Risk-based approach to independent ATM owners or operators

On June 22, 2022, the Financial Crimes Enforcement Network (FinCEN) issued the “Statement on Bank Secrecy Act Due Diligence for Independent ATM Owners or Operators.” The purpose of the statement was to provide clarity to financial institutions on how to apply a risk-based approach to the collection of customer due diligence (CDD) for these higher-risk type of customers.

FinCEN stated that institutions should follow a risk-based approach to allow them to:

• Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile.
• Conduct ongoing monitoring to identify and report suspicious transactions.

Customer due diligence

An independent ATM operator is an individual or an entity that is in the business of owning, leasing, managing or otherwise controlling access to the interior of an ATM (including the internal cash vault).

A key point to keep in mind is that ATM owners or operators should not automatically be considered a high-risk customer. These customer types fall into the “higher-risk” category, and the institution should collect enough information to allow them to make a determination on whether they should in fact be treated as high-risk, and monitored in accordance with the institution’s high-risk customer procedures.

The potential money laundering risk, potential terrorist financing risk or other illicit financial activity risk depends on several factors. Activity that would affect the overall risk level could include things such as the customer’s overall relationship with the institution, location (and number) of ATMs, transaction volume and the source of funds used to replenish the ATMs.

Customers who replenish ATMs with funds withdrawn from an account at the same financial institution where electronic settlement of the ATM transactions occur are typically lower risk, as the institution would have the ability to both verify the source of funds for the cash, and compare that activity with the electronic settlements.

However, not all ATM owners replenish cash via withdrawals from deposit accounts at the same institution where electronic settlement occurs. Some ATM owners may replenish cash in the ATM by using cash on hand or by using an account at another financial institution. These types of situations may pose a higher risk since the institution accepting the electronic settlements will likely not be able to verify the source of funds for the cash used in the ATMs.

FinCEN’s CDD rule, which was established in 2016, does not layout specific details as to what CDD information should be collected. Instead, FinCEN has instructed financial institutions to collect enough information from customers to allow the institution to determine what type of activity could be expected in the account, and what overall risk the customer would present to the institution.

Information to collect

Based on the risk profile, the institution may consider collecting the following information in order to understand the nature and purpose of the relationship:

1. Organizational structure, including key principals and management.
2. Information pertaining to the operating policies, procedures and internal controls of the ATM owner or operator.
3. ATM currency servicing arrangements, contracts, and responsibilities (e.g., cash vault services, third-party providers and self-service).
4. Information regarding the source of funds if the bank account is not used to replenish the ATM. Sources of cash may include proceeds generated by the core retail business of the owner, proceeds from a loan or revolving credit line or cash originating from an account maintained at another bank.
5. Location where the independent ATM owner or operator-customer is organized, and where they maintain their places of business, including locations of owned or operated ATMs.
6. Description of expected and actual ATM activity levels, including currency transactions.
7. Information to better understand whether ATM operations are generally ancillary to other retail operations or the primary business of the independent ATM owner or operator-customer.

Ongoing monitoring

The FFIEC BSA/AML Examination Manual states “Banks must have appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships and to develop a customer risk profile.”

In other words, the institution should monitor these types of customers and update CDD information as needed. If the customer is determined to be high-risk, the monitoring may occur on a more frequent basis, based on the institution’s own policies and procedures.

Federal banking agencies and FinCEN have recognized that it is vital for independent ATM owners and operators to have access to financial services. ATMs are an important channel in providing financial services, including to consumers in underserved markets and to those who may not have access to traditional banking services.

By collecting sufficient CDD, institutions will be able to make a determination regarding the type of activity to expect from these types of businesses and to also take an appropriate risk-based approach to the level of monitoring required to bank them.

How Wipfli can help

How well are you managing the risks stemming from independently operated or owned ATMs at your financial institution? Wipfli’s compliance consultants can provide the clarity and support you need in your due diligence efforts. Wipfli’s team brings real-world experience to your financial institution to meets today’s evolving compliance programs. Contact us to learn more. 

Sign up to receive additional financial institutions content and information in your inbox, or continue reading on: 

• Are you on top of the FinCEN priorities?
• How financial institutions can assess risks of nonprofits
• FinCEN issues first national AML/CFT priorities