THE SPECIAL DEMANDS MADE ON BANK SECURITY IN THE BALTICS

The pre­si­dents of privat banks in­for­ma­ti­on gathering journeys and visits to modern banks were always followed by extensive eva­lua­ti­ons from which sprang all sorts of ideas and concepts for their own in­sti­tu­ti­ons. And bank security was for the most part also included in this process. No one disputes that bank security, along with all other banking tech­no­lo­gies in eastern Europe, is in need of mo­der­niza­ti­on, or even complete over­hau­ling. What these banks require are solutions which will take them into the future, which are guided by European norms and the criteria which ab­so­lu­tely must be met if a bank wishes to do business on the in­ter­na­tio­nal stage. Yet banks must also take into account the unique bank security needs in the Baltics. So what they require are new solutions, not carbon copy concepts taken from their as­so­cia­tes in western Europe or America. Nor should they adapt the European standards without careful analysis. 

On the road to European Union mem­bership and to par­ti­ci­pa­ti­on in the in­ter­na­tio­nal banking community, the Baltic states must first consider the security re­qui­re­ments unique to their banks and the con­di­ti­ons in the Baltic states in general and then sensibly draw on the in­ter­na­tio­nal­ly tried and tested pro­ce­du­res and expertise to meet these con­di­ti­ons. I am convinced that they will be suc­cess­ful in in­sti­tu­ting both the in­ter­na­tio­nal standards as well as very coun­try-spe­ci­fic mo­di­fi­ca­ti­ons and gui­de­lines. The variety of ways one can structure a tour of western Europe or America is matched by the variety of security systems which have been suggested or are already in use. These stretch from true quality products to com­ple­te­ly un­ac­cep­ta­ble systems. The latter are those based on non-cer­ti­fied tech­no­lo­gy which does not comply with European security standards nor with the criteria of property insurance companies. Such systems simply do not belong in any modern in­ter­na­tio­nal bank. I shall con­cen­tra­te on some of the more specific security re­qui­re­ments for private banks in the Baltics. In so doing, I shall draw on my ex­pe­ri­ence from nearly six years as a security adviser and from my current position as owner of two security companies, ISG In­ter­na­tio­nal tätig SI­CHER­HEITS­GE­SELL­SCHAFT mbH, based in Berlin, and SIA Krup­pa-SI­CHER­HEIT with offices in Riga. In par­ti­cu­lar, I shall discuss the results these companies have had in their dealings with the state banks in Latvia and Lithuania as well as with many private banks in Latvia, Lithuania and Russia. 

Allow me to begin by focusing on the private banks. The security needs of private banks differ widely from the es­pe­cial­ly stringent demands of STATE BANKS. We usually speak of the normative re­gu­la­ti­ons for private banks. In state banks, the security systems and complex re­gu­la­ti­ons are always UNIQUE, in­di­vi­du­al solutions which each bank develops as a con­se­quence of its in­ter­na­tio­nal ex­pe­ri­ence. Such systems require in addition special advice and concepts, an area I would be most happy to help you with should you wish. It is true that a good many of the following state­ments will apply to state banks too, but their security ar­ran­ge­ments are si­gni­fi­cant­ly broader than those of private banks and the security phi­lo­so­phies between the two differ as well.

