ATM Scams - Whose Liability Is It, Anyway?
American Banker Tuesday, August 13, 2002
By David Breitkopf
As the topic of fraud at automated teller machines commands increasing
attention, some observers fear that conflicting interests among the banks
and vendors involved - particularly over liability - will snarl
industrywide efforts to correct the problem.
Bankers say they have only begun to understand the range of problems
associated with skimming.
"It's uncharted territory right now," said Robin Nenninger, the executive
vice president and manager of ATM operations at U.S. Bancorp. "I do think
you'll be looking closer at the contracts to decide where the ultimate
liability lies. You want to protect yourself, but you also want to solve it
for the industry."
Henry Polmer, a partner at the law firm Piper Rudnick LLP in Washington, is
part of a task force examining the matter. "Everyone wants to cure the
problem, but what happens if there's a large loss?" he asked. "Who's
liable? At some point, there could be finger-pointing."
On July 23 the Electronic Funds Transfer Association organized a meeting of
nearly every interested party to work on collective solutions, specifically
to the growing problem of skimming. This type of fraud involves stealing
PIN numbers and other card data, often through devices attached to the
machines, and using the data either to manufacture fraudulent cards or to
loot bank accounts.
Because many of the entities represented at the meeting had conflicting
interests, Mr. Polmer and others expressed concern that the "ATM Integrity
Task Force" that was set up at the meeting might not be able to sustain a
"The potential for disputes between the parties over their liabilities to
each other lies just below the surface," he said.
The task force includes officials from ATM manufacturers, banks,
independent sales organizations, the card associations, electronic funds
transfer networks, software companies, and law enforcement. Since skimming
could be fostered by negligence on the part of any of the entities involved
in a transaction - from the card-issuing bank all the way back to the ATM
manufacturer - all manner of finger-pointing is possible.
Complicating the situation is a patchwork of regulations governing these
transactions, along with the fact that law enforcement is reluctant to
pursue skimming thefts unless the amounts involved are substantial.
Consumers who report unauthorized transactions to their card issuers in a
timely fashion are made whole by their bank and protected against losses by
the EFT Act, the Federal Reserve's Regulation E, and card association rules
such as zero liability.
Nevertheless, consumers could be vulnerable to identity theft, which could
destroy their creditworthiness for years. Identity-theft victims complain
that local police departments tend to be powerless to help them and that
working with federal law enforcement tends to be difficult.
Though issuers are the first to take the hit when consumer accounts are
attacked, network rules can make the merchant-acquirer or ISO liable to the
issuer if account data and PINs were not properly encrypted at the ATM.
Nonbank ATM owners and ISOs, in turn, may be contractually liable to the
"Of course, everyone turns ultimately to the ATM manufacturers to see
whether they have accurately certified the compliance of their machines
with network rules," said Mr. Polmer.
At the task force meeting, a number of members said that it is nearly
impossible to locate a machine at which a fraud was perpetrated.
One of the suggested solutions was to give ATMs identification numbers -
similar to the vehicle identification numbers on cars - so the machines
could be more easily tracked. However, that alone would not guarantee that
law enforcement would be able to determine which ATM has been compromised.
Card-issuing banks in particular are interested in being able to identify
which machines were used in the crime to help determine liability.
"If they know whose ATMs caused those cards to be compromised, then the
cardholder's bank will be able to allege that that machine was not secure,"
Mr. Polmer said. Otherwise, the issuing bank would end up paying for the
fraud, he said.
If the issuing bank could identify the acquiring bank responsible for the
ATM, the acquiring bank would then seek to move the liability further down
the food chain, often to the ISO that deployed the machine.
H. Kurt Helwig, the executive director of the Electronic Funds Transfer
Association, of Herndon, Va., said the task force did not want to discuss
the potentially divisive issue of liability.
"I don't look at the task force as a vehicle to discuss liability issues,"
he said. "I suspect the attorneys of those companies will be dealing with
those problems, but I think the goal of the task force is to work together
to solve the issue or control it."
Nandita Bakhshi, the director of the deposit/payment product group for
FleetBoston Financial Corp., said the question of liability remains cloudy.
"I don't think we've gotten a good answer yet. That's an issue that needs
to be discussed between the issuing banks, the acquiring bank, and the EFTA
and the networks. These are evolving things. I don't think people
anticipated these types of issues."
The weakest link in the liability chain could be the ISOs, the companies
that place the ATMs or help finance the placement.
"Quite frankly, we're the last throat to choke," said Lance Setliff, the
national sales manager for Momentum Cash Systems Inc., a Houston ISO.
Mr. Setliff said he doubts the merchants whose stores house the ATMs would
be held liable, because most do not have enough money to cover the funds
that a skimmer could steal. Last year, for example, a scam in New York
netted about $3.5 million in only a few weeks.
Momentum Cash says that in recent months it has gotten much tougher about
screening the people it hires as "dealers" to make arrangements with
merchants. However, the ISO says that the rise of skimming was only one of
the factors in its decision. Another is the spectacular bankruptcy last
year of the Philadelphia-based Credit Card Center, the largest ISO in the
United States, which made many merchants wary of doing business with ISOs,
Momentum Cash says.
"We talked to merchants, and merchants know about that," Mr. Setliff said.
"We took a black eye."