Robbers Can't Bank on Lax Security
Good news in the war against crime is rare in Mexico, but banks there are making progress. They have reduced the amount of money stolen from their branches, ATMs, and armored cars through a steady investment in technology, training, and improved cooperation with the police. In 2006—the latest year for which data are available—Mexican bank robbers made off with about as much money as they did in 2005, even though the number of assaults went up by nearly one-third. The average take in each assault dropped from nearly $11,000 in 2005 to about $8,000 in 2006. Although up-to-date survey data are lacking, the same trend continued through 2007 and 2008, says Miguel Angel Carlos Jaime, director for prevention and corporate security at Santander in Mexico.
Mexico’s banking industry has grown up fast since a financial crisis pushed most local banks into bankruptcy a decade ago, following a 30 percent devaluation of the Mexican peso. Today, all but one of Mexico’s big banks are owned by international groups such as HSBC of the United Kingdom, Santander and BBVA of Spain, and U.S.-based Citibank.
As they came under new management, Mexico’s banks increased security budgets, raised the standard of security professionals, invested in technology, and transferred best practices from around the world to Mexico.
In 2003, the banks negotiated a standard 10-point code of security practice with government financial regulators. The code, presented in a manual, includes common transmission standards for protocols of CCTV feeds, linking bank alarms to local police stations, and stricter certification of security personnel. The manual also specifies standard security features for ATMs, magnetic cards, and checks. Banks can only open new branches if they are fully compliant with these standards.
Banks have spent $200 million to upgrade their branches to meet the requirements of the code, with each bank making additional modifications to conform to their individual corporate security codes. The changes have made banks less attractive to robbers.
The news is not all good, however. Mexico still operates a huge cash economy, where even large transactions are often settled in cash either to evade taxes or to sidestep burdensome regulations. This situation creates opportunities for criminals, and it exposes individuals and businesses to heightened risk.
Banks have made considerable progress in tightening security inside their branches. They have reduced the amount of cash held on site, restricted managers’ access to branch vaults, improved CCTV coverage, and increased training, says Jorge Septien, head of security at Banamex, Mexico’s second-largest bank, which is owned by Citibank.
But it is a constant battle as criminals adapt. For example, thieves began to loiter inside branches to identify people making large cash withdrawals so that they could rob them in the street or follow them home. The Mexico City Public Security Department now publishes fliers and posters warning bank clients that thieves lurk outside branches or beside ATMs.
Banks have also reacted, hiring hostesses to greet and orientate clients as they enter the branch, helping them to fill in forms or directing them to the appropriate bank officer. These hostesses are trained to determine who might be a threat and either convince them to leave or discreetly raise the alarm.
Another challenge is the spread of ATMs, which has opened a wealth of new opportunities for criminals. A fully loaded ATM can hold more cash—more than $100,000—than most branches. And Mexico now has almost 26,000 ATMs—20 percent more than two years ago, according to the Association of Mexican Banks. Most of this growth has taken place in off-branch locations such as malls, office buildings, stores, and gas stations.
The police have increased their patrols in high-risk areas, and CCTV networks can monitor machines installed outside bank branches, but most of the growth in installations is taking place in other locations. Criminals working at night ram machines, use loaders to lift them, or simply open them up with welding equipment.
“We have done a lot to improve security at our branches, but ATMs are the vulnerable point, especially those in third-party locations or isolated areas,” says Jaime.
Banks are improving their countermeasures. They are upgrading security features of ATMs, such as equipping them with devices that spray cash with indelible dye if they detect movement, says Jaime.
Criminals are always evolving their tactics as well. Some enterprising criminals are known to have installed fake ATMs at beach resorts, stores, and malls in heavily traveled tourist spots.
These fake ATMs read and record credit card data and PIN numbers but do not release any cash. A message on the screen tells users that the network cannot reach their bank. However, their credit card details are immediately used to create new “cloned” cards.
Extortion and intimidation of bank employees by organized crime is also a permanent threat. Gangs hold the families of managers or tellers hostage and force them to open bank vaults or to hand over large amounts of cash. Septien says banks have countered this threat by holding less cash, equipping tellers with more discreet alarms, and using CCTV to monitor branches.