The first problem with which I was con­fron­ted and which still exists in many banks is the focus those re­spon­si­ble for bank security place on pro­tec­ting persons and premises. This re­p­res­ents a quite un­ac­cep­ta­ble narrowing and con­cen­tra­ti­on of a bank's efforts on one area. It is a con­se­quence of past ex­pe­ri­en­ces, when an increased de­ploy­ment of personnel was used to attack the numerous security problems. Security personnel were supp­le­men­ted by technical systems and backed up by the power of the state. The technical systems and the as­so­cia­ted technical standards in the Baltic States were developed in the belief that the size of the system was the main guarantor for security. Three months ago I was permitted to have a look at and analyze a modern and well-known bank in Vilnius. I was to state in my analysis whether the security equipment which had been installed met European security norms. Let me first say that even though the system was much too broad in scope - and therefore too expensive - it was in com­pli­an­ce neither with European security standards nor with those of property insurance companies. After coming to this con­clu­si­on, I was then expected to report it in my analysis, so that the bank wouldn't have to pay the company which installed the system. This I refused to do because I knew that the bank had been made well aware - before the system had been installed - of the fact that you cannot achieve quality bank security at modern standards when you have no well-thought-out concept and use cheap, non-cer­ti­fied tech­no­lo­gy. Besides good, by which I mean certified, tech­no­lo­gy and the good equipment built using it, of vital im­port­an­ce is first of all a good concept which can result in an ac­cre­di­ted system. As a rule, modern banks have at least six separate security systems which represent only one of many elements of their bank security. You can compare this to baking a cake. Good in­gre­dients are a pre­re­qui­si­te to a good cake but the recipe de­ter­mi­nes the outcome. Too many banks still con­cen­tra­te only on the in­gre­dients and even save money on them while the recipes they use are worthless or even non-exis­tent. This is often the result of one person wanting to do ever­y­thing alone, or of placing trust in the wrong baker or of simply being too miserly.

Bank security is more than just pro­tec­ting persons and premises. It includes elements which serve overall
security, such as

• the pro­tec­tion of func­tio­nal ope­ra­ti­ons against robbery, fraud and ma­ni­pu­la­ti­on;
• the pro­tec­tion of managers and their families;
• the pro­tec­tion of employees, par­ti­cu­lar­ly in the customer service areas, and ensuring that they know how to correctly respond to threats;
• the pro­tec­tion of premises and high security areas;
• the pro­tec­tion of money transport both inside and outside the bank;
• the pro­tec­tion of data during pro­ces­sing and transfer;
• the pro­tec­tion of technical in­stal­la­ti­ons;
• and the pro­tec­tion against economic espionage of all channels of com­mu­ni­ca­ti­on to include the spoken word.

And these are just a few important examples. Another point to be added is the ap­pro­pria­te response to mistakes and dis­rup­ti­ons, which should be based on clearly spelled out or­ga­niza­tio­nal in­struc­tions. For this to be achieved courses must be given, personnel must be trained and all elements of security ope­ra­ti­ons must function as one. Take a walk around your own bank with a more critical eye, and don't just look at the guards with their pistols or at the visible security systems. Of course, systems can be designed which are ab­so­lu­tely im­pe­ne­tra­ble, even for those who are familiar with them. But such ar­ran­ge­ments hinder the proper func­tio­ning of the bank and are only rarely eco­no­mi­cal­ly ju­sti­fia­ble. What you need are com­pre­hen­si­ve security solutions, in which all elements are coor­di­na­ted and back each other up while at the same time function to support the bank's ope­ra­ti­ons.

A second problem involves the risk factor in the Baltics and in eastern Europe, which has changed relative to that of western European banks. It must be em­pha­si­zed that a state of security is not material; you can't earn money with it, you can only protect the money you have hopefully earned. Of course this is also a quite useful function! Your pre­si­dents and you have made many dis­co­ve­r­ies on your trips to western Europe. A list of them would include con­sul­ting services of widely differing quality which you have taken advantage of. Dif­fi­cul­ties arise when you try to bring your dis­co­ve­r­ies in the field of modern bank security tech­no­lo­gy in line with what for you is possible and with the specifics of banking in the Baltics. Bank security in these states must operate in an en­viron­ment which is quite distinct from that of modern west European and American banks in several fun­da­men­tal ways. This leads us to the con­clu­si­on that the re­gu­la­ti­ons governing security in western Europe cannot simply be in­tro­du­ced into these cir­cum­stan­ces. One reason for this are the special con­di­ti­ons which determine the risk factor in the Baltic states. Some of these con­di­ti­ons are

1. Because cashless payment tran­sac­tions are in­suf­fi­ci­ent­ly developed in your banks, a high share of transfers are done in cash. This is also a burden on money transport services, which are much more widely here used than, for example, by your west European partners.

