Printer Friendly

Much ado about nothing?

BANKS, LIKE MOST BUSINESSES, favor government regulations that leave managers room to work out their own solutions. That is just what the federal banking agencies provided when updating rules to the revised Bank Protection Act of 1968 (BPA). Ironically, security managers, unaccustomed to such regulatory freedom, may be reading too much into the agencies' language.

The BPA was originally enacted by Congress in 1968 in response to a rise in robberies and other crimes against financial institutions. The legislation required federally supervised banks to institute minimum security measures. Implementation was governed by detailed regulations issued by the various federal banking regulatory agencies. The rules included two appendixes: one with specific minimum standards for security equipment; and another with specific requirements that instructions be given to employees regarding their conduct during and after a robbery.

Congress amended the BPA in 1991, and the regulatory agencies issued a more flexible set of rules, without the detailed appendixes. But the new rules are still causing confusion nearly two years after their issuance.

In A Midsummer Night's Dream, Shakespeare noted that fear can combine with the shadows of the night to make one mistake a bush for a bear. Security managers wary of government's intentions, peer into the broad regulatory language of the revised BPA and see many bears. Some security professionals find in the revised BPA a mandated annual security survey of each branch. Others see a requirement for separate security programs for each branch, as well as a mandate to obtain crime statistics for the area within a quarter-mile radius of each branch. While these are good ideas, they are not specifically required.

Vendors sometimes contribute to the confusion. A vendor may imply that there are degrees of compliance with the BPA. Buying certain high-security alarm components, for example, is recommended for banks that want to strictly adhere to the law. The revised BPA requires an alarm system, but it does not require any specific alarm system components. Furthermore, as with any law or regulation, a company is either in compliance, not in compliance, or the issue is in dispute. A business is not more in compliance with one type of alarm component than with another.

Of course, bank security professionals also have a vested interest in security requirements. The more specific the law is about duties of the bank security officer, the more he or she has job security. But the revised BPA is not specific about the duties of the bank security officer. In fact, the new regulations leave a great deal to the security professional's discretion.

JUST WHAT DOES THE REVISED BPA REquire? Perhaps no more than it says. Why would the government behave so uncharacteristically? Consider the history of the BPA. The original statute was enacted when crimes against financial institutions were increasing at an alarming rate. Many financial institutions had no security program and no designated security officer.

Most financial institution offices were not designed and equipped to deter crimes or provide evidence to assist in the identification and apprehension of perpetrators. Financial institution employees were, to a large extent, untrained in what to do during and after a robbery. Many night depositories had no protection against fishing or trapping of deposits nor adequate safeguards to prevent burglary.

While excellent vaults and vault doors were available, their use was not required. Many safes were inadequate. Many financial institutions had no cameras. In short, banks lacked a commitment to security. The 1968 legislation was written to address that lack of commitment.

For a law to be effectively enforced, it must be specific. Indeed, most laws and regulations are specific ad nauseam. The original BPA was quite detailed. It addressed such issues as keeping currency and other negotiables locked in a safe or vault during nonbusiness hours, keeping currency to a reasonable minimum, and designating a person or persons to ensure that security devices are turned on and that offices are locked at night. Security managers take those measures for granted today, but it was not always so.

The original legislation had a positive impact. Today, financial institutions have some of the best security programs in the private sector. Security officers are, on average, well qualified and experienced. Greater cooperation exists between law enforcement and bank security officers. When the security officer of a financial institution runs across an unusual problem, help is as close as the telephone.

The expanded market and increased competition among security vendors spawned by the BPA have resulted in vastly improved security equipment. As a result of these combined factors, robbery, burglary, and larceny losses are probably lower than they would have been without the legally mandated safeguards, and employees and customers are safer.

At the same time, the demand from the financial services community and other industries for more effective and reliable equipment has resulted in an explosion of technology. The new technology has rendered many of the minimum standards of the old BPA regulations obsolete. Composite materials that are more resistant to attack than steel or reinforced concrete are available. Alarm systems have been vastly improved. Constant video surveillance is replacing standby film camera surveillance. Remote video surveillance is within reach. Electronic measures are available for protecting currency.

Today, average bank robbery losses are surprisingly low. Injuries to employees and customers are rare. Bank vault burglaries are also extremely rare. A high percentage of bank robbers are apprehended and convicted. Sentencing is harsh. In short, a clear commitment to security now exists.

The regulatory agencies' background information pertaining to the BPA suggests that these factors--new technology, greater professional expertise in financial institution security, and a higher commitment to security--created the right environment for the revised BPA and the less onerous regulations.

The record suggests that regulatory agencies and Congress were convinced that the time had come to turn over the responsibility for developing an effective security program to the financial institution security officer. Oversight of the program would go to each financial institution's board of directors.

