Technical Standards on the Physical Security of Automated Teller Machines

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 1 of 9 CNBCR-03/2024 NRP-61 TECHNICAL STANDARDS ON THE PHYSICAL SECURITY OF AUTOMATED TELLER MACHINES Approval: 02/29/2024 Effective Date: 03/15/2024

THE COMMITTEE OF STANDARDS OF THE CENTRAL RESERVE BANK OF EL SALVADOR, CONSIDERING:

I. That Article 70 of the Banks Law establishes that banks will carry out the operations and provide the services foreseen in Article 51 of this law, and Article 41 of the Investment Banks Law establishes the operations to be carried out by Investment Banks, in accordance with the provisions of the Commercial Code and other applicable laws, adhering to sound practices that promote the security of said operations and services and ensure adequate attention to users. (1)

II. That Article 154 of the Law on Cooperative Banks and Savings and Credit Societies establishes that the provisions of Book Two of said Law, regarding Savings and Credit Cooperatives, shall be applicable to federations, insofar as they do not contravene specific norms.

III. That Article 155 of the Law on Cooperative Banks and Savings and Credit Societies establishes that savings and credit societies shall be subject to the provisions of the Banks Law, except as provided in Book IV of said Law.

IV. That Article 2, first paragraph, of the Law on Supervision and Regulation of the Financial System establishes that the Financial Supervision and Regulation System aims to preserve the stability of the financial system and ensure its efficiency and transparency, as well as to ensure the security and solidity of the members of the financial system in accordance with what is established in said Law, other applicable laws, regulations, and technical norms issued for this purpose, all in concordance with international best practices on the matter.

V. That Article 2, second paragraph, of the Law on Supervision and Regulation of the Financial System establishes that the proper functioning of the Financial Supervision and Regulation System requires, from the members of the financial system and other supervised entities, compliance with current regulations and the adoption of the highest standards of conduct in the development of their businesses, acts, and operations, in accordance with what is established in this Law, other applicable laws, regulations, and technical norms issued for this purpose.

VI. That Article 7 of the Law on Supervision and Regulation of the Financial System establishes the entities subject to the supervision of the Superintendence of the Financial System.

VII. That Article 99, third paragraph, literal b) of the Law on Supervision and Regulation of the Financial System establishes that it is the responsibility of the Committee of Standards of the Central Reserve Bank of El Salvador to approve technical norms, so that

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 2 of 9 CNBCR-03/2024 NRP-61 TECHNICAL STANDARDS ON THE PHYSICAL SECURITY OF AUTOMATED TELLER MACHINES Approval: 02/29/2024 Effective Date: 03/15/2024 members of the financial system provide the public with sufficient and timely information on the legal, economic, and financial aspects of each one, in accordance with what is established in the laws regulating them, as well as the products and services they offer.

VIII. That in accordance with Article 101, fourth paragraph, of the Law on Supervision and Regulation of the Financial System, the powers to approve, modify, and repeal technical norms that must be complied with by members of the financial system and other supervised entities are transferred to the Central Reserve Bank of El Salvador.

THEREFORE, in virtue of the regulatory powers conferred by Article 99 of the Law on Supervision and Regulation of the Financial System,

AGREES to issue the following:

TECHNICAL STANDARDS ON THE PHYSICAL SECURITY OF AUTOMATED TELLER MACHINES

CHAPTER I OBJECT, SUBJECTS, AND TERMS

Object Art. 1.- These Standards aim to establish minimum specifications on the physical security of automated teller machines (ATMs) with the purpose of preventing risks to the assets of the entities obliged to comply with these Standards and of the users who access them.

Subjects Art. 2.- The subjects obliged to comply with the provisions established in these Standards are: a) Banks constituted in El Salvador; b) Branches of foreign banks established in the country; c) Cooperative banks; d) Savings and credit societies; e) Federations regulated by the Law on Cooperative Banks and Savings and Credit Societies; f) The Mortgage Bank of El Salvador, S.A.; g) The Agricultural Development Bank; insofar as it does not contradict its Creation Law; h) Societies that, in accordance with the Law, integrate financial conglomerates, or that the Superintendence declares as such, that issue payment instruments such as credit or debit cards; (1)

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 3 of 9 CNBCR-03/2024 NRP-61 TECHNICAL STANDARDS ON THE PHYSICAL SECURITY OF AUTOMATED TELLER MACHINES Approval: 02/29/2024 Effective Date: 03/15/2024 i) Societies that offer complementary services to the financial services of the members of the financial system, particularly those in which they participate as investors, that are owners of automated teller machines and that offer assistance and maintenance services for them; and (1) j) Investment banks. (1)

