The document discusses how regulatory and technological changes are increasing pressures on financial institutions to improve security. The new regulations eliminate specific security requirements and place greater responsibility on institutions to develop their own security programs tailored to their needs. This represents a shift away from prescriptive rules towards giving institutions more flexibility but also more responsibility. Security roles are becoming more complex and important given new technologies, growing liability risks, and stricter regulatory scrutiny of security compliance.

1. NEW PRESSURES PUT
SECURITY OFFICERS ON GUARD
Regulatory and technological
changes call for a closer
focus on the right protections
"We're so small, I'm the president,
too."
Robert York's comment describes
most security officers at small to mid-
sized financial institutions. For the
president of the $24 million First Trust
Savings Bank in Jacksonville, Fla., the
responsibility for ensuring the security
of his institution's customers and em-
ployees is only one role among many
that he plays.
Part-time attention to the job has
been common since enactment of the
Bank Protection Act of 1968, when the
regulatory agencies were directed to
detail minimum security standards for
institutions.
In turn, implementing regulations
required each institution to:
• Name a security officer.
• Develop a written security program.
• Install vaults, lights, alarms and
other devices as needed.
• Train employees to perform specific
procedures during a robbery.
• File reports to regulators on com-
pliance with the above requirements.
In most cases, the reponsibility for
compliance went to officers with other
duties.
Indianapolis attorney Buddy Pylitt,
who specializes in financial security
matters, recalls a recent meeting with a
security officer who said he refilled the
paper in automatic teller machines and
clipped the bushes near the ATMs.
The security role may become more
complex, however, given technological
advances, growing risks of liability and
a recent rewrite of the regulations im-
plementing the Bank Protection Act.
The new regulation from the Office
of Thrift Supervision on "mini-
mum security devices and proce-
dures" was issued in March and out
for comment until late May. Generally,
its aim is to put greater emphasis·on
the security-related responsibilities of
officers and directors (see box on page
36).
The OTS collaborated with the
Federal Reserve, Office of the Comp-
troller of the Currency and the Federal
Deposit Insurance Corporation in
drafting the revision; those agencies
are expected to release virtually identi-
cal versions.
The regulation is best known by
security professionals as Regulation P,
the Federal Reserve designation.
The revision does away with out-
dated equipment specifications, de-
tailed procedures for internal
monitoring of security procedures and
specific guidelines for employee con-
duct during a robbery.
The upshot of the revision is that
regulators are backing off from their
earlier, more specific mandates and,
instead, are providing more general
directives. Financial institutions would
simply be required to "train employees
in their responsibilities under these-
curity program" and "maintain appro-
priate security devices."
Moreover, periodic security reports
to regulators will be eliminated and
replaced by annual reports to institu-
tions' boards of directors.
ONUS ON INSTITUTION
"Under the new Regulation P, there
will be more responsibility in the
hands of security officers," says Boris
Melnikoff, senior vice presi-
dent of First Wachovia Bank,
Atlanta, and vice chairman of the
American Bankers Association's secu-
rity and risk management committee.
"Before, [security procedures] were
defined. Now, the onus is on these-
curity officer, and there is greater re-
sponsibility and liability for the
institution," he adds.
Donald Imrie, a security profes-
sional who also is senior vice president
for First Gibraltar Bank FSB, Dallas,
Tex., agrees. "I don't think [institu-
tions] can rely on what has been done
in the past, which is to give these-
curity responsibility to some other
bank officer."
Not surprisingly, the regulators see
fewer problems.
The regulatory changes "might re-
quire a little more expertise because
[security officers] will have to think
some," says Larry Clark, senior trust
specialist for compliance programs at
the OTS. "In my opinion, the draft
regulation makes the job easier be-
cause it offers a lot more latitude."
Clark says the OTS hopes to publish
a final version of the regulation in the
fall.
BUDGETS VS. REGULATORS
Several observers note that security
officers will have to be vocal advocates
for their mission in the institution's
budget process. At least two experts,
however, fear that tight budgets could
result in lax security.
