By Kate Young
A senior manager from one of America’s largest banks prepares for work: he dons a pair of raggedy jeans and his cheapest sneakers, covers his head with a backward cap and slings a rucksack over his shoulders. Then he takes a bus downtown and does what he can to blend in with the nation’s largest concentration of people living on the street. It’s not that he lost a bet. He’s not on a dare, a mission trip or a quest for enlightenment. It’s just part of his job now.
He’s there to watch and assess the rhythms of the community—the habits and stresses of its people and the presence of law enforcement. He’ll be sizing up public lighting, infrastructure placement, transportation patterns and the proximity of local bars. He’s a bank security expert. And these days, what keeps him up at night is less about safeguarding the cash and more about protecting lives and reputations.
It’s no easy task, now that banking has entered the era of the innovative branch. In the words of our old friend Dorothy, we’re not in Kansas anymore. This is all new territory, and for the most cutting-edge banks, physical security remains in constant evolution.
Redefining the branch—reimagining security
Heather Wyson-Constantine, ABA VP for cyber and physical security policy, points out the difficulty of developing security standards for such a rapidly moving target. The so-called “innovative branch” could be anything from a 24/7 automated transaction hub, to a workspace for entrepreneurs, to some variation on the branch-as-coffee-shop concept employed both by community banks and big firms like Capital One. “We’ve heard of express branches, convenience spots and teller-less branches,” she says. “We’ve even heard of cashless branches doing pop-ups.”
The one thing these newfangled branches all have in common is the fact that the job of protecting them is entirely different from anything that came before. Traditional branch security revolves around an old-fashioned setup: a full staff, teller lines, cash windows and other barriers that separate customers from staff—and of course, a vault. An innovative branch may not have any of those features. Staff may be drastically reduced. Cash may be kept in drawers out on the floor. The facility may encourage visitors to linger (or loiter, depending on your point of view) and mingle with the staff. It may offer free, unlocked public restrooms.
How are you securing the cash? What’s your plan for deescalating situations with irate customers who came in expecting traditional service? How are you training your employees to deal with bank robbers who are confused to learn that the branch of the future doesn’t keep much cash on hand? And are you prepared to deal sensitively with local inhabitants who may need social services that you can’t provide?
Approaching physical security as a risk management domain
It’s no longer possible to think of physical security as a standalone field, focused primarily on concrete measures such as locks, alarms, cameras and guards. Michael Bacon, managing partner at Rezolvrizk and a seasoned bank security expert, lists numerous components to physical security that overlap with other areas—training, compliance, incident assessment, quality assurance and investigations, to name a few. He recommends looking at physical security from a “big picture standpoint” and ensuring that all roles and responsibilities are documented and understood across all departments.
Ultimately, he says, it all comes down to risk management. Speaking at ABA’s Risk Management Conference, Michael Schmierer, senior manager for enterprise safety and security at Capital One, agrees. “Everything we do is risk consulting,” he says. He’s worked in security for the U.S. Marines, the State Department and a variety of tech firms—including Apple—so he’s looked at security risk from every angle. “You need to be able to quantify risk and metabolize it,” he says, “and then put some compensating measures in to either transfer that risk somewhere else or avoid it.”
As the security lead for the Capital One Cafés, Schmierer works with stakeholders across the organization—especially real estate. That’s because security for the innovative branch needs to begin before the bank even commits to a location. As a first step, Schmierer asks, “How do we get these key stakeholders identified? How do we get them to the table, and how do we have intelligent risk-based discussions?”
Because Capital One locates its cafés in vibrant urban centers, Schmierer’s due diligence includes spending time on the streets, day and night, to assess the environmental risks. He’ll meet with other merchants in the area to establish benchmark risk measurements. His findings go into a report that details the risks of going to market at that location, along with a recommendation on whether or not to proceed. The report also outlines the risk mitigation measures needed if the executive team decides to go to market against a recommendation.
“Risk acceptance is huge,” Schmierer says. It means that the decision leader understands what’s at stake and is willing to take responsibility for it.
Security that starts with people
One of the core principles for Capital One Cafés comes from the tech world: to start with the customer and work back toward the technologies. “You need to know the folks you’re trying to protect,” Schmierer says. “You’ve got to at least get out there and make yourself known.”
Once Capital One Café employees meet Schmierer, they’re unlikely to forget him. He has a habit of walking into a café and saying something like, “Hey, someone’s just come into the café and has pulled out a needle and inserted it into themselves, and is actively doing drugs in our space. What do you do?”
Or: “Someone’s come in who’s irate. Their checking account is short $280. They’re coming in to see you specifically because that’s all the money they have until they get paid on the 14th. What are you going to do?”
These are called pop-up drills, and they’re an essential part of café employee training. They demand on-the-spot decision making that drives conversations around specific types of risk. Not only does this make the employees better prepared from a safety and security perspective, but also from a customer service perspective.
What about the non-customers? Some innovative branch concepts may attract people who come in to attend to personal needs—with varying degrees of legitimacy. It may be to use the restroom or the wi-fi, ask for directions, or wait for a friend or colleague. Or it may be to panhandle, use drugs or sleep. At least a few retail brands have been damaged recently by well-publicized incidents involving insensitive, rough or even discriminatory treatment of members of the public. Bacon and Schmierer agree that this poses a massive reputational risk. As such, even the security guards should be considered brand ambassadors. “There’s no other way to put it,” Schmierer says. “I mean, that person represents your business.” Innovative branches require meticulous hiring and enhanced training for such a sensitive role.
Another people-first risk mitigation is for the bank to engage not only with local merchants and law enforcement, but also with community-based programs that can connect people in need with services that can help them. These relationships can help bank staff avoid escalations and incidents that put everyone at risk.
Working toward the technology
If banking technology has reshaped the industry landscape, so too has security technology. With remote surveillance, branch facilities can be monitored by security ops centers or mobile patrol units rather than onsite guards. Bank employees can use their smart watches as duress buttons, quickly summoning help when it’s needed. Cameras with six different lenses can simultaneously watch for internal fraud, external fraud and whatever’s happening at the front door. Video analytics and machine learning enable the collection of vast amounts of data, which in turn generates risk analysis that informs better, more effective hardening and protection measures.
For banks that have them, securing a 24/7 vestibule that houses ATMs, night drops and other amenities is a major challenge. “It’s absolutely huge for us,” Schmierer says. The risk isn’t just theft or vandalism, but also that the vestibule might be used for unsafe or inappropriate purposes. One of the newest solutions is a video device that records the space, displays any activity to a remote security officer, and can learn what is and is not normal customer behavior—in order to create alerts accordingly. If anything is out of the ordinary, the officer can use an intercom to communicate instructions to the person in the vestibule.
Is all of this necessary? Every branch is different, so that’s a story the data will tell. A best practice is to quantify incidents of every type, crime data and security gaps in a living risk register and share it routinely with line-of-business leaders. These data will play a key role in driving decisions. “Be honest and open,” Bacon advises. Be clear about the risk at a given location. Document the specific concerns and possible mitigations. Then hand it over to leadership to make the decision. “These are real risks, right?” Bacon notes. “It’s a life-and-death type of thing.”