Security Program


Security Program For ABC CREDIT UNION (ADDRESS)

Program Overview

This security program was developed to comply with the requirements of section 205(e) of the Federal Credit Union Act (12 U.S.C. 1785 (e)) and Part 748 of Title 12 of the Code of Federal Regulations promulgated by NCUA. The program establishes security procedures and specifies devices to discourage robberies, burglaries, larcenies and embezzlement; to assist in identification and prosecution of persons who commit such crimes; and to prevent the destruction of vital records at this credit union’s main office and each branch office.

Approval by Board of Directors

The Board of Directors at its regular meeting on ______ adopted this program, and it was entered into the minutes of that meeting.

Program Administration

1. Initial development of a written security program and subsequent modification of such security program as circumstances or revised federal regulations may require.

2. Implementation of security procedures and internal controls prescribed by the security program.

3. Selection, testing, maintenance and operation of security devices prescribed by the security program.

4. Protection of vital records at each credit union office.

5. Provision for the initial and periodic training of employees in their responsibilities under the security program, and in proper employee conduct during and after a robbery, burglary or larceny.

6. Monitoring the effectiveness of the security program at each credit union office and conducting periodic security audits at each office.

7. Consultation with local law enforcement agencies to develop coordinated robbery and burglar alarm response plans for each credit union office.

There will be an annual review by the Board of Directors on the implementation, administration and effectiveness of the security program at each credit union office. The Board of Directors may, at its discretion, require any additional reports it deems necessary to fulfill its responsibility for supervision of the administration of this security program.

Internal Controls

The Board of Directors has adopted organizational and operational procedures to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to the prescribed managerial policies of this credit union. Many of these internal controls are designed to protect the credit union against crimes of embezzlement, and are included by reference as a part of this security program.

Accounting Controls

The Board of Directors has adopted an accounting system in accordance with the Accounting Manual for Federal Credit Unions and generally accepted accounting principles. The system incorporates internal controls to provide reasonable assurance that:

1. Transactions are executed in accordance with management's general or specific authorization.

2. Transactions are documented and recorded promptly to permit accurate preparation of financial statements and to maintain accountability for assets.

3. Access to assets is permitted only with management's authorization; and

4. The recorded accountability of assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

Audit Policy

The Supervisory Committee shall oversee a continuous program of internal auditing for such procedures as bank reconcilements, as well as an annual outside audit by a firm of independent public accountants.

Control of Currency Levels

1. Maximum currency levels will be assigned to each office. It is the responsibility of [Title of Person Responsible] to ensure that currency is maintained at or below the specified level.

2. If the office exceeds the maximum level, the [Title of Person Responsible] will immediately arrange for the removal of excess currency by means of armored transport services or other insured mode of transportation.

3. Random cash audits will be performed at each office at least once per month. If excess currency is discovered, it will be reported to the [Title of Person Responsible].

4. Maximum currency levels for tellers will be established by the [Title of Person Responsible] and reviewed by the Teller Supervisor. The [Title of Person Responsible] is responsible for assuring the specified level is not violated.

5. If a teller accumulates currency over the assigned amount, the excess will be transferred to a locked vault, safe, or other secure place at the earliest possible time.

6. Random audits of teller currency levels will be made to ensure that each teller will be checked at least once per month. Excess currency violations will be reported to the [Title of Person Responsible].

Wire Transfer Procedures

The banking industry uses several electronic networks for funds transfer services, including (1) the Fed Wire, (2) CHIPS, (3) Bank Wire, (4) SWIFT, (5) Telex, and (6) ACH. Our credit union uses only two of these, Fed Wire and ACH. This paper is our statement of procedures and internal controls for wire transfer activities.

Several different services are provided by the Fed Wire, including (1) transfers of funds, (2) securities sales and purchases, (3) sales and purchases of cash, (4) reserve position inquiries, (5) TT&L status reports, and (6) ACH debits and credits. This procedure statement only applies to transfers of funds; as needed, the other four subjects are addressed elsewhere in the manuals.

Wire Transfer Control Policies And Procedures

To the extent possible, we avoid using the telephone as a funds transfer instrument. The telephone does not create a sufficient audit trail, nor does it allow for signatures or written records of transactions. When the telephone must be used, a callback procedure will be followed whereby an employee of the credit union calls a previously agreed upon telephone number to verify the identity of the caller. Telephone requests are then documented on a wire transfer request form, with the caller's name written in the signature block and the credit union employee's initials placed next to this name.

Test words are used to authenticate wire transfer messages. Test words consist of a series of numbers signifying different types of information. Test words precede the wire transfer message. A current list of test words is kept in the credit union under lock and key and is only available to authorized wire transfer personnel. The person receiving the incoming request is not the same person who verifies the test word; a dual control person does this. Test words and messages are tightly controlled.

Before honoring a request for a wire transfer, the wire transfer clerk will call the bookkeeping department and verify that sufficient collected funds are on hand to cover the transfer. At the same time, the bookkeeping department will be asked to place a hold on the account for the amount of the wire transfer.

No one person shall be responsible for the origination, testing, processing, and balancing of a wire transfer. Instead, someone other than the wire transfer clerk does testing and the accounting department does balancing. A credit union manager must initial any “adjustment” to a wire transfer operation.

We control wire transfer equipment, codebooks, terminal facilities, etc., so that access is limited to authorized personnel. The wire transfer equipment has locking devices that prevent its use during other than normal credit union hours. Computer programming personnel are never allowed in the transfer area, just as wire transfer personnel are never allowed in the computer area.

Processing Outgoing Wire Transfers

Outgoing wire transfers represent an extremely significant fraud vulnerability to the credit union. Consider the consequences of a $2,000,000 unauthorized wire transfer; within hours, the funds will have been withdrawn from the receiving credit union and will have permanently disappeared.

All outgoing wire transfers will be tightly controlled. The person authorizing the transfer will be someone incapable of actually sending the message. All outgoing wire transfers will be accompanied by completion of the following form:

Incoming Wire Transfers

Each incoming wire transfer will be recorded in a bound logbook. Each entry in the logbook will contain the following information: (1) date, (2) time, (3) name of sending credit union, (4) dollar amount, (5) member to be credited, (6) account to be credited, and (7) initials of the credit union employee processing the transfer.

