• Issues of repeat victimization. Bank branches that have already been robbed once are often robbed again. Several studies bear out that a branch that has never been robbed faces a low risk of robbery, and a previously robbed branch has a substantially higher risk. It would be helpful for banks and branches to maintain a schedule for escalating security measures after an event to mitigate the increased risk that event represents.
• Risk assessment. The word “risk” does not appear in the BPA or any of the four supervisory agencies’ resultant requirements. A risk assessment is a must to adequately protect any individual branch against these kinds of physical threats.
These are the issues that some feel the BPA neglects, even if read strictly as a law targeting traditional methods of robbery, burglary and larceny. A case can also be made that the terms robbery, burglary and larceny do indeed encompass newer crimes than the 1968 Act could have foreseen, and this introduces more concerns.
A Broader Interpretation
Does uprooting an ATM with a pickup truck and a chain constitute burglary? What about installing a card skimmer on one? Is online banking crime, like theft or cracking of usernames and passcodes, a form of larceny? Or are such things more properly referred to as fraud?
In that same vein, can a broader interpretation be given to the mission of the BPA? It is very possible that its full intent was to address burglary, larceny and robbery only, and to leave other risks to other legislation. It is also possible that legislators meant it to address the predominant security threats to banks and bank customers, which legislators at the time viewed as burglary, larceny and robbery.
If we espouse this broader interpretation, the BPA should be addressing the security threats that are of importance to banks and their customers now. If that is so, it appears to fall short in two specific areas: ATM crime and data security or online banking crime. Other federal legislation and guidelines exist to deal with the latter (see this month’s Compliance Scorecard below for a discussion of one such rule), so we will focus on the former.
The American Bankers Association’s Doug Johnson cites ATM skimming as the biggest physical security risk that bank customers are facing today, and one of the threats that’s most front-of-mind for bank security officers. Skimming is the practice of installing some physical device on an ATM that reads information from the swiped or inserted card. The ABA is actively looking at expanding its existing bank robbery database to track where ATM skimming devices have been found in real time.
Another ATM crime, in which perpetrators physically pull the machine off its base and haul it away, is less insidious but also widespread.
While states including New York, Nevada, Washington, Oregon, Georgia, Louisiana, Maryland and Florida have passed laws on ATM security, there is no federal law that sets security standards for ATMs at financial institutions or in other locations. The BPA certainly does not. Laws, standards or guidelines (such as a revised BPA, perhaps) could protect ATMs from removal by requiring or recommending that bollards be placed around them, that GPS devices be included in them, or that they include some other mechanism to deter or prevent the machines from being pulled from their bases. They could also require or recommend that anti-skimming devices of various sorts be installed on ATMs. Some of these recommendations would have to be met by manufacturers and others by bankers.
Should the Law Be Revised?
The question is, are the concerns we have discussed better dealt with by legislation or by industry cooperation and best practice?
“I do think (revision) is a worthwhile tack to take,” says Richard Lefler, Dean of Emeritus Faculty of the Security Executive Council and former CSO of American Express. “The Act addresses the brick and mortar security issues. But banks have become virtual. So the applicability of the old rules has to be adjusted to reflect the reality of the banking world today.”
Johnson disagrees: “We as a regulated industry are fairly accustomed to having the flexibility in our environment to look at the risks we have. It’s in the financial institutions’ best interest to make sure the customer is protected. I think as an industry we generally come to these conclusions without legislation.” Johnson goes on to say that the ABA’s Security Committee, which includes the security leaders from 15 of the nation’s top banks, does not feel that improving the BPA needs to be a top priority at this time.