Preparation Priorities: Twenty Areas To Check NOW
The events of September 11, 2001 affected the entire nation in one way or another - and those events will continue to affect the nation's financial institutions for years to come. Even if the war on terrorism ends today, our institutions will experience significant changes in their operations, security, and disaster recovery functions that they never anticipated.
We had a practice run on risk management and disaster recovery procedures for Y2K, and we learned our lessons well. It's safe to say that every financial institution in the United States has some type of a "plan" for disaster recovery.
Now we need more.
Requirements for today's disaster recovery plans must expand to include policies, procedures, and training programs starting with management and working its way through the entire financial institution. In addition to programs already in place, operations will have to address money-laundering, "Know Your Customer", and OFAC. Security will have to research, evaluate, and institute preventive measures, responses to bioterrorism, facility design and maintenance, and background investigations. Human resources will expand their duties to include pre-employment screening, identification, and managing emergency responses. Our front line staff must be better trained and more observant than ever. Our auditors and compliance officers will have to translate and train the changing regulations and requirements that have been enacted by a motivated U.S. Congress.
To help in your considerations, we asked numerous experts in the country to give us some hints and starting points. Here is what they suggested:
Update Your Contact List: Know how to reach every one of your employees at any time.
Review Opening/Closing Procedures: Add to the search, outside and in, any packages, items, brief cases, or devices that could be suspicious. The searcher should know what action to take if any are discovered.
Common Areas: Restrict entry into any unobserved areas of the bank. Close and lock day gates. Put locks on doors and keep them locked.
Institute Log-In Sheets: For any visitor, workman, delivery, service, or cleaning person who accesses non-public areas.
Rest rooms: Not to be available to the public. Lock them. (Maybe an "Out Of Order" sign.) If a known customer asks for key, you can choose to allow them access.
Lobby: Remove covered, closed trash receptacles. Use small, open trash buckets if any at all. Eye scan all areas periodically during the day. Get boxes and other non-necessary containers out of the public areas.
Mail: If mail is received at the branch, do not allow it to be dropped on a desk or on the teller counter. Have a depository box, lined with plastic, closed. (Cooler is best) Have one person with proper equipment and training open mail in a closed area. (See handling of mail below)
Work environment: Clean it up. Get boxes and other non-necessary containers out of the public areas. Know what belongs and what doesn't in case you have to do a bomb search, etc.
Air conditioning and filtration: Know where all the air ducts are, and make sure everyone knows how to turn the air circulation system OFF.
Masks: Supply all with a terry cloth hand towel and a bottle of water. A wet hand towel used over the nose and mouth will provide temporary breathing protection for evacuation
Safe Deposit Box Area: Clear ALL applications against the OFAC list. If a request to rent a box is by an unknown, non-account holder - accept the application, and inform that the box will be available after the information given by the individual is verified. This should be a complete and detailed application, similar to an account application. Take into consideration:
- the length of the relationship
- the number of people having access to the box and their relationship to each other.
- does the applicant own or rent their home? (Al Qaida rents - 1st floor)
- the identification provided. What is the nationality of the applicant? Citizen? On a visa? "Student"?
Post and enforce the following, and enforce it uniformly: "In view of recent events we have instituted a temporary policy of cursory inspection of packages destined for the safe deposit area."
Review all new safe deposit rentals, especially since September.
ATM Deposits, Night Deposits: Should be handled the same secure manner as incoming mail. Open NOTHING on the Institution's Computer! The growth in e-mail-borne viruses has been phenomenal. One in 300 e-mails is now likely to be virus infected as against one in every 700 in October last year.
Workmen on premises: Know who they are. Make no assumptions. Make sure they understand it is imperative to clean up everything when done. Make sure work area is inspected each time they leave. If substances must be left at closing, make sure all employees have knowledge of what they are and where they are.
Cleaning products and companies: Make sure all cleaning powders and chemicals are secured. If someone uses them all employees need to be made aware. Make sure residues are cleaned up so it is not misinterpreted if found later. Review contract cleaning companies - how do they check their employees and what precautions and training do they have?
Contacting Law Enforcement: Use common sense when determining when to call law enforcement. Is there an explanation for whatever caused concern?