As soon as an incoming wire transfer is received, the message will be logged and the debits/credits necessary to effect the transaction will be completed. A control person must initial the debits and credits before the funds can be disbursed (or credited to one of our member's accounts).

Security Policies and Procedures

General Safekeeping Policy

The [Title of Person Responsible] will be responsible for implementation of security procedures at each credit union office to provide for the safekeeping of currency, negotiable securities, similar valuables and vital records at all times. Management in other departments will be responsible for safekeeping of vital records affecting their areas. All employees at each office will be familiar with and follow the prescribed security procedures.

Dual Controls and Segregation of Duties

It is the policy of [your credit union] that management assigns duties to employees and departments so that no one person may dominate any transaction from inception to termination. In addition to this formal segregation of duties, teams of at least two employees will exercise dual control under the following circumstances:

1. When deposits from night depositories and ATMs are retrieved and posted;

2. During audits of vaults, safes, cash drawers, un-issued negotiable instruments and cash funds; and

3. When verifying currency being shipped or received.

Key and Combination Control

1. A record of key holders will be maintained in a secure location within each office and a copy of such record will be filed with the [Title of Person Responsible].

2. All excess keys will be kept in a locked box in a secured area.

3. Employees will return office keys when they are transferred or when their employment is terminated. If a terminated employee fails to return keys for any reason or is otherwise suspect, the [Title of Person Responsible] will have the locks changed on all exterior doors.

4. Dual control will be maintained over vault and safe at each credit union office. Knowledge of combinations and possession of keys necessary to access the vault or safe will be split between two employees so that no single employee is capable of accessing the vault alone. An appropriate number of employees will be assigned at each office to ensure access when employees are absent.

Personnel Policies

1. Prospective employees of the credit union will be screened for criminal history. This screening will include asking appropriate questions on application forms and during interviews through HRS.

2. All employees responsible for currency or negotiable securities must telephone their supervisor to explain all absences from work.

3. If an absent employee fails to telephone and explain an absence, the employee's residence will be called to determine the reason for the employee's absence.

4. If telephone verification cannot be made, the employee's cash will be counted immediately.

5. All employees who are responsible for currency or negotiable securities are required to take at least one straight week of vacation each year.

6. All employees are expected to adhere to acceptable business principles in matters of personal conduct, and to exhibit a high degree of personal integrity at all times. Employees are required to acknowledge and sign the Fraud Policy (sample policy statement is attached).

Safekeeping of Currency, Valuables and Vital Records

1. All currency, negotiable securities and other valuables will be stored in a locked, burglar-resistant vault or safe during non-business hours.

2. Vital records at each office will be stored in a locked, fire-resistant vault, or record safe container during non-business hours.

3. Vital records include:

• Cash journals and other reports of original entry;

• General ledger and supporting subsidiary ledgers, including members' individual share and loan ledgers;

• Loan notes and supporting documents if the loss of such instruments would preclude the credit union from collecting the outstanding balances of the loans;

• Securities, certificates, and other documents, which are evidence of investments, owned by the credit union;

• Minutes of the Board of Directors, and other committee minutes, which represent the historical actions of management; and,

• The credit union's charter, bylaws, and related amendments.

4. Blueprints or specification documents for credit union offices, vaults, and any other structures in which currency or other valuables are stored or handled will be kept in a secure area at a central location. The [Title of Person Responsible] will maintain a record of all such documents and their storage location.

Security Devices

The [Title of Person Responsible] shall provide for the selection, testing, operation, and maintenance of the following security devices at each credit union office:

1. A burglar-resistant vault or safe for protecting cash and other liquid assets, which provides, at minimum, protection equivalent to ______[UL approved Class I].

2. Burglar-resistant safes or money chests for protecting cash deposited at night depositories and automated teller machines, which provide, at minimum, protection equivalent to ______[UL TL-30].

3. A fire-resistant record safe or vault for protecting vital records which provides, at minimum, protection equivalent to ______[UL Class 350].

4. A lighting system for illuminating, during the hours of darkness, the area around the vault, because the vault is visible from outside the credit union office. Additional security lighting is listed as follows: lighting to illuminate the parking lot, the area surrounding the credit union office, the outer lobby, ATM and night depository. The emergency lighting has back-up power, which is ______.

5. A covertly actuated silent alarm system to be used in the event of an attempted or perpetrated robbery. The system is monitored by the nearest responsible law enforcement agency.

6. A burglar alarm system comprising perimeter alarms to detect attempted or perpetrated intrusion into the credit union offices, area alarms to detect unauthorized activity on the office floor, and/or point alarms to detect attempted or perpetrated intrusion into vaults, safes, night depositories and ATMs. The system will be monitored by ______[named security firm].

7. Tamper-resistant locks on all exterior doors and windows that may be opened.

8. Surveillance cameras that record activities at the credit union offices and at remote ATMs and night depository facilities.

9. Bullet-resistant glass enclosures around drive-up teller windows.

10. A prominently displayed decal, which states that the Federal Bureau of Investigation has jurisdiction to investigate felonies committed against the credit union.

11. Such other devices as the [Title of Person Responsible] may determine to be appropriate, taking into consideration the factors listed in the Procedure for Selecting Security Devices.

Procedure for Selecting Security Devices

The [Title of Person Responsible] is charged with selecting security devices for each credit union office, subject to Board approval. In making such selections, the [Title of Person Responsible] will consider the following factors:

1. The incidence of crimes in the area in which the credit union offices are located.

2. The location of the nearest law enforcement offices, guards or security personnel and the time required for such personnel to arrive at the office.

3. The amount of currency or other valuables exposed to robbery, burglary, or larceny.

4. Other security measures in effect at the credit union offices or within the surrounding areas.

5. The physical characteristics of the credit union's office structures and surroundings, including the physical vulnerability of the offices themselves and visual obstructions nearby caused by architectural or landscaping features, which might provide places for criminals to hide.

6. The size of the credit union and number of its employees at each branch.

7. Whether the device meets or exceeds current industry standards. (Consult with law enforcement officers, security specialists, our bonding company and vendors of security devices).

