The ATM industry in the United States is facing a set of regulatory and operating rule deadlines that might impact the industry as much as similar deadlines did during 2005–08. Back then, ATM owners were required to upgrade their terminals to support the more secure Triple Data Encryption Standard (3DES) to safeguard ATM transaction messages during transmission. To comply, ATM owners faced the expense of hardware and software upgrades. Because a number of ATM independent sales organizations (ISOs) were operating older machines that required replacement rather than upgrades, they sold off their businesses claiming they could not support these additional expenses. Although the total number of ATMs is difficult to determine, most people in the industry agree that the 3DES requirement resulted in fewer of them.

Now it's "déjà vu all over again" for many ATM owners. Two recent changes to regulatory and operating rules require additional investment in their ATM fleets. The first of these is the accessibility provisions of the 2010 Americans with Disabilities Act (ADA) that include, but are not limited to, a voice guidance requirement, Braille signage, and input controls for visually-impaired individuals. These provisions were published in September 2010. ATM owners had a compliance date of March 2011 and an enforcement date of March 2012. An online Wall Street Journal article written near the 2012 deadline estimated that half of the ATMs in the United States did not fully comply with the new requirements. Because many ATM owners were in near compliance at the time of the deadline, the current level of incomplete compliance is not known. I understand, however, that several ATM owners, particularly ISOs with low-volume cash dispensers, have still not upgraded their ATMs. Despite a number of lawsuits filed by visually-impaired individuals against noncompliant ATM owners, many appear to be continuing to operate while hoping to go undetected. The act allows an exemption to an ATM owner if the upgrade would be an "undue burden," but the burden is on the owner to seek the exemption and prove the burden.

The second change comes from the recently announced liability-shift roadmaps for EMV chip implementation by Visa and MasterCard. MasterCard set a deadline of October 2016; Visa, a year later. Currently, the card issuer bears losses from fraudulent card transactions at the ATM. After those dates, if a counterfeit card is used at an ATM that has not been upgraded to handle EMV cards—in which case the ATM has to read the card's magnetic stripe back-up—the ATM owner will bear the loss resulting from that fraudulent transaction.

Even more pressing is MasterCard's liability shift for non-U.S.-issued Maestro card transactions at U.S. ATMs, scheduled for April 19, 2013. The National ATM Council, an industry group for ATM ISOs, has formally requested MasterCard to both delay this shift and push back the overall liability shift deadline to synchronize with Visa's 2017 date. Already struggling with the increased costs resulting from the upgrade decision, ISO ATM owners fear that absorbing counterfeit card losses would devastate their financial condition. I suspect that as many of them have done with the ADA requirements, many may continue to postpone upgrade expenses and just hope that their machines are not targeted. However, as I noted in a recent post, criminals tend to attack the weakest elements of their target.

ATM usage continues to face competition from debit POS (purchases and cash-back) as well as the expanding mobile payments channel. With ATMs being such a high fixed-cost operation, the impact of additional upgrade expense at a time when usage is decreasing is likely to take a toll on the number of operating ATMs. What do you think?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed