This month, the Federal Financial Institutions Examination Council (FFIEC), whose members include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), issued a Joint Statement to financial institutions concerning the increasing risk of cyber-attacks on ATMs. The attacks can result in "cash-out fraud" characterized as "Unlimited Operations" by the U.S. Secret Service.

The FFIEC expects financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes in order to avoid large dollar losses. In so doing, the FFIEC's members appear ready to scrutinize the security of financial institutions' ATM operations.

The risk of large dollar losses from "Unlimited Operations" is not speculative. Indeed, it happened on December 22, 2012, and February 19-20, 2013, after hackers breached the networks of two processors of prepaid debit card transactions. The cyber criminals used the stolen information to create debit cards and withdraw $45 million in 36,000 ATM transactions in 26 countries in just 10 hours, as reported by the Daily News. As the FFIEC observes, in such "Unlimited Operations," cyber criminals may (i) gain access to web-based ATM control panels and (ii) manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that a service provider sends to the financial institution, the designated employee that receives these reports, and other management functions related to card security and internal controls.

Removing withdrawal and other limits and controls reduces the number of counterfeit cards and transactions necessary to perpetrate "cash-out fraud" at ATMs, increasing the risk to financial institutions. Without such limits and controls, so-called "cash crews" can empty innumerable ATMs in single transactions.

The FFIEC expects financial institutions to address the growing risks of such "Unlimited Operations," taking steps as set forth in the Joint Statement. The FFIEC warns that financial institutions that issue debit, prepaid, or ATM cards may face a variety of risks from Unlimited Operations including fraud losses, liquidity and capital risks (depending on the size of the institution and the losses incurred), and reputation risks. Further, financial institutions that outsource card issuing to card processors may initially be liable for losses even if the compromise occurs at the processor.

For further information visit Waller's Banking Law Blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.