--ATM Scams - Whose Liability Is It, Anyway?
American Banker Tuesday, August 13, 2002 By David Breitkopf As the topic of fraud at automated teller machines commands increasing attention, some observers fear that conflicting interests among the banks and vendors involved - particularly over liability - will snarl industrywide efforts to correct the problem. Bankers say they have only begun to understand the range of problems associated with skimming. "It's uncharted territory right now," said Robin Nenninger, the executive vice president and manager of ATM operations at U.S. Bancorp. "I do think you'll be looking closer at the contracts to decide where the ultimate liability lies. You want to protect yourself, but you also want to solve it for the industry." Henry Polmer, a partner at the law firm Piper Rudnick LLP in Washington, is part of a task force examining the matter. "Everyone wants to cure the problem, but what happens if there's a large loss?" he asked. "Who's liable? At some point, there could be finger-pointing." On July 23 the Electronic Funds Transfer Association organized a meeting of nearly every interested party to work on collective solutions, specifically to the growing problem of skimming. This type of fraud involves stealing PIN numbers and other card data, often through devices attached to the machines, and using the data either to manufacture fraudulent cards or to loot bank accounts. Because many of the entities represented at the meeting had conflicting interests, Mr. Polmer and others expressed concern that the "ATM Integrity Task Force" that was set up at the meeting might not be able to sustain a united front. "The potential for disputes between the parties over their liabilities to each other lies just below the surface," he said. The task force includes officials from ATM manufacturers, banks, independent sales organizations, the card associations, electronic funds transfer networks, software companies, and law enforcement. Since skimming could be fostered by negligence on the part of any of the entities involved in a transaction - from the card-issuing bank all the way back to the ATM manufacturer - all manner of finger-pointing is possible. Complicating the situation is a patchwork of regulations governing these transactions, along with the fact that law enforcement is reluctant to pursue skimming thefts unless the amounts involved are substantial. Consumers who report unauthorized transactions to their card issuers in a timely fashion are made whole by their bank and protected against losses by the EFT Act, the Federal Reserve's Regulation E, and card association rules such as zero liability. Nevertheless, consumers could be vulnerable to identity theft, which could destroy their creditworthiness for years. Identity-theft victims complain that local police departments tend to be powerless to help them and that working with federal law enforcement tends to be difficult. Though issuers are the first to take the hit when consumer accounts are attacked, network rules can make the merchant-acquirer or ISO liable to the issuer if account data and PINs were not properly encrypted at the ATM. Nonbank ATM owners and ISOs, in turn, may be contractually liable to the merchant-acquiring bank. "Of course, everyone turns ultimately to the ATM manufacturers to see whether they have accurately certified the compliance of their machines with network rules," said Mr. Polmer. At the task force meeting, a number of members said that it is nearly impossible to locate a machine at which a fraud was perpetrated. One of the suggested solutions was to give ATMs identification numbers - similar to the vehicle identification numbers on cars - so the machines could be more easily tracked. However, that alone would not guarantee that law enforcement would be able to determine which ATM has been compromised. Card-issuing banks in particular are interested in being able to identify which machines were used in the crime to help determine liability. "If they know whose ATMs caused those cards to be compromised, then the cardholder's bank will be able to allege that that machine was not secure," Mr. Polmer said. Otherwise, the issuing bank would end up paying for the fraud, he said. If the issuing bank could identify the acquiring bank responsible for the ATM, the acquiring bank would then seek to move the liability further down the food chain, often to the ISO that deployed the machine. H. Kurt Helwig, the executive director of the Electronic Funds Transfer Association, of Herndon, Va., said the task force did not want to discuss the potentially divisive issue of liability. "I don't look at the task force as a vehicle to discuss liability issues," he said. "I suspect the attorneys of those companies will be dealing with those problems, but I think the goal of the task force is to work together to solve the issue or control it." Nandita Bakhshi, the director of the deposit/payment product group for FleetBoston Financial Corp., said the question of liability remains cloudy. "I don't think we've gotten a good answer yet. That's an issue that needs to be discussed between the issuing banks, the acquiring bank, and the EFTA and the networks. These are evolving things. I don't think people anticipated these types of issues." The weakest link in the liability chain could be the ISOs, the companies that put the ATMs or help finance the placement. "Quite frankly, we're the last throat to choke," said Lance Setliff, the national sales manager for Momentum Cash Systems Inc., a Houston ISO. Mr. Setliff said he doubts the merchants whose stores house the ATMs would be held liable, because most do not have enough money to cover the funds that a skimmer could steal. Last year, for example, a scam in New York netted about $3.5 million in only a few weeks. Momentum Cash says that in recent months it has gotten much tougher about screening the people it hires as "dealers" to make arrangements with merchants. However, the ISO says that the rise of skimming was only one of the factors in its decision. Another is the spectacular bankruptcy last year of the Philadelphia-based Credit Card Center, the largest ISO in the United States, which made many merchants wary of doing business with ISOs, Momentum Cash says. "We talked to merchants, and merchants know about that," Mr. Setliff said. "We took a black eye."