Operation of Security Devices

The [Title of Person Responsible] shall establish procedures to ensure that security devices are operated properly at each credit union office. Such procedures shall include:

1. Training on the operation of security devices for all office personnel.

2. A schedule indicating when each security device should be turned on and turned off.

3. Visual and operational inspection of security device controls to ensure they are working properly.

4. Logging and retention for at least six months of data recorded on the surveillance systems.

5. Immediate notification to the [Title of Person Responsible] when any security device fails.

Procedures for Testing and Maintaining Security Devices

The [Title of Person Responsible] will schedule tests and preventive maintenance inspections for all security devices. The tests and inspections will include, but are not limited to, those listed below.

Testing and Inspecting of Alarm Systems

1. All robbery alarms will be tested semi-annually.

2. All actuating devices will be included in the tests and all office personnel will participate in the procedure.

3. Preventive maintenance inspections of all burglar and robbery alarm systems will be conducted at least once every six months by an authorized service contractor.

Procedures for the Operation of Surveillance Systems

1. The surveillance cameras/monitors located in each credit union office will be actuated during any robbery or robbery attempts unless it is unsafe to do so.

2. The surveillance camera/monitor will be actuated whenever a credit union employee observes suspicious behavior of any person in the office.

3. Each employee will receive training in operating the surveillance camera/monitor and what constitutes suspicious behavior.

Testing and Inspection of Surveillance Systems

1. Camera/Monitor indicator lights and data/footage dials will be checked on a daily basis to ensure the system is operational and it contains enough storage/film to operate continuously for at least ______(three) minutes.

2. Surveillance systems will be tested on at least a monthly basis.

Procedures for Operation of Surveillance Systems

1. Surveillance systems will continuously monitor and record activity in each credit union office.

2. Data from surveillance systems will be retained for a period of at least six months before being purged and reused.

Testing and Inspection of Surveillance Systems

1. Surveillance systems will be tested daily before opening by recording and playing back one minute of tape/data to ensure the system is operating properly.

2. VCR recording heads, where applicable, will be cleaned routinely.

Opening and Closing Policies

All employees at each office will be familiar with and follow the prescribed opening and closing procedures.

Opening Procedures

1. The first employee to arrive will observe the surroundings of the credit union office. If a suspicious vehicle or person is observed, the opening will be aborted and the observer will contact the [Title of Person Responsible] and/or the police.

2. Upon arrival, the employee will inspect the exterior of the office for signs of forced entry. If any such signs are visible, the opening will be aborted and the police will be summoned immediately at ______[number for local police].

3. If the inspection reveals no signs of forced entry, the employee will enter the office and relock the door.

4. Once inside, the employee will inspect all interior areas of the office for intruders or signs of burglary or other criminal activity.

5. Finding none, the employee will ensure that all security devices intended for use during the business day are operating, and display a prearranged "all-clear" signal at the drive up window to advise employees that it is safe to enter the office.

6. No unauthorized personnel will be admitted to the office prior to opening.

7. Arriving employees will ascertain that the all-clear signal has been displayed before leaving their cars or approaching the entrance.

8. Employees will enter the office briskly and avoid gathering outside the doorway.

9. Once inside the office, no employee will leave the premises until the office is open for business. If circumstances require an employee to leave the premises before the office is open, the employee will not be in possession of a key.

10. Office vaults and safes will be opened at the latest practicable time prior to the start of business in the presence of at least two employees.

11. The all-clear signal, which advises employees that it is safe to enter the office, will be changed at least once per month on a staggered timetable.

Closing Procedures

1. All employees are instructed to be especially alert for strangers or suspicious behavior at the end of the business day. Employees will actuate surveillance cameras if suspicions are aroused and immediately notify [Title of Person Responsible or Manager on duty].

2. At closing time, the office doors will be locked.

3. The door will be relocked after each member leaves.

4. No unauthorized personnel will be admitted into the office after the doors are locked.

5. All currency, negotiable securities, and similar valuables will be secured in the office vault or safe at the earliest practicable time.

6. All vital records will be stored in a fire-resistant record safe, container or vault at the earliest practicable time.

7. The [Title of Person Responsible] will check all interior areas open to the public to assure that all members have left the building.

8. The manager will check to see that all exterior windows and doors are securely locked and do an inspection of potential hiding places.

9. After all other employees have left the office, the manager will perform a final inspection of the office, and assure that all alarms, lighting, and security devices intended for non-business hours are operating at each office.

Transportation of Currency by Armored Car

1. Currency will not be released for shipment until armored car personnel have been positively identified.

2. Should the guard be unknown to credit union employees, the guard's identity will be verified by telephone with the armored car company. (To avoid possible hostage situations, the guard will not be told that his identity is being checked by telephone.)

3. A signed receipt will be issued for each shipment sent or received.

4. Currency shipments received will be bulk counted in the presence of the armored car personnel unless the count is guaranteed by the armored car agency.

5. Each shipment will be verified under dual control and secured in the vault or safe immediately upon receipt.

Servicing Remote ATMs

1. Two or more employees will service the credit union's ATMs during business hours.

2. If a suspicious vehicle or loiterer is observed, the employees will go back in the credit union office and notify [Title of Person Responsible and/or police].

3. The teller on duty at the drive up window will be the observer for any suspicious activity near and around the ATM.

4. After servicing the ATM, one employee shall survey the area outside through viewing ports or CCTV monitor to ensure there is no suspicious vehicle or person(s).

5. Then they will turn on the security system, lock the door and walk back to the credit union office.

Visitor Identification and Access to Restricted Areas

1. Access to nonpublic areas within the credit union offices will be restricted by doors and gates that are locked at all times.

2. An assigned employee will accompany the visitor at all times while the visitor is in restricted areas of the office. (A manager may make exceptions to this rule on a case-by-case basis.)

3. The visitor's identity and authorization will be verified by telephone to the visitor's company or office unless credit union personnel know both the visitor and the reason for the visit. To avoid possible hostage situations, the visitor will not be told of this verification procedure.

Safe-Deposit Security Procedures

1. Before providing access to the vault, each renter's identity will be positively verified.

2. Safe Deposit box cards will be pulled, a signature will be obtained, and current authorization for entry will be verified.