Training: Review all evacuation training procedures in all areas of the financial institution. There should be NO exceptions.
Each individual within your institution who handles or opens packages or mail must be trained on what to look for and how to respond to suspicious letters or packages.
Supplies for the Mailroom:
- Latex or vinyl gloves
- Zipper-type or Zip-Lock plastic bags
- Plastic garbage bags
- Aerosolized face masks (3M painters mask's can be purchased from any paint supplier)
- Antiseptic or anti-bacterial soap
- "Igloo-cooler" type sealed container
- A couple of generic one-size-fits all robes or sweat suits for affected persons to change into
- The local FBI telephone number
- The phone number for your local police if your area does not have 911 service
- Your evacuation procedure
- The illustrated "What Should You Do" advisory from the FBI. (It is available on our web site or from the FBI. Print it out and circulate copies.)
What to look for:
Items arriving that are unexpected or from an unfamiliar source;
- it is marked "Personal" or "Confidential" or "To be opened in the privacy of" or "Your lucky day is here" or "Prize enclosed"
- there is no return address, or the return address does not check out as legitimate;
- there is excessive postage;
- it comes via foreign mail, air mail, or special delivery;
- it is hand-delivered, or "dropped off for a friend";
- the addressee information has one or more of the following flaws:
- improper spelling of common names, places, or titles;
- incorrect titles;
- titles but no names;
- misspellings of common words,
- addressed to someone no longer with your organization;
- appears to have foreign writing, addresses, or postage,
- it has no postage
- non-canceled postage;
- shows inconsistencies, such as a difference between the city and state shown in the postmark and the return address
- it is tied with string or twine;
- it has excessive tape or other material to secure it;
- it has oily stains or discolorations;
- it has powdery substance on or in it;
- it has protruding wires, tin foil or strange odors;
- it has lumps, bulges, or protrusions;
- it is lopsided or heavy-sided, or is an unusual weight for its size, or is oddly shaped;
- the package or letter arrives before or after a phone call from an unknown person asking if the item was received;
In other words, just looking at the letter or package raises questions in your mind. Don't hesitate - Investigate!
First, try to call the person listed on the return address to verify the contents - OR call the person to whom it is addressed to see if they are expecting it.
What to do if you suspect Anthrax: Briefly - Don't handle or shake, put it in plastic and/or cover it, get out of the room, shut the door - allow no entry, wash thoroughly, change clothes, call law enforcement. Review detailed procedures from the FBI instructions thoroughly.
We cannot assume that bombs or mailed chemical powders are our only threats. What appears above is only the beginning of your list! Think like a terrorist. How would you do it to your institution - and where? Find your weak spots and fix them.
"?with a pencil"
As security expert Dana Turner often advises, "Be prepared to run your financial institution with a pencil." There should be a copy or a supply of every form you use in at least two homes of your officers. If you were locked out of your institution today, you could still be up and in business tomorrow.
Basic needs: One last thought. During a major hurricane disaster in Florida, one banker said the worst problem was water. They had no water for six days. Drinking water was NOT the problem! Check with your employees and learn which ones have self contained RVs, or camping Port-A-Potties that could be used in an emergency.
We're a target. The more prepared we are, the less inviting we are for terrorism and disruption of our business. This writer can't say it any better than FDIC Chairman Donald Powell, who told the Risk Management Planning Seminar sponsored by the Federal Financial Institutions Examination Council in San Francisco, "Our experience has been that financial institutions that survive with a minimum of damage have done comprehensive planning and preparations. They have well-tested contingency plans that address a full range of different kinds of disasters. Throughout history, the banking industry has responded to all sorts of adversity and crisis. In every case, the banking industry provided a source of recovery and operated as an engine of real economic growth. It will be that engine again this time."
Editor's Note: Our thanks to HOTLINE advisors Mary Beth Guard and Dana Turner, and the many security officers, law enforcement officers, and government agents who contributed information for this article. Updated information, and more ideas and tips are also available on our web page, www.BankersOnline.com
Copyright © 2001 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 11, No. 11, 11/01
First published on 11/01/2001