Regulation H – Bank Security Procedures
Often, we see institutions overlooking or not providing enough attention to, Regulation H Subpart F, Section 208.61, more commonly known as Bank Security Procedures. As with any other regulation, not adhering to these requirements can lead to examiner criticism.
The Federal Reserve Board (FRB) requires that all institutions have a well-written formal Bank Security Program that includes specific procedures to protect the bank’s assets. The regulation states: “Member banks are required to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies, and to assist in the identification and prosecution of persons who commit such acts.”
Regulation H also requires a formal designation of the Security Officer by the Board of Directors, and this appointment is typically addressed in the annual organizational meeting. The Board will also need to approve the Security Program with very specific minimum requirements.
While many institutions will comply with the establishment of a formal program listing the regulatory requirements, they tend to fall short on the required procedures.
The first requirement is to establish procedures for opening and closing procedures not only for the facilities but also for the vaults, teller drawers, and negotiable instruments such as supplies of cashier or official checks. These will and should include dual controls. Allowing an employee to enter the building or have access to currency or other securities on their own not only puts the bank assets at risk but also the employee. Both the institution’s safety and the employees’ safety need to be considered when establishing these procedures. It is common for institutions to use an all-clear signal and always require a minimum of two employees on the premises. Access to vaults should also be logged, showing times entered and exited and initialed by at least two employees. It is also recommended that codes be split to ensure that no one person has access to both. All of these steps will need to be clearly stated in the written procedures so that there is no confusion about the expectations of the employees.
The next step is to establish and implement procedures to assist the Security Officer in identifying any persons committing a crime against the institution, such as where cameras are placed or if there is a requirement for a security guard to be present. Cameras should capture not only the interior areas of the institution but also the exterior. Some institutions go a step further and require the consumers to identify themselves prior to being allowed access to the building. Most institutions will not allow wearing hats, sunglasses, or hoodies while on premises. Do ensure your procedures include precautions to protect assets as well as employees.
A sample of several questions to ask when determining the procedures are: Are tellers behind inaccessible counters or behind protective glass? Is the vault behind a guard gate inaccessible without a key or code? Are doors self-locking? Are there tamper-resistant locks? How are the premises illuminated? Are there panic buttons and alarms, and who has access to them? Does the institution use dye packs? Are local authorities automatically notified, and when?
Then, most importantly, the Security Officer will need to ensure all employees are adequately trained not only in their part in complying with the Security Program but also in how to conduct themselves during a robbery. Step-by-step robbery procedures are often missed in this process. These procedures need to ensure that each of the employees knows exactly how to conduct themselves before, during, and after to keep themselves and those around them as safe as possible. These procedures should include step-by-step instructions on what to do, who to contact and when, and how to always protect themselves.
And finally, the Security Officer must have an established formal process for periodic testing and/or auditing security procedures and devices critical to that success. Each applicable device should be tested to ensure they are functioning properly. Testing criteria and results should be formally documented. This can be accomplished with an internal or external process or a combination of both.
As part of the regulatory requirement, the Security Officer is to provide an annual report to the Board of Directors on any changes to the program, the status of each component, if any issues were noted, and any resolutions to improve identified weaknesses. While there is no specified template, the Security Officer must ensure that the Board is well informed on the effectiveness of the program’s adherence to regulatory requirements.