When I entered community banking, one of my least favorite responsibilities was servicing the automated teller machines (ATMs). As a young officer at a small community bank, I, along with a few of our other young officers, was tasked with resupplying the bank’s local ATMs with cash, scheduling maintenance on them when they went down, and rotating being “on call” for responding to after-hours ATM problems that arose from time to time. Not only did it seem to be an inconvenient interruption to my day (or night, in the case of an after-hours issue that I had to respond to), but it just was not a very exciting part of banking. After all, at that time ATMs had been around for decades, had become ubiquitous, and rarely presented much risk so long as proper security procedures were maintained with respect to restocking the machines with cash. They were so routine that the federal banking regulators didn’t even require banks to file an application before opening one away from a branch location.

The boring existence of ATMs is now changing. Banks have begun expanding the capabilities of ATMs in exciting and useful ways. Many have chosen to utilize a next-generation machine known as an interactive teller machine (ITM) as a replacement for branches in remote locations where a full branch may be an unnecessary deployment of overhead expenses. ITMs are increasingly sophisticated banking facilities that resemble ATMs but allow customers to interact with live tellers remotely.

However, with this new functionality, the federal banking regulators are rethinking their approach as to exactly how many services can be provided at such a machine without regulatory approval. On August 9, 2024, the Federal Deposit Insurance Corporation (FDIC) issued Financial Institution Letter (FIL) 53-2024, “Classification of Interactive Teller Machines as Domestic Branches or Remote Service Units.” This FIL relates exclusively to the applicability of the Federal Deposit Insurance Act’s (FDI Act) branch establishment requirements for state nonmember banks regarding ITMs, but one can assume that its standards will also be persuasive with respect to similar questions raised for state member banks and national banks as well.

The FDI Act requires state nonmember banks to obtain the FDIC’s consent before establishing a domestic branch. However, ATMs and remote service units (RSUs) are specifically excluded from the definition of a domestic branch under the act. This FIL addresses whether the use of ITMs at locations other than established branch facilities would require a domestic branch application or qualify for the RSU exclusion.

According to the FIL, the FDIC would not consider an ITM established by a state nonmember bank as a “domestic branch” subject to FDIC approval under the following circumstances:

• The ITM is an automated, unstaffed banking facility owned or operated by the bank, enabling its customers (and only its customers) to initiate interactive sessions with remote bank personnel.
• The ITM allows the bank’s customers to perform transactions with or without the involvement of bank personnel and provides customers the sole discretion to initiate and terminate interactive sessions.

State nonmember banks can also provide noncustomers access to ITM facilities without applying for a branch application so long as the services available to noncustomers are limited to typical ATM functionalities. This means that noncustomers should not be able to engage a live remote teller to perform core banking functions. ITMs operating outside the stated parameters at a non-branch location may require a branch application. However, ITMs established at approved branch locations can operate beyond these parameters without an additional branch application.

For those ATMs that have not yet been upgraded with ITM software, a troubling development known as “ATM jackpotting” has recently affected a number of our clients. ATM jackpotting is a form of ATM fraud that occurs when a criminal accesses the computer hardware of an ATM and hacks it, causing it to dispense cash until the ATM is empty. This scheme has been around for some time, but it has become a more frequent threat for Mississippi banks over the past few months.

The first obvious question is, how do the criminals gain access to the computer hardware of the ATM? Believe it or not, it is apparently easier than you would expect, with some criminals actually possessing keys that allow them to open up the compartment containing the “brains” of the machine. Therefore, the first key (pun intended) to stopping these attacks is to make it more difficult for the criminals to open the machines. This could involve installing a more complicated locking mechanism or possibly installing alarms within the cabinet that are triggered when someone opens it without approval.

Hardware or software upgrades for the machine could also be a helpful defense, either through encryption of the hard drive or installation of software updates and patches in a timely manner. Since such upgrades can be a useful defense, older ATM machines that are likely to not have these upgrades become attractive targets for criminals. For those banks that are not concerned about what regulatory application may be necessary for their brand new ITMs, they may instead need to focus on what protections need to be put in place for their older machines to avoid jackpotting schemes. Who said ATMs are not exciting (and scary)?