The Security Officer's Role, Part IV
by Dana Turner, Security Education Systems
The Institution's SECURITY PROGRAM
Your institution's Board of Directors should participate in the development and annual review of the Security Program. The Bank Protection Act and other regulations require your directors to ensure that a written Security Program for the institution's main office and branches is developed and implemented.
The literal requirements for having a Security Program may not be enough for your institution. The regulatory language - except for reporting requirements - leaves you considerable flexibility in designing the Security Program. While this flexibility allows a Program that truly meets the special needs of your institution, it also may promote the creation of a Security Program that, while it meets regulatory standards, is actually ineffective or even hazardous.
To be truly effective, your Security Program must contain policies and procedures that regulate the routine activities of every function and department within your institution. The goals of these policies and procedures must be to:
1 - Reduce or eliminate the opportunity for mistakes, misunderstandings and crimes to occur;
2 - Protect all persons on the premises;
3 - Identify and promote the prosecution of offenders; and
4 - Recover missing, stolen or lost funds.
These policies and procedures should be designed to address three major areas. First would be routine business operations - not only in the branches, but also in operations and bookkeeping. Also areas not usually thought to be the responsibility of the security department, such as the mail room, the couriers, and shipping and receiving areas.
Second - target unusual or suspicious events that are not crimes, such as wearing of costumes in the branches on Halloween, or the giving of gifts to employees.
Lastly, your policies and procedures must take into account your institution's potential exposure to internal and external crimes, which can be described as:
- Crimes committed by document, device or technology;
- Crimes committed by trickery or deceit; and
- Crimes committed by force or fear
Creating written policies and procedures for your institution should not be a complex task - although it may be a time-consuming one. If the process is complex, the resulting policies and procedures will be complex and difficult to implement and enforce. Choose a format for creating your institution's security policies and procedures that complements the style of your existing manuals, workbooks, training guides and related documentation. Simply create an effective Security Program by making it accurate in content, legal in application and reasonable and appropriate for your institution's needs. To be really effective, it should also be easy to understand, simple to use, and provide employees and trainers with an educational vehicle as well as a reference tool.
Using the Security Audit Checklist that is available on www.BankersOnline.com, a specific suggested table of contents for your policies and procedures may include most or all of the following areas and subjects:
- Lighting Systems
- Vaults, Safes
- Alarm Systems - including Perimeter Alarms, Area Alarms, Point, Motion or Burglar Alarms & Silent Alarms
- Surveillance Cameras
- Night Depository
- ATMs
- Walk-up/Drive-in Teller Stations
- Lobby Teller Stations
- Teller/Employee Procedures - i.e. currency handling
- Currency Levels
- Check-Cashing Procedures
- Savings Withdrawals Procedures
- New Account Procedures
- Safe Deposit Operations
- Opening, Closing Procedures
- Key and Combination Control
- Bait Money, Dye Packs, Electronic Homing Devices
- Height Markers
- Unissued instruments - i.e. travelers checks, starter kits
- Transportation of Currency
- Visitor Identification Procedures
- Computer Security
- Rubbish Retention
- Evidence Protection
- Guards
- Fire Security
- Training
Many security techniques should be included in your policy, but not distributed for training purposes. This part of your policy would include security practices that are transparent to both employees and customers most of the time - in other words, the security function often works best in "stealth mode". Examples of transparent security practices and techniques include:
- Background investigations - including credit review and contacting references;
- Event investigations - including conducting interviews and interrogations;
- Making camera monitors inaccessible to non-security personnel; and
- Marking vault currency with invisible dye to identify an employee suspected of stealing.
- Other security practices and techniques should be highly visible to both employees and customers all of the time - they should serve as reminders that "security" is always "on duty". Examples of visible security practices and techniques that should be in your policy include:
- Employee handbook sign-off;
- Cameras, height markers and robbery-awareness signs located in the cash-handling facility's lobby;
- Surprise teller audits of cash and negotiable documents; and
- Facility inspections.
Your policy may be even more lengthy than this. The important thing is to spell out exactly what your procedures are. The first document to be subpoenaed in the case of a lawsuit against your financial institution would likely be a copy of your policies and procedures. It must reflect what you actually do, not what you should be doing but is not actual practice! Use the Audit checklist to help you with your writing. It will make your job a lot easier.
(This series of training pages is for new or experienced Security Officers. Dana Turner is a security practitioner and author of the Financial Institution Security Library. He is a moderator on BankersOnline.com's Security Forum and a frequent contributor to the Bankers' Hotline. Contact Dana at (830)535-6500 or at danaturner@email.com)
Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 14, No. 11, 1/05