• OM-6.1 Physical Security Measures for Retail Banks

    • General Requirement

      • OM-6.1.1

        Retail banks must maintain up-to-date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 30th April 2017. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

        Amended: October 2016
        Amended: April 2016
        Amended: January 2011
        October 07

      • OM-6.1.1.A

        In order to maintain up-to-date PCI-DSS certification, retail banks will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

        Added: April 2016

    • External Measures

      • OM-6.1.2

        All head offices are required to maintain Ministry of Interior ("MOI") guards or alternatively MOI-trained and permanently licensed private security guards of licensed private security companies, on a 24-hour basis. All branches must also maintain a 24-hour MOI guard. However, if branches satisfy the criteria mentioned in Paragraphs OM-6.1.3 to OM-6.1.22 below, they may maintain MOI guards during opening hours only. Furthermore, branches will be allowed to replace MOI armed guards with private security guards subject to the approval of the MOI. Training and approval of private security guards will be given by the MOI.

        Amended: July 2019
        October 07

      • OM-6.1.3

        Public entrances to head offices and branches must be protected by measures such as steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire.

        October 07

      • OM-6.1.4

        Other external entrances must have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances must have the following security measures:

        (a) Magic eye;
        (b) Locking device (key externally and handle internally);
        (c) Door closing mechanism;
        (d) Contact sensor with alarm for prolonged opening time; and
        (e) Combination access control system (e.g. access card and key slot or swipe card and password).

        Amended: July 2011
        October 07

      • OM-6.1.5

        If additional security measures to those mentioned in OM-6.1.3 and OM-6.1.4 such as security cameras, motion detectors or intruder alarms are installed, the requirement for steel external doors or protection by steel rolling shutters is waived.

        October 07

      • OM-6.1.6

        External windows must have security measures such as anti-blast films and movement detectors. For ground floor windows, banks may also wish to add steel grills fastened into the wall.

        Amended: July 2011
        October 07

      • OM-6.1.7

        Branch alarm systems should have the following features:

        (a) PIR motion detectors;
        (b) Door sensors;
        (c) Anti-vibration/movement sensors on vaults;
        (d) External siren; and
        (e) The intrusion detection system must be linked to the bank's (i.e. head office) monitoring unit and also the MOI Central Monitoring Unit.

        Amended: April 2011
        October 2007

    • Internal Measures

      • OM-6.1.8

        Teller counters must be screened off from customers by a glass screen of no less than 1 meter in height from the counter work surface or 1.4 meters from the floor.

        October 07

      • OM-6.1.9

        All areas where cash is handled must be screened off from customers and other staff areas.

        October 07

      • OM-6.1.10

        Access to teller areas must be restricted to authorised staff only. The design of the teller area must not allow customers to pass through it.

        Amended: July 2011
        October 07

      • OM-6.1.11

        Panic alarm systems for teller staff must be installed. The choice between silent or audible panic alarms is left to individual banks. Kick bars and/or hold up buttons must be spread throughout the teller and customer service areas and the branch manager's office. The panic alarm must be linked to the MOI Central Monitoring Unit.

        October 07

    • Cash Safety

      • OM-6.1.12

        Cash, precious metals and bearer instruments must be kept in fireproof cabinets/safes. Preferably, these cabinets/safes must be located in strong rooms.

        Amended: July 2011
        October 07

      • OM-6.1.13

        Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and preferably also have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.

        Amended: July 2011
        October 07

      • OM-6.1.14

        Strong rooms must not contain any other openings except the entry door and where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.

        October 07

      • OM-6.1.15

        [This Paragraph was deleted in April 2016.]

        Deleted: April 2016
        Amended: July 2011
        October 07

      • OM-6.1.16

        [This Paragraph was deleted in April 2016 and requirements were moved to Section OM-6.4.]

        Deleted: April 2016
        Amended: July 2011
        October 07

      • OM-6.1.17

        [This Paragraph was deleted in April 2016.]

        Deleted: April 2016
        October 07

      • OM-6.1.18

        [This Paragraph was deleted in April 2016 and requirements were moved to Section OM-6.4.]

        Deleted: April 2016
        October 07

      • OM-6.1.19

        [This Paragraph was deleted in April 2016 and requirements are now covered under Paragraph OM-6.4.14.]

        Deleted: April 2016
        October 07

    • CCTV Network Systems

      • OM-6.1.20

        All head offices and branches must have a CCTV network and alarm system which are connected to a central monitoring unit located in the head office, along with a Video Monitoring System (VMS) and to the MOI Central Monitoring Unit.

        Amended: April 2016
        October 07

      • OM-6.1.21

        At a minimum, CCTV cameras must cover the following areas:

        (a) Main entrance;
        (b) Other external doors;
        (c) Any other access points (e.g. ground floor windows);
        (d) The banking hall;
        (e) Tellers' area;
        (f) Strongroom entrance; and
        (g) ATMs (by way of internal or external cameras). Refer to Section OM-6.3 for specific CCTV requirements related to ATMs.

        Amended: April 2016
        Amended: July 2011
        Amended: April 2011
        October 2007

      • OM-6.1.22

        Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. Delayed transmission of pictures to the Central Monitoring Unit is not acceptable. The CCTV system must be operational 24 hours per day.

        Amended: July 2011
        October 07

    • Training and Other Measures

      • OM-6.1.23

        Banks must establish the formal position of security manager. This person will be responsible for ensuring all bank staff are given annual, comprehensive security training. Banks must produce a security manual or procedures for staff, especially those dealing directly with customers. For banks with three or more branches, this position must be a formally identified position. For banks with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

        Amended: July 2011
        October 07

      • OM-6.1.24

        The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

        October 07

      • OM-6.1.25

        Banks must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. is the branch on a main street or a back street?), accessibility for emergency services, assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All banks are required to hold an Insurance Blanket Bond (which includes theft of cash in its cover).

        Amended: July 2011
        October 07

      • OM-6.1.26

        Further rules on ATM Physical Security Measures are contained in Section OM-6.4.

        Added: April 2016