3. A credit union employee will escort the renter into the vault. Under no circumstances will a member be left alone in the vault.

4. A credit union employee will never handle a member's key or safe-deposit box unless it is in full view of the member. The member must always accompany the employee into the vault to access the box.

5. After the box is accessed, the box door will be locked. The renter's key will remain in his/her possession.

6. A member will not be permitted to leave his/her box unattended in the safe-deposit box booth. If the member needs to leave the booth to transact business elsewhere in the credit union, the box must be secured in the vault. If further access to the box is required, standard procedures will be followed to regain access to the box.

7. Safe-Deposit box booths will be inspected immediately after each use. Any articles found during an inspection will be delivered to credit union management and maintained under dual control.

Safekeeping of Office, Vehicles, Equipment and Supplies Policy

To discourage larcenies involving the theft of office equipment and supplies, and to ensure the early discovery of such crimes, the CEO will implement the safekeeping procedures prescribed by this security program at each credit union office.

Safekeeping of Office Vehicles, Equipment and Supplies Procedures

1. An inventory of all office equipment will be maintained at each credit union office. A record of the inventory containing a description of the item, make, model and serial number will be kept in a secure location.

2. An inventory audit of office equipment will be conducted at least annually. Any equipment found to be missing should be reported immediately to the [Title of Person Responsible].

3. The number of keys to office vehicles will be kept to a minimum and a record of all key holders will be kept in a secure location.

4. All spare keys and the titles to office vehicles will be secured in a vault or safe.

5. All office vehicles will be locked with the keys removed when not in use.

6. Office supplies will be kept in a locked room/cabinet and allotted to employees on an as-needed basis.

7. Employees will report missing office equipment or other valuables to their supervisor immediately.

Policy for the Identification, Apprehension, and Prosecution of Criminals

In order to assist in the identification, apprehension, and prosecution of persons who commit or who attempt to commit crimes of robbery, burglary, larceny or embezzlement at any office of [Your] Credit Union, the [Title of Person Responsible] will be responsible for implementing the procedures prescribed in this security program.

Procedures for Maintaining Records of Crimes

1. A copy of the police report or other detailed record of any robbery, burglary, or larceny at any credit union office will be kept at the main office and filed with the [Title of Person Responsible].

2. A Criminal Referral Form will be filed any time an officer, director, employee or agent of the credit union is suspected of embezzlement.

3. The CEO will report all such incidents promptly to the Board of Directors, unless a member of the Board is suspected of the crime. If a member of the Board is a suspect, the report will be made only to the other members of the Board.

4. Records of such crimes and supporting documentation will be kept for at least ten years from the date of the report.

Procedures for the Maintenance of Bait Money

1. Bait money will be kept at each teller station and in the vault or safe where currency is kept at each credit union office.

2. Bait money will consist of used Federal Reserve Notes in nonconsecutive order with no obvious markings. If the notes are strapped, the dated strap will be kept current.

3. A record of bait money listing the denomination, bank of issue, series year, and serial number for each note will be kept in a secure location away from currency and other valuables at each credit union office. The preparer and a second employee who verifies that the record is correct will sign the record.

4. Periodic audits of bait money will be conducted at each office on a random basis. A record of these audits will be maintained. All bait money violations will be reported to the [Title of Person Responsible].

Height Reference Markers

1. Height reference markers or visible strips of tape at a six-foot height will be on doorframes at all office entrances.

2. All employees will be trained to use these markers to estimate a suspect's height.

Rubbish Retention Procedures

1. All waste paper from the teller stations and other areas where transactions are conducted will be kept in separate bags or containers, labeled and dated.

2. The labeled bags or containers will be retained for a period of at least one week.

3. After the retention period has expired, discarded documents (e.g. discarded deposit or withdrawal receipts, voided checks, applications, etc.) will be shredded, incinerated or disposed of by a bonded recycling contractor who guarantees their destruction.

Security Training Policy

It is the policy of [Your] Credit Union to provide a program of initial and periodic security training for each employee as prescribed herein.

Security Training – Security Officer

The Security Officer will receive periodic training designed to foster effective administration of this security program. This training program will keep the Security Officer informed of current industry standards for security devices and procedures, criminal activity in the area, and security-related issues. The Security Officer shall document training received. The training will include, but not be limited to:

1. Periodic consultation with law enforcement officials.

2. Membership in professional security organization(s) and/or attendance at organization meetings.

3. Periodic consultation with security consultants or security equipment vendors regarding current industry standards for security devices and procedures.

4. Attendance at security training seminars or classes.

Security Training – Employees

The Security Officer will develop and implement a program to provide initial and periodic training of employees in their responsibilities under this security program, including operation of security devices, and in proper employee conduct during and after a robbery, burglary or larceny. Employees newly hired or transferred to a new position must complete initial security training before being put on permanent assignment. Periodic training for each employee will be scheduled at least twice a year. Such training will include both a review of material contained in the initial training, and new material designed to address current security concerns.

Employee Response to a Burglary or Larceny - Alarm Not Sounded

Each employee will be trained to follow this procedure upon the discovery of an apparent burglary or larceny:

1. Immediately report the apparent crime to the supervisor, VP/Manager of Member Services, local law enforcement officials and the FBI.

2. Cordon off the crime scene. To protect physical evidence, avoid disturbing or handling any object the criminal may have touched.

3. Cooperate with the police investigation.

4. Discuss the crime only with designated credit union and law enforcement officials.

Burglar Alarm Response

Each credit union office will prepare a list of employees who have keys to the office and are authorized to respond to a burglar alarm. The list will include the employees' telephone numbers. Copies of this list will be filed with the [Title of Person Responsible], and the alarm monitoring service (Security Service). When a burglar alarm is sounded, the monitoring service will contact an employee on the list to assist in the alarm investigation. Responding employees will be trained to follow this procedure.

1. When contacted by the monitoring service (Security Service), proceed to the credit union office. If the police have not arrived, wait in a locked vehicle a safe distance from the office for their arrival.

2. After the police have surveyed the exterior of the office for signs of forced entry, permit their access to the facility and assist in their investigation when they indicate it is safe to do so. (Use extreme caution because an intruder may be hiding in the office.)

