
Security for Banks and Financial Institutions | CloseProtectionHire
Physical security for banks and financial institutions: branch access control, cash-in-transit protocols, ATM crime, insider threat, and executive protection in the banking sector.
Written by James Whitfield
Physical security in the financial sector is one of the oldest, most documented, and most legally regulated areas of the discipline. Banks have been robbed since the nineteenth century. The countermeasures are well understood. The failures that still happen are nearly always attributable to corner-cutting, complacency, or failure to apply controls consistently – not to lack of knowledge about what works.
This guide covers the primary physical security domains for banks and financial institutions: branch access and robbery prevention, cash-in-transit, ATM crime, insider threat management, and executive protection in the banking context. It closes with the specific challenges of operating branch networks in P1 high-risk cities.
Branch Security Fundamentals
A bank branch is not a standard commercial premises. It holds currency, provides access to customer funds, and processes high-value transactions. That creates a distinct physical security obligation.
The British Security Industry Association (BSIA) publishes Form 128, its Security in the Banking Sector guidance, last updated in conjunction with the UK Finance Fraud Losses Annual Review. Physical access controls in UK branches are regulated by the Financial Conduct Authority’s systems and controls requirements (SYSC 6), which mandate that firms maintain arrangements proportionate to their risk profile.
Minimum standards for branch physical security include: electronic access control on all non-public areas, CCTV with a minimum 30-day retention (aligned with NPCC guidance on retention periods), a panic alarm system linked to an Alarm Receiving Centre (ARC) with an agreed response protocol, and a documented cash handling procedure that limits the amount of currency accessible during customer-facing hours.
The retail cashier counter barrier – whether traditional counter or screen – is a design decision with direct security implications. Screens reduce the probability of a cash grab and create a physical separation layer, but they create their own vulnerabilities if staff are trained to override them (opening the secure door to help customers) under social engineering pressure. Social engineering and distraction-based entry are consistent attack vectors at branch locations. Staff awareness training is not optional.
Cash-in-Transit Security
The movement of currency between branches, ATMs, cash centres, and retail clients is the highest-risk physical security activity in the financial sector. UK Finance data for 2023 recorded approximately 500 cash-in-transit robberies in the UK – a reduction from peak years but still a significant operational risk.
LPCB (Loss Prevention Certification Board) certifies CIT vehicles and equipment under the EN 1143 safe classification and BS EN 1522/1523 standards for bullet-resistant glass. SIA regulations require that all personnel carrying cash hold the SIA Keyholding licence (Security Industry Authority, SIA: Licensing Criteria, 2024).
The operational security of a CIT run depends on four variables: vehicle specification, route selection, crew discipline, and time variation.
Route selection is the most frequently neglected of these. Predictable routes are the primary intelligence input for any planned CIT robbery. A crew that leaves the same branch at the same time on the same weekday and takes the same road to the same cash centre has effectively planned their own robbery. BSIA recommends route variation for every run – not weekly rotation, every run.
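A dispatch-log self-audit for the route and time variation described above, as an added example that is not part of the original guide. The record format, route identifiers, and the 30-minute spread threshold are assumptions, and the sample runs are constructed. It also shows why a weekly rotation passes a naive "no consecutive repeat" check while remaining predictable by weekday.

```python
from collections import defaultdict
from datetime import date
from statistics import pstdev

# Constructed dispatch records (hypothetical format): (run date, departure "HH:MM", route id)
SAMPLE_RUNS = [
    (date(2024, 3, 4), "09:00", "A"), (date(2024, 3, 6), "09:05", "B"),
    (date(2024, 3, 8), "08:55", "C"), (date(2024, 3, 11), "09:00", "A"),
    (date(2024, 3, 13), "09:02", "B"), (date(2024, 3, 15), "09:00", "C"),
    (date(2024, 3, 18), "08:58", "A"), (date(2024, 3, 20), "09:00", "B"),
    (date(2024, 3, 22), "09:03", "C"),
]

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MIN_DEPARTURE_SPREAD_MIN = 30  # assumed policy threshold, in minutes


def minutes(hhmm):
    """Convert 'HH:MM' to minutes after midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def audit_runs(runs, min_spread=MIN_DEPARTURE_SPREAD_MIN):
    """Return predictability findings for one branch's CIT run history."""
    runs = sorted(runs)
    findings = {}
    # Same route used on back-to-back runs.
    findings["consecutive_repeats"] = sum(
        1 for a, b in zip(runs, runs[1:]) if a[2] == b[2])
    # Weekly rotation: a weekday that always maps to the same route.
    by_weekday = defaultdict(list)
    for run_date, _, route in runs:
        by_weekday[DAYS[run_date.weekday()]].append(route)
    findings["fixed_weekday_routes"] = sorted(
        day for day, routes in by_weekday.items()
        if len(routes) >= 3 and len(set(routes)) == 1)
    # Departure times clustered around one clock time.
    spread = pstdev([minutes(t) for _, t, _ in runs])
    findings["departure_stdev_min"] = round(spread, 1)
    findings["departure_too_regular"] = spread < min_spread
    return findings


if __name__ == "__main__":
    print(audit_runs(SAMPLE_RUNS))
```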
Crew discipline covers: communications security (no public discussion of routes or schedules), awareness of surveillance (vehicles parked in observation positions before a run), and physical demeanour during transfer. A crew that loads cash openly in public view and then stops for fuel on a predictable route has given an attacker everything they need.
In P1 cities, CIT operations carry substantially higher risk. Lagos, Nairobi, Karachi, Mumbai, and Manila all have documented histories of armed CIT robbery. In these markets, the vehicle specification must reflect local threat levels, armed guards are standard (with the appropriate legal framework and licensing in each jurisdiction), and route intelligence – not just route variation – is a standing requirement.
ATM Crime
ATM crime has three distinct categories that require different countermeasures.
Skimming and data theft: Criminals attach hardware to ATM card readers to capture card data, and a camera or false keypad overlay to capture PINs. This is overwhelmingly the highest-volume ATM crime type globally. EAST (European ATM Security Team) reported 1,212 skimming attacks across Europe in 2023, a 26% increase on 2022. Physical countermeasures include: anti-skimming overlay detection software, regular hardware inspection (daily in high-risk locations), and jitter card readers that disrupt skimming device functionality.
Ram raids and explosive attacks: Physical attacks on ATM enclosures – using stolen vehicles or, in the UK and Germany particularly, gas or liquid explosive attacks – target the cash cassettes inside the machine. These attacks have increased in the UK. The National Counter-Terrorism Security Office (NaCTSO) notes that ATM explosive attacks often involve the same criminal networks that conduct other serious organised crime. Countermeasures are structural: anti-ram bollards around ATM enclosures, time-lock access to cash areas, and GPS-tracked cash cassettes that make the stolen cash traceable.
Customer-targeting crime: Shoulder surfing (observation of PIN entry), distraction theft, and robbery of customers who have just withdrawn cash. CCTV placement must cover the customer zone, not just the machine face. Design choices – positioning ATMs in well-lit areas with clear sight lines – reduce vulnerability.
Insider Threat in Financial Institutions
The financial sector has a persistent and well-documented insider threat problem. CIFAS, the UK fraud prevention service, reported in its 2023 Fraudscape report that insider fraud represented 17% of all fraud cases reported by its membership. The financial sector is overrepresented in insider threat data precisely because it combines privileged system access with privileged physical access.
Physical insider threat in a financial institution typically manifests as: theft of physical assets (currency, cheques, bond certificates, customer data on removable media), facilitation of external robbery (sharing schedule or route information), and unauthorised access to restricted areas to access documents, servers, or vault contents.
Physical controls that reduce insider threat include: dual-key or dual-authorisation requirements for vault access (no single individual has sole access to high-value areas), access logs that are reviewed regularly and independently (not by the person whose access is being reviewed), and segregation between cash-handling staff and back-office staff.
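The dual-authorisation and independent-review controls above can be checked mechanically against access-control logs. This is an added example, not part of the original guide; the log format, event names, and the 120-second pairing window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): time, event, actor, subject.
# Assumed to be in time order, as an access-control system would export them.
SAMPLE_LOG = """\
2024-03-04T08:58:10 VAULT_AUTH alice vault-1
2024-03-04T08:58:40 VAULT_AUTH bob vault-1
2024-03-04T08:58:45 VAULT_OPEN alice vault-1
2024-03-05T17:02:00 VAULT_AUTH carol vault-1
2024-03-05T17:02:30 VAULT_AUTH carol vault-1
2024-03-05T17:02:35 VAULT_OPEN carol vault-1
2024-03-06T09:00:00 VAULT_AUTH alice vault-1
2024-03-06T09:10:00 VAULT_AUTH bob vault-1
2024-03-06T09:10:05 VAULT_OPEN bob vault-1
2024-03-08T10:00:00 LOG_REVIEW dave carol
2024-03-08T10:05:00 LOG_REVIEW alice alice
"""

PAIR_WINDOW = timedelta(seconds=120)  # assumed policy value


def parse(log_text):
    """Yield (timestamp, event, actor, subject) from whitespace-separated lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, event, actor, subject = line.split()
            yield datetime.fromisoformat(ts), event, actor, subject


def audit(log_text, window=PAIR_WINDOW):
    """Flag vault openings without two distinct authorisers, and self-reviews."""
    findings = []
    auths = []  # (time, actor, vault) for every authorisation seen so far
    for ts, event, actor, subject in parse(log_text):
        if event == "VAULT_AUTH":
            auths.append((ts, actor, subject))
        elif event == "VAULT_OPEN":
            # Distinct people who authorised this vault inside the window.
            recent = {a for t, a, v in auths
                      if v == subject and timedelta(0) <= ts - t <= window}
            if len(recent) < 2:
                findings.append((ts.isoformat(), "SINGLE_PERSON_OPEN", actor))
        elif event == "LOG_REVIEW" and actor == subject:
            # The reviewer is the person whose access is being reviewed.
            findings.append((ts.isoformat(), "SELF_REVIEW", actor))
    return findings
```

The second flagged opening is the case a simple count of authorisations misses: two people authorised, but ten minutes apart, so only one was present when the vault opened.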
The insider threat security posture in a bank branch is partly a hiring problem – vetting, reference checking, and ongoing monitoring – and partly a design problem. If the security architecture requires trusting individuals without verification, the architecture has a vulnerability regardless of who fills those roles.
See our insider threat guide for the broader framework applicable across corporate sectors.
Executive Protection in the Banking Sector
Senior banking executives operate in a distinct personal threat environment. The threat profile is not constant – it changes materially during periods of institutional controversy.
Regulatory investigations: A bank under FCA or US DOJ investigation, or a bank that has experienced a public failure (PPI mis-selling, LIBOR manipulation, sanctions violations), may have senior executives named publicly. Named executives in visible investigations receive increased hostile attention – from protest campaigns to targeted physical contact. The 2012 period following the LIBOR rate-rigging revelations saw multiple senior bankers at Barclays and Deutsche Bank receive personal harassment campaigns at their residential addresses. Control Risks documented a sustained pattern of this type of targeting in its 2013 and 2014 financial sector assessments.
Activist and protest campaigns: Anti-capitalist and environmental activist campaigns have targeted banking executives specifically – at AGMs, at headquarters, and at residential addresses. This is not a new phenomenon. The security implication is that executive residential security reviews should be conducted proactively, not only after a threat is received.
P1 city targeting: International banking executives travelling to Lagos, Nairobi, Manila, Karachi, or Istanbul carry profile risk simply through being identified as senior staff at a major international financial institution. They are perceived as high-value targets for KFR (kidnap, fraud, and ransom) and express robbery. The vetted driver and advance hotel briefing protocols that apply to any P1 city travel apply equally – and should not be waived for “routine” banking trips.
Physical-cyber convergence: Server rooms, trading floors, and data centres within financial institutions are targets for physical intrusion to enable digital compromise. A tailgater who gains access to a trading floor or server room and installs a hardware keylogger or network tap has bypassed the institution’s entire digital security perimeter. Physical access control to technology infrastructure is a cybersecurity issue, not only a physical security issue.
See our physical and cyber security convergence guide for the integrated assessment framework.
P1 City Branch Network Operations
International banks with branch networks in Lagos, Nairobi, Karachi, Manila, and Mumbai operate in threat environments that require security programmes substantially beyond the UK or European standard.
Lagos: Branch armed robbery is a documented and recurring risk. Apapa branch locations carry additional risk from the port corridor criminal environment. Nigerian law permits armed private security. The Nigerian Security and Civil Defence Corps (NSCDC) regulates private security companies. Building relationships with the Nigeria Police Force commercial crime unit is standard practice for major branch networks.
Nairobi: Armed robbery at Kenyan bank branches has decreased since the implementation of stronger access controls and the deployment of armed guards at major locations. The Private Security Regulatory Authority (PSRA) licenses armed guards. The most significant threat shift in recent years has been from physical robbery toward electronic fraud – but the physical security infrastructure is still required.
Karachi: Bank robbery is a documented risk in the context of broader P1 city criminal activity. Branch security in Karachi typically involves perimeter barriers, armed guards, and vehicle access control at premises. Cash management in Karachi requires CIT protocols appropriate to an armed robbery threat environment.
The guard force command authority structure in armed markets is a distinct management challenge for UK-based security managers. Policies on rules of engagement, use of force authorisation, and incident reporting must be written and approved before operations begin – not drafted after an incident.
Sources
UK Finance Fraud Losses Annual Review 2024. BSIA Form 128: Security in the Banking Sector 2024. SIA: Licensing Standards and Criteria 2024. CIFAS Fraudscape 2023. LPCB: Loss Prevention Standards for Cash-in-Transit Equipment. EAST: European ATM Crime Report H2 2023. NaCTSO ATM Explosive Attack Guidance 2024. OSAC Nigeria/Kenya/Pakistan Country Security Reports 2024. Control Risks RiskMap 2025. FCA SYSC 6 (Senior Management Arrangements, Systems and Controls). INTERPOL Financial Crime Unit Report 2024. ASIS International: Banking and Financial Institution Security Guidelines 2024.
James Whitfield is a Senior Security Consultant with 20 years of experience in corporate security, financial sector risk management, and executive protection across high-risk environments globally.
For private banking and wealth management professionals – relationship managers who travel to P1 cities to meet HNWI clients, carrying sensitive client portfolio data and facing both personal KFR risk and regulatory criminal exposure – see our security for private banking and wealth management professionals guide. For central bank operations – where gold reserve vault security, currency-in-transit standards, SWIFT CSP compliance following the Bangladesh Bank heist of February 2016, and governor personnel security in P1 markets create a distinct institutional security profile – see our security for central banks and currency operations guide. For cash-in-transit security – SABRIC South Africa 179 heists/51 fatalities in 2023, Brazil SINPRO 1,200 annual attacks, BS 7958:2015, SIA CIT licensing, EN 1522 armoured vehicle standards, and Mexico Bajio cartel corridor ambush risk – see our cash-in-transit and CIT operations security guide.
Key takeaways
CIT routes must vary every run
Pattern of life is the primary enabler of successful cash-in-transit robbery. Route variation, departure time variation, and crew rotation are non-negotiable minimum standards. Regularity is the vulnerability.
Insider threat demands physical and logical controls working together
The insider who compromises a financial institution typically uses both physical access (server rooms, document storage, cash handling areas) and system access. Security teams that only monitor one dimension miss the combined threat.
ATM crime has distinct typologies requiring distinct countermeasures
Skimming (card data theft via attached hardware) requires regular inspection. Ram raids and explosive attacks on ATM enclosures require hardened physical installation. Shoulder surfing and distraction theft require customer-facing design and CCTV placement. One countermeasure does not address all three.
Executive protection in banking requires context-specific assessment
A banking executive's threat profile changes materially during a regulatory investigation, a public controversy, or a major redundancy announcement. Protection that is adequate in steady-state may be insufficient during a period of institutional controversy.
P1 city branch security operates in a different threat environment
International bank branch networks in Lagos, Karachi, Nairobi, and Manila face ambient threat levels that UK-based security teams often underestimate. The local guard force command structure, rules of engagement, and armed/unarmed decision all require country-specific assessment, not a UK standard applied globally.