2. Func­tio­nal ope­ra­ti­ons are still struc­tu­red in a manner that involves large amounts of paperwork and staff and any switch to new struc­tures is wrought with un­cer­tain­ty. The path to the new tech­no­lo­gies is the only path at your disposal, but each step brings with it a number of trans­for­ma­tio­nal problems which ne­ga­tively impact bank security.

3. The transport of money both inside and outside the bank has been, and still is, in­suf­fi­ci­ent­ly secured and in­ef­fi­ci­ent­ly organized. As banks do not as yet trust private service companies, each bank must organize its own transport. This re­p­res­ents a major dif­fe­rence to as­so­cia­ted banks in the West, where the demands placed on personnel, or­ga­niza­tio­nal struc­tures and equipment are of a com­ple­te­ly different nature.

4. Many risks exist in con­nec­tion with the in­tro­duc­tion of elec­tro­nic data pro­ces­sing and data transfer which were also common in western banks in the sixties and seventies. But entirely new forms of crime have evolved as a result, such as computer crime. Much is known about how to prevent such crime, but to be effective the risk in one's own bank must first be de­ter­mi­ned by means of a data security analysis. The attitude of the Baltic banks towards such analyses, and to concepts in general, has been largely one of re­luc­tan­ce. But this is not the place to cut corners!

5. The majority of banks are still doing business in old buildings which have not yet been adapted to the new con­di­ti­ons. And the re­con­struc­tion which is underway also brings with it new threats. Walls and safes are often in­suf­fi­ci­ent­ly resistant, high security areas are not phy­si­cal­ly separated to the extent they should be and the necessary lock systems are lacking. It is precisely in this area that in­ter­na­tio­nal re­gu­la­ti­ons are most clear.

Let me point out that I will not go into the details of the unique crime situation in the Baltics with its par­ti­cu­lar forms, struc­tures and impact on society. But crime must of course be taken into account when drawing up a SECURITY STRATEGY for a bank. The Baltic crime situation has given birth to a security phi­lo­so­phy which assumes that the criminal must be appre­hen­ded inside the bank. This viewpoint is based on the fact that, in com­pa­ri­son to western Europe, police and fire fighters in the Baltics currently take too long in arriving at the scene of a bank crime, and they are in­suf­fi­ci­ent­ly equipped to im­me­dia­te­ly track down the suspects. And the influence these criminal struc­tures have is not known. This phi­lo­so­phy, although differing from that in western Europe, is for the present com­ple­te­ly un­der­stan­da­ble, and it is decisive in devising a security strategy. There are tech­no­lo­gy-ba­sed systems which are wholly suf­fi­ci­ent for west European banks but are not ap­p­lica­ble under the pre­vai­ling con­di­ti­ons in the Baltics. So the option of simply imitating such systems is out of the question. Of course you may opt for the cheapest solution available and save the expense of de­ve­lo­ping a security strategy. But if you do, do not then ask west European insurers to insure your prmises or your money trans­ports and do not expect in­ter­na­tio­nal banks in western Europe to extend loans to you. All you can do is hope that the criminal struc­tures are blind to the gaps in your security net. I would like to offer you solutions which meet west European standards, which are sanc­tio­ned by property insurers, which take into account the special con­di­ti­ons in the Baltics and which are ne­vert­he­less eco­no­mi­cal­ly ac­cep­ta­ble. If you take a look at the Deutsch-Let­ti­sche bank in Riga and if you can recognize the six security systems in place there, then you will have found such a solution. Here the standards laid down by the German Union of Insurers (Verein deutscher Sach­ver­si­che­rer) were used as a basis. Please don't misun­der­stand me, these standards do not apply in any of the Baltic states. But as they are re­co­gnized by insurers active on the in­ter­na­tio­nal markets as proof of quality, they may well act as a guide when you design your stra­te­gies. We must also dif­fe­ren­tia­te between certified equipment and the cer­ti­fi­ca­ti­on of a system following in­stal­la­ti­on. You should always demand certified equipment, but a system cer­ti­fi­ca­te is not necessary. It has no formal legal force in the Baltics and little practical value because un­for­t­una­te­ly the special re­qui­re­ments we have mentioned are on the whole often not entailed in the cer­ti­fi­ca­te. What is more important is that the system in­stal­la­ti­on is done according to ap­p­lica­ble gui­de­lines with the goal of achieving the accepted standards.
 