To help protect its branches, Citibank operates a centralized surveillance and response system from a nondescript office building in downtown Mexico City that bears no identifying signs or logos. Inside, working from a control room dominated by a huge plasma screen covering the wall, teams of security managers work day and night. They monitor cameras in the bank’s branches that are linked to their system in real time by Internet connections. In a crisis, they can coordinate responses with branch managers, Citibank security executives in Mexico City, and the police.
As soon as an event is detected at a branch, staff can use cameras or telephone connections to the affected branch to determine what has happened—an armed robbery, a hostage situation— and take necessary action, such as alerting police and advising staff.
Most alerts are false alarms, says Septien, but the system has improved response time and coordination with the police. The next step will be to extend this network to all Citibank branches in Latin America and centralize control in Mexico City.
Although Mexican banks have stabilized the threat from armed robberies, the threat from increasingly sophisticated and polished criminals is on the rise. Criminals are learning that well-executed fraud and credit card scams are less risky and yield a higher return than old-style bank robberies. However, these operations require sophistication, planning, and inside knowledge not available to run-of-the- mill Mexican bank robbers.
As a result, says Jaime, “The great danger is coming far more from white collar employees and through electronic transactions.”
One tactic used by organized crime is “to infiltrate their people into our banks whenever we hire staff,” explains Jaime. Another approach criminals take, he explains, is that “they try to turn an employee who may have some financial or personal problems into an ally. They use blackmail and intimidation.”
Vetting of prospective employees and periodic screening of current staff is a key element in maintaining security. Background checks have become common practice in Mexico, but they are harder to do than in the United States.
Public and private databases are incomplete. Some information, such as criminal records, is not released officially, although investigators can access such records on an informal basis by using their law-enforcement connections. Banks avoid resorting to informal verifications, because they are undocumented, unreliable, and require small bribes to government officials.
Instead, verifications are subjective and often include a visit to an applicant’s home and neighborhood. In these cases, investigators interview residents to verify the applicant’s background.
Existing employees also need to be screened, says Septien. “The risk exists that even an employee who checked out okay may have had some misfortune. Maybe he needs some money and drug traffickers or criminals will offer him money to facilitate their actions,” Septien explains.
And if money does not work as an incentive, intimidation usually does. “Local people know where everyone in the neighborhood works. It is hard to resist threats,” he says.
Another concern among Mexico’s financial services sector is the emergence of newer banks with limited experience in security that are unwilling to invest in more than the absolute minimum needed to comply with regulations. Established banks complain that these new entrants are undermining some of the progress the industry has made against crime.
These startups “do not want to invest the amounts needed to ensure security in their systems. That opens vulnerabilities in the banking system’s interconnected networks and makes us all vulnerable to hackers and to fraud,” says the head of security at one foreign bank with facilities in Mexico.
“The big banks have state-of-the-art technologies, and they can adapt quickly to changes in the threats they face. We follow global best-practice standards that are stricter than local legal requirements,” he says. “The small banks are not moving as fast as we would desire. They are an open door to criminals.”
Mexico’s banks face a constant danger from drug-money launderers. Usually, they prefer to recycle their profits through shell companies, offshore banks, and fake accounts at local banks. However, a U.S. Congressional Research Service report highlights how the gangs have evolved into tightly managed enterprises that penetrate banks by intimidating or bribing government officials and bank employees or by infiltrating gang members into financial institutions. Although money laundering is not theft, the techniques facilitate crimes by helping the perpetrators obscure the origins of their money.
Despite the efforts of Mexican banks, crime still pays very well. The risk of detection is low, due to inefficient, poorly trained and corrupt police forces. A report from the Mexico City government says 307 police officers were fired for corruption in 2007.
Once a crime has occurred, there is little chance that the criminals will ever be caught and prosecuted, says the head of security at a bank in northern Mexico. “We have to do our own investigation, because we can’t rely on the police to do their work,” he says. “The police need to do better intelligence work. It’s not just a question of more resources.”
Meanwhile, impunity only encourages robbers to keep trying their luck, even as the return on each assault keeps falling.
John Barham is a former Security Management senior editor.