LogoRegulatory Alerts
2018-01-01

Instructions No. 6 of 2018 Regarding Security and Safety Requirements for ATMs

The Palestine Monetary Authority issued Instructions No. 6 of 2018 mandating comprehensive security and safety protocols for all licensed banks operating ATMs in Palestine. The regulations require banks to implement rigorous risk assessments, maintain updated security policies, and install specialized alarm, CCTV, and anti-skimming equipment at all ATM sites. Additionally, the directives enforce strict monitoring procedures, cardholder protection measures, physical anchoring standards, and enhanced safeguards for high-risk and offsite locations.

Palestine Monetary Authority logo

Palestine

Palestine Monetary Authority

Click to view thumbnail

Palestine Monetary Authority

PALESTINE MONETARY AUTHORITY

Instructions No. (06) of 2018

Regarding Security and Safety Requirements for ATMs

Based on the provisions of Decision-Law No. (9) of 2010 regarding Banks, particularly Article (72) thereof, and in accordance with the powers delegated to us, and in pursuit of the public interest, we have issued the following Instructions:

Article (1)

Objective and Scope of Application

  1. These Instructions aim to take measures ensuring the highest levels of protection for ATMs and ATM sites to mitigate potential risks.
  2. The provisions of these Instructions apply to all banks licensed by the Palestine Monetary Authority to conduct banking business in Palestine.

Article (2)

Security Policy

Banks must prepare a dedicated ATM security policy that is reviewed and updated at least once every two years, or whenever necessary, based on the bank's risk assessment results.

Article (3)

ATM Site Selection

When selecting and equipping an ATM site, the bank must take the following measures:

  1. Risk assessment and classification of the site by the Risk Department.

Article (4)

Equipping Plan

Before commencing the procedures for ATM installation, the bank must designate the responsible party for the following:

a. Installation and testing of all alarm equipment. b. Compliance with all general security and safety requirements for the site. c. Provision of all documents related to the establishment of the ATM site. d. Results of the site risk assessment process.

Article (5)

Cash Vault Protection

When selecting cash vault specifications or the surrounding environment for the ATM, the bank must adhere to the following procedures:

Article (6)

Alarm Equipment Requirements

When installing alarm equipment, the bank must comply with the following:

  1. Proper installation of all alarm equipment according to the manufacturer's specifications, with the bank required to provide the implemented specifications in writing.
  2. Provision of a mechanism for central networking and control to manage all alarm equipment at the ATM site through the bank's central monitoring and control room.
  3. Automatic linking of theft alarm devices in ATMs with the police department.
  4. Conducting an inspection of all alarm equipment in the ATM room after installation to verify that the central monitoring and control room can receive all signals.
  5. All communication lines and wiring must be concealed and protected.
  6. Provision of a special, secure locking cabinet to protect all alarm devices and systems inside the ATM room.
  7. The alarm system must be capable of sending multiple signals based on the type/severity of the threat/problem, following an escalating sequence from management to the relevant security authorities.

Article (7)

Alarm Equipment

The bank must provide the following alarm equipment at the ATM site:

  1. Seismic/Stress Detectors on various parts of the ATM and the cash vault door.
  2. Magnetic Contact switches on the ATM door and the main ATM room door.
  3. Volumetric Detectors on the ATM room wall, capable of detecting any movement in the area surrounding the ATM.
  4. Personal Attack Alarms located very close within the ATM room and as near to the machine as possible.
  5. Installation of the Alarm Control Panel in the area adjacent to the ATM as much as possible, under adequate and appropriate protection measures to prevent tampering or damage.
  6. Implementation of Access Control restrictions to the rear of ATMs, along with providing a theft-resistant door to control entry into the ATM room, with remote signal monitoring through the control room.
  7. Heat/Smoke Sensors inside and outside the ATMs.