3. Conduct an interior inspection of the office with the police. Thoroughly examine all six sides of the vault or safe for signs of forced entry.

4. If a burglary has been attempted or committed, immediately notify the CEO and the FBI.

5. Cooperate with the police investigation.

6. To protect evidence, avoid disturbing or handling any object the burglar may have touched.

7. Discuss the crime only with designated credit union and law enforcement officials.

Employee Conduct During a Robbery

In the event of a robbery, the safety of members and employees is of primary importance. All employees will be trained to follow this procedure during a robbery.

1. Remain composed and try not to panic. Avoid sudden movements or any action that might provoke the robber.

2. Follow the robber's commands exactly without hesitation or resistance. Avoid making overt movements other than those ordered by the robber.

3. Activate the silent alarm and include the bait money if it is safe to do so. Any other personnel should squeeze the hold-up alarm if it can be done safely and undetected by the robber.

4. If the robber demands a certain amount of money, surrender the exact amount. Do not volunteer additional currency or information about where additional funds are stored.

5. If a note is passed, handle it carefully. Hold it near the edges to preserve fingerprints. Set the note aside; return it only if the robber asks for it.

6. Be observant. Memorize the robber's physical features, voice, clothing, weapon and any other distinguishable characteristics, which may be useful for identification. Remember everything the robber touches and report it later to the police. If more than one robber is present, concentrate on the nearest one.

7. Lock the doors immediately after the robber(s) exit the office and secure the crime scene.

8. Call police by telephone immediately after the robber(s) have left the area and provide them with as much information as possible (e.g., description and direction of travel, getaway vehicle, etc.).

9. Cooperate with the law enforcement investigation by providing witness/victim statements and completing description forms.

10. Preserve any evidence left behind by the robber or other items found material to the case.

Employee Conduct After a Robbery - [Title of Person Responsible]

After a robbery, the [Title of Person Responsible] should take the following actions. In the event the [Title of Person Responsible] is absent or incapacitated, another manager may be required to fulfill these responsibilities. All employees will be trained to follow this procedure:

1. Distribute Robbery Assignment Cards #1 through #6 to available personnel (sample cards are attached).

2. Meet the victim teller or employee at door or window.

a. If robber is still in view, hold your position to observe direction of escape and description.

b. Relay this information to assistant calling police.

3. Lock all doors and place Office Temporarily Closed signs in clear view.

4. Wait at the door for police to arrive and control access to building.

5. When certain the robber has left the area, or when instructed to do so by the police dispatcher, direct an employee to exit the building carrying the All-Clear Placard aloft and wait for the police.

6. Coordinate the investigation with law enforcement, employees and members.

7. If requested, provide law enforcement with copies of the Record of Bait Money Form for the currency stolen.

8. Discuss the robbery only with designated law enforcement and credit union officials.

9. Fill out a Description Form/Ident-A-Card of the robber (see attached sample).

Teller Conduct After a Robbery

Steps to follow immediately after a robbery:

1. Remain at your workstation.

2. Secure all remaining currency and valuables.

a. Complete any transaction in process and inform all other members that the office is temporarily closed for further business.

b. Lock your cash drawers.

3. Protect physical evidence.

a. Rope or block off areas around your station where the robber might have been.

b. Do not touch any object the robber might have handled.

4. List the names and addresses of the last few members you waited on prior to the robbery (these members may have witnessed the robber's arrival).

5. Discuss the robbery only with designated law enforcement and credit union officials.

6. Fill out a Description Form/Ident-A-Card of the robber.

Employee Conduct After a Robbery

Certain actions must be taken immediately after a robbery. In some cases (e.g., a robbery involving a lone note passer) the victim employee may be the only person aware that the robbery has taken place.

All employees will be trained to follow this procedure:

1. Actuate the silent alarm as the robber is leaving the office, even if it has been actuated once before.

2. Lock cash drawers to secure any remaining cash or valuables.

3. Notify [Title of Person Responsible] that a robbery has occurred as soon as it is safe to do so.

4. After the robber has left the office, carefully approach a window or door to observe the direction of escape. Observe any accomplices or witnesses outside. If a vehicle is used, try to obtain its description and license plate number.

5. Discuss the robbery only with designated law enforcement and credit union officials.

6. Fill out a Description Form or a Description Form/Ident-A-Card of the robber.

Personnel Given Robbery Assignment Card #1

The employee who is given the Robbery Assignment Card #1 shall complete the following steps immediately after the robbery:

a. Lock the doors.

b. Observe escape vehicle and route (do not exit branch).

c. Record vehicle license number and description, if known.

d. Close blinds or curtains.

e. Post sign on door and at the drive-in window to alert members (see attached sample).

f. Assign a staff member to stand at the door to admit authorized persons only.

Personnel Given Robbery Assignment Card #2

The employee who is given the Robbery Assignment Card #2 shall complete the following steps immediately after the robbery:

a. Call the police at 911 to report the robbery.

b. Provide the police dispatcher with your name, the address of the branch and the telephone number of the branch where the robbery has taken place.

c. Remain on the telephone until instructed to hang up by the police dispatcher.

Personnel Given Robbery Assignment Card #3

The employee who is given the Robbery Assignment Card #3 shall complete the following steps immediately after the robbery:

a. Notify credit union management at ______.

b. Provide the branch location, address and telephone number.

c. Remain on the telephone with management until instructed to hang up.

Personnel Given Robbery Assignment Card #4

The employee who is given the Robbery Assignment Card #4 shall complete the following steps immediately after the robbery:

a. Activate the alarm if not already done.

b. Isolate the victim teller(s).

c. Lock all teller drawers.

d. Rope off victim teller window/area.

e. Place evidence (note) in plastic pouch.