"In two years, you may see are-
laxation of security programs for cost
reasons," says Barry Schreiber, a
SAVINGS INSTITUTIONS. JULY 1990 35

2. criminologist at St. Cloud (Minn.)
State University.
Savings institutions "may attempt to
fund other programs at the expense of
security programs," says Brian
McGinley, vice president for corporate
security and loss prevention at Citi-
bank FSB, Chicago.
Institutions, however, can expect
more attention on security from reg-
ulators. Clark at the OTS says ad-
herence to minimum security
standards and consumer protection
regulations is being reviewed by sepa-
rate, "specialized" examination teams
who are trained in security and con-
sumer protection issues.
Although the security examination
may not necessarily be more in-depth
than in the past, it is intended to
produce more uniform review of all
institutions, some of which have not
had a security review in years.
The examiners "never questioned us
about [our security program] before
this last exam. They spent some time
on it," says John Whetstone, senior
vice president and chief financial of-
ficer- and security officer- for
United Savings Bank FSB, Smyrna,
Ga.
"There was a two-part audit," says
Whetstone. "One was a traditional [fi-
nancial] audit, and the other a com-
pliance audit," where examiners
inspected security devices and asked
about security procedures.
Will tougher examiner scrutiny also
lead to harsher penalties for future
security violations?
The Bank Protection Act calls for a
$100-per-day fine for noncompliance.
36 SAVINGS INSTITUTIONS, JULY 1990
However, says Clark, "Our general
feeling is that there have not been any,
or only a minimal number of, mone-
tary citations."
A recent Federal Reserve memo
adds: "Compliance with Regulation P
is not especially difficult because most
of the requirements involve common
sense actions."
But one proponent of improved se-
curity believes that the regulators
should get tougher about levying
fines.
"The majority of banks and savings
institutions don't take security matters
seriously enough," says C.R. Calla-
han, vice president for administration,
Home Federal Savings Bank,
Hagerstown, Md. "We need some real
teeth in the [Bank Protection Act] .
There are no teeth in it."
COMPLEX TECHNOLOGY
Because ensuring security is "much
more complex now, the best thing an
institution can do is take it very se-
riously and get the best possible train-
ing," says Chuck Steinmetz, an FBI
spokesman. "It's no longer a part-time
job."
Accelerating that complexity, for
one, is more sophisticated security
technology.
The Federal Reserve cited the rapid
evolution of technology in its decision
to initiate a revision of Regulation P.
Regulatory standards for sur-
veillance cameras have been surpassed
by subsequent technological develop-
ments that can produce better pictures
at a lower cost, says Jerry Adams,
national marketing manager for elec-
REVISED RULES FOR
SECURITY CALL FOR
PROACTIVE RESPONSE
The OTS is the first
to issue changes in
security requirements
Alarmed by a nationwide surge in
bank robberies - which rose from
753 nationwide in 1960 to 2,259 in 1967
- Congress in 1968 passed the Bank
Protection Act, requiring each com-
mercial bank or savings institution to
name a security officer and adopt cer-
tain security procedures.
The various federal financial reg-
ulatory agencies collaborated on draft-
ing and now revising the regulations
implementing the act.
While the Federal Deposit Insur-
ance Corporation, Office of the Comp-
troller of the Currency, Office of Thrift
Supervision and Federal Reserve
Board technically have separate reg-
ulations, they are virtually identical
and commonly all known as Regula-
tion P, the Fed designation.
The number of bank robberies con-
tinued to rise through the 1970s, total-
ing nearly 8,000 in 1980; the trend has
since stabilized, remaining around
the 6,000-to-7,000 level each year in
the 1980s.
Despite the stability in crime ac-
tivity, emerging technologies and a
general effort to prune regulatory lan-
guage has led to a recent revision of
Regulation P; the new version elimi-
nates many specific requirements and
focuses more on officers' and direc-
tors' responsibilities for security.
OTSACTION
The Office of Thrift Supervision
was the first regulator to issue a newly
proposed regulation on March 20.
Comments were due May 21, says
Larry Clark, senior trust specialist for
compliance programs at OTS. He says
the OTS hopes to publish a final reg-
ulation in the fall.
