Statement on Bank Secrecy Act Due Diligence for Independent ATM Owners or Operators
June 22, 2022
The Financial Crimes Enforcement Network (FinCEN) is issuing this statement to provide clarity to banks1 on how to apply a risk-based approach to conducting customer due diligence (CDD) on independent Automated Teller Machine (ATM) owners or operators, consistent with the requirements set out in FinCEN’s 2016 CDD Rule.2 Some independent ATM owners and operators have reported difficulty in obtaining and maintaining access to banking services, which jeopardizes the important financial services they provide, including to persons in underserved markets.
ATMs offer fast and convenient access to cash and are an important channel in providing financial services. Independent ATMs may be found in a wide variety of public and retail venues and are not owned by banks. An independent ATM operator is an individual or an entity that is in the business of owning, leasing, managing, or otherwise controlling access to the interior of an ATM, including its internal cash vault. The independent ATM operator may be the same or different from the independent ATM owner. For all types of
independent ATMs, owners or operators generally need bank accounts to supply cash for the ATMs and to settle the electronic funds transfers used to process the ATM transactions.
FinCEN reminds banks that not all independent ATM owner or operator customers pose the same level of money laundering, terrorist financing (ML/TF), or other illicit financial activity risk, and not all independent ATM owner or operator customers are automatically higher risk. Further, banks that operate in compliance with applicable Bank Secrecy Act/ anti-money laundering (BSA/AML) regulatory requirements and reasonably manage and mitigate risks related to the unique characteristics of customer relationships are neither prohibited nor discouraged from providing banking services to independent ATM owner or operator customers, including those that are Independent Sales Organizations (ISOs).3
CDD Requirements
Understanding a customer’s risk profile enables banks to apply appropriate policies, procedures, and processes to manage and mitigate risk, and comply with BSA/AML regulatory requirements. Like all bank accounts, those held by independent ATM owners or operators are subject to BSA/AML regulatory requirements. In addition to CDD,4 these include requirements related to customer identification,5 beneficial ownership of legal entity customers,6 currency transaction reporting,7 and suspicious activity reporting.8 Banks must apply a risk-based approach to CDD in developing the risk profiles of their customers, including independent ATM owners or operators, and are required to establish and maintain written procedures reasonably designed to identify and verify beneficial owners of legal entity customers. More specifically, banks must adopt appropriate risk-based procedures for conducting CDD that, among other purposes, enable banks to: (i) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and (ii) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.9 Consistent with a risk-based approach, the level and type of CDD should be appropriate for the risks presented by each customer. The CDD Rule does not require banks to conduct additional due diligence or to institute due diligence processes unique to independent ATM owner or operator customers.
Considerations for a Risk-Based Approach
No specific customer type, including independent ATM owners and operators, automatically presents a higher risk of ML/TF or other illicit financial activity; rather, the potential risk to a bank depends on the presence or absence of numerous factors. The ML/TF risk for independent ATM owners or operators can vary depending on the facts and circumstances specific to the customer relationship, such as transaction volume, locations of the ATMs, and the source of funds to replenish the ATMs. Independent ATM owners or operators that fund their ATM replenishment solely with cash withdrawn from their account at a bank may pose a relatively lower ML/TF risk because the bank knows the source of funds and can compare the volume of cash usage to electronic funds transfer settlements to identify suspicious activity. Conversely, independent ATM owners or operators that replenish ATMs from other or unknown cash sources may present potentially higher ML/TF risks, as the source of cash can be difficult for the bank to verify. Although FinCEN’s CDD Rule does not specifically require the collection of this information, the following customer information may be useful for banks in making determinations on the ML/TF risk profile of independent ATM owner or operator customers:
• Organizational structure, including key principals and management.
• Information pertaining to the operating policies, procedures, and internal controls of the ATM owner or operator.
• ATM currency servicing arrangements, contracts, and responsibilities (e.g., cash vault services, third-party providers, and self-service).
• Information regarding the source of funds if the bank account is not used to replenish the ATM. Sources of cash may include proceeds generated by the core retail business of the owner, proceeds from a loan or revolving credit line, or cash originating from an account maintained at another bank.