Personnel Given Robbery Assignment Card #5

The employee who is given the Robbery Assignment Card #5 shall complete the following steps immediately after the robbery:

a. Ask members and other witnesses present to gather in the member service waiting area.

b. Instruct them not to discuss their observations with anyone until they have completed a witness form and have been interviewed by law enforcement.

c. Distribute staff badges to employees.

d. Distribute description forms to all witnesses for completion (see sample attached).

e. List the names, addresses and telephone numbers of all witnesses on a Robbery Witness Record.

f. If you need assistance, appropriate dialog can be found on the reverse side of Card #5 and is enumerated herein:

1) No Injuries

“We have experienced a robbery. There do not appear to be any injuries. The robber has left the branch and the doors are locked. Telephone calls to appropriate law enforcement and credit union personnel are being made. Please have a seat in the member service waiting area and do not discuss the robbery with anyone. The police will arrive soon and they will take your statement. I am going to pass out robbery witness forms for you to complete. The forms are self-explanatory, but if you have any questions, I will be glad to assist you.”

2) Possible Injuries

“We have experienced a robbery. The robber has left the branch and the doors are locked. Telephone calls to appropriate law enforcement and credit union personnel are being made. If you have been injured, please let me know at once. Please have a seat in the member service waiting area and do not discuss the robbery with anyone. The police will arrive soon and they will take your statement. I am going to pass out robbery witness forms for you to complete. The forms are self-explanatory, but if you have any questions, I will be glad to assist you.”

Personnel Given Robbery Assignment Card #6

The employee who is given the Robbery Assignment Card #6 shall complete the following steps immediately after the robbery:

a. Pull drive window shades.

b. Recall drive-in tubes.

c. Turn on lane-closed lights.

Dealing With the Media After a Robbery

1. The [Title Of Person Responsible] will be the designated official spokesperson. All other personnel will refrain from making any public statements.

2. Do not allow members of the press to enter the building until the police and the FBI have given clearances.

3. Do consult with law enforcement officials before releasing any information about the robbery to avoid hampering their investigation.

4. If there are no objections by law enforcement officials, the [Title Of Person Responsible] may release the following information:

a. Their name, title & business telephone number as the official spokesperson.

b. The time the robbery occurred.

c. A brief statement assuring members that all deposits are insured against robbery losses.

Extortion And Bomb Threats

Each extortion attempt and bomb threat is a unique situation. There are common features, however, and there are common actions that are appropriate. When an extortion or bomb threat telephone call is received, the following principles apply:

1. Remain calm; make notes of the conversation, noting the time the call was received and the caller's sex, race, accent, speech defects, mannerisms, approximate age, any background noises, etc.

2. Obtain as much information as possible from the caller in order to ascertain the nature and validity of the threat as well as the details of the demand.

3. Always stall for time; always request additional time to meet the demands.

4. If possible, use the attached kidnap/hostage call checklist. Follow the instructions on the checklist.

5. After the caller has hung up, immediately call the following:

a. The FBI,

b. The local police, and

c. The credit union security officer.

6. The attached checklist should be kept immediately available.

Extortions

In addition to the above, a system should be in effect in all branches whereby the person receiving the call can signal or otherwise notify another person in the branch to contact the recipient's family by phone for immediate verification of the seriousness of the threat. If possible, this should be done while the caller is still on the phone. The credit union has an extortion pack of $______ of 10's and 20's. None of the straps on the money has been dated, and each bill has been microfilmed. If we have to deliver cash to an extortionist, this money will be delivered. Later, it will be relatively easy to track the cash.

Bomb Threats

In addition to the above, no evacuation should be made without attempting to obtain authorization from the security officer, the president, or the executive vice president. The branch manager may take independent action only when he/she cannot contact one of these people, and the threat is imminent.

Credit Union Officer Personal Profiles

Most kidnap/hostage threats are directed at credit union officers; therefore, confidential personal identification files will be kept on each officer by the credit union's security officer (see following pages). The information will be sealed in an envelope, and the information will be used to compare known information to that stated by the extortion caller.

The security officer will also:

1. Not indicate on the envelopes their intended use.

2. Not allow the profile sheets to be reproduced by anyone.

3. Instruct the officers filling out the forms that they are not to keep a copy.

4. Restrict access to the envelopes to the security officer only. In his or her absence, the president, executive vice president, or the personnel officer should have access to the envelopes if an extortion is attempted.

Civil Disorders, Fire, And Floods

Planning in advance for emergencies of these types can reduce risk to employees and loss to the credit union. Each branch manager will develop specific branch plans that contain the following:

1. Specific duty assignments for each employee.

2. Planned escape routes from the premises and by car from the area.

If Trouble Appears to be Imminent

1. Notify the security officer.

2. Close the branch. Lock all doors and close all drapes and blinds.

3. Place the following into the vault:

a. Currency, including coin if possible.

b. Counter work, including deposits, cashed checks, night deposit bags, cashiers checks, money orders, travelers checks, records, etc.

c. Working supplies, including cashiers checks, savings bonds, certificates of deposit, incoming and outgoing collections, etc.

d. Loan records including notes, negotiable collateral, payment cards, etc.

4. If time permits, also place the following secondary items in the vault:

a. Check files (paid checks and deposits for current month).

b. Checking and savings ledgers and printouts.

c. Signature cards of all types.

d. Any other important branch records.

5. The vault is to be closed and locked without setting the time clocks.

If Trouble is Not Imminent

If the branch manager has advance information that trouble is likely, he or she should prepare by placing the items listed above in the vault except for those items absolutely necessary to keep the credit union open. Cut cash to minimum levels. Also, call the security officer and discuss the situation.

Fire Plan

1. Never shout, "Fire."

2. Never use elevators. Keep calm.

3. Remove personnel in immediate danger.

4. Close all doors to confine fire and smoke and to cut down on drafts.

5. Call the local fire department.

6. Combat the fire with extinguishers as much as possible.

7. Place primary and secondary items in the vault and close it.

8. Clear all hallways and corridors of equipment.

9. Evacuate the building.

10. Proceed to designated assembly area.

11. Set up controls to preclude anyone other than firemen from entering the building.

Security Training Meetings

Each branch manager will conduct regularly scheduled training meetings covering all areas of security involving that branch. The credit union requires these training sessions be conducted monthly and that each session last at least fifteen minutes. These meetings should ensure that:

1. All employees are familiar with the material contained in this security plan.

2. All employees are properly instructed in the use of the alarm systems.

3. Opening and closing procedures are in effect and are being followed but are changed periodically. Employees should avoid particular patterns of arrival and departure.

4. All employees are "security conscious," watching for loiterers and suspicious-looking individuals, especially those seeking change or attempting to open a small account.

