Minimum Automated Banking Machines Service-Level Standards To Strengthen Consumer Protection for Customers of Deposit-Taking Institutions

GUIDANCE ON: 1 Availability of Cash 2 Maintenance and Management of Disruption of Service 3 Fraud Minimization 4 ABM Fees and Charges 5 Deployment of Machines 6 Safety and Security of Customers 7 Financial Education 8 Accessibility and Ease of Use MINIMUM AUTOMATED BANKING MACHINES SERVICE-LEVEL STANDARDS TO STRENGTHEN CONSUMER PROTECTION FOR CUSTOMERS OF DEPOSIT-TAKING-INSTITUTIONS

Market Conduct & Consumer ProtectionThematic Working Group BANK OF JAMAICA & FINANCIAL SERVICES COMISSION April 2, 2024

1 N O T E S : Outlined below are guidelines for DTIs with respect to their oversight and management of ABM operations and the attendant risk exposures to promote fair treatment and enhanced protection for financial consumers: 1

1. Availability of Cash Despite the increasing use of electronic payment methods, a significant proportion of the Jamaican population is still reliant on cash to conduct transactions. As such, DTIs should facilitate convenient access to cash for customers from their accounts, especially given that some DTIs have reduced their branch networks. It is within this context that Bank of Jamaica has decided to provide guidance that outlines new norms regulating cash accessibility. a. At a minimum, 90.0 per cent of each DTI’s inventory of ABMs should be operational with at least 95.0 per cent uptime; b. The replenishment of an ABM by an external service provider should be the sole responsibility of the DTI that entered into an agreement with them for cash provisioning; c. Each DTI should establish a board-approved ABM cash￾risk-management policy and procedures that aid in assessing the demand for cash at various ABMs and ensure that cash levels are adjusted accordingly to prevent shortages. These policies and procedures, at a minimum, should provide for the following: i. Periodic (i.e. semi-annually or more frequently as necessary) review of a DTI’s schedule of restocking its ABM to ensure that the existing timetable of restocking is adequate to meet the anticipated demand for cash given the season, holidays, and other circumstances. The review/study should also identify the factors leading to a machine’s lack of cash. The DTI should employ adequate measures to mitigate these factors; ii. Each DTI should ensure that the cash level in an ABM does not fall below its determined cash threshold (‘minimum floor’). This determined 1This list is not exhaustive and does not preclude a financial institution from adopting and implementing other industry best practices.

2 N O T E S : minimum floor should be based on, among other things, the DTI’s assessment of the demand for cash at ABMs and the DTI’s ability to replenish the ABM in accordance with item (iii) below. DTIs should restock their ABMs when the cash level reaches this minimum floor; iii. DTIs should have the appropriate technology that will alert them when each machine reaches the minimum floor and when it is out of cash; iv. ABMs should not be without cash for more than sixty (60) consecutive minutes in urban and tourist areas and one hundred and eighty (180) consecutive minutes for remaining areas. Each DTI should file with the regulator a monthly report indicating whether these targets were observed during the period and an accompanying action plan where there is non￾compliance; v. Each DTI should determine its daily withdrawal limit per customer segment. This withdrawal limit should be disclosed to customers; vi. Each DTI should develop and implement contingency plans to address unexpected events, such as sudden spikes in demand or technical failures, to minimise disruptions in the cash supply. 2. Maintenance and Management of Disruption of Service: An element of a DTI’s ABM cash-risk-management policy and procedures should include a maintenance framework that seeks to achieve the following: a. DTIs should be aware, in real-time, when an ABM is out of service. Therefore, a DTI should apply a suitable mechanism to be alerted when a machine begins malfunctioning; b. DTIs should apply suitable methods to alert their customers within a specified geographical radius with information on ABM facilities offered, including the nearest ABM(s) through which banking services are provided;

3 N O T E S : c. Any downtime should not be more than three (3) consecutive hours. Where this is not practicable, customers should be duly informed through an appropriate suite of channels that may include the financial institution’s website, social media or other channels. Where possible, consumers should be provided with, or advised of, alternative service solutions during the interruption; and d. ABM maintenance registers or logs should be appropriately maintained and made accessible to the regulator when requested. 3. Fraud Minimization Ineffective fraud prevention and detection result in financial losses for both the DTI and customer. It is important that the consumer is protected from loss of assets, that could result from the procurement of banking services. a. DTIs should conduct annual assessments of ABMs to determine whether enhanced measures (including policies, procedures, protocols or technology) are needed to remedy emergent security/fraud risks. If the results of this assessment show the need for new technology, then the DTI should submit to Bank of Jamaica an action plan outlining the process by which this new technology will be implemented. b. The Board-approved ABM cash-risk-management policy should set out, at a minimum, the following: i. DTIs should ensure the security of ABMs by implementing measures identified at a). These measures may include, but are not limited to: ▪ Appropriate measures to limit the possibility of the “shoulder surfing” of customers’ PIN pad entries at the ABM; ▪ Anti-skimming devices to prevent the magnetic stripe from being read; and ▪ Sensors to detect the presence of skimming devices that send alerts to the operator and shut down the ABM. c. Financial transactions (especially those involving the movement of funds related to a customer’s bank

