Automated Teller Machines

An ATM is an electronic banking outlet that allows members to complete transactions without the assistance of a member service representative or teller. Anyone with a credit card or debit card can access an ATM as long as the card and the ATM are on the same network. An ATM communicates through the ATM network so members can access their account information.

Electronic Fund Transfers (Regulation E) is intended to protect individual consumers engaging in EFTs and remittance transfers. These services include the following:

  • Transfers through ATMs
  • POS terminals
  • ACH systems
  • Telephone bill-payment plans in which periodic or recurring transfers are contemplated
  • Remote banking programs
  • Remittance transfers

Reg E applies to ATMs in several different areas. If the ATM receives deposits, the Credit Union must display an Expedited Funds Availability disclosure/sign. This could be on the screen or on the deposit envelopes. Additionally, Reg E requires ATM operators that impose an ATM surcharge to:

  • Post a notice on the machine that a surcharge may be imposed
  • Inform the consumer, either through an on-screen message or a paper receipt, of the amount of the surcharge before the consumer is committed to completing the transaction (opt-out).

Reg E also governs the timeframes for error resolution and notification. A financial institution may require a consumer to give written confirmation of an error within 10 business days of giving oral notice. The financial institution must provide the address where confirmation must be sent (12 CFR 1005.11(b)(2)).

Error resolution procedures. After receiving a notice of error, the financial institution must do all of the following:

  • Promptly investigate the oral or written allegation of error
  • Complete its investigation within 10 business days (12 CFR 1005.11(c)(1))

The financial institution may take up to 45 calendar days (12 CFR 1005.11(c)(2)) to complete its investigation provided it:

  • Provisionally credits the funds (including interest, where applicable) to the consumer’s account within the 10 business-day period
  • Advises the consumer within two business days of the provisional crediting
  • Gives the consumer full use of the funds during the investigation

Physical and Logical Controls

When reviewing an ATM program, both physical and logical controls should be considered. A sound program should have a physical and logical security and risk awareness program in place. In addition, there should be board-approved, documented policies and procedures addressing dual control for ATM access as well as maintenance, security procedures, patch management, network security, and fraud monitoring and protection.

An ATM is an electronic communication device and, therefore, the controls a credit union has in place for its other electronic devices should be in place on the ATM. As such, the following items should be addressed as part of ATM security:

  • Access time-out and log-on attempt limits
  • Anti-skimming software and hardware
  • User access and other internal controls
  • Monitoring for physical tampering
  • Captured card handling procedures
  • Dual control for card stock/printer refills
  • Mail PIN and card separately
  • Block unauthorized withdrawals and transfers
  • Approved and documented daily withdrawal limits

An ATM runs on a PC platform and operating system, so application security also needs to be in place, such as:

  • Patch management
  • Virus protection
  • Change management controls
  • Software maintenance (operating system upgrades)

Compliance

In addition, compliance with state, federal, and regulatory laws and statutes must be considered when evaluating an ATM. As of March 12, 2012, the ADA mandates that all ATMs be accessible and include features such as a Braille keypad, audio output, and command instructions.

Credit unions should be monitoring their compliance with Reg E as it relates to ATMs, such as:

  • Adequate signage on ATM or screens
  • Funds availability and deposit disclosures available or displayed
  • Tracking of deposits at ATMs for AML/BSA
  • Confirm dispute timeframes are met and managed with processes and procedures

Transactional Controls

Internal controls are key to a sound ATM program. Credit unions should have the following key controls in place:

  • Timely reconciliation of related GL accounts
  • Transaction dollar and frequency limits
  • Dual control over cash replenishments
  • Dual control over ATM balancing

Additionally, periodic audits of the ATM and of policies and procedures should be performed by an independent party (internal audit, independent auditor, etc.). The independent party performing the review should have some knowledge regarding ATMs. All audit and examination findings should be tracked and resolved in a timely manner.

Last updated February 7, 2017