5. It is mandatory that all workmen or others requesting access to the credit union provide proper identification and that this is thoroughly examined.

6. All employees are given holdup cards, description forms, etc. The purpose for each form should be explained.

7. The importance of keeping cash to a minimum should be explained. Also, each teller must be trained in handling the robbery pack.

8. The telephone numbers for the appropriate local police department, the local FBI office, and appropriate fire department station should be posted throughout the credit union.

9. It is of major importance both for the safety of individuals and to the security of the credit union that each branch employee is familiar with the conduct expected of him in case of a holdup or any other emergency.

Suspicious Activity Report Form

The Suspicious Activity Report (SAR) is required by NCUA for reporting criminal activity.

Since money laundering and structuring transactions to avoid currency-transaction reporting are federal crimes, apparent violations of these types should be reported to the NCUA, the US Attorney, and the local office of the IRS's Criminal Investigation Division. On a voluntary basis, suspicious currency transactions can be reported to the IRS (and other law enforcement authorities). Such "suspicious transactions" might involve deposits and withdrawals in amounts of less than $10,000 when circumstances suggest an illegal purpose. Certain reporting requirements are voluntary. For example, losses or apparent violations aggregating less than $5,000, where the credit union has no substantial basis for identifying a possible suspect, may be reported, but it is not a mandatory requirement. It is also permissible for a credit union to report losses under $1,000, where the credit union has a substantial basis for identifying a possible suspect. Please note, however, when a credit union employee (or agent) is suspected, a report must be submitted regardless of the amount of money involved.

Sample Letter To Family Members

TO: The Families of All Credit Union Officers

FROM: The Board of Directors and the President

RE: PROCEDURES IN THE EVENT OF A KIDNAPPING

During ______03, there were ____ attempted extortions kidnappings involving officers of financial institutions. Of these ____ incidents, in ____ cases hostages were actually taken; seven were credit union employees and ____ were family members of credit union employees. No hostages died during 2003 and only ____ was injured. When we compare these numbers to the fact that there are over 11,000 credit unions in the United States and well over a million credit union employees, the chances of your being involved in a kidnapping or an extortion attempt are quite remote. Nevertheless, it is still prudent that we take a few precautions and prepare for any eventuality.

You have an important role to play in our efforts to keep extortionists from being successful. Before going into these plans, however, let us assure you that your safety, that of your husband, and that of your children is of utmost importance to the credit union. No one at the credit union, at any time, will take any action that will jeopardize your safety. All our plans are built around the cardinal principle: the safety of our people and their families comes first.

THE TELEPHONE REPAIR PLOY

A favorite trick of extortionists is to pretend to be a telephone company employee who is "working on the line." The telephone company almost never "works on the phone line." The extortionist will say if the phone rings, let it ring until they can get it repaired. This way your husband cannot call you because you will not answer the phone.

If an instance similar to this occurs, do not let the individual into the home. Get the person's name, and the name of his or her supervisor; call the telephone company using the number listed in the front of the book and not a number given you by the "employee." Verify the repair work. If the repair work is legitimate, this will only take a few minutes. If it is a ruse, by your actions you will have foiled the effort, and the extortionist will likely flee.

If the telephone company says no such work is in progress, immediately call your husband and tell him what has happened and ask him to call the police. This way your husband has been alerted, the police have been alerted, and the credit union has been alerted. Under the circumstances you are relatively safe even if the extortionist has not left the premises; help will be on its way to you in a matter of seconds.

If you can, leave the house, go to a neighbor's home, or take whatever action you and your husband have prearranged. The two of you should discuss this letter and work out contingency plans that best fit your personal situation. It may include going to a neighbor, going to the children's school, going to a nearby store or church, or locking yourself inside the home. It must be a plan such that your husband will know what you will do. As soon as you arrive at your destination, call your husband; the actions the credit union and the police will take depend very much on our knowing you and the children are safe.

Any suspicious telephone calls or disruption of telephone service should trigger your plan. Any request that you not answer the phone if it rings should trigger preplanned action. The first step in this action should be a telephone call to your husband, to his secretary, or to someone else in the credit union. Let someone near your husband know what is happening immediately.

The odds of your actually being kidnapped are extremely small, less than one chance in a hundred thousand, but it could happen. If it does, even here statistics strongly suggest that you will not be harmed. It is quite seldom that credit union family members are harmed and then only because someone succumbed to panic. If you do not panic and if the people at the credit union do not panic, in almost all cases you or the children will not be harmed. The extortionists are after money and they do not want to spend the rest of their lives in prison. They will not be taking unnecessary chances and neither should you.

Our advice to you is quite simple: Cooperate. If you are taken hostage, do nothing that will increase the chances of your being harmed. At the same time, to the extent that you can, start taking mental notes, be prepared to tell the FBI and the police as much as you can about the incident. Ages, dress, accents, size, car descriptions, recollections of conversations, etc., all become extremely valuable as the FBI and police try to solve the crime.

The credit union is also developing plans for how the incident will be handled inside the credit union. These plans are beyond the scope of this letter; we suggest that you and your husband discuss them in some detail. After these discussions, if you have questions or suggestions, please call our security officer, Mr. ______ at XXX-XXXX. He will be glad to answer any questions you might have.

Information Security

Program Overview

The purpose of this information security policy is to augment the existing policies on Privacy and The Bank Bribery Act with supplemental emphasis on protection of information stored and maintained by this Credit Union. For the purposes of this policy, any transmission of information about a member’s account or status with this Credit Union is considered the same whether it is done orally in person, orally over the phone, via facsimile, e-mail or in any written form.

The policies have been approved by the Board of Directors and will be followed by management when implementing the information security policy.

Risk Assessment

The credit union will assess risks that may threaten the security, confidentiality or integrity of member information or member information systems by:

1. Identifying all reasonably foreseeable internal and external threats.

2. Determining the likelihood and potential damage of internal and external threats.

3. Determining the sufficiency of the credit union’s policies, procedures and member information systems to control the identified risk.

Consideration will include Employee Controls, Physical Controls, Hardware Controls, Software Controls, Authentication Controls, Electronic Mail Controls, Information Transmission Controls, Internet Controls, Service Provider Controls, Information Disposal Controls, and Remote Access Controls.