The Federal Reserve Board, FDIC
and OCC are expected to follow with
virtually identical regulations.

3. The proposed regulation is only
half as long as its predecessor. House
cleaning accounts for some of the re-
duction in volume; redundant defini-
tions and statutory language as well as
references to obsolete equipment have
been removed.
KEY CHANGES
The more substantive changes in
the OTS regulation include:
• Purpose: In place of stating the reg-
ulatory agency's right and duty to es-
tablish and enforce security
standards, the proposal states: "It is
the responsibility of the association's
board of directors to comply with this
regulation and ensure that a security
program...is developed and imple-
mented."
• Security officer: Previous language
required the security officer to admin-
ister a program that "equals or ex-
ceeds" regulatory standards; now,
more general phrases call for protect-
ing offices and helping to apprehend
criminals.
• Reports: Required reports to reg-
ulators are eliminated, with the un-
derstanding that regulators can have
access to internal reports as needed.
However, reports on security must be
made to an institution's board of di-
rectors at least annually.
• Devices: Requirements for a lighted
vault, alarm system and tamper-resis-
tant locks remain, but an entire ap-
pendix with technical specifications
for these devices has been eliminated.
• Robbery procedures: A general refer-
ence requiring periodic employee
training in security procedures re-
places a 10-item list of instructions for
proper conduct during a robbery.
In that earlier list, institutions were
required to train employees to avoid
actions that might be dangerous, but
to activate alarms, give the robber bait
money, observe the robber, preserve
evidence and avoid comment except to
authorized persons after the event.
tronic security products at Diebold,
Inc., North Canton, Ohio.
He adds that alarm standards have
been surpassed by systems that now
can detect both motion and body heat,
thus reducing false alarms caused by
falling objects or blowing fans .
At a minimum, institutions will still
be required by regulations to have tam-
per-resistant locks, an alarm system
and a "secure place" -vault- for
cash that is well-illuminated if visible
from the outside.
But, beyond these minimum re-
quirements, the regulation calls for
"such other devices as the security
officer determines to be appropriate."
As such, institutions will have to rely
on their own expertise to decide which
emerging security technologies to
adopt.
For instance, says Ben Miller, pub-
lisher of Personal identification News,
large institutions are already using
new technologies for internal controls
that will almost certainly be adapted
for retail customers at institutions of all
sizes.
Among the choices on the high-tech
horizon:
• Biometrics, which can identify a per-
son's features (fingerprint, hlnd geom-
etry or retinal pattern) or behavioral
characteristics (voice signature and
typing patterns).
• "Smart cards," portable devices with
integrated circuits to be used for iden-
tification and authentification.
• Electronic imaging, where individu-
als can be identified through a video
camera linked to a computerized sys-
tem.
"The important part of the [security
officer's] job will not be to identify the
individual technologies, but to be able
to do a good job in screening out
installers," says Miller.
But Imrie at First Gibraltar questions
that practice, saying that "smaller
banks often rely on equipment ven-
dors for expertise, and I'm not so sure
they can afford to do that, since the
burden [of responsibility] is on the
bank."
Fortunately for institutions, Regula-
tion P and its revision explicitly allow
security officers to consider the cost of
security devices when considering
which ones to use.
Furthermore, the cost of new tech-
nologies falls almost every year, ac-
cording to Miller, who says that some
biometric units have fallen in price
from $8,000 in 1985 to $2,000 now.
Im'proved camera surveillance of
transactions has allowed significantly
greater recovery of losses in fraudulent
transactions, adds Diebold's Adams.
"We're getting to the point where we
can cost-justify security systems now
and not just treat them as overhead."
EXPOSED AT ATMs
In addition to new technological
pressures, the risks of legal liability for
inadequate security also are putting
new pressures on institutions.
Indeed, crimes against customers at
automatic teller machines loom as a
potential new source of civil liability
for institutions.
Seen as a precedent for ATM lia-
bility, bank security literature fre-
quently refers to a $1 million jury
SAVINGS INSTITUTIONS, JULY 1990 37

4. award in 1988 for a Florida man
nently injured when he was robbed at
a night depository. During the trial,
the bank in question admitted respon-
sibility for inadequate security mea-
sures.
