A lesson in surveillance planning, risk reduction and bank safety for financial institutions, by Omar Valdemar, CPP, Banking & Financial Services Business Development Manager at Hanwha Vision America.

Risk management

Banks and financial institutions have unique conditions that require equally unique security and surveillance solutions.

Money changes hands, sensitive information is shared, confidential plans are discussed.

These are only a few of the scenarios occurring in a banking and financial environment.

Security professionals in these industries therefore need intelligent video solutions that keep colleagues, clients and members safe and safeguard assets, intellectual property and private data.

It is crucial for a bank security program to have a solid risk management program in place because it helps identify, assess and mitigate potential risks and vulnerabilities that could impact the security of the bank’s assets and customer data.

A robust risk management program allows banks to proactively identify and analyze potential threats, such as cyber-attacks or fraud and implement appropriate controls and safeguards to minimize the impact and likelihood of these risks.

It also helps banks comply with regulatory requirements and maintain the trust and confidence of their customers by demonstrating a strong commitment to security and protecting their financial interests.

Ultimately, a good risk management program ensures the overall resilience and stability of the bank’s security program, safeguarding its reputation and preserving its long-term success.

The first step for growth

In recent years, the Office of the Comptroller of the Currency (OCC) in the US has introduced Heightened Standards to ensure enterprise risk management programs are implemented at financial institutions.

When a financial institute grows to manage $50 billion in consolidated assets, it triggers the OCC Heightened Standards requirements.

Of course, it’s easier to make changes when a bank is smaller and nimble, and the overall risk is low.

Once significant growth begins occurring, configuring the right surveillance system gets more complicated with more considerations to evaluate.

One crucial aspect of these standards is implementing the Three Lines of Defense model.

This model helps banks strengthen their risk management practices.

The impact of the Three Lines of Defense

The Three Lines of Defense model is a risk management framework that establishes clear responsibilities and accountabilities within an organization.

It delineates roles and functions across three lines, namely:

1. First Line of Defense: the first line of defense consists of employees directly involved in day-to-day operations and risk-taking activities. This line is responsible for identifying, assessing and managing risks
2. Second Line of Defense: the second line of defense comprises risk management and compliance functions that oversee risk identification, measurement and mitigation. This line provides guidance, monitoring and independent assurance to the first line
3. Third Line of Defense: the third line of defense includes internal audit functions that provide independent and objective assurance on the effectiveness of risk management and controls established by the first and second lines

The implementation of the Three Lines of Defense model has several positive implications for bank safety and security programs at banks:

Enhanced risk identification and mitigation

With the Three Lines of Defense model, financial institutions are better equipped to identify and assess potential risks related to bank safety and security.

The first line of defense, comprising front-line employees, is responsible for identifying risks and taking necessary measures to mitigate them promptly.

Strengthened oversight and monitoring

The second line of defense plays a critical role in overseeing bank safety and security programs.

They provide guidance and ensure appropriate controls are in place to manage risks effectively.

Compliance functions within the second line ensure adherence to regulations and industry best practices, strengthening security measures.

Independent assurance and accountability

The third line of defense, consisting of internal auditors, provides independent assurance of the effectiveness of bank safety and security programs.

They conduct audits, evaluate controls and identify areas for improvement.

Their objective perspective ensures accountability and helps financial institutions continuously enhance bank safety and security measures.

Improved regulatory compliance

By implementing the Three Lines of Defense model, banks can demonstrate a robust risk management framework to regulatory authorities.

Compliance with OCC Heightened Standards is essential for maintaining a secure banking environment and meeting regulatory requirements.

In the US, the top 45 banks meet this threshold, so most financial institutions may never have to implement Heightened Standards.

Organizations implement enterprise risk management programs with a mixed level of maturity.

Security practitioners should understand security risk assessments and bank/financial institution security professionals should understand the Heightened Standards framework and potentially build their programs to mature as their organization matures.

Bank safety and security

Bank security practitioners should consider the following:

• Does your bank safety and security operation provide the first line of defense services?
• Does your bank safety and security operation have processes to assess risk to your services, validate strengths and identify gaps?
• Is the risk to the services you provide shared with other operations who own the asset risk?
• Are you reporting gaps to the asset risk owners or are you responsible for mitigating them?
• Although you may be responsible for mitigating risks, do you have a duty to report gaps to the asset owners? Do you have a process to manage this?
• Does your organization have bank safety and security subject matter experts who can provide second line of defense governance or does the organization look to the safety and security team to provide that governance?
• If your bank safety and security team provides first line and second line roles, is there clear delineation, separation of duties and reporting structure defined for both lines?
• Do your first line operations conform to the governance process of all other risk disciplines, for example, the proper lifecycle management of technology devices, business continuity of your operations, third-party vendor management, etc.?
• Is there an enterprise safety and security culture which fosters personal ownership and good “citizenship” in ensuring safety and security controls are followed and risk issues are reported immediately?

The OCC Heightened Standards Three Lines of Defense framework can significantly impact bank safety and security programs at financial institutions.

By clarifying roles, responsibilities and accountabilities, this model enhances risk management practices, strengthens oversight and ensures regulatory compliance.

With the implementation of the Three Lines of Defense, banks can mitigate risks effectively, safeguard their operations and provide customers with a secure banking environment.

There’s no one-plan-fits-all approach for bank security and surveillance.

Financial institutions have unique risk profiles, are located in different geographic areas and vary in terms of the clients they support and services they offer.

Banks of all sizes must have baseline plans ready to deploy and meet any cybersecurity and physical security scenario.

Choosing the right type of surveillance system and the right type of surveillance solutions partner can be the right transaction for keeping employees, customers and data safe.

This article was originally published in the Special February Influencers Edition of Security Journal Americas. To read your FREE digital edition, click here.