Governance & Integrity

We are committed to acting responsibly and with integrity in all of our interactions with our customers, suppliers, regulators and our other stakeholders.

 

Ethics and Compliance

We are guided by our Code of Business Conduct and Ethics and our compliance policies that apply across our company and all of our subsidiaries. Cardtronics maintains a robust business ethics and anti-corruption program. Our enterprise risk management strategy provides a ‘bottom-up’ review of current and potential risks that could impact the business, which is reviewed by our Board not less than quarterly.

Our Code of Business Conduct and Ethics sets forth our prohibition of bribery, as well as our guidelines for what is considered unacceptable and acceptable behavior. The Audit Committee of our Board of Directors has ultimate oversight for our business ethics and compliance programs, with our Legal and Accounting departments holding day-to-day responsibility for administering our compliance programs. We also maintain an internal audit function with a direct line of reporting to our Audit Committee. We use technology and automated tools to monitor and report on compliance matters.

To help ensure compliance, we maintain a whistleblower program. The Cardtronics Whistleblower Hotline offers anonymous, confidential, independent, 24/7 reporting of any ethical concern, with information and contact details provided on our company website and intranet and included within our Code of Conduct and Supplier Code of Conduct. Employees, suppliers, or other parties may report suspected or known misconduct confidentially and anonymously by telephone (1.800.963.5731) or online (www.ethicspoint.com). All reported incidents are investigated until resolved and all matters are reported to our Audit Committee.

All employees receive extensive compliance training and must certify compliance with our Code of Conduct annually. We have expanded our compliance training strategy from four mandatory courses in 2017 to nine mandatory courses in 2020. This effort was implemented to mitigate organizational risk and ensure compliance with global regulations, country-specific laws, and organizational governance.


2020 mandatory compliance courses and training include the following:

  • Modern Slavery & Human Trafficking
  • Sanctions
  • GDPR
  • Information Security
  • Global Anti-Bribery
  • Information Security II
  • Tax Evasion
  • Global Anti-Money Laundering
  • Global Business Ethics

 

 

 

 

 

Metrics Chart

*numbers do not include enrollments/completions of employees who left the company in 2019.

 

 

Data privacy and cybersecurity

SASB TC-SI-220a.1, SASB TC-SI-230a.2

Cardtronics recognizes the necessity of strong cybersecurity and data governance to its customers and to its business. Cardtronics operates a security platform built on best-in-breed technology and manages cybersecurity risk through a dedicated security team. The security team is made up of information security professionals across the globe working 24/7 to keep data and information safe. Our approach to information security and data protection is an integral part of every system, process and business interaction.

We have established a robust information security program aligned to the ISO 27001 information security standard and NIST Cyber Security Framework. Our cybersecurity and data protection strategy is informed by executive, regulatory and business requirements, and is continually adjusted based on indicators surfaced by our information risk management and governance programs.

Our Chief Information Security Officer (“CISO”) has management responsibility for our cybersecurity programs and policies, including our Information Security Management policy and Information Security Program. The Audit Committee of our Board of Directors oversees risk management related to privacy and data security and cybersecurity.

Our payment network is compliant with security requirements and industry regulations created to protect customer data. We invest in our technology and people to provide an evolving, multi-layered defense. Our relentless pursuit of excellence around security protects the company and its customers from impacts related to cyber events.


To ensure operating effectiveness, we have built a set of critical continuous monitoring capabilities:

  • Security Monitoring: We work to prevent macro events by assessing the core threats to the enterprise and deploying controls wherever possible.
     
  • Breach Response: Data loss prevention is a key focus of our efforts to remove risk from our customers, partners and enterprise. We work to prevent service disruptions by deploying business continuity protocols across the world. Our audit log collection practices and response timelines are aligned to regulatory and contractual requirements.
     
  • Security Testing: We have integrated security testing into both our ATM and systems operations functions, including penetration testing, continuous vulnerability management, and ongoing threat assessments. We conduct at least annual internal and external security audits and vulnerability assessments.
     
  • Education and Awareness: All new hires, including contractors, are required to take our Cybersecurity Training and Privacy training. We conduct semi-annual company-wide cybersecurity training, with specific role-based requirements, that is similarly required for all employees, including full-time, part-time and contractor staff. We supplement our twice-a-year mandatory training with periodic training, such as phishing simulations, throughout the year.

We are committed to developing and maintaining privacy policies and procedures in line with evolving legislation and practice, to protect the privacy and data of our customers, suppliers and employees. Our Data Privacy Officer, supported by our internal privacy committee that meets monthly, oversees our data privacy program and policies. Our privacy policy applies to all of our businesses and subsidiaries and sets forth our commitment to collect and apply user data limited to its stated purpose, explicit guidelines on data use by third parties, and our commitment to obtain user data through transparent means.

 

Supply Chain

Our commitment to responsible and ethical business practices extends to our supply chain. Our Cardtronics Supplier Code of Conduct sets forth our policies and requirements, applicable to all of our subsidiaries. The Code sets forth our requirements, including anti-corruption, human rights, and employment practices requirements.

 

 

 
