ATM Crime in the UK

The Automated Teller Machine has changed the financial lifestyle of millions of people in the UK with eighty percent of all cash withdrawals now being made at the many tens of thousands of ATMs located throughout the United Kingdom.

As in many countries around the world, the UK has experienced a significant growth in the number of ATM deployments over the past few years: 36,750 in 2001 compared to 63,900 in 2007, a 42% increase.

Remarkably, the financial institution in-branch ATM estate has remained virtually unchanged over this period of time with 19,067 installations in 2001 and 19,076 in 2007, while the remote financial institution ATM estate has substantially increased from 11,800 to 15,550 in the same time frame.

The real deal has been with the independent ATM deployers, known as IADs in the UK or ISO’s in the USA, who have increased their UK market share almost fivefold in eighty-four months from 5,900 ATMs in 2001 to 29,300 in 2007

This is great news for IADs, financial institutions, retailers with businesses near ATMs and the multi-various ATM industries involved in the ATM lifecycle, bringing as it does more jobs, more prosperity, more retail spending and more convenient access to cash for the public.

However, this is an achievement that also carries a responsibility to ensure that those hosting ATMs, those who carry out replenishment / services and the public who use them can do so safely.

Although only a few short years ago, perhaps surprisingly, the IAD sector had little understanding of the basic security aspects in deploying an ATM.  Freestanding or “stand-alone” machines were being installed in locations without any consideration for the security of the machine itself, the premises in which they were located or for the safety of those responsible for replenishment and servicing.

Moreover, some IAD companies were inappropriately using ATMs fitted with daytime business safes for overnight use with the inevitable consequences that criminals soon learnt which models could be easily and quickly forced opened compared to those made for the purpose.  Additionally, IAD companies were working in total isolation, in order to protect their market share, without realising the huge benefits obtainable through sharing security data, experiences and the knowledge of preventative measures available to protect people and assets.

Unsurprisingly, as the IAD and remote financial institution ATM market share rose, the industry experienced an exponential increase in ATM attacks, rising from 213 attacks in 2002 to 773 in 2005, with equally significant losses in terms of cash, damage to property and in some cases risk to individuals.

Typically, the majority of ATM attacks take place at convenience stores (26.7% - 2007), followed by leisure facilities (16.5% - 2007) and social locations (11.8% - 2007) and are predominantly IAD sector installations, where the security of the premises and the machines are of a lower standard compared to a bank installation.  Financial institutions suffer far less attacks; in branch (8.8% - 2007), supermarkets (7.3% - 2007) and petrol stations (6.8% - 2007), the latter two being where a large proportion of the financial institution remote ATM estate is located.

In order to attempt to rectify this situation a number of organisations decided to work in partnership and collectively gather all the data, procedures and preventative measures available to find solutions to the escalating wave of ATM crime.  The principal organisations involved were the ATM Security Working Group, British Bankers’ Association, Building Societies Association, Association for Payment Clearing Services, British Security Industry Association, LiNK Interchange and ATM Industry Association (www.atmia.com).

One of the first tasks was to create a joint crime database in order to understand and analyse the scale, geography and methodology of the problem.  Technically not a difficult task, but trying to work around the “politics” of getting individual ATM deployers to part with this sensitive data was a challenge.  Nonetheless, the combined database was achieved and is now used as a first touchstone to consider the advisability of locating an ATM in any particular location and is extensively used by UK police forces when investigating ATM related crime.

The next stage was to develop industry security guidelines that could be used as a reference point by all involved in the ATM installation, replenishment and servicing processes of these machines.  There was already guidelines published for “through-the-wall” ATMs, but nothing was available for the “stand-alone” and remote “pod” or “converted telephone” style of machines.  These security guidelines were written and published and now form the basis for the security requirements for these type of installations

Another important job was to obtain buy-in from the UK police forces, particularly in those areas adversely affected by ATM crime.  Within the UK there are fifty-two separate police forces, as well as a number of other forces with specific responsibility for railways, military establishments, royal parks, etc., so no easy task.

The group collectively wrote to every force targeting three key areas of police activity; prevention, intelligence and enforcement, offering a fast track information service, access to the crime database and, crucially, financial support in relation to rewards and specialist equipment.  This approach has successfully led to several police operations against professional gangs targeting ATMs, with support from the industry, leading to the arrest and conviction of numerous prolific criminals.

In order to tackle specific styles of attacks, individual ATM deployers now employ a range of preventative measures to deter criminals.  Broadly speaking the method of attack can be divided into three main areas; complete removal of the ATM, brute force in-situ or professionally conducted attacks in-situ.

The first method will frequently involve the theft of a truck or four-wheel drive vehicle that is then used to ram-raid the premises, demolishing all in its path, and the uplifting of the ATM onto the vehicle to be cut open at some later stage at the criminal’s convenience.  Ram-raids are a particular cause of concern to the insurance industry and community at large, as the criminals who commit these crimes have no regard to the extensive structural damage caused to the premises that will often require the business to close for weeks depriving rural communities of basic commodities.

The second method will involve the forcible entry to the premises or area where the ATM is located and attacking the machine with various tools easily purchased at the local DIY store.  These attacks are often aimed at the smaller, less secure ATMs of the type found in convenience stores, bars and leisure facilities.

Finally, the third type of attack is conducted by criminals with a working knowledge of the security locking mechanisms employed in ATMs.  These attacks will frequently involve drilling or oxyacetylene equipment and are known to take as little as three minutes to get to the cash inside the safe.

To combat all three methods of attack, various preventative measures have been developed and employed including enhanced anchoring systems, upgrading safe specifications, ceramic anti-drill / cut devices, oxyacetylene flame resistant parts / deflectors, individual cassette locking equipment and much more.

Was the effort worth it? Of course! Over the past two years the ATM industry has experienced a sustained reduction in attacks; in 2006 attacks were down by 11.1% compared to 2005, with losses down by 13.4%, in 2007 attacks were further reduced by 17% compared to 2006, with losses down by 29.9%.

It is right to say that the number of attacks has not returned to the 2002 level and, given the dramatic increase in the number of ATMs deployed in the UK since that time, it is highly unlikely that this will ever be achieved. However, the all important attack rate per thousand ATMs deployed has reduced significantly from the 2005 level and with a little more effort will undoubtedly return to or surpass the 2002 figure.

More recent developments will help secure further reductions.  In December 2007 the UK ATM industry reassessed how it dealt with the two main elements of ATM crime, namely fraud and physical attacks.  In an effort to totally break down all partnership barriers the ATM Crime Group, previously reporting through the Association for Payment Clearing Services, will in future only deal with fraud issues and report through LiNK Interchange. The ATM Security Working Group, which is supported by the ATM Industry Association and whose membership contains many IADs, will now deal with all issues relating to ATM physical crime and has opened its membership to the financial institution sector of the industry.

This strategic realignment and simplification of reporting structures will ensure that everyone involved in the ATM security lifecycle is up-to-speed with the latest attack data, security procedures and preventative solutions – working in isolation is no longer an option!

Alan Townsend MBE