Using a polygraph to ensure the security of a commercial bank.
The development of market relations in Russia and the emergence of commercial enterprises of various forms of ownership have led to the emergence of a new class of crimes in the country, which have existed abroad for many decades and are united by the common name of “crime against business”.
Today, strengthening the stability of the financial and banking systems remains an important area of ensuring the country's economic and national security. A significant component of this problem is increasing the level of protection from illegal encroachments by commercial banks.
Unlike countries with developed market economies, which have time-tested traditions of combating crimes and other offenses against private property in the financial and banking sectors, Russia's experience in this area is determined by a very significant historical circumstance.
Namely: a historical break in the very existence of the institution of commercial banks, which was restored only in the recent past. Due to this reason, the country lost a significant part of its experience in ensuring banking security in the pre-Soviet period.
At present, this gap is being actively filled by domestic scientists and practitioners. Modern means and methods of protecting commercial banks are being developed.
On this path, there are certain difficulties caused by the peculiarities of the organization and functioning of the bank protection system, ensuring the security of new areas of banking activity and new banking technologies.
The role of the bank security service
One of the features of ensuring the security of credit institutions is that the legislator has assigned the main work on organizing protection from criminal activities to the banks themselves. For this reason, the overwhelming majority of banks are forced to include in their structure the bank's own security services (protection of interests), which perform the specified functions.
The named units actively interact with state law enforcement agencies in the areas of protecting banks from penetration by organized crime groups; protecting banking institutions and their employees from criminal attacks; developing and implementing special technologies for technical strengthening and protection of banking facilities and communications.
Together with law enforcement agencies, they improve security systems for the collection and transportation of funds, as well as banking facilities: currency exchange offices, vaults, offices, etc.; implement measures aimed at preventing and solving crimes, etc.
However, despite such a wide range of areas of joint activity, the tasks of the bank's security service have accents that distinguish them from the tasks of law enforcement agencies. First of all, they concern the relationship between preventive measures and measures of criminal-legal influence in the sphere of ensuring security.
Undoubtedly, the interests of ensuring the security of a bank (as well as any object of protection) are largely associated with the use of such means and methods of prevention that allow preventing the criminal intentions of subjects before committing a crime and initiating a criminal case. Moreover, from the standpoint of the object of protection itself, the named preventive measures are preferable and should be implemented in the first place.
A similar position is declared by law enforcement agencies, but in the real situation the share of preventive measures in their activities and the activities of bank security services differs significantly. The preventive functions in the work of investigative bodies occupy more than a modest place.
In addition, it should be emphasized that threats to the security of banking activities (in the broad sense of the word) are not limited to criminal encroachments.
A very extensive list of actions dangerous for the bank appears in the form of civil torts and official misconduct. For this reason, the functional responsibilities of the security service also include tasks related to the identification and investigation of official misconduct of employees, violation of labor and civil law, internal (local) regulations of the bank, with ensuring compensation for damage caused by these misconducts.
The bank's security service is involved in the implementation of internal control tasks, conducts internal investigations, prepares materials for making decisions on the full financial liability of an employee or a team (brigade) of employees. In addition, based on internal investigations conducted by the security service, decisions are made to terminate an employment contract with an employee directly handling monetary or commodity assets due to the loss of trust in him/her by the employer. Specific tasks for ensuring the security of the bank's infrastructure are related to the protection of the personnel and business reputation of the credit institution.
The need to use new technologies
The solution to the above-mentioned problems requires qualitatively new methods and means of research, verification and evaluation of information, on the basis of which decisions are made in the field of security. This is especially true in cases where, due to the specifics of the technology (operations), traditional methods and means do not make it possible to identify the specific culprit of the event (in areas where the said events occur, an agreement on collective (team) responsibility is usually concluded with workers).
New scientific and technical means of research (observation) are also needed to improve the quality and reduce the time required to check candidates for employment at a bank and in a number of other cases. The polygraph is one of these innovations, which is becoming increasingly widespread in the practice of domestic law enforcement agencies and non-governmental security services.
Today, the monographic educational and practical manual “Commercial Bank Security” is of undisputed interest in the financial and banking sphere. The work in question provides a systematic description of the features of common crimes that infringe on the security of commercial banks, the ways in which they are committed, as well as rational methods and techniques for identifying, preventing and suppressing criminal attacks committed in the credit and financial spheres.
In particular, the authors cite data showing that “about 90% of abuses in the financial sector related to violations in the field of information security occur with the direct or indirect participation of current… bank employees” (p. 150), and also refer to judicial statistics, according to which 30% of criminal attacks on the interests of commercial structures are committed by “their own employees” (p. 171).
As a result, it is stated that “the staffing of a bank with highly professional and reliable personnel capable of achieving high labor productivity (profit), skillfully protecting the rights and interests of the bank… is one of the main conditions for ensuring the economic security of the bank” (p. 163).
At the same time, it should be emphasized that, having paid considerable attention to the “human factor” in ensuring the security of a commercial bank, the authors only briefly mentioned a few times the possibility of using a polygraph for the purpose of preventing criminal attacks and during official proceedings when solving crimes committed by “their own employees.”
Considering the fact that the issues of using a polygraph for the specified purposes were not adequately reflected in the training and practical manual, we will dwell on them in particular.
Two classes of crimes
From the point of view of the practice of using a polygraph, the entire variety of criminal attacks on the property or infrastructure of a bank can be divided into two large classes:
• crimes committed by third parties who are not bank employees or without the assistance of the latter.
• crimes that cannot be committed without the participation of bank employees.
The second class includes two groups:
a) crimes committed only by bank employees (without the participation of third parties).
b) crimes committed with the complicity of bank employees.
Crimes of the first group include, for example, various types of theft and illegal use of cash and equivalent funds, as well as criminal offenses related to the abuse of official powers, caused by commercial bribery, when