Risk Control

Identified risk will be controlled by establishing and maintaining written procedures designed to implement, maintain and enforce the information security program.

The credit union will monitor, evaluate, and adjust, as appropriate, the program in light of any relevant changes in technology, internal or external threats to information, and the credit union’s own changing business arrangements with regular testing of key controls, systems, and procedures. This directive will concern itself with specific threats, as they exist now.

Staff Training

Employees are granted access to information commensurate with their position and will be trained with regard to their responsibilities under this policy.

Service Provider Arrangements

The credit union will exercise appropriate due diligence in selecting its service providers to ensure appropriate measures are taken by the provider to protect the confidentiality of the member’s nonpublic information.

Review

Reports shall be made regularly (no less than annually) to the Board of Directors on the current status of the information security program.

General Prevention

The release of any information, other than merchant verification of funding in a member’s draft account, must have written authorization by the member. This authorization can be done by facsimile. E-mail signatures, however, are not sufficient.

Specific Threats to Securing Information

Several areas of immediate concern are dealt with specifically herein; however, two specific areas of concern will be addressed relating to computer hackers and infections by computer viruses.

Hackers-Unauthorized Access to the Credit Union’s Computers

There are two avenues by which a hacker could enter the ______ Credit Union’s computer:

1. Through the Credit Union’s modem/broadband connection on the main computer. This connection has a mechanical switch box/remote access system (RAS). (This switch [RAS] should be turned to a non-support position or turned off when not needed and whenever the Credit Union is closed.)

2. Through computers on the Credit Union network, which have access to the ______ Internet/Intranet. The firewalls between the Credit Union’s server and the Internet/Intranet are the weakest area for a threat to penetrate. The ______ (IT Department/Information Services Security Team) monitors all computer activity coming in through its system and has procedures in place to detect and block unauthorized entry into the system.

Virus and Information Attack

All employees are cautioned not to open emails from outside the credit union network where they do not know the sender. Unfortunately, this is not much of a deterrent to computer viruses. Therefore, the credit union’s server and all computers that are connected to the server are installed with anti-virus software that provides for automated updates to all network computers on a daily basis. Employees shall ensure that this anti-virus software remains active on their computers, i.e., under no circumstances shall the anti-virus software be deactivated.

Once a virus is detected by the Virus Scan or suspected due to the behavior of the computer, the ______ I/T department/Information Security Team should be contacted and their instructions followed. If possible, the affected computer shall be disconnected from the server/other computers so as to isolate the virus’ effects.

Employees who discover that their computer is infected with a virus shall follow the instructions of the ______ [IT Department] in order to correct the problem. (All efforts should be made to contain the virus in the computer it initially infected.)

The IT staff currently backs up the data processing system every night, and each desktop computer is backed up ______ (daily, Fridays, etc.). These backups shall be used to restore the computer system in the event of a loss of data resulting from a major disaster or system failure. In some instances all work processed since the last backup may have to be manually re-entered. This decision will be made by the IT Department after the system has been restored from the backup tape.

Pretext Callers - Federal laws apply to those persons who try to obtain personal financial information under false pretenses. Callers should be told that the information requested is not available over the phone. If a person is trying to obtain information on someone else’s account in person, the staff should attempt to distract that person and notify management, who will alert the police.

Verifications Over the Phone - The staff of this Credit Union should make a practice of not giving information over the phone other than merchant verification of funds on draft accounts. This will discourage pretext callers and reduce the volume of member callers who have other means to access their account information (Audio Response, ATMs, Internet, etc.).

Other Sources Of Reference:

Please refer to any of the following for further guidance in this matter:

The ______ Disaster Recovery Plan

The ______

The ______ Credit Union’s Bylaws, Bank Bribery Act Policy, Security Policy and Privacy Policy.

Various Government and NCUA Letters, Directives and Policies on these issues, i.e., ______.

FRAUD POLICY

The ______ Credit Union considers any form of fraud or dishonesty on the part of its employees as totally unacceptable conduct. Acts which are considered to be either fraudulent or dishonest include, but are not limited to:

1. Manipulation of loan accounts, documents, computer records, and share or share draft accounts.

2. Theft of any kind, including stealing from members’ accounts, overpayment of dividends, and creating fictitious loans.

3. Check/share draft kiting.

4. Forgeries.

5. Unauthorized or unapproved salary advances or overtime reimbursement.

6. Intentional violation of credit union rules, internal controls, regulations, or procedures.

7. Intentionally failing to secure collateral, to properly record a security interest in collateral, or pledging a member’s shares as collateral without that member’s permission.

8. Granting or requesting preferential treatment for ANYONE.

I have read the above Fraud Policy. I understand that management will not tolerate fraudulent or dishonest activities of any kind and that I am not to engage in acts of fraud or dishonesty while employed at the ______ Credit Union.

Dated this ______day of ______, 20_____.

______Witness Employee

Insert credit union name and logo

Security Incident Report

Date Reported:
Reported by:
Phone:
Case File No.:

Date of Incident:
Time of Incident: ___a.m. ___p.m.
Amount of Loss: $
Building/Branch:
Department:
ATM? ___ yes ___ no

Type of Incident

__Assault __Criminal Trespass __Scam __Bomb Threat __Robbery __Suspicious Activity __Burglary __Larceny __Other______

Injuries? ___yes ___no
Weapon used? ___yes ___no
Victim? ___Member ___Visitor ___Employee ___CU ___Other
Victim Name:
Address:
Home Phone:
Business Phone:
If member, account no.:

Police Report

Police Notified: __yes __no
Time: _____ a.m. p.m.
Agency:
Officer:
Report No:

Suspect

Suspect Name:
Arrested? __yes __no
Arrest Date:
Court Date:

Incident Details:

NOTICE TO ALL MEMBERS

THIS OFFICE IS TEMPORARILY CLOSED DUE TO A ROBBERY.

THE NEAREST BRANCH OR SERVICE CENTER IS AT (insert address)

WE APOLOGIZE FOR THIS INCONVENIENCE AND APPRECIATE YOUR COOPERATION.

Robbery Witness Record

Branch: Date:

Name Address Telephone
