When banks are suffering their biggest losses from fraud-related and cyber crimes, it is easy to overlook the importance of such mundane things as physical security standards. But even if their loss figures are lower, bank robbery and bank burglary are still significant threats, says Doug Johnson, vice president of risk management for the American Bankers Association. “Physical crime can have a potentially significant impact on the customers and the employees,” he says. “A bank robbery is something you remember. So regardless of what the loss might be, it is safe to say it’s a significant event, and that’s why we take it so seriously.”
One 41-year-old piece of federal legislation sets physical security standards for banking institutions. Has it improved security against the stated physical threats it targets? Does it provide the best protection in the very different banking environment of today?
The Bank Protection Act of 1968
The Bank Protection Act was passed in 1968 in response to an increase in the rate of bank robberies in the United States. The Act placed minimum security guidelines on banks “to discourage robberies, burglaries, and larcenies and to assist in the identification and apprehension of persons who commit such acts.”
It designated four Federal supervisory agencies — the Comptroller of the Currency; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; and the Director of the Office of Thrift Supervision — to promulgate minimum security standards for the banks or S&Ls they regulate. The four resulting sets of rules are basically identical.
On the management side, they make the bank board of directors accountable for compliance, and they require that banks create a written security plan, designate a security officer, establish opening and closing procedures, provide training for officers and employees, and present annual reports to the board on the effectiveness of the security program. Regarding technology, they state that banks must:
Use some method of identifying robbery or burglary suspects;
Have devices in place to protect cash (such as a vault);
Have lighting for the vault if it is visible from outside the office;
Have tamper-resistant locks on doors and windows;
Have an alarm system; and
Have other devices deemed necessary by the security officer.
By all accounts, banking has changed remarkably since the advent of this legislation, and even since its amendment in 1991. That fact alone is enough to warrant a fresh examination of what the Bank Protection Act (BPA) does and does not accomplish.
The Evolution of Banking
Banking in 1968 was about face-to-face transactions — a customer walked into the bank office or branch and did all his or her business with a teller or cashier. ATMs were not rolled out in scale until the 1970s, and their use did not begin to explode until the 1990s. Today, a single commercial bank may maintain more than 18,000 ATMs — approximately the total number of ATMs in the United States in 1980. And while American Bankers Association surveys year after year have shown that customers still prefer branch banking above other methods of banking by a nose, the survey results released this September revealed that the lead has finally been lost. For the first time, more bank customers (25 percent) prefer to do their banking online compared to any other method. Seventeen percent of respondents prefer ATM banking over other methods, and 1 percent would rather use PDAs and mobile devices.
All these changes in banking methods and trends mean changes in the nature of risk for banks and bank customers. The BPA does not expressly regulate the media for any of these trends — mobile devices, ATMs and online banking methods. Do its minimum security requirements adequately address the evolved risk picture? Perhaps we should first answer the question: Should they?
Has It Been Successful?