• Location where the independent ATM owner or operator customer is organized, and where they maintain their places of business, including locations of owned or operated ATMs.
• Description of expected and actual ATM activity levels, including currency transactions.
• Information to better understand whether ATM operations are generally ancillary to other retail operations or the primary business of the independent ATM owner or operator customer.
Conclusion
FinCEN is issuing this statement to reaffirm that the level of ML/TF risk associated with independent ATM owner or operators varies; these bank customers do not automatically present a higher ML/TF risk. FinCEN continues to encourage banks to manage customer relationships and mitigate risks based on those customer relationships rather than declining to provide banking services to entire categories of customers.10 The application of a risk- based approach for independent ATM owners or operators is consistent with existing CDD and other BSA/AML requirements.
1. Under the Bank Secrecy Act, the term “bank” is defined in 31 CFR § 1010.100(d) and includes each agent, agency, branch, or office within the United States of, inter alia, commercial banks, trust companies, savings associations, credit unions, and foreign banks.
2. Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 2016); see also 31 CFR §§ 1010 and 1020.
3. See Independent ATM Owners or Operators section of the Federal Financial Institutions Examination Council BSA/AML Examination Manual. “An ISO is generally a person or entity that is (1) approved by, and under contract with, a sponsor bank to deploy and service independent ATMs and (2) under contract with an approved acquiring processor to route independent ATM transactions to Electronic Funds Transfer networks for which the ISO has been registered by the sponsor bank.”
4. 31 CFR §§ 1010.210 and 1020.210(a)(2)(v).
5. 31 CFR § 1020.220.
6. 31 CFR § 1010.230.
7. 31 CFR §§ 1010 and 1020.310.
8. 31 CFR § 1020.320.
9. 31 CFR § 1020.210(b)(5).
10. See Joint Statement on Risk-Focused BSA/AML Supervision, issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Financial Crimes Enforcement Network, the National Credit Union Administration, and the Office of the Comptroller of the Currency (July 22, 2019).
June 22, 2022
The Financial Crimes Enforcement Network (FinCEN) is issuing this statement to provide clarity to banks1 on how to apply a risk-based approach to conducting customer due diligence (CDD) on independent Automated Teller Machine (ATM) owners or operators, consistent with the requirements set out in FinCEN’s 2016 CDD Rule.2 Some independent ATM owners and operators have reported difficulty in obtaining and maintaining access to banking services, which jeopardizes the important financial services they provide, including to persons in underserved markets.
ATMs offer fast and convenient access to cash and are an important channel in providing financial services. Independent ATMs may be found in a wide variety of public and retail venues and are not owned by banks. An independent ATM operator is an individual or an entity that is in the business of owning, leasing, managing, or otherwise controlling access to the interior of an ATM, including its internal cash vault. The independent ATM operator may be the same or different from the independent ATM owner. For all types of
independent ATMs, owners or operators generally need bank accounts to supply cash for the ATMs and to settle the electronic funds transfers used to process the ATM transactions.
FinCEN reminds banks that not all independent ATM owner or operator customers pose the same level of money laundering, terrorist financing (ML/TF), or other illicit financial activity risk, and not all independent ATM owner or operator customers are automatically higher risk. Further, banks that operate in compliance with applicable Bank Secrecy Act/ anti-money laundering (BSA/AML) regulatory requirements and reasonably manage and mitigate risks related to the unique characteristics of customer relationships are neither prohibited nor discouraged from providing banking services to independent ATM owner or operator customers, including those that are Independent Sales Organizations (ISOs).3
CDD Requirements
Understanding a customer’s risk profile enables banks to apply appropriate policies, procedures, and processes to manage and mitigate risk, and comply with BSA/AML regulatory requirements. Like all bank accounts, those held by independent ATM owners or operators are subject to BSA/AML regulatory requirements. In addition to CDD,4 these include requirements related to customer identification,5 beneficial ownership of legal entity customers,6 currency transaction reporting,7 and suspicious activity reporting.8 Banks must apply a risk-based approach to CDD in developing the risk profiles of their customers, including independent ATM owners or operators, and are required to establish and maintain written procedures reasonably designed to identify and verify beneficial owners of legal entity customers. More specifically, banks must adopt appropriate risk-based procedures for conducting CDD that, among other purposes, enable banks to: (i) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and (ii) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.9 Consistent with a risk-based approach, the level and type of CDD should be appropriate for the risks presented by each customer. The CDD Rule does not require banks to conduct additional due diligence or to institute due diligence processes unique to independent ATM owner or operator customers.
