News

Is there a future for the sub-ISO?

Rose Bunch, ISO coordinator for Bankfirst, says that an increasing number of industry leaders concur that the use of sub-ISOs for ATM sales is a risky practice and are joining the call to seek out and stop the use of unregistered sales organizations.

December 22, 2004

ATM sales and placements have skyrocketed in recent years, as more and more businesses and merchants lined up to share in the surcharge revenue. As merchants saw an effective and profitable path to drive more customers to their location, a proliferation of businesses sought to fill this demand.

The explosion in off-premises ATM deployment stimulated intense competition in the industry. The result: a highly aggressive environment with ever-shrinking margins for those who place the machines. Recently, new regulatory requirements and revised network rules have created a demand for more stringent reporting and due diligence.

A start-up or small company is under a serious disadvantage in the ATM world. Network registration fees are between $6,000 and $12,000, depending on connectivity. Many processors prefer not to sign agreements with small companies. Manufacturers will not sell terminals to individuals. Cash providers generally will not work with start-ups. Hard working individuals who want to start and build their own company don't have much of a chance.

The result has been the emergence of a network of undocumented, unregistered "sub" ISOs that lack the resources and backing to guarantee the integrity of the business they place. By joining forces with an existing ISO, the undocumented sub-ISOs place ATMs through registered ISOs, thereby building the larger ISO's portfolio and profits.

To conform to regulatory guidelines, these small businesses must secure merchant agreements in the name of the registered ISO. If they want to move their client base, they are often in for a fight. Many ISO/sub-ISO fights have been settled in court.

Naturally, sub-ISOs do not want to "meet and greet" in the name of another company, nor do they want to place agreements in the name of another company. So many sub-ISOs establish merchant agreements and label the ATM in their own name despite network regulations to the contrary.

This practice has come to a halt in recent months, as networks and other ISOs are policing machines and reporting violators to the networks.

Networks now require merchants to enter into agreements only with the member banks which sponsor ISOs into the networks. The federal government has gotten into the act by authoring the Patriot Act, which requires banks to "know their customer." Conventional interpretation of the Patriot Act defines merchants with ATMs as customers of the bank, thereby requiring at least the same due diligence the banks use when opening new checking accounts.

When banks investigate merchants, they will learn whether the ISO that placed a machine is registered with them. Visa has gotten into the act as well. Visa imposes fines of $10,000 on member banks that allow an unregistered company to operate an ATM. Visa employees have been issued special cards to screen unmarked machines for unregistered ISOs, and also to locate scrip machines operating as ATMs.

Risky business

A bank spends one to two months and upwards of a thousand dollars approving an ISO. If the ISO allows an unknown third party to buy, own, and place ATMs under that sponsorship, it creates a risk for the bank.

Placing a label on the machine identifying a registered ISO, as network rules require, does nothing to mitigate the risk to a sponsoring financial institution if the machine was placed by an third party company. 

The sub-ISO is also at substantial risk for terminals they sell because they are usually too small to complete adequate due diligence on each merchant (background criminal check, identity verification, OFAC scan and credit check).  Registered ISOs may not be completing this regulatory and network requirement for each of their sub-ISOs. 
 
Many industry leaders are joining the call to seek out and stop the use of sub-ISOs. They concur that the use of sub-ISOs is a high risk practice and have made it a goal to eliminate this underground operation.

At the sponsor level

Locating and shutting down unregistered ISOs has proved fruitless as they can easily move to another ISO or another processor, without the sponsoring bank's knowledge. Merchant level approval and processor accountability can prove to be a much more effective way to put an end to this practice. To aid in the cause, concerned institutions are asking Visa and MasterCard to support efforts to enforce these actions.

Sponsoring institutions must be persuaded to place ATMs under their own processing agreements as the most effective way to stop unregistered ISOs and thwart them from using anonymous processors.

Only in this way can the sponsor bank activate every machine, know where they are located, track transactions and monitor their access. By acquiring agreements with each processor and each merchant, the sponsor bank assures its compliance with Patriot Act requirements to "know your customer."

Alternatives emerge

As the call for an answer grows louder, some alternatives are beginning to emerge. For instance, Bankfirst has developed on option which allows individuals to place machines directly for the bank rather than through a larger ISO. In effect, they become contract employees or independent contractors (IC) of the bank. 

The bank's IC requirements are much the same as for ISOs. The program is not for ISOs that have been declined by other banks nor is it designed to circumvent the registration process.

Once the IC understands network rules and issues involving PIN security and activation, they have the opportunity to move from IC status to ISO status.  Any ATMs placed by the IC will be automatically moved from the bank to the ISO.  The IC will be registered in the desired networks and managed based on the policies and procedures developed for this program.

An IC may enjoy name recognition and credibility by marketing in the name of a financial institution while saving revenues that can be used to build their business, not that of another ISO. 

The program can be a valuable training tool for emerging ICs, helping them understand network rules and regulations, and correct PIN security procedures, including receiving and storing key components and shifting risk and liability for Patriot Act reporting requirements to the bank. 

As regulators join forces with the networks and financial institutions in an effort to strengthen the registration and compliance process, these new programs being instituted to draw sub-ISOs out of the underground of non compliance can serve as a viable way to reduce risk for all involved in the ATM channel.

The author, Rose Bunch, is a 25-year payments industry veteran. As Star Systems' ISO coordinator, she managed Star's ISO program with 32 member banks, 18 transaction processors and more than 400 ISOs. She is now the ISO coordinator for Bankfirst, which sponsors ISOs into Star and other networks.

Questions or information about sub-ISOs can be sent to Rose Bunch at rosebunch@cox.net