"The 'big club' in the area of security
compliance is the risk of litigation,"
says Criminologist Schreiber, an expert
on ATM security .
"[Security preparations] are not
done to comply with federal law;
they're done to keep [you] out of a
courtroom," adds Robert Rosberg, di-
rector of the anti-crime bureau of
Mosler, Inc., Hamilton, Ohio.
But the courts have not left institu-
tions open to unlimited liability. Apart
from the widely publicized Florida
jury award, courts in Illinois, Alabama
and California have made rulings lim-
iting bank responsibility for customer
safety and recognizing the customer's
responsibility to accept risks and act
prudently.
Although claiming that a glut of law-
yers has resulted in imaginative- or
"absurd"- attempts to make liable
anyone perceived to have "deep
pockets," Attorney Pylitt believes
courts have been generally reasonable
in their rulings regarding the liability
of financial institutions for their cus-
tomers.
"It is my opinion that if banks do
their job- establish [security] pro-
cedures, check lighting and clip
bushes [at ATMs], there's not going to
be any responsibility or liability," Pylitt
says.
Aside from courtroom challenges,
regulators and lawmakers have been
38 SAVINGS INSTITUTIONS. JULY 1990
I
slow to mandate new ATM security
measures.
In the late 1980s, bills and ordi-
nances mandating lighting, visibility
and "panic buttons" at ATMs were
introduced at the local, state and
federal levels in the wake of highly
publicized crimes involving these
units, like the murder of a Chicago
woman and a series of rapes perpe-
trated by a California man.
With the exception of a few Califor-
nia cities, however, no governments
have enacted ATM security require-
ments, according to industry obser-
vers.
A Chicago task force on ATM se-
curity formed after the June 1989
murder of Dana Feitler recommended
against an ordinance. The task force
instead called for greater consumer
education on ATM security and more
cooperation between institutions and
police.
"I am not aware of specific legislation
regarding ATMs," says Anne Brown,
senior director of member services for
the Electronic Funds Transfer Associa-
tion.
"The only state legislature I know to
be considering it is in California, and
there are folks on Capitol Hill looking
on."
According to experts, two factors
have stalled further ATM security mea-
sures:
• A recognition that the number of
incidents is still relatively small: one
victim per 3.5 million transactions, ac-
cording to a 1987 Bank Administration
Institute study.
• A lack of consensus over what is
I
VARIOUS EXPERTS
OFFER TIPS TO BOOST
INTERNAL SECURITY
Clearly, management must make its
own decisions to shape the right se-
curity strategy to protect both em-
ployees and customers.
However, various experts offer the
following tips that can guide manage·
ment planning:
• Alert customers: Don't shy away
from discussing security precautions
with customers for fear of making
them uneasy.
Consumer education was cited as
the best deterrent to crimes at auto-
matic teller machines by task forces 01
ATM security organized by the City o
Chicago and the Bank Administratio
Institute, Rolling Meadows, Ill.
Moreover, some lawsuits filed by
injured customers have cited the
bank's failure to warn them of poten-
tial hazards.
• Design for deterrence: If building or
remodeling branches, take note of
new research findings that link bank
design and security.
Challenging the long-held belief
that visibility into a bank enhanced
its security, the BAI now recommend!
that tellers be at rear locations. Man-
agers should be situated by windows
near the entrance, where they can
screen traffic and possibly prevent a
robber from "casing" the bank.
• Reevaluatingguards: Use of guards,
once the mainstays of bank security,
has fallen steadily over the years due
to cost and the risk of accidents. In
fact, even after being robbed, many
institutions still show no interest in
using them.
"History shows that it usually
doesn't matter if there was a guard
there; a robbery would have hap-
pened anyway," says Boris Melnikof
vice chairman of the American Bank-
ers Association's Security and Risk
Management Committee.
• Train employees: Regular training tc
prepare employees for robberies and
other emergencies is essential to pro-
tect them and customers, say sources.