Terms Art. 3.- For the purposes of these Standards, the terms indicated below have the following meaning: a) Central Bank: Central Reserve Bank of El Salvador; b) Safe or strongbox: Armored equipment located inside the automated teller machine for the safeguarding of cash; c) Automated Teller Machines (ATMs): Machines equipped with electromechanical devices that allow users of financial services to perform, among other services, cash and check withdrawals, balance inquiries, payment of family remittances for clients of the entity, and transfers between accounts and payments for services, through the use of debit or credit cards. Automated teller machines are known by their acronym in English ATM (Automated Teller Machine); d) Internal Automated Teller Machines: Those installed inside the offices and agencies of the entities; e) External Automated Teller Machines: Those installed in buildings or facilities other than the offices and agencies of the entity, such as: airports, hotels, supermarkets, shopping centers, and others. This definition includes automated teller machines located outside bank branches, such as ATMs to be operated from vehicles and pedestrian access ATMs; f) Entity: subject obliged to comply with these Standards; g) UL-291 Security Standard: Security Standard for the Construction of Automated Teller Machines issued by Underwriters Laboratories, which is an independent global safety certification organization. h) PIN: Secret key that allows the user to access the automated teller machine system; i) Foreign ATM Network: All automated teller machines that do not belong to the issuer of the credit or debit card; j) Own ATM Network: All automated teller machines that are the property of the issuer of the credit or debit card; k) Physical Security: All measures that allow reducing the risk in the operation and execution of transactions in an automated teller machine; l) Superintendence: Superintendence of the Financial System; m) Foreign Cards: All credit or debit cards when not used in the electronic ATM network owned by the issuer;

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 4 of 9 CNBCR-03/2024 NRP-61 TECHNICAL STANDARDS ON THE PHYSICAL SECURITY OF AUTOMATED TELLER MACHINES Approval: 02/29/2024 Effective Date: 03/15/2024 n) Credit Card: Private, signed, nominative, and non-transferable instrument, resulting from a credit opening contract, that allows the holder or cardholder to use it as a means of payment to acquire goods and services in affiliated businesses or institutions, or to withdraw cash at the financial entity and at dispensers authorized by the issuer; o) Debit Card: Payment instrument that allows its holder to dispose of their deposits, to acquire goods or services from affiliated providers or merchants, as well as to withdraw cash at automated teller machines, through the use of a plastic card with a magnetic stripe; p) International Cards: All credit or debit cards issued by a foreign financial entity and used in the ATM network located in the country; and q) Own Cards: Credit or debit cards owned by the issuer that are used in their electronic ATM network;

CHAPTER II UTILIZATION AND INFORMATION OF AUTOMATED TELLER MACHINES

Responsibility of ATM owners Art. 4.- The installation, operation, quality, and security of the operations of automated teller machines are the responsibility of their owners. The aforementioned activities may be delegated to third parties that provide these types of services, which will be done through a service contract in which the conditions and responsibilities to which the provider is obligated are specified, based on the risk analysis carried out by the entity.

Confidentiality of information Art. 5.- In order to preserve the confidentiality of user data, receipts issued by the automated teller machine that expose confidential information, such as the account number and card number, must hide part of said information. When the operation is a cash withdrawal at the entity's ATM network located nationwide, they may issue, upon the user's express request, the physical, electronic receipt, or display on screen the information of the transaction carried out by the user, which must contain as a minimum the withdrawn amount and current balance, when applicable. (1)

Identification of the automated teller machine Art. 6.- Every automated teller machine must be properly signposted with the identification or logo of the entity to which it belongs and the international brands to which it is affiliated.

Balance inquiries and last applications Art. 7.- Every automated teller machine must be programmed so that the user can, at a minimum, consult their balances of the accounts associated with the debit card in the own ATM network.

Identification key Art. 8.- The automated teller machine must be programmed to require the user to enter their secret key (PIN) or other identification mechanism before starting the session. The user may change their secret key (PIN) whenever required and in accordance with the provisions issued by the corresponding issuing entity, provided that a debit or credit card is used in the own ATM network, which does not apply to international cards.

Limit on operation amounts Art. 9.- Clients of the entities may perform daily cash withdrawals using debit cards, credit cards, or other means with prior authorization from the Central Bank, according to the conditions defined by the entity, respecting the limit of amounts and daily withdrawals established by them, even in successive operations, both in own ATMs and those of other entities. Additionally, they may perform cash deposits in Multifunctional ATM machines.

Location conditions Art. 10.- Automated teller machines must be installed in places that provide the best service to users, so they must be installed in accessible places that have the minimum security conditions according to the risk analysis carried out by the entity.

Information on enabled operations Art. 11.- Entities are obliged to provide users of their automated teller machines with information on the operations they can perform and on the charges and commissions charged for the use of different services in own network ATMs and with own cards.

CHAPTER III MINIMUM SECURITY SPECIFICATIONS

Art. 12.- Among the minimum security specifications that automated teller machines must meet, in any of their applications to safeguard and minimize the risks to which both users and the equipment itself are exposed during their operation, are the following:

a) Minimum physical security requirements i. The external automated teller machine must come from the factory with the necessary preparations in its base to be anchored with expansion bolts to the floor at its four vertices in order to avoid being easily removed. External ATMs embedded in the wall are excepted, which must meet the requirement of being anchored to the wall; ii. As a peripheral element to the installation of the automated teller machine depending on the model, it must have a secure base manufactured in sheet metal that protects the floor anchors. Likewise, and depending on the risk analysis of each entity, the automated teller machine must have a security cabinet to protect voice, data, and electrical power cabling, in those cases where cables cannot be hidden in the wall or buried in the floor. Said cabinet must have a security lock and reinforced ventilation grilles; and iii. The material of the walls of the safe of the automated teller machine must meet at least the UL-291 security standard.