4 N O T E S : account) should automatically generate a prompt by providing customers with real-time notifications. Where a customer has provided a mobile number and/or email address, such notification should be immediately sent based on their contact information located on file; and d. DTIs should take the necessary actions if an incident occurs in accordance with the regulator's relevant regulations and guidelines. 4. ABM Fees and Charges Consumers should have the right to accurate and transparent information about products or services they intend to purchase, and this includes details about pricing. DTIs should demonstrate transparent and comprehensive disclosures of ABM fees and charges to customers. DTIs should use various media platforms to reach their customers effectively. The disclosure should be easily understandable to enable customers to make informed decisions. a. Each DTI should represent fees in units of Jamaican dollars (JMD) to avoid ambiguity and ensure consistency in the disclosure of fees. This will allow consumers to know the full costs associated with engaging a service provider and facilitate a comparative analysis of associated costs across providers; b. DTIs are expected to request a non-objection from the regulator prior to making increases to ABM fees; DTIs should increase fees only if: i. The regulator indicates, in writing, a non￾objection to an increase in fees with due consideration to justifications provided; ii. The regulator does not object within 30 days of the date upon which the application was made for a fee increase; and iii. Having received a non-objection, the DTI should give at least 45 days’ notice to the public. c. In instances where fees are to be reduced, no prior notification or delay will be required. d. ABM users should be notified of the relevant fees and charges associated with using the distribution channel. This information should be prominently displayed at the

5 N O T E S : ABM location and available via the DTI's various information dissemination channels. The regulator will be empowered to authorise an independent assessment of ABM realated banking fees to determine their reasonableness and relevance. This assessment can be done on an individual DTI or for the DTI sector. 5. Deployment of Machines: (a) Before an ABM is removed, the DTI should provide the regulator two (2) months’ notice along with appropriate justification for its removal and a plan of action outlining reasonable alternative access for existing customers, as well as the method of notification to customers. Based on the assessment of the plan of action, the regulator may impose reasonable conditions on the DTI before the closure or removal of any ABM. The regulator reserves the right to waive the two-month notice requirement on a case-by-case basis as it deems appropriate; (b) All accepted card schemes/network logos should be visibly and adequately displayed in the ABM terminal for customer information and awareness; (c) All ABMs should have audit trail and logs capabilities that are comprehensive enough to facilitate investigations, reconciliation and dispute resolution; (d) Card readers should be identified by a symbol that (i) represents the card and (ii) identifies the direction in which the card should be inserted into the reader. (e) Contact information for customer support should be visibly displayed within the vicinity of ABM’s for easy access by customers when faced with challenges such as (card confiscation, charges made to account without the issue of cash and other losses incurred from use of machines). DTI’s should also establish and communicate clear service-level-standards for treating with losses incurred by customers when using ABM’s. 6. Safety and Security of Customers a. ABMs should be situated in a manner and location that ensures a satisfactory level of security for users and maintains the confidentiality of their transactions;

6 N O T E S : b. Every ABM should have cameras that view and record all persons using the machines and every activity at the ABM, including but not limited to card insertion, cash withdrawal, cash depositing, card taking, etc. However, such cameras should not be able to record the keystrokes of customers using the ABM; c. DTIs should collect and store security footage obtained from ABMs for at least 180 days and make this security footage available upon request to the relevant regulator and/or authority for investigations; d. Information sufficient to construct a usable card should not be displayed on the screen or printed on a transaction record. This will safeguard against the possibility that such information may become accessible to another person in the event that the cardholder leaves the ABM while a transaction is displayed or discards a printed transaction record upon completing a transaction; e. ABMs should not store customers’ PINs, card information or account numbers; f. DTIs should ensure that cash management service providers take appropriate measures to provide adequate security. Security measures should be reviewed annually based on security audits. Where risks are assessed as being elevated, DTIs are required to consider enhanced security measures, including but not limited to the use of armoured vehicles for transporting cash, making deliveries with a sufficient number of personnel as well as a backup team, and other practices and procedures to reduce the risk of robberies; and g. Each out-of-branch ABM must be situated within a confined space that can be securely closed by the user when in use, except for machines installed within secure third-party establishments.

7. Financial Education Consumer financial education is important for several reasons. It gives the consumer the opportunity to fully exploit the benefits of financial services and protects them from loss. Therefore, the Bank is of the view that:

7 N O T E S : a. DTIs should provide financial education programmes that will increase their customers’ knowledge about the proper use of ABMs and the associated risks; b. DTIs should employ various media to inform and empower their customers to access financial services via various print, online and other digital means; and c. DTIs should inform customers to recognise ABMs that have been tampered with to limit their exposure to fraud. 8. Accessibility and Ease of Use Ensuring easy access to ABMs for persons with disabilities is crucial for several reasons, including reducing the possibility of exploitation by those who may be asked to conduct ABM transactions on their behalf. a. Ramps should be installed at various locations to improve access for disabled persons to ABMs, subject to the relevant legislation; and b. Infrastructure and technology should be in place at ABMs to improve the customer experience for the elderly and the disabled (e.g., the visually impaired), subject to the relevant legislation. No monetary sanctions will be applied as a result of breaches of these guidelines. Notwithstanding, non-adherence may give rise to supervisory concerns around safety and soundness with its attendant supervisory consequences. Monthly reports on the performance of each DTI’s fleet of ABMs will be published with a two-month lag. These reports will feature the geographical distribution of ABMs, the number of machines that were installed, the proportion of ABMs that were operational as at the reporting period, the uptime for operational machines over the period and the recovery time (in hours). -End-