Does Regulatory Compliance Provide Serious Security?
Chovanes, Michael H., Security Management
In the banking and financial industry, it is said that if you are in compliance, you are secure and in control of your institution's assets. Nothing could be further from the truth.
During the heyday of compliance, enforcement by the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and individual state banking regulators stung many financial institutions and led to the formation of compliance departments, internal control functions, and oversight divisions. This response was an effort to demonstrate to regulators that the institution was sincere about efforts to comply with the rules. In other business disciplines, regulatory compliance is often included in the objectives of the corporate legal or security staff.
Many financial institutions decided instead that the answer to sound security needs for the corporation was to create an umbrella bureaucracy, folding all similar functions, such as physical security, protection policy and procedure development, loss prevention, investigations, special protections, crisis management, and cash controls, under the compliance umbrella.
While this may have demonstrated to regulators that institutions were serious about complying with laws and regulations, how effective is this type of structured focus in addressing the preventive concerns of security? Should security objectives for financial institutions encompass only the stated regulatory minimums for compliance? Should compliance become part of the overall security program that seeks to reduce exposure to risk of loss in any form, including non-compliance?
Complying with laws and regulations is viewed by many bank executives as assurance that their financial institution's transactions are as safe as they can be. Therefore, the protection of assets has been met. The question is, has it? A review of some of the more well-known regulatory requirements for control and compliance is valuable in determining how far beyond the regulation an institution should go to provide a sound security program.
The 1968 Bank Protection Act, amended in 1991, was the first federal attempt to require a security program for all financial institutions. It was prompted by an increase in financial crime, such as bank robberies, check fraud, forgery, and burglary, and it was aimed at addressing the large disparity of efforts toward crime prevention practiced by regulated financial institutions. The 1991 revision to the act streamlined the original to allow regulated institutions more leeway in designing an effective security program.
The Bank Secrecy Act--Title 31 U.S. Code--has not changed markedly since it was originally enacted. It sets up reporting requirements for the transaction of money. One of the objectives of the Bank Secrecy Act, for example, is to detect money laundering.
These are the major pieces of government regulation that must be complied with in the security program. Many security programs are structured around this legislation and, in some cases, little may be accomplished beyond this focus. But what about the effectiveness of the compliance-driven security program in protecting the assets of the corporation?
According to William C. Cunningham, John J. Strauchs, and Clifford W. Van Meter, authors of The Hallcrest Report II: Private Security Trends, 1970-2000, "perhaps the largest indirect cost of economic crime has been the increase in civil litigation and damage awards over the past 20 years. This litigation usually claims inadequate or improperly used security to protect customers, employees, tenants, and the general public from crimes and injuries."
In the recently completed study, Major Developments in Premises Security Liability, authors Norman D. Bates and Susan J. Dunnell write that the average settlement for litigation stemming from criminal acts on business property where the plaintiff is injured is $545,000. The average jury award is $3. …