b) Minimum electronic security requirements i. Entities owning ATM networks must carry out and keep updated a risk analysis of their automated teller machines, which must include physical, electronic, and other types of security measures required by the equipment, being at least the following:

1. Open safe sensors;
2. Electronic monitoring of operation; and
3. Physical monitoring of equipment maintenance, which detects foreign objects to the equipment or any anomaly in it. ii. For the storage and verification of information on transactions carried out, the automated teller machine must have the capacity to record transactions electronically, as well as to identify in the audit tape the delivery of bills; iii. All automated teller machines, including internal ones, must have good resolution surveillance cameras that allow recording at least video by proximity or motion sensors of people, what occurred in the physical space where it is installed, in order to observe service users; iv. Those responsible for the administration of automated teller machines must implement periodic monitoring and maintenance programs for their premises and the automated teller machines installed in them, as well as ensure the proper functioning of their security, surveillance, and support systems; in addition, entities will safeguard ATM security videos for a minimum period of ninety days; however, if there are claims within the ninety days, the video will be kept until the case is resolved in the corresponding instances;

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 7 of 9 CNBCR-03/2024 NRP-61 TECHNICAL STANDARDS ON THE PHYSICAL SECURITY OF AUTOMATED TELLER MACHINES Approval: 02/29/2024 Effective Date: 03/15/2024 v. Entities responsible for the administration of automated teller machines must maintain a historical statistical record of incidents that have occurred, for at least two years, that have affected the physical security of their automated teller machines and of the cases that originated complaints before the corresponding authorities, provided that own cards are used in the own ATM network. This does not apply to international cards; vi. Entities responsible for the administration of automated teller machines must include in their annual internal audit work plan the evaluation of the functioning of automated teller machines; and vii. Financial entities owning automated teller machines must keep audit tapes active and safeguard them for a minimum period of six months.

c) Minimum characteristics of physical spaces The design of the physical spaces or external booths where external automated teller machines are installed must guarantee the security of their clients in the execution of operations, according to the risk analysis of each entity and depending on the location.

d) Other specifications i. Entities contracted to provide services to automated teller machines must adhere to the technical specifications for installation, as well as to the maintenance recommendations provided by the manufacturer; ii. Whenever the personnel in charge supplies cash to the automated teller machine, they must review that they do not have any type of device for fraud or that attempts to compromise the physical or electronic security of said machine; iii. The screens of automated teller machines must be installed at appropriate angles, or have anti-reflective measures, to avoid that the action of sunlight reflection affects the adequate operation by the user, according to the risk analysis of each entity; iv. Entities must receive suggestions, attend to user complaints, provide assistance in fraud prevention, and inform about procedures for blocking and unblocking cards. For this effect, entities operating with automated teller machines must have a 24-hour emergency user attention telephone line, every day of the year, this attention service will be free of charge for the user of the service; and v. In case of claims due to the automated teller machine not performing the requested transaction, entities must technically prove that the machine functioned correctly, to refute such claims.

CHAPTER IV OTHER PROVISIONS AND EFFECTIVE DATE

Dissemination Art. 13.- Entities owning automated teller machines must carry out financial education campaigns on the use of automated teller machines and their security measures for clients.

Information to the Superintendence Art. 14.- Entities must communicate to the Superintendence by electronic means and quarterly, the location of automated teller machines, identifying new ones, relocated ones, and withdrawn ones.

Sanctions Art. 15.- Non-compliance with the provisions contained in these Standards will be sanctioned in accordance with what is established in the Law on Supervision and Regulation of the Financial System.

Repeal Art. 16.- These Standards repeal the [Text corrupted/missing in source, likely referring to previous norms] for Physical Security of [Text corrupted/missing], approved by the Board of Directors of the Superintendence of the Financial System in Session No. CD-23/2010 of June 9, 2010, whose Organic Law was repealed by Legislative Decree No. 592, which contains the Law on Supervision and Regulation of the Financial System, published in the Official Gazette No. 23, Volume 390, dated February 2, 2011.

Transitory Art. 16-A.- To comply with the provision established in Article 5, second paragraph, of these Standards, entities will have a maximum period of three months from the entry into force of said article to make the corresponding adjustments for its implementation. (1)

Unforeseen Aspects Art. 17.- Aspects not foreseen in regulatory matters in these Standards will be resolved by the Central Bank through its Committee of Standards.

Effective Date Art. 18.- These Standards will enter into force as of March 15, 2024.

MODIFICATIONS: (1) Modifications in Consideration I and in Articles 2 and 5 and incorporation of Article 16-A, approved by the Central Bank through its Committee of Standards, in Session No. CN-10/2025, of December 17, 2025, with effect from January 2, 2026.

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 9 of 9 CNBCR-03/2024 NRP-61 TECHNICAL STANDARDS ON THE PHYSICAL SECURITY OF AUTOMATED TELLER MACHINES Approval: 02/29/2024 Effective Date: 03/15/2024