Dr. jur Lutz Viëtor,
General Manager of the ISG-group of companies in Germany and Latvia

THE SPECIAL DEMANDS MADE ON BANK SECURITY IN THE BALTICS

The information-gathering journeys and visits of private bank presidents
to modern banks were always followed by extensive evaluations from
which sprang all sorts of ideas and concepts for their own institutions.
And bank security was for the most part also included in this process.
No one disputes that bank security, along with all other banking
technologies in eastern Europe, is in need of modernization, or
even complete overhauling. What these banks require are solutions
which will take them into the future, which are guided by European
norms and the criteria which absolutely must be met if a bank wishes
to do business on the international stage. Yet banks must also take
into account the unique bank security needs in the Baltics. So what
they require are new solutions, not carbon copy concepts taken from
their associates in western Europe or America. Nor should they adapt
the European standards without careful analysis. On the road to
European Union membership and to participation in the international
banking community, the Baltic states must first consider the security
requirements unique to their banks and the conditions in the Baltic
states in general and then sensibly draw on the internationally
tried and tested procedures and expertise to meet these conditions.
I am convinced that they will be successful in instituting both
the international standards as well as very country-specific modifications
and guidelines.

The variety of ways one can structure a tour of western Europe or America
is matched by the variety of security systems which have been suggested
or are already in use. These stretch from true quality products
to completely unacceptable systems. The latter are those based on
non-certified technology which does not comply with European security
standards nor with the criteria of property insurance companies.
Such systems simply do not belong in any modern international bank.

I shall concentrate on some of the more specific security requirements
for private banks in the Baltics. In so doing, I shall draw on my
experience from nearly six years as a security adviser and from
my current position as owner of two security companies, ISG International
tätig SICHERHEITSGESELLSCHAFT mbH, based in Berlin, and SIA
Kruppa-SICHERHEIT with offices in Riga. In particular, I shall discuss
the results these companies have had in their dealings with the
state banks in Latvia and Lithuania as well as with many private
banks in Latvia, Lithuania and Russia.

Allow me to begin by focusing on the private banks. The security needs
of private banks differ widely from the especially stringent demands
of STATE BANKS. We usually speak of the normative regulations for
private banks. In state banks, the security systems and complex
regulations are always UNIQUE, individual solutions which each bank
develops as a consequence of its international experience. Such
systems require in addition special advice and concepts, an area
I would be most happy to help you with should you wish. It is true
that a good many of the following statements will apply to state
banks too, but their security arrangements are significantly broader
than those of private banks and the security philosophies between
the two differ as well.

The first problem with which I was confronted and which
still exists in many banks is the focus those responsible for bank
security place on protecting persons and premises. This represents
a quite unacceptable narrowing and concentration of a bank's efforts
on one area. It is a consequence of past experiences, when an increased
deployment of personnel was used to attack the numerous security
problems. Security personnel were supplemented by technical systems
and backed up by the power of the state. The technical systems and
the associated technical standards in the Baltic States were developed
in the belief that the size of the system was the main guarantor
for security.

Three months ago I was permitted to have a look at and analyze a modern
and well-known bank in Vilnius. I was to state in my analysis whether
the security equipment which had been installed met European security
norms. Let me first say that even though the system was much too
broad in scope - and therefore too expensive - it was in compliance
neither with European security standards nor with those of property
insurance companies. After coming to this conclusion, I was then
expected to report it in my analysis, so that the bank wouldn't
have to pay the company which installed the system. This I refused
to do because I knew that the bank had been made well aware - before
the system had been installed - of the fact that you cannot
achieve quality bank security at modern standards when you have
no well-thought-out concept and use cheap, non-certified technology.

Besides good, by which I mean certified, technology and the good equipment
built using it, of vital importance is first of all a good concept
which can result in an accredited system. As a rule,
modern banks have at least six separate security systems which represent
only one of many elements of their bank security. You can compare
this to baking a cake. Good ingredients are a prerequisite to a
good cake but the recipe determines the outcome. Too many banks
still concentrate only on the ingredients and even save money on
them while the recipes they use are worthless or even non-existent.
This is often the result of one person wanting to do everything
alone, or of placing trust in the wrong baker or of simply being
too miserly.

Bank security is more than just protecting persons and premises.
It includes elements which serve overall security, such as
- the protection of functional operations against robbery, fraud and manipulation;
- the protection of managers and their families;
- the protection of employees, particularly in the customer service areas, and ensuring that they know how to correctly respond to threats;
- the protection of premises and high security areas;
- the protection of money transport both inside and outside the bank;
- the protection of data during processing and transfer;
- the protection of technical installations;
- and the protection against economic espionage of all channels of communication to include the spoken word.

And these are just a few important examples. Another point to be added
is the appropriate response to mistakes and disruptions,
which should be based on clearly spelled out organizational instructions.
For this to be achieved courses must be given, personnel must be
trained and all elements of security operations must function as
one. Take a walk around your own bank with a more critical eye,
and don't just look at the guards with their pistols or at the visible
security systems. Of course, systems can be designed which are absolutely
impenetrable, even for those who are familiar with them. But such
arrangements hinder the proper functioning of the bank and are only
rarely economically justifiable. What you need are comprehensive
security solutions, in which all elements are coordinated and back
each other up while at the same time functioning to support the bank's
operations.

