ISOs that are targeting ATM markets should make sure their financial statements are in order before approaching potential sponsor financial institutions or ATM Acquirers. Additionally, ISOs should follow the same recommendations for any service provider that they employ.
In a recent report on best practices for ATM acquiring entities, the Electronic Fund Transfer Association's ATM integrity task force recommended that sponsoring financial institutions and ATM Acquirers carefully review any third party (such as an ISO) that they wish to sponsor, including a review of current audited financial statements as part of the due diligence.
EFTA further recommended that Acquirers, financial institutions and ISOs review the responsible parties' (i.e., corporation, partnership, principal owner or executive office) business tax returns, statements of net worth and liabilities and proof of ability to support any liabilities incurred.
EFTA also suggested validating the identification of the principals and key agents, including name and Social Security numbers, residency, business records available from searchable databases, etc.
"Credit and other investigations should be conducted in accordance with applicable law, including the appropriate use of credit reporting agencies, and appropriate notice to the party being investigated to the extent required," according to EFTA.
To ease any concerns of sponsoring entities, an ISO might want to offer a self-audit of procedures for PIN, data security and privacy that the entity can review. EFTA recommended that sponsoring financial institutions audit ISOs and other business partners themselves or independently review an ISO's self-audit. Providing the self-audit up front saves the financial institution one step (and the associated costs), which could give an ISO a competitive advantage when attempting to develop a business relationship with a financial institution.
EFTA further recommended that networks provide financial institutions and their ISOs with network-approved training sessions on network rules and obligations. Networks should also require that the ISOs attend training sessions when they are first signed up.
These training courses would include information on terminology and definitions; a technology and operations overview; and system integrity and security, including terminal requirements, data privacy requirements, PIN encryption and management processes and other operational requirements.
Additionally, fraud should be covered in these training sessions. The fraud training agenda should include information on financial exposure and practices and on liability under network rules.
EFTA recommended that networks consider instituting cross-acceptance of training across networks, under which training courses would be certified as covering some basic material. A third party, such as an ISO, passing one of these courses wouldn't have to go through it again for admission to another network. However, the EFTA task force noted that the major roadblock to developing such a common certification is that, aside from general material, today's training usually includes network-specific rules that differ from network to network.
The EFTA also urged sponsoring parties to maintain current records on the name or address changes of any ISOs as well as the assumption of a new business name (DBA) by an ISO, and to report to the network within "a reasonable time" any termination of a relationship with an ISO.