The following pheno­me­non should be kept in mind: There is a lot of talk about the German Union of Insurers standards, everyone wants them, every installer offers them, but very few people really know what they are. The bank in Vilnius which I mentioned earlier was also misled. Be sure you keep a clear head when con­clu­ding contracts and take advice be­forehand. Another serious problem are the relevant cer­ti­fi­ca­tes. Their si­gni­fi­can­ce in Germany or in western Europe is often mis­re­p­re­sen­ted by those using them and I have even come across coun­ter­feits. You are of course currently operating under un­fa­vor­able cir­cum­stan­ces. There are no outline di­rec­tives from insurers, no building standards for banks and no le­gis­la­ti­on governing specific re­qui­re­ments for bank security which are re­co­gnized by law in the Baltic states. This is why we still find here in the majority of cases, alongside the un­der­stan­da­ble search for in­ter­na­tio­nal ori­en­ta­ti­on, more or less firmly laid down sti­pu­la­ti­ons as well as many rulings by local aut­ho­ri­ties made to suit the situation of the day. The le­gis­la­ture and the national aut­ho­ri­ties are called upon to act more quickly in creating a stable legal en­viron­ment in this area. This would also help to further squeeze out cor­rup­ti­on and bribery and boost the chances for serious companies. With modern tech­no­lo­gy, banks will no longer be forced to achieve quality merely through quantity. The systems and the in­di­vi­du­al alarms monitor each other. This means that, for example, two fire alarms per room are often no longer necessary, although they are still required under national standards. Good business for the in­stal­la­ti­on firms, but for the banks an un­war­ran­ted expense.
  
Thirdly, let us examine some of the unique bank security features which must in­cor­po­ra­te, from the con­cep­ti­on of a security strategy onwards, new solutions which reflect the Baltic and not the West European ex­pe­ri­ence. European security standards remain an important guideline, not least for in­ter­na­tio­nal insurers. From our ex­pe­ri­ence we can predict that these standards can be very widely applied and adapted to the special features in the Baltics. The road to the European Union offers no other al­ter­na­ti­ve. 

What features are utmost in my mind?

1. Topping the list is the permanent presence of personnel to guard bank premises. Please keep in mind that this special situation makes demands on personnel, and equipment, which differ from those in western Europe. This feature makes some in­ter­na­tio­nal­ly re­co­gnized security systems un­sui­ta­ble for eastern Europe. As your bank is not locked from the outside at night, a cer­ti­fi­ca­te from the German Union of Insurers will not be of any use either. The permanent in­ter­ac­tion between people and equipment will indeed take on a new character over the next few years, but not to the point that the permanent guarding of premises is abandoned. Such a move would go against the pre­vai­ling mentality which demands the visible presence of security. It is in any case not feasible due to the lack of local social sub­struc­tures and the East European crime situation in general. Police and fire fighters still take too long in arriving at the scene of emer­gen­cies, private services are not yet suf­fi­ci­ent­ly mobile and the criminal struc­tures are wi­des­pread. Private security agencies are de­ve­lo­ping rapidly, however, and banks should re­con­s­ider their re­luc­tan­ce to shift some work to private companies. You could, for example, in as­so­cia­ti­on with ex­pe­ri­en­ced service providers in western Europe, found your own private money transport service. This would reduce costs sub­stan­ti­al­ly and, as it would clear the way for com­ple­te­ly new solutions, also increase security. 

