Tell us
what you think
Our Sponsors
 |
Our Sponsors
|
Question & Answer
Question: Can you tell me if my financial institution hires an outside source (a consultant or a group) as a security officer instead of using an employee, are we still in compliance with the minimum security regulations (Regulation P) as required by the Bank Protection Act?
Answer: "Probably." "Which is to say, maybe." "It hasn't yet been challenged, but we have our doubts." "I've never heard of it, but ... well…"
These are among the answers we got when we went to the officials and experts with this question.
Let's take a look at what the regulations really say and determine the real intention of each citation.
For starters, review 12CFR, Part 216, Regulation P, Federal Reserve. (FDIC, OCC, OTS, and CUNA are basically the same.)
- "It is the responsibility of the member bank's board of directors to comply with this regulation…"
- "…a bank's board of directors shall designate a security officer who shall have the authority, subject to the approval of the board, to develop and administer a written security program for each banking office."
Reg P says "designate", which would imply "appoint". You could "contract" with an outside source, but can you "appoint" or "designate" one?
The regulation also says the security officer shall have the "authority"- and therefore according to various legal opinions, shares in the liability. This leaves a very gray area. How does the outside source share in liability? You would have to be quite certain the outside contractor carries sufficient liability insurance so that if anything occurred where both the institution and the outside source were sued, the lines of liability would be clearly defined. Finding an outside source that is not only qualified, but carries the right kind of liability insurance may be more difficult than you might think.
The intent of the law is to see that security is addressed, and it is to be done at a reasonable cost. If the board of directors feels that no employee within the institution is qualified to carry out the duties as specified in Regulation P, it may very well feel that out-sourcing with a qualified and trained consulting person or group will result in a better program for the institution.
Even if the financial institution's board of directors decided to use an outside source, it probably would be best to still designate an employee as the institution's "security officer of record" who may then contract with whomever to develop and implement the program. That employee then would act as the official interface with the board, and would make the annual report to the board of directors, as is required by regulation.
(Thanks to Robert Rosberg, Director, Anti-Crime Bureau; the FDIC; and Ken Arnold, Director of Security, Twelfth Federal Reserve District for information and input on this response.)
Copyright © 1994 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 4, No. 12, 7/94
Rate This Article
Current Rating For the Feature:
| Total Ratings for this Feature: 0 |
|