Article (8)

Monitoring and Control

The bank must comply with providing the following monitoring procedures:

  1. Establishment of an Alarm Receiving Centre (ARC) that operates as follows: a. Monitoring alarm systems through the bank's central management monitoring and control room 24/7. b. An alarm signal should be automatically generated in case of communication line failure or disconnection.
  2. Provision of approved standard operating procedures for monitoring and control room staff to determine required actions upon receiving an alarm signal, and to coordinate with relevant parties within the bank or external contracted entities according to the approved response hierarchy, directing personnel to the risk location within the specified timeframe.
  3. In the event of alarm or protection system failure for any reason, necessary measures must be taken regarding the specific issue and placed under strict monitoring.
  4. Installation of CCTV monitoring systems according to the following procedures: a. Provision of high-quality night-vision surveillance cameras for ATMs capable of capturing all details of external ATM users and the surrounding area (excluding the ATM keypad), as well as internal staff. b. Provision of sufficient recording capacity to store footage in a secure location for no less than three years. c. Provision of a backup recording line for surveillance cameras within the central monitoring and control room, or direct linking of camera recording to the control room, to compensate for the loss/theft or damage of the on-site recording device. d. Provision of effective 24/7 monitoring through the central monitoring and control room.

Article (9)

Cardholder Protection

The bank must comply with the following procedures to protect ATM-using customers:

  1. PIN Protection by taking measures that limit the ability to view the ATM PIN entry keypad from any source (cardholders in the queue, passersby, mirrors, etc.), such as using an ATM keypad cover.
  2. Card Data Protection by taking measures that limit the ability to electronically copy card data through Intelligent Anti-Skimming or Anti-Skimming devices.
  3. Anti-Card Trapping by taking measures that limit the ability to tamper with the ATM card reader slot and trap the card inside the reader.
  4. Anti-Cash Trapping by taking measures that limit the ability of attackers to hold cash inside the ATM during a customer's withdrawal transaction.

Article (10)

ATM Anchoring and Fixing

When installing and anchoring the ATM, the bank must comply with the following:

  1. Determining the appropriate method for anchoring the ATM, according to the nature of expected risks previously identified through the site risk assessment process.
  2. Ensuring the ATM is securely fixed to a mounted base through its structure.

Article (11)

Stand-Alone and Offsite ATMs

The bank must comply with the following additional procedures regarding Stand-Alone and Offsite ATMs:

  1. Monitoring ATMs via a system to ensure no fraudulent attachments not belonging to the original device are present, such as skimming or card copying devices.
  2. Preparing and approving response procedures in case any risks or fraudulent attachments are discovered at the site.
  3. The ATM site inside buildings must be away from glass enclosures.
  4. Installing ATMs in visible and well-lit areas to reduce vandalism risks and increase user safety.
  5. Cash removal or replenishment must be carried out according to bank procedures or an outsourcing agreement.
  6. The bank must provide a degree of Defensible Space privacy for ATM users, and post a sign indicating that no more than one person should enter the ATM's safe zone during customer use.
  7. Removal of cash during maintenance operations to avoid potential risks.

Article (12)

High-Risk Areas

The bank must comply with providing additional procedures for high-risk areas:

  1. Providing protection for the external area of the ATM site through certain measures after obtaining necessary approvals from competent authorities, such as: anti-ram bollards, vehicle-arresting systems, (high rise kerbs, reinforced lamp posts).
  2. Equipping the ATM with a Tracking System to enable relevant security authorities to locate it in case the ATM is stolen from the building.

Article (13)

Implementation and Enforcement

All competent authorities, each within their respective scope, shall implement and apply the provisions of these Instructions from the date of their issuance.

Issued in Ramallah on Tuesday, dated 2018/06/12

Supervision and Evaluation Department
Palestine Monetary Authority

Ramallah - Palestine PO. Box 452 | Tel: +970 2 2415250 | Fax: +970 2 2415310 | +970 2 2415310: Fax | +970 2 2415250: Phone | P.O. Box 452 Ramallah - Palestine
Gaza - Palestine PO Box 4026 | Tel: +970 8 2825292 | Fax: +970 8 2844487 | +970 8 2844487: Fax | +970 8 2825292: Phone | P.O. Box 4026 Gaza - Palestine
Email: info@pma.ps | info@pma.ps: Email
www.pma.ps

Share