A second problem involves the risk factor in the Baltics
and in eastern Europe, which has changed relative to that of western
European banks. It must be emphasized that a state of security is
not material; you can't earn money with it, you can only protect
the money you have hopefully earned. Of course this is also
a quite useful function! Your presidents and you have made many
discoveries on your trips to western Europe. A list of them would
include consulting services of widely differing quality which you
have taken advantage of. Difficulties arise when you try to bring
your discoveries in the field of modern bank security technology
in line with what for you is possible and with the specifics of
banking in the Baltics. Bank security in these states must operate
in an environment which is quite distinct from that of modern west
European and American banks in several fundamental ways. This leads
us to the conclusion that the regulations governing security in
western Europe cannot simply be introduced into these circumstances.
One reason for this lies in the special conditions which determine the
risk factor in the Baltic states. Some of these conditions are:
1. Because cashless payment transactions are insufficiently developed
in your banks, a high share of transfers are done in cash. This
is also a burden on money transport services, which are much more
widely used here than, for example, by your west European partners.
2. Functional operations are still structured in a manner that involves
large amounts of paperwork and staff and any switch to new structures
is fraught with uncertainty. The path to the new technologies is
the only path at your disposal, but each step brings with it a number
of transformational problems which negatively impact bank security.
3. The transport of money both inside and outside the bank has been,
and still is, insufficiently secured and inefficiently organized.
As banks do not as yet trust private service companies, each bank
must organize its own transport. This represents a major difference
to associated banks in the West, where the demands placed on personnel,
organizational structures and equipment are of a completely different
nature.
4. Many risks exist in connection with the introduction of electronic
data processing and data transfer which were also common in western
banks in the sixties and seventies. But entirely new forms of crime
have evolved as a result, such as computer crime. Much is known
about how to prevent such crime, but to be effective the risk in
one's own bank must first be determined by means of a data security
analysis. The attitude of the Baltic banks towards such analyses,
and to concepts in general, has been largely one of reluctance.
But this is not the place to cut corners!
5. The majority of banks are still doing business in old buildings
which have not yet been adapted to the new conditions. And the reconstruction
which is underway also brings with it new threats. Walls and safes
are often insufficiently resistant, high security areas are not
physically separated to the extent they should be and the necessary
lock systems are lacking. It is precisely in this area that international
regulations are most clear.

Let me point out that I will not go into the details of the unique crime
situation in the Baltics with its particular forms, structures and
impact on society. But crime must of course be taken into account
when drawing up a SECURITY STRATEGY for a bank. The Baltic crime
situation has given birth to a security philosophy which
assumes that the criminal must be apprehended inside the bank. This
viewpoint is based on the fact that, in comparison to western Europe,
police and fire fighters in the Baltics currently take too long
in arriving at the scene of a bank crime, and they are insufficiently
equipped to immediately track down the suspects. And the influence
these criminal structures have is not known. This philosophy, although
differing from that in western Europe, is for the present completely
understandable, and it is decisive in devising a security strategy.
There are technology-based systems which are wholly sufficient for
west European banks but are not applicable under the prevailing
conditions in the Baltics. So the option of simply imitating such
systems is out of the question. Of course you may opt for the cheapest
solution available and save the expense of developing a security
strategy. But if you do, do not then ask west European insurers
to insure your premises or your money transports and do not expect
international banks in western Europe to extend loans to you. All
you can do is hope that the criminal structures are blind to the
gaps in your security net. I would like to offer you solutions which
meet west European standards, which are sanctioned by property insurers,
which take into account the special conditions in the Baltics and
which are nevertheless economically acceptable. If you take a look
at the Deutsch-Lettische bank in Riga and if you can recognize the
six security systems in place there, then you will have found such
a solution. Here the standards laid down by the German Union of
Insurers (Verein deutscher Sachversicherer) were used as a basis.
Please don't misunderstand me, these standards do not apply in any
of the Baltic states. But as they are recognized by insurers active
on the international markets as proof of quality, they may well
act as a guide when you design your strategies. We must also differentiate
between certified equipment and the certification of a system following
installation. You should always demand certified equipment, but
a system certificate is not necessary. It has no formal legal force
in the Baltics and little practical value because unfortunately
the special requirements we have mentioned are on the whole often
not entailed in the certificate. What is more important is that
the system installation is done according to applicable guidelines
with the goal of achieving the accepted standards.

The following phenomenon should be kept in mind:
There is a lot of talk about the German Union of Insurers standards, everyone
wants them, every installer offers them, but very few people really
know what they are. The bank in Vilnius which I mentioned earlier
was also misled. Be sure you keep a clear head when concluding
contracts and take advice beforehand. Another serious problem
is the relevant certificates. Their significance in Germany or
in western Europe is often misrepresented by those using them and
I have even come across counterfeits.