Considerations for a Risk-Based Approach
No specific customer type, including independent ATM owners and operators, automatically presents a higher risk of ML/TF or other illicit financial activity; rather, the potential risk to a bank depends on the presence or absence of numerous factors. The ML/TF risk for independent ATM owners or operators can vary depending on the facts and circumstances specific to the customer relationship, such as transaction volume, locations of the ATMs, and the source of funds to replenish the ATMs. Independent ATM owners or operators that fund their ATM replenishment solely with cash withdrawn from their account at a bank may pose a relatively lower ML/TF risk because the bank knows the source of funds and can compare the volume of cash usage to electronic funds transfer settlements to identify suspicious activity. Conversely, independent ATM owners or operators that replenish ATMs from other or unknown cash sources may present potentially higher ML/TF risks, as the source of cash can be difficult for the bank to verify. Although FinCEN’s CDD Rule does not specifically require the collection of this information, the following customer information may be useful for banks in making determinations on the ML/TF risk profile of independent ATM owner or operator customers:
• Organizational structure, including key principals and management.
• Information pertaining to the operating policies, procedures, and internal controls of the ATM owner or operator.
• ATM currency servicing arrangements, contracts, and responsibilities (e.g., cash vault services, third-party providers, and self-service).
• Information regarding the source of funds if the bank account is not used to replenish the ATM. Sources of cash may include proceeds generated by the core retail business of the owner, proceeds from a loan or revolving credit line, or cash originating from an account maintained at another bank.
• Location where the independent ATM owner or operator customer is organized, and where they maintain their places of business, including locations of owned or operated ATMs.
• Description of expected and actual ATM activity levels, including currency transactions.
• Information to better understand whether ATM operations are generally ancillary to other retail operations or the primary business of the independent ATM owner or operator customer.
Conclusion
FinCEN is issuing this statement to reaffirm that the level of ML/TF risk associated with independent ATM owner or operators varies; these bank customers do not automatically present a higher ML/TF risk. FinCEN continues to encourage banks to manage customer relationships and mitigate risks based on those customer relationships rather than declining to provide banking services to entire categories of customers.10 The application of a risk- based approach for independent ATM owners or operators is consistent with existing CDD and other BSA/AML requirements.
1. Under the Bank Secrecy Act, the term “bank” is defined in 31 CFR § 1010.100(d) and includes each agent, agency, branch, or office within the United States of, inter alia, commercial banks, trust companies, savings associations, credit unions, and foreign banks.
2. Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 2016); see also 31 CFR §§ 1010 and 1020.
3. See Independent ATM Owners or Operators section of the Federal Financial Institutions Examination Council BSA/AML Examination Manual. “An ISO is generally a person or entity that is (1) approved by, and under contract with, a sponsor bank to deploy and service independent ATMs and (2) under contract with an approved acquiring processor to route independent ATM transactions to Electronic Funds Transfer networks for which the ISO has been registered by the sponsor bank.”
4. 31 CFR §§ 1010.210 and 1020.210(a)(2)(v).
5. 31 CFR § 1020.220.
6. 31 CFR § 1010.230.
7. 31 CFR §§ 1010 and 1020.310.
8. 31 CFR § 1020.320.
9. 31 CFR § 1020.210(b)(5).
10. See Joint Statement on Risk-Focused BSA/AML Supervision, issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Financial Crimes Enforcement Network, the National Credit Union Administration, and the Office of the Comptroller of the Currency (July 22, 2019).