
Risk-based approach to independent ATM owners or operators

Sep 20, 2022

On June 22, 2022, the Financial Crimes Enforcement Network (FinCEN) issued the “Statement on Bank Secrecy Act Due Diligence for Independent ATM Owners or Operators.” The purpose of the statement was to provide clarity to financial institutions on how they should apply a risk-based approach to the collection of customer due diligence (CDD) for these higher-risk types of customers.

FinCEN states that institutions should follow a risk-based approach to allow them to:

  • Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile.
  • Conduct ongoing monitoring to identify and report suspicious transactions.

Customer due diligence

An independent ATM operator is an individual or an entity that is in the business of owning, leasing, managing or otherwise controlling access to the interior of an ATM (including the internal cash vault).

A key point to keep in mind is that ATM owners or operators should not automatically be considered high-risk customers. These customer types fall into the “higher-risk” category, and the institution should collect enough information to determine whether they should in fact be treated as high-risk and monitored in accordance with the institution’s high-risk customer procedures.

The potential money laundering risk, potential terrorist financing risk or other illicit financial activity risk depends on several factors. Activity that would affect the overall risk level could include things such as the customer’s overall relationship with the institution, location (and number) of ATMs, transaction volume and the source of funds used to replenish the ATMs.

The customers who rely on funds withdrawn from a bank account with your financial institution are typically lower risk, as the institution would have the ability to verify the source of funds for the cash withdrawals and would also potentially be able to compare that activity with the electronic settlements.

However, not all ATM owners replenish cash via cash withdrawals from their deposit accounts. Some ATM owners may replenish cash to the ATM by using cash on hand or by using an account at another financial institution. These types of situations may pose a higher risk since an institution may not be able to verify the source of funds for the cash used in the ATMs.

FinCEN’s CDD rule, which was established in 2016, does not lay out specific details as to what CDD information should be collected. FinCEN has left it open to financial institutions to collect enough information from the customers to allow them to determine what type of activity could be expected in the account and what type of overall risk the customer would present to the institution.

Information to collect

Based on the risk profile, the institution may consider collecting the following information in order to understand the nature and purpose of the relationship:

  1. Organizational structure, including key principals and management.
  2. Information pertaining to the operating policies, procedures and internal controls of the ATM owner or operator.
  3. ATM currency servicing arrangements, contracts, and responsibilities (e.g., cash vault services, third-party providers and self-service).
  4. Information regarding the source of funds if the bank account is not used to replenish the ATM. Sources of cash may include proceeds generated by the core retail business of the owner, proceeds from a loan or revolving credit line or cash originating from an account maintained at another bank.
  5. Location where the independent ATM owner or operator-customer is organized, and where they maintain their places of business, including locations of owned or operated ATMs.
  6. Description of expected and actual ATM activity levels, including currency transactions.
  7. Information to better understand whether ATM operations are generally ancillary to other retail operations or the primary business of the independent ATM owner or operator-customer.

Ongoing monitoring

The FFIEC BSA/AML Examination Manual states that, “Banks must have appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships and to develop a customer risk profile.”

In other words, the institution should continue to monitor these types of customers and update CDD on file as needed. If the customer is determined to be high-risk, the monitoring may occur on a more frequent basis, based on the institution’s own policies and procedures.

Federal banking agencies and FinCEN have recognized that it is vital for independent ATM owners and operators to have access to financial services. ATMs are an important channel in providing financial services, including to consumers in underserved markets and to those who may not have access to traditional banking services.

By collecting sufficient CDD, institutions will be able to make a determination on the type of activity to expect from these types of businesses and to also take an appropriate risk-based approach in the level of monitoring required to bank them.

How Wipfli can help

How well are you managing the risks stemming from independently operated or owned ATMs at your financial institution? Wipfli’s compliance consultants can provide the clarity and support you need in your due diligence efforts. Wipfli’s team brings real-world experience to your financial institution to meet today’s evolving compliance programs. Contact us to learn more.


Author(s)

Kristen J. Ferwerda, CRCM
Manager, Compliance