You are of course currently operating under unfavorable circumstances.
There are no outline directives from insurers, no building standards
for banks and no legislation governing specific requirements for
bank security which are recognized by law in the Baltic states.
This is why we still find here in the majority of cases, alongside
the understandable search for international orientation, more or
less firmly laid down stipulations as well as many rulings by local
authorities made to suit the situation of the day. The legislature
and the national authorities are called upon to act more quickly
in creating a stable legal environment in this area. This would
also help to further squeeze out corruption and bribery and boost
the chances for serious companies. With modern technology, banks
will no longer be forced to achieve quality merely through quantity.
The systems and the individual alarms monitor each other. This means
that, for example, two fire alarms per room are often no longer
necessary, although they are still required under national standards.
Good business for the installation firms, but for the banks an unwarranted
expense.

Thirdly, let us examine some of the unique bank security features which must
incorporate, from the conception of a security strategy onwards,
new solutions which reflect the Baltic and not the West European
experience. European security standards remain an important guideline,
not least for international insurers. From our experience we can
predict that these standards can be very widely applied and adapted
to the special features in the Baltics. The road to the European
Union offers no other alternative. What features are uppermost in my
mind?
1. Topping the list is the permanent presence of personnel
to guard bank premises. Please keep in mind that this special
situation makes demands on personnel, and equipment, which differ
from those in western Europe. This feature makes some internationally
recognized security systems unsuitable for eastern Europe. As your
bank is not locked from the outside at night, a certificate from
the German Union of Insurers will not be of any use either. The
permanent interaction between people and equipment will indeed take
on a new character over the next few years, but not to the point
that the permanent guarding of premises is abandoned. Such a move
would go against the prevailing mentality which demands the visible
presence of security. It is in any case not feasible due to the
lack of local social substructures and the East European crime situation
in general. Police and fire fighters still take too long in arriving
at the scene of emergencies, private services are not yet sufficiently
mobile and the criminal structures are widespread. Private security
agencies are developing rapidly, however, and banks should reconsider
their reluctance to shift some work to private companies. You could,
for example, in association with experienced service providers in
western Europe, found your own private money transport service.
This would reduce costs substantially and, as it would clear the
way for completely new solutions, also increase security.
2. At particular risk are those employees who come in direct contact
with customers. They are often in the same room with guards. Effective
cooperation means that these employees can be placed in highly-demanding
situations: being threatened by weapons, bombs, hostage takers,
abandoned containers or aggressive robbers. Joint training and the
all-important practical proper response training are still rarities.
The triggering of the robbery alarm must be reported not only to
the head office, but to the staff in the customer service area as
well.
3. The equipment selected must be able to operate under these conditions.
This applies to fire alarm equipment, robbery and burglary alarms,
closed-circuit surveillance systems, locking and access control
systems, anti-bugging devices as well as equipment for the safeguarding
of data processed and transferred and for the protection of people.
I recommend that special attention be given to the safety vaults.
These areas often fail to live up to the standard of security which
the amount of money stored there demands. Related to this are the
money transport routes, interlocks for personnel and armoured security
vehicles as well as emergency exit routes. In these areas guidelines
must be coordinated in a single concept. Encoded cards are being
increasingly employed in modern access control systems. These function
without contact and seal off the customer service area from the
administrative area and the high-security area from all others.

The use of certified equipment is vital, as is the proper installation
which takes many system components and coordinates them into a well-functioning
system. Security technology, too, is continuously advancing. There
are, for example, many new types of fire alarms, such as beam detectors,
sensor cables and gas fire extinguishing systems. Some of these
have already been installed in Riga. New installations include equipment
which produces a paralysing vapor, contactless access control systems
with widely spaced antennas which also oversee vehicles and mobile
money transports, comprehensive building control systems which monitor
the security equipment and technical installations, modern closed-circuit
television systems with hard disk recording devices and sensors
for targeted sector monitoring. And this is just a sampling. For
a more complete picture, please visit our exhibition.
4. Bank security managers are still overly fixated on the safeguarding
of premises. Sometimes the guards and the security equipment operate
separately, each having distinct functions. Then there are people
responsible for electronic data processing or for technical installations.
Bank security should also have its ordered place in the organogram.
Alongside the personnel responsible for its oversight, management
too must be assigned well-defined responsibilities for security
in their areas, to include securing against internal threats. But
this is not their main function, which is precisely why they should
be made aware of their responsibility for the defense of the bank
and its security against any possible threat. Let me just remind
you of the internationally well-known cases of bank fraud. Most
were never made public for fear of harming the reputation of the
bank.
5. I would also like to draw your attention to an evolving trend in
bank construction and conversion. Where the contract for technical
security is not allocated separately it becomes a part of the general
contract. Here you must be certain that the general contractors
have the expertise to execute such work. These firms are, as a rule,
first and foremost construction companies. In such a case you are
advised either to hire a security advisor or to clearly define who
bears the responsibility for bank security before construction begins.
Our ISG group of companies is following this international trend.
We, in cooperation with respected German building companies and
manufacturers of technical installations in eastern Europe, can
offer you the comprehensive solution. So you can be sure that your
bank security system will be installed correctly and competently.

Let me now draw to a close. Thank you very much for your kind attention.