5. The quickness of most robberies
may prevent employees from doing
anything wrong, but efforts to ap-
prehend the perpetrator may be foiled
if employees fail to give bait money,
activate alarms or get a good descrip-
tion.
"Without proper training, the vic-
tims may not be looking for the right
things," says Melnikoff.
• Protect ATMs: "Panic buttons" at au-
tomated teller machines are not fa-
vored by experts, and research has
found that enclosures pose some
risks.
But there is consensus that ATMs
should be well-lit and visible to the
surrounding area. A task force of the
Electronic Funds Transfer Association
recommends installation of wide-an-
gle transaction cameras- continuous
operation ones, if possible.
• Know the vendor: The technology
for surveillance cameras, access tech-
nologies, alarms, vaults and locks has
grown increasingly complex.
As a result, experts advise institu-
tions to carefully screen and cultivate
their vendors. Apart from checking
the vendor's service record, ask to see
certifications from Underwriters Labo-
ratories for equipment and installa-
tion, says Jerry Adams, national
marketing manager for electronic se-
curity products for Diebold, Inc.,
North Canton, Ohio.
• Spread the word: Institutions are ad-
vised to share information about crim-
inal activity with law enforcement
officials and nearby institutions.
Dan Imes, director of marketing
and security officer for First Federal
Savings, Bakersfield, Calif., says a
"hot line" established among com-
mercial banks and savings institu-
tions in Bakersfield alerted the
institution to a robber working the
area. When she appeared at First
Federal, employees were ready with
bait money and quickly alerted po-
lice, who apprehended the offender
soon after the robbery.
needed beyond good lighting and
good visibility, which is what most
institutions already provide and cus-
tomers demand.
Law enforcement officials advised
against proposals to require panic but-
tons or emergency telephones, for fear
of being deluged with false alarms.
Some argued for requiring enclosed
vestibules, but the BAI cautions that
street people use ATM enclosures for
shelter. Moreover, Pylitt says police
have told of victims becoming trapped
wi"thin an enclosure with their at-
tackers.
Some institutions, like Home Sav-
ings of America, provide telephones
linked to 24-hour operators who can
screen false alarms and notify police of
robberies, as well as provide customer
service.
McGinley at Citibank says closed-
circuit television viewing of ATM
transactions by security personnel can
become "one of the hottest things," if
technology can evolve to the point
where constant images can be trans-
mitted over telephone wires at low
cost.
As it is, "slow scan" monitoring can
only send video "snapshots" with
eight-second delays over telephone
wires. That is still prohibitively expen-
sive to most institutions, according to
McGinley.
CONFLICTING ADVICE
The debate over ATM security re-
flects another dilemma that confronts
institution security officers: contradic-
tory theories on the appropriate se-
curity strategies. (For various views on
security measures, see box at left.)
The Bank Security Report criticizes
bank interiors that offer robbers unim-
peded escapes; the publication sug-
gests that an institution would be less
of a target if there were some obstruc-
tions.
But security officer Joe Rostowsky at
Elmhurst (Ill.) Federal Savings says the
top priority of his staff during a March
robbery was to get the offender out as
quickly as possible without incident,
as others recommend. They did so
successfully.
Rosberg at Mosler decries what he
feels is a dangerous lack of employee
training for bank robberies but ac-
knowledges that employees almost al-
ways act correctly in robberies,
perhaps because there is virtually no
time to do anything wrong.
The new Regulation P suggests that
institutions use dye packs and elec-
tronic tracking devices to help ap-
prehend robbers. But Steinmetz of the
FBI says that the safety of people
comes first, and "we don't want to
overburden people with an inves-
tigative role."
Despite the challenges involved in
protecting an institution, the best
course for security officers, according
to experts, may be the simplest: Exer-
cise common sense.
"There are some regulations that
regulators feel they have to adopt to
make institutions do what they would
not do voluntarily," says Clark at OTS.
"There are other areas where it's in the
institution's best interest to comply,
and [security] is one of those." lllJ
Joseph Harrington
SAVINGS INSTITUTIONS, JULY 1990 39