Wipfli logo
Back to Articles

Due Diligence for Private ATM Owners or Operators - Credit Unions

Shelley Foster
Shelley Foster
Mar 01, 2014
5 min read

The number of privately owned or operated ATMs has increased over the past few years. The reasons businesses and individuals own ATMs varies. The ATMs generate income for their owners and require little time to maintain. In addition, they are convenient for the business’ customers to obtain cash.

The ATMs may be beneficial to their owners, but can mean increased risk to the Credit Union that serves the owner. There are few regulatory requirements for the owners so nearly anyone can own one or 100. There is increased money laundering risk associated with the machines. Money from illegal activities can be used to fill the machine, customers make withdrawals and clean money is sent to the ATM owner or operator via ACH deposits to settle the transactions.

Regulatory Guidance:

There is a regulatory expectation to perform due diligence on all identified ATM owners or operators. The FFIEC BSA Examination Manual states Credit Unions should implement policies and procedures to address risks associated with ISO (Independent Sales Organizations) members. These policies and procedures should include appropriate due diligence and suspicious activity monitoring. At a minimum, they should include:

  • Appropriate risk-based due diligence on the ISO, through a review of corporate documentation licenses, permits, contracts or references
  • Review of public databases to identify potential problems or concerns with the ISO or principal owners
  • Understanding the ISO’s controls for currency servicing arrangements for privately owned ATMs, including source of replenishment currency
  • Documentation of the locations of privately owned ATMs and determination of the ISOs target geographic market
  • Expected account activity, including currency withdrawals.
  • Obtaining information from the ISO regarding due diligence on its sub-ISO arrangements, such as the number and location of the ATMs, transaction volume, dollar volume, and source of replenishment currency

Because of these risks, ISO due diligence beyond the minimum CIP requirements is important. Credit Unions should also perform due diligence on ATM owners and sub-ISOs, as appropriate. This due diligence may include:

  • Reviewing corporate documentation, licenses, permits, contracts, or references, including the ATM transaction provider contract.
  • Reviewing public databases for information on the ATM owners
  • Obtaining the addresses of all ATM locations, ascertain the types of businesses in which the ATMs are located, and identify targeted demographics
  • Determining expected ATM activity levels, including currency withdrawals
  • Ascertaining the sources of currency for the ATMs by reviewing copies of armored car contracts, lending agreements or any other documentation, as appropriate

So what does that mean? Credit Unions should develop and implement a process to identify ATM owners and obtain sufficient due diligence information to enable them to risk rate the member and implement a monitoring system.

Identifying ATM Owners or Operators

The first step for managing ATM owners or operators is to identify which members have privately owned or operated ATMs. There should be a process to identify them for existing members as well as at account opening for new members. At account opening the CIP checklist should include a way to identify those members that have privately owned ATMs such as inquiring of the member.

There should be a process to identify ATM owners for existing members. The easiest method to do this is to review ACH reports for transactions coming from known ATM servicers. For example, FDRetail ATM, RBS, Worldpay, Coredata, FirstData, Datastream, Elan FS, Cash Depot, Cardtronics, CDS, EFUNDS, SWITCH, Metabank, Innobeta, MVNT and FDC Star System. If any members are receiving ACH credits from these originators, the member is likely an ATM owner/operator. Another method is to visit members who are more likely to have an ATM onsite, such as bars, restaurants, gas stations/convenience stores, and bowling alleys. If they have on onsite, you will need to inquire who owns or operates the ATM.

Due Diligence for ATM Owners or Operators

Once the Credit Union has identified an ATM owner or operator, it should obtain additional information to gain an understanding about the ISO or sub-ISO as well as the ATM owner/operator. The most efficient way to obtain the information is to contact the member directly to obtain the following information: In addition to obtaining information about the ISO or sub-ISO, the Credit Union should gain an understanding of the ATM owner’s procedures. The following information should be obtained:

  • Total numbers of ATMs owned or operated and location of each
  • How the ATMs are replenished (i.e., withdrawal from account, armored car or third party performs, store proceeds, etc.)
  • How often the ATM is replenished
  • Name of the ISO or ATM network they have contracted with
  • Copy of the contract
  • The account number the ATM transactions flow through, if unknown

Once this information is obtained, the Credit Union should do a review of public databases to determine if there are any issues with the ISO or principal owners. This can be accomplished via a web search.

Activity Monitoring

After sufficient information is obtained, the Credit Union should implement a process to monitor the accounts of the ATM owners. The information obtained during the due diligence process should enable the Credit Union to determine the amount of monitoring necessary as well as how often. Monitoring ATM owners will not necessarily be a one size fits all.

Monitoring should include a review of all activity as well as ATM activity. If the activity that flows in and out of an account is related only to the ATM, the monitoring is relatively easy. The amount of debits (cash withdrawals) and credits (reimbursement for transactions) should correlate. Any large variances should be further investigated to determine if it appears reasonable and appropriate.

Monitoring is difficult if more than ATM activity flows through the account, but can still be accomplished by comparing ACH credits to cash withdrawals. If the member replenishes the ATMs with store proceeds, the monitoring is more difficult, but should still be performed. If it is an existing member who has recently obtained an ATM, the amount of cash deposits should be decreased because the cash is going into the ATM. The amount of ACH credits related to the ATM should be reasonable given the type of business the member has.

The risks associated with ATM owners or operators can vary from member to member, but must be addressed. Once the expected activity is determined, the monitoring can be accomplished by comparing current activity to the normal activity. Any variances should be further investigated and documented. The frequency of monitoring should be determined by the identified risks as well as the risk appetite of the Credit Union. To satisfy regulatory expectations, the monitoring procedures and the actual monitoring performed should be documented.

Author(s)

Shelley Foster
Shelley Foster
CRCM, CCBIA, Senior Manager, Internal Audit and Regulatory Compliance
View Profile

Fill out the form below, and we’ll be in touch to discuss your financial institution’s needs.

State of the banking industry report 2025

How do financial institution executives feel about the future? Our fourth annual “State of the banking industry” report uncovered confidence, despite rising threats and uncertainty.

Download the report

TOP PICKS

Rhonda Coggins
Rhonda Coggins 04/02/2025
FDIC extends compliance deadline
Read full story
Doug Chapman 03/24/2025
Managing financial risk models amid tariff uncertainty
Read full story
Ken Kulawiak
Ken Kulawiak 03/06/2025
IT Leadership Roundtable: Transitioning to the NIST Cybersecurity Framework
Watch now