I. INTRODUCTION
State and national banks are required to comply with minimum standards for security devices and procedures pursuant to the Bank Protection Act of 1968 (82 Stat. § 296). Regulations implementing this Act are found as follows:
National Banks Comptroller of the Currency (12 C.F.R. Part 21)
Non-member Banks FDIC (12 C.F.R. Part 326)
Member Banks Federal Reserve Board Regulation H (12 C.F.R. Subpart F)
Penalties for noncompliance: Civil money penalties and expanded enforcement powers for regulatory agencies set forth in FIRREA.
Although banks must meet the prescribed minimum security standards and prepare required reports as set forth in the regulations, banks may take whatever additional, appropriate action it deems necessary to address security needs to discourage robberies, burglaries, and larcenies and to assist in the identification and apprehension of persons who commit such acts. Such programs may be as elaborate as the bank chooses to develop.
The scope of the security regulations require each bank to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies, and to assist in the identification and prosecution of persons who commit such acts. It is the responsibility of the bank’s board of directors to comply with this regulation and ensure that a written security program for the bank’s main office and branches is developed and implemented.
II. DESIGNATION OF BANK SECURITY OFFICER
FDIC Regulation § 326.2 (§ 208.61(b) of FRB Reg. H) requires the bank’s board of directors to designate a security officer who shall have the authority to develop (subject to board of director approval, within a reasonable time not exceeding 180 days from the date of issuance of federal deposit insurance) and maintain a written security program for each “banking office.”
FDIC Regulation § 326.4 [FRB Reg. H § 208.61(d)] requires the security officer to report at least annually to the bank’s board of directors on the implementation, administration and effectiveness of the security program.
The term “banking office” includes any branch and the main office of the bank. Offices where loans are neither approved nor funds disbursed do not meet the branch definition and are not subject to the regulation.
The 180 day maximum given as a deadline for developing a written security program is presumably designed for new banks since the time period is tied to the issuance of federal deposit insurance and existing banks should already have some form of written security program in place.
III. SECURITY PROGRAM CONTENTS
The security program must:
A. Establish procedures for opening and closing for business and for the safekeeping of all currency, negotiable securities, and similar valuables at all times;
B. Establish procedures that will assist in identifying persons committing crimes against the bank and that will preserve evidence that may aid in their identification and prosecution; including, but are not limited to:
1. Retaining a record or any robbery, burglary, or larceny committed against the bank;
2. Maintaining a camera that records activity in the banking office; and
3. Using identification devices, such as prerecorded serial-numbered bills, or chemical and electronic devices;
C. Provide for initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a robbery, burglary or larceny; and
D. Provide for selecting, testing, operating and maintaining appropriate security devices, as specified in the minimum security devices rule (See, below).
These requirements are found in FDIC § 326.3(a) [FRB Reg. H § 208.61(c)(1)].
IV. MINIMUM SECURITY DEVICES
Each bank is required to have, at a minimum, the following security devices:
A. A means of protecting cash or other liquid assets, such as a vault, safe, or other secure space;
B. A lighting system for illuminating, during the hours of darkness, the area around the vault, if the vault is visible from outside the banking office;
C. An alarm system or other appropriate device for promptly notifying the nearest responsible law enforcement officers of an attempting or perpetrated robbery or burglary;
D. Tamper-resistant locks on exterior doors and exterior windows that may be opened; and
E. Such other devices as the security officer determines to be appropriate, taking into consideration:
1. The incidence of crimes against financial institutions in the area;
2. The amount of currency or other valuables exposed to robbery, burglary, and larceny;
3. The distance of the banking office from the nearest responsible law enforcement officers;
4. The cost of the security devices;
5. Other security measures in effect at the banking office; and
6. The physical characteristics of the structure of the banking office and its surroundings.
Authority: FDIC § 326.3(b) [FRB Reg. H § 208.61(c)(2)].
V. CONCLUSION
Revised regulations issued in 1991 eliminated certain reports and other specifics, however the revised regulations still require a written security program, designation of a security officer and Board of Directors oversight. The 1991 regulations provide more flexibility and discretion for bankers but certain minimum contents of a security program and security devices are provided in the revisions.
In a Financial Institutions Letter dated July 7, 1995, (See, FIL- 46-95), the FDIC noted that complaints from several law enforcement agencies indicated that a number of banks are complying with the letter of the regulation while showing some disregard for its intent. These complaints suggested that some banks are maintaining the required minimum security devices but failing to recognize and evaluate the need for additional equipment or procedures. The FDIC was told that in some cases, security programs and procedures approved by the bank’s board of directors have not been followed. In other cases, security devices apparently have failed to perform as designed due to lack of proper maintenance.
As a result, the FDIC recommends the “banks review their security devices and procedures to ensure both are adequate. A review by local law enforcement officers also may be adequate. Security devices should be maintained in accordance with the manufacturer’s suggested program. By providing adequate security devices and procedures, banks can fulfill their responsibilities to protect employees, safeguard the bank’s assets, and aid law enforcement authorities in apprehending and convicting persons who commit crimes against financial institutions. Banks also must recognize the potential liability to customers who may be injured on the banking premises as a result of inadequate security measures.”