Security is a process, not a product

1 February 2016

Keeping safe deposit box vaults secure from attack requires much more than physical security, argues Christopher Barrow of Metropolitan Safe Deposits.

The Hatton Garden safe deposit heist in April 2015 raised much initial press speculation about the professionalism and audacity of the gang in what became known as the “largest burglary in English legal history”. As more details emerged, however, it became apparent that this small vault in the heart of London’s jewellery and diamond quarter was not such a hard nut to crack.

It is well-known in the military world that security should incorporate multiple layers of defence, otherwise known as ‘defence in depth’, in order to resist rapid penetration by an attacker. Similarly, the IT industry talks about ‘layered security’ to prevent hackers from gaining unauthorised access to information systems and data.

The same philosophy or strategy should apply to safe deposit vaults and strong rooms. The existence of multiple layers is designed to mitigate the threat resulting from a single point of weakness. A classic example is interlocking doors with an airlock, allowing controlled entry through the first door which must close before the individual can pass through the second door. This not only prevents piggybacking and tailgating, but also, at the very least, delays the intrusion of an attacker.

Another example is the use of overlapping alarm systems deploying different technologies provided by different companies and monitored by separate alarm receiving centres. Such multiple layers of security should be integrated into reinforced physical barriers (walls, doors and windows), CCTV surveillance, alarm systems, detection sensors and access control systems. A typical access control system today uses touch cards and biometric fingerprint identification together with a set of unique keys provided only to the customer. Each step should be verified by computer and monitored by a security officer in a control room.

When customers are informed that a safe deposit vault is certified in accordance with the European standard EN-1143-1 or, for that matter, that the doors have passed a Grade VIII explosive and core drill test, very few would understand the value of this information. These certifications simply confirm that the products have passed some form of performance and quality assurance tests. These are important, but they tell only part of the story. When a vault is open for business, the strength of a vault door is somewhat academic. Even when closed, product certification is meaningless if systems and operational procedures are below par.

Another underrated factor is the quality of staff. Physical strength, sophisticated systems and comprehensive operational procedures are only secure if a business has high-quality and well-trained staff. In the UK, the safe deposit industry is regulated for anti-money laundering (AML) and counter-terrorism purposes. Understanding the importance of KYC (Know Your Customer) is critical to the smooth management and commercial viability of a business. Any firm involved in acting as a custodian of high-value items on behalf of customers should employ smart, motivated and disciplined employees. It is those employees who ensure not only that customers receive an efficient and friendly service, but also that law-abiding individuals become customers in the first place.

No safe deposit business should turn a blind eye to criminal activity. Not only is it an illegal practice but, fundamentally, lawful customers do not want to share a vault with criminals. KYC obligations are therefore critically important to the long-term health of any business. The initial procedure for new customers wishing to rent a safe deposit box in the UK is to prove their identity with acceptable forms of photographic identification and proof of address. In order to meet regulatory AML obligations, a safe deposit firm should deploy extensive customer due diligence measures.

Regulations require that all customer-facing employees of safe deposit firms be aware of their obligations relating to money laundering and terrorist financing, and be regularly trained in what to do if they know or suspect that money laundering or terrorist financing may be taking place. Essentially, it means that the business must comply with the Proceeds of Crime Act 2002, which includes the requirement to make a disclosure to the National Crime Agency of any such suspicious activity. It is also recommended by regulators that an appropriate, risk-based procedure be formalised for dealing with those customers who pose a higher risk, including Politically Exposed Persons. These higher-risk customers require an increased level of enhanced due diligence and ongoing monitoring.

In order to assess its own security infrastructure and methodologies, a safe deposit business should subject itself to regular internal and periodic external security risk audits. This should be in the form of a systematic on-site analysis and risk assessment of all security aspects. The scope of an external survey should include a thorough understanding of the company structure and organisation, business policies, culture and working practices. It should evaluate the threats and risks to the business and its staff, especially in terms of armed robbery and burglary. It should cover the physical security of the vault and surrounding areas, technology equipment such as surveillance and alarm systems, operational procedures, facilities, staff recruitment and training. An external audit should be carried out by a professional security consultant with specialist knowledge of, and expertise in, the specific industry. Recommendations should be graded on the basis of the level of risk, with any severe vulnerability (that represents a major business risk) requiring immediate preventative action.

The Hatton Garden robbery should have alerted all operators of safe deposit facilities, whether they are banks or independent businesses, that security is a complex process that requires substantial investment in sophisticated systems and the highest professional standards of business practice. Trust can take a long time to build, but it is very easy to destroy. Customers storing their belongings in a vault should carry out their own due diligence to satisfy themselves that their hard-earned or inherited valuables are in safe hands.