2. At par­ti­cu­lar risk are those employees who come in direct contact with customers. They are often in the same room with guards. Effective coope­ra­ti­on means that these employees can be placed in high­ly-de­man­ding si­tua­ti­ons: being th­rea­te­ned by weapons, bombs, hostage takers, abandoned con­tai­ners or ag­gres­si­ve robbers. Joint training and the all-im­portant practical proper response training are still rarities. The trig­ge­ring of the robbery alarm must be reported not only to the head office, but to the staff in the customer service area as well. 

3. The equipment selected must be able to operate under these con­di­ti­ons. This applies to fire alarm equipment, robbery and burglary alarms, clo­sed-cir­cuit sur­veil­lan­ce systems, locking and access control systems, an­ti-bug­ging devices as well as equipment for the safe­guar­ding of data processed and trans­fer­red and the for pro­tec­tion of people. I recommend that special attention be given to the safety vaults. These areas often fail to live up to the standard of security which the amount of money stored there demands. Related to this are the money transport routes, in­ter­locks for personell and armoured security vehicles as well as and emergency exit routes. In these areas gui­de­lines must be coor­di­na­ted in a single concept. Encoded cards are being in­cre­a­sin­gly employed in modern access control systems. These function without contact and seal off the customer service area from the ad­mi­nis­tra­ti­ve area and the high-se­cu­ri­ty area from all others. The use of certified equipment is vital, as is the proper in­stal­la­ti­on which takes many system com­pon­ents and coor­di­na­tes into a well-func­tio­ning system. Security tech­no­lo­gy, too, is con­ti­nuous­ly advancing. There are, for example, many new types of fire alarms, such as beam detectors, sensor cables and gas fire extin­gu­is­hing systems. Some of these have already been installed in Riga. New in­stal­la­ti­ons include equipment which produces a pa­ra­ly­sing vapor, con­ta­ct­less access control systems with widely spaced antennas which also oversees vehicles and mobile money trans­ports, com­pre­hen­si­ve building control systems which monitor the security equipment and technical in­stal­la­ti­ons, modern clo­sed-cir­cuit te­le­vi­si­on systems with hard disk recording devices and sensors for targeted sector mo­ni­to­ring. And this is just a sampling. For a more complete picture, please visit our ex­hi­bi­ti­on.
  
4. Bank security managers are still overly fixated on the safe­guar­ding of premises. Sometimes the guards and the security equipment operate se­pa­ra­te­ly, each having distinct functions. Then there are people re­spon­si­ble for elec­tro­nic data pro­ces­sing or for technical in­stal­la­ti­ons. Bank security should also have its ordered place in the or­ga­no­gram. Alongside the personnel re­spon­si­ble for its oversight, ma­nage­ment too must be assigned well-de­fi­ned re­spon­si­bi­li­ties for security in their areas, to include securing against internal threats. But this is not their main function, which is precisely why they should be made aware of their re­spon­si­bi­li­ty for the defense of the bank and its security against any possible threat. Let me just remind you of the in­ter­na­tio­nal­ly well-known cases of bank fraud. Most were never made public for fear of harming the re­pu­ta­ti­on of the bank.
  
5. I would also like to draw your attention to an evolving trend in bank con­struc­tion and con­ver­si­on. Where the contract for technical security is not allocated se­pa­ra­te­ly it becomes a part of the general contract. Here you must be certain that the general con­trac­tors have the expertise to execute such work. These firms are, as a rule, first and foremost con­struc­tion companies. In such a case you are advised either to hire a security advisor or to clearly define who bears the re­spon­si­bi­li­ty for bank security before con­struc­tion begins. Our ISG group of companies is following this in­ter­na­tio­nal trend. We, in coope­ra­ti­on with respected German building companies and ma­nu­fac­tu­rers of technical in­stal­la­ti­ons in eastern Europe, can offer you the com­pre­hen­si­ve solution. So you can be sure that your bank security system will be installed correctly and com­pe­tent­ly. Let me now draw to a close. 

Thank you very much for your kind attention