Of course, the regulators have not entirely given up regulating. Many of the original BPA's standards have carried over into the new rules. That carryover can be seen by a brief comparison. The old rules required the following:

* A lighting system for illuminating the area around the vault during the hours of darkness if the vault is visible from outside the banking office.

* Tamper-resistant locks on exterior doors and exterior windows designed to be opened

* An alarm system or other appropriate device for promptly notifying the nearest responsible law enforcement officers of an attempted or perpetrated robbery or burglary

* Such other devices as the security officer, after seeking the advice of law enforcement officers, shall determine to be appropriate for discouraging robberies, burglaries, and larcenies and for assistance in identifying and apprehending persons who commit such acts

The act went on to describe considerations for determining which other devices might be appropriate and, in the appendixes, to establish minimum standards for such devices. The rules required banks to document reasons for any deviations from those standards. The regulations also implied the requirement of a vault or safe in the section on procedures by requiring that currency and other valuables be locked in a vault or safe during nonbusiness hours.

The original BPA required four types of security equipment, including the implied requirement of a vault or safe: a lighting system at required times, tamper-resistant locks, an alarm system, and either a vault or safe. Other equipment was left to the discretion of the security officer so long as he or she sought the advice of law enforcement officers. The act did not specify that such law enforcement officers have any expertise in the field of financial institution security.

The revised act requires the following information:

* A means, such as a vault, safe, or other secure space, of protecting cash or other liquid assets

* A lighting system for illuminating the area around the vault during the hours of darkness if the vault is visible from outside the banking office

* An alarm system or other appropriate device for promptly notifying the nearest responsible law enforcement officers of an attempted or perpetrated robbery or burglary

* Tamper-resistant locks on exterior doors and exterior windows that may be opened

* Such other devices as the security officer determines to be appropriate, taking into consideration several factors

Those factors include the incidence of crimes against financial institutions in the area; the amount of currency or other valuables exposed to theft; the distance of the banking office from the nearest responsible law enforcement officers; the cost of the security devices; other security measures in effect at the banking office; and the physical characteristics of the bank's structure and its surroundings.

The actual equipment requirements of the revised act are remarkably similar to the original act except for two differences. First, the revised act specifically requires a secure space for protecting cash and other valuables, not necessarily a vault or safe but a secure space. Second, the revised act no longer requires the security officer to seek the advice of law enforcement officers before determining which other security devices may be appropriate.

GIVEN THE SIMILARITIES BETWEEN THE original BPA and the revised act with respect to required security equipment, why would four of five equipment manufacturers who submitted written comments oppose the revision? Probably because the act clarifies the discretion given to the security officer. The rules do not significantly increase that discretion. At least with respect to security equipment, they simply clarify it. In addition, the deletion of appendix A from the revised act opens the door for more competition because security officers, no longer bound by dated specifications, may be more inclined to consider new products and technology.

Security officers should be pleased by the opportunity to exercise more discretion. Some security officers, however, believe the lack of specificity in the revised act, with respect to both equipment and procedures, will make it more difficult to convince senior management of the need for an effective security program.

Senior management is undoubtedly more inclined to take steps required by regulation than to listen to the recommendations of the security officer, especially if those recommendations will cost money. The revised BPA has, however, addressed the possibility that senior management will become less committed to security by making the financial institution's board of directors responsible for oversight of the security program and for evaluating its effectiveness.

Previously, financial institutions were required to report periodically to the appropriate regulatory agency to certify compliance with the BPA. That requirement has been eliminated. The amended regulation requires the security officer to report instead to the bank's board of directors at least annually on the implementation, administration, and effectiveness of the program. It seems clear that the board of directors is responsible for ensuring not only a security program's existance but also its effectiveness.

Since publication of the revised regulations, the meaning of the word effectiveness has been much discussed. Effectiveness is a subjective term that can mean different things to different people. Its inclusion in the revised regulations is unfortunate but necessary. It implies a serious responsibility on the part of the security officer and the board of directors to review the security program with care.

Directors would be well advised not to simply rubber-stamp an institution's security plan. Ultimately, the measure of effectiveness is how well the security program works.

* Are losses within acceptable limits?

* How do losses compare with previous years?

* How do losses compare with those of other financial institutions in the same market?

* Have incidents involving violence and injury to employees or customers occurred?

* Might losses and injuries be avoided with better training, different procedures, or additional security devices?

* Would the cost of additional security devices exceed the anticipated benefits?

The security officer should consider these questions while preparing the annual security report. The board should review the report with these points in mind.

The question of cost is another issue that has caused some concern among security professionals and vendors. Cost should not be a consideration in determining whether a security measure is appropriate. The revised regulations, however, permit consideration of cost in determining the appropriateness of security devices beyond those that are required. This is reasonable.

