When banks are suffering their biggest losses from fraud-related and cyber crimes, it is easy to overlook the importance of such mundane things as physical security standards. But even if their loss figures are lower, bank robbery and bank burglary are still significant threats, says Doug Johnson, vice president of risk management for the American Bankers Association. “Physical crime can have a potentially significant impact on the customers and the employees,” he says. “A bank robbery is something you remember. So regardless of what the loss might be, it is safe to say it’s a significant event, and that’s why we take it so seriously.”

One 41-year-old piece of federal legislation sets physical security standards for banking institutions. Has it improved security against the stated physical threats it targets? Does it provide the best protection in the very different banking environment of today?

The Bank Protection Act of 1968

The Bank Protection Act was passed in 1968 in response to an increase in the rate of bank robberies in the United States. The Act placed minimum security guidelines on banks “to discourage robberies, burglaries, and larcenies and to assist in the identification and apprehension of persons who commit such acts.”

It designated four Federal supervisory agencies — the Comptroller of the Currency; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; and the Director of the Office of Thrift Supervision — to promulgate minimum security standards for the banks or S&Ls they regulate. The four resulting sets of rules are basically identical.

On the management side, they make the bank board of directors accountable for compliance, and they require that banks create a written security plan, designate a security officer, establish opening and closing procedures, provide training for officers and employees, and present annual reports to the board on the effectiveness of the security program. Regarding technology, they state that banks must:

Use some method of identifying robbery or burglary suspects;
Have devices in place to protect cash (such as a vault);
Have lighting for the vault if it is visible from outside the office;
Have tamper-resistant locks on doors and windows;
Have an alarm system; and
Have other devices deemed necessary by the security officer.

By all accounts, banking has changed remarkably since the advent of this legislation, and even since its amendment in 1991. That fact alone is enough to warrant a fresh examination of what the Bank Protection Act (BPA) does and does not accomplish.