks’ comments on this subject, and the majority seem to be coming to the conclusion that if they have a customer who owns or leases an ATM, has it in their store and may or may not use their bank to fund the ATM, they are following the FFIEC’s AML Guidance, which specifically addresses ISO and sponsored network provider risk mitigation activities, such as:
obtaining an ATM lease or purchase agreement with the customer (“sponsoring entity”)
identifying all locations where the customer may have ATMs
Whether it is registered (if state requires it)
Copies of 3 monthly statements of ATM activity
How much and how often the ATM is filled, and
What the expected usage and fee collection is.
This type of due diligence does not appear (to me) to be what the FFIEC AML Guidance is referring to (as the “Risk Factor” they are concerned with). Of course, AML risk is always a concern, and a bank’s entire BSA program should address all factors. However, this subject appears to specifically address a particular threat or specific concern by law enforcement. The guidance says (pages 250-254):
Excerpts: (emphasis provided)
“Some electronic funds transfers (EFT) or point-of-sale (POS) networks require an ISO to be sponsored by a member of the network (sponsoring bank). The sponsoring bank and the ISO are subject to all network rules. The sponsoring bank is also charged with ensuring the ISO abides by all network rules. Therefore, the sponsoring bank should conduct proper due diligence on the ISO and maintain adequate documentation to ensure that the sponsored ISO complies with all network rules.”
Risk Factors:
“Due diligence becomes more of a challenge when ISOs sell ATMs to, or subcontract with, third- and fourth-level companies (“sub-ISOs”) whose existence may be unknown to the sponsoring bank. When an ISO contracts with or sells ATMs to sub-ISOs, the sponsoring bank may not know who actually owns the ATM. Accordingly, sub-ISOs may own and operate ATMs that remain virtually invisible to the sponsoring bank.”
Our bank does NOT have any ISO relationships, and thus I feel that the following is not an applicable factor to our bank’s BSA/AML practices as an independent issue, but would fall under all general AML practices:
“Banks may also provide currency to ISOs under a lending agreement, which exposes those banks to various risks, including reputation and credit risk.”
We do NOT.
And,
“Money laundering can occur through privately owned ATMs when an ATM is replenished with illicit currency that is subsequently withdrawn by legitimate customers. This process results in ACH deposits to the ISO’s account that appear as legitimate business transactions. Consequently, all three phases of money laundering (placement, layering, and integration) can occur simultaneously.
Money launderers may also collude with merchants and previously legitimate ISOs to provide illicit currency to the ATMs at a discount.”
How would a bank know this separate from general AML (currency) monitoring practices?
Risk Mitigation:
“Banks should implement appropriate policies, procedures, and processes, including appropriate due diligence and suspicious activity monitoring, to address risks with ISO customers.”
Again, we do not have any relationships with ISOs. So, “addressing” specific risks with an ISO would be N/A for our bank, in my opinion.
“At a minimum, these policies, procedures, and processes should include:”
As can be seen (below), the “Risk Mitigation” guidance isolates relationships with ISOs and network “Sponsoring Financial Institutions.”
Due to the fact that our bank does NONE of these activities, nor do we have any relationships with ISOs, I am coming to the conclusion that even if we have a customer that owns an ATM and may or may not use their bank account with us to replenish the ATM, the FFIEC Guidance is directing monitoring and due diligence/risk mitigation steps to financial institutions that have arrangements with ISOs or facilitate network access for ATM operations (i.e., sponsoring).
“Appropriate risk-based due diligence on the ISO, through a review of corporate documentation, licenses, permits, contracts, or references.
Review of public databases to identify potential problems or concerns with the ISO or principal owners.
Understanding the ISO’s controls for currency servicing arrangements for privately owned ATMs, including source of replenishment currency.
Documentation of the locations of privately owned ATMs and determination of the ISO’s target geographic market.
Expected account activity, including currency withdrawals.
“Because of these risks, ISO due diligence beyond the minimum CIP requirements is important. Banks should also perform due diligence on ATM owners and sub-ISOs, as appropriate. This due diligence may include:”
Based on the “Risk” being so definitively connected to Privately Owned ATMs with network sponsorship and ISO relationships, it appears to me that some banks that DO NOT have such relationships may be misinterpreting the FFIEC’s risk mitigation guidance as it relates to the collection of certain corporate documents and monitoring due diligence beyond the established mitigation practices required by the guidance for other customers/entities.
Reviewing corporate documentation, licenses, permits, contracts, or references, including the ATM transaction provider contract.
Reviewing public databases for information on the ATM owners.
Obtaining the addresses of all ATM locations, ascertain the types of businesses in which the ATMs are located, and identify targeted demographics.
Determining expected ATM activity levels, including currency withdrawals.
Ascertaining the sources of currency for the ATMs by reviewing copies of armored car contracts, lending arrangements, or any other documentation, as appropriate.
Obtaining information from the ISO regarding due diligence on its sub-ISO arrangements, such as the number and location of the ATMs, transaction volume, dollar volume, and source of replenishment currency.”
What we do:
As with ALL of our customer base, we monitor (daily) all currency transactions for suspicious activity, unusual increases in cash movement, out-of-the-normal deposits, currency exchanges and withdrawals, etc.
At account opening, we do document whether the customer has or will operate a Privately Owned ATM.
We have attempted, to the best of our ability, to identify any current customer who has or plans on operating a Privately Owned ATM.
We do not and will avoid banking ATM ISOs.
We perform all CIP & CDD risk assessments on new customers.
However, I am attempting to determine whether it is necessary for our bank to create a separate policy and procedure (or add to the current policy) for the sole purpose of monitoring Privately Owned ATMs and their relation with ISOs, when in fact we do not have any relationships with ISOs and do not sponsor any networks for ATMs that are not bank owned, which may have a relationship with an ISO.
Our only (current) relationships are with customers who have told us that they have ATM machines within their establishments, but do NOT have any network relationship with our bank. Some do, from time to time, withdraw cash from their small business accounts to replenish their ATMs. But, as stated above, we monitor large cash transactions ($3,000+) for all of our customers. We simply do not segregate ATM owners from any other “risk” group.
Please help me understand this correctly. What am I missing if my interpretation is off base?
Thank you all kindly.