Security needs vary with location and other factors. In the absence of some extraordinary circumstance, it would not be logical to expect a branch that averages one robbery every other year with average losses per robbery of less than $3,000 to employ a security officer at an annual cost of $20,000. A similar branch in a high-crime location, however, might not remain open without an officer.

The revised regulations also require that the bank's security program do the following:

* Establish procedures for opening and closing for business and for the safekeeping of all currency, negotiable securities, and similar valuables at all times.

* Establish procedures that will assist in identifying persons committing crimes against the bank and that will preserve evidence that may aid in their identification and prosecution. Such procedures may include retaining a record of any robbery, burglary, or larceny committed against the bank; maintaining a camera that records activity in the banking office; and using identification devices, such as prerecorded serial-numbered bills, or chemical and electronic devices.

* Provide for initial and periodic training of officers and employees regarding their responsibilities under the security program and conduct during and after a robbery, burglary, or larceny. (The revised regulation issued by the Office of the Comptroller of the Currency, which regulates national banks, does not specifically require that officers be included in security training nor that training cover proper conduct during and after burglaries and larcenies.)

With respect to procedures, the revised regulations cover the same ground as the old regulations but, again, with less specificity. Certain suggestions are made regarding identification of perpetrators and preservation of evidence, but they are not requirements.

The regulations require development and administration of a security program for each banking office. There is no reference to a separate written program for each branch. For large banks, that would be a daunting task. The regulations require that the security program recognize the differences between branches and accommodate those differences. Most financial institutions develop a security manual with sufficient flexibility in procedures to accommodate differences between branches. A copy of the manual is distributed to each branch.

The regulations also require that the security officer consider crimes against financial institutions in the area when determining the appropriateness of security devices. Obtaining crime statistics within a quarter-mile radius is one way to do that but not the only way and not the best way. Some bank branches do not have another financial institution within a quarter-mile radius. Many law enforcement agencies are unable or unwilling to provide such statistics.

A good way to find out about crimes against other financial institutions in the area is to ask them. They each have a security officer, and the security officer has a telephone. It is in the interest of financial institutions to share information about crimes perpetrated against them. They have common problems and common enemies.

Some financial institutions form local associations for sharing information. Such organizations meet regularly and invite federal and local law enforcement agencies to address crime problems at area financial institutions. The Georgia Association of Bank Security in Atlanta is a good example. It distributes a cumulative monthly list of area bank robberies.

Security officers may also want to form local associations to compare security programs. Today, security officers and senior managers of financial institutions should be greatly concerned about liability for crimes perpetrated against employees and customers. One of the issues likely to arise in such a case is whether a financial institution uses security measures that are up to local industry standards. Are the bank's security measures at least as good as those of other financial institutions in the same area? If they are not, even though the institution may be in compliance with the BPA, it could face a serious liability problem.

What about the annual security survey of each branch? The regulations require that the security officer take certain circumstantial and physical characteristics of each branch into consideration when determining the appropriateness of security devices. The security officer must report at least annually to the board of directors on the effectiveness of the security program, as indicated earlier. An annual survey is a good idea even though it is not specifically required.

A security survey need not be tedious if little has changed since the last one and if good records are maintained. Some financial institutions require a monthly security survey in the form of a checklist by each branch manager. The checklists, certified by the branch manager, may be reviewed by the security officer and retained in his or her files.

The revised BPA does not require substantially more or less of financial institutions. There has simply been a shifting of responsibility and an increase in the discretion of security officers and boards of directors to develop security programs and use equipment that best meet the needs of their respective financial institutions.

As long as security officers and members of the board take their security responsibilities seriously, the revised regulations should be good for the banking industry. Financial institutions that were in compliance with the BPA before the revision should have no difficulty complying in the future.

Bill Clark is director of security for SunTrust Service Corporation, in Orlando, Florida. He is a member of ASIS.

@ @
COPYRIGHT 1993 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:security professionals' concerns over Bank Protection Act
Author:Clark, Bill
Publication:Security Management
Date:Jan 1, 1993
Previous Article:Coors brews security success.
Next Article:Trends in competitive intelligence.

Related Articles
A smart investment.
Examining 1993 changes and 1994 challenges.
Statement by John P. LaWare, Member, Board of Governors of the Federal Reserve System, before the Subcommittee on Telecommunications and Finance of...
Report finds banks returning to lax appraisal policies.
Statements to Congress.
Statement by Susan M. Phillips, Member, Board of Governors of the Federal Reserve System, before the Subcommittee on Financial Institutions and...
Are security managers meeting new needs?
A mad, mad millennium?

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters