In The News

Coping with the Never-Ending Challenge of ATM Compliance, By Gary Walston

ATM compliance is a perennial challenge, but doesn’t it seem now that it is coming more frequently, with more force, and with more cost?

The combination of more complex networked ATMs utilizing PC-based operating systems with networks and regulators trying to protect sensitive customer data has led to the never-ending need to upgrade or replace ATMs.

Some might say it all started with Y2K. Since then there has been a litany of compliance requirements at the ATM mandated by either the various networks (MasterCard or Visa, aka Cirrus or Plus) or federal and state banking laws. Here is a brief timeline of the most significant:

• 2000: Y2K
• 2005: Triple Data Encryption (3DES)
• 2006: IBM OS/2 End of Life
• 2009: PCI, Encrypted PIN Pads
• 2012: Americans with Disabilities Act (ADA)
• 2014: Windows XP End of Life
• 2016: Europay MasterCard Visa (EMV, chip card)
• 2020: Windows 7 End of Life

Every two to three years, a new mandate or requirement comes along that forces credit unions to make major decisions regarding upgrading and replacing ATM equipment in order to remain compliant. Unfortunately for credit unions, no sooner do you spend money to become compliant than you have to start worrying about another compliance requirement coming down the road. That means you have to evaluate your ATM network all over again, spending more time and more money.

The compliance end goal is to manage and mitigate risks. Most risk associated with ATMs has to do with sensitive customer information being accessible to thieves and criminals. It is the job of everyone in the ATM industry to protect consumers, and all compliance requirements (with the exception of ADA) are designed to accomplish that.

The calculation for ATM upgrade or replacement revolves around the age of the equipment, the upgrade feasibility, and the timing for replacement. All involve considerable expense and hassle. Often, too, the partners you turn to for advice and expertise are the same ones who benefit the most from these never-ending compliance requirements.

With that in mind, here are a few strategies for credit unions to effectively manage compliance at the ATM and protect their members.

Do nothing. Avoiding the issue involves little effort, but a fair amount of risk: the risk of how regulators will respond to or penalize the institution; the risk that other third-party providers (processors and networks) will shut your ATMs down; the risk of serious damage to your reputation and inconvenience for your members in the event of a breach; and, of course, the risk of litigation.

Not all compliance requirements are absolutes; EMV, for example, is simply a liability shift. And while migration to Windows 7 is highly recommended by the Federal Financial Institutions Examination Council (FFIEC), it is not an absolute mandate – if you can implement compensating controls to remain PCI compliant. It is all about mitigating your risks, which the vast majority of financial institutions address with conservative decision-making that rarely results in “doing nothing.”

Upgrade, Upgrade, Upgrade. Upgrading an ATM to remain compliant is always an option. In evaluating whether to upgrade an ATM (and each unit should be looked at individually), you must first consider its age. If your ATM is seven years old, for example, does it really make sense to invest $4,000 to $10,000 in a piece of equipment that is already nearing the end of its useful life?

You also need to consider what is involved in upgrading. Is it just a need for new software? Do you have a software maintenance agreement that provides an update or do you need to buy a software suite? Does the ATM require a new microprocessor or more memory? Will these upgrades handle the next compliance requirement? For example, to upgrade for EMV you must be running Windows 7, and to run Windows 7 you need new software, which requires a faster processor and more memory. A good rule of thumb is to upgrade when you have three or more years of useful life left and the expense doesn’t exceed $5,000.

Replace. Evaluating the age of your ATM and its current book value and useful life will help determine whether it’s time to replace it and get compliant. Buying a new ATM is more expensive, but may save money in the long run. With a new ATM, maintenance costs will be lower, uptime higher, and future compliance will be less costly.

Before making that purchase, look into software maintenance that may lessen your cost of updates, upgrades, or new software versions. Also consider downgrading; new technology may do wonderful things, but if you see the primary purpose of an ATM as letting members get cash fast, simple may be better. The vast majority of ATM transactions are cash withdrawals. Image deposits at the ATM may have been the craze for the past few years, but could be short-lived considering the speed with which mobile deposits have taken off.

Get Out of the ATM Business. Outsourcing ATM operations is a growing trend among credit unions, particularly those that see the ATM as a “necessary evil” and not their core competency. Turning their fleet over to an expert focused exclusively on ATM management and operation can save time, money, and headaches. It also takes the burden of compliance off their back and frees the credit union’s staff to focus on the organization’s primary objectives.

There are many aspects to consider in finding the right partner. One is whether you want to “get out” of ATMs entirely. If so, make sure your partner can do it all (terminal driving, maintenance, cash management, replenishment, telecommunications, monitoring, dispatch, etc.). That includes purchasing your existing ATMs from you or buying new ATMs.

Gary Walston is Executive Vice President of Dolphin Debit (www.dolphindebit.com), a full-service ATM management company that owns and operates ATMs for financial institutions. Contact him at gwalston@dolphindebit.com.