OM-5.1 Security Measures for Retail Banks
General Requirement
OM-5.1.1
Retail banks must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).
Added: January 2020
OM-5.1.2
In order to maintain up to date PCI-DSS certification, retail banks will be periodically audited by PCI authorised companies for compliance.
Licensees are asked to make certified copies of such documents available if requested by the CBB.
Added: January 2020
OM-5.1.2A
Conventional retail bank licensees must take appropriate measures to counter fraudulent phishing attempts (such as through telephone or WhatsApp calls, SMS or WhatsApp messages, emails and other media) that request customers to provide sensitive personal information that can lead to frauds. The licensees must also enhance their surveillance and monitoring systems to detect suspicious account activity caused by such fraudulent attempts on a timely basis.
Added: October 2020
OM-5.1.2B
Conventional retail bank licensees must raise customer awareness about fraudulent phishing messages by launching extensive customer alert campaigns through media and social media channels. Customers must be warned of such attempts and advised to only use the licensee’s official website, telephone or other channels for communication with it.
Added: October 2020
External Measures
OM-5.1.3
All head offices/main offices are required to maintain Ministry of Interior ("MOI") guards on a 24 hours basis. For branches that satisfy the criteria mentioned in Paragraphs OM-5.1.4 to OM-5.1.16 below, they may maintain MOI guards during opening hours only. Furthermore, banks will be allowed to replace MOI armed guards with private security guards subject to the approval of the MOI. Training and approval of private security guards will be given by the MOI.
Added: January 2020
OM-5.1.4
Public entrances to head offices/main offices and branches must be protected by steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire. Other external entrances must have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances must have the following security measures:
(a) Magic eye;
(b) Locking device (key externally and handle internally);
(c) Door closing mechanism;
(d) Contact sensor with alarm for prolonged opening time; and
(e) Multifactor or combination access control system (e.g. access card and key slot or swipe card and password).
Added: January 2020
OM-5.1.5
External windows must have security measures such as anti-blast films and movement detectors. For ground floor windows, banks must add steel grills fastened into the wall.
Amended: April 2021
Added: January 2020
OM-5.1.6
Branch alarm systems must have the following features:
(a) PIR motion detectors
(b) Door sensors
(c) Anti vibration/movement sensors on vaults
(d) External siren
(e) The intrusion detection system must be linked to the bank's (i.e. head office) monitoring unit and also the MOI Central Monitoring Unit.
Added: January 2020
Internal Measures
OM-5.1.7
Teller counters must be screened off from customers by a glass screen of no less than 1 meter in height from the counter work surface or 1.4 meters from the floor.
Added: January 2020
OM-5.1.8
All areas where cash is handled must be screened off from customers and other staff areas.
Added: January 2020
OM-5.1.9
Access to teller areas must be restricted to authorised staff only. The design of the teller area must not allow customers to pass through it.
Added: January 2020
OM-5.1.10
Panic alarm systems for teller staff must be installed. The choice between silent or audible panic alarms is left to individual banks. Kick bars and/or hold up buttons must be spread throughout the teller and customer service areas and the branch manager's office. The panic alarm must be linked to the MOI Central Monitoring Unit.
Added: January 2020
Cash Safety
OM-5.1.11
Cash, precious metals and bearer instruments must be kept in fireproof cabinets/safes. These cabinets/safes must be located in strong rooms.
Added: January 2020
OM-5.1.12
Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.
Added: January 2020
OM-5.1.13
Strong rooms must not contain any other openings except the entry door and where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.
Added: January 2020
CCTV Network Systems
OM-5.1.14
All head offices/main offices and branches must have a CCTV network and alarm system which are connected to a central monitoring unit located in the head office/main office, along with a Video Monitoring System (VMS) and to the MOI Central Monitoring Unit.
Added: January 2020
OM-5.1.15
At a minimum, CCTV cameras must cover the following areas:
(a) Main entrance;
(b) Other external doors;
(c) Any other access points (e.g. ground floor windows);
(d) The banking hall;
(e) Tellers' area;
(f) Strong room entrance; and
(g) ATMs (by way of internal or external cameras).
Refer to Section OM-5.3 for specific CCTV requirements related to ATMs.
Added: January 2020
OM-5.1.16
Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. Delayed transmission of pictures to the Central Monitoring Unit is not acceptable. The CCTV system must be operational 24 hours per day.
Added: January 2020
Training and Other Measures
OM-5.1.17
Banks must establish the formal position of security manager. This person will be responsible for ensuring all bank staff are given annual, comprehensive security training. Banks must produce a security manual or procedures for staff, especially those dealing directly with customers. For banks with three or more branches, this position must be a formally identified position. For banks with one or two branches, the responsibilities of this position may be added to the duties of a member of management.
Added: January 2020
OM-5.1.18
The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.
Added: January 2020
OM-5.1.19
Banks must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. Is the branch on a main street or a back street?), accessibility for emergency services, and assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All banks are required to hold an Insurance Blanket Bond (which includes theft of cash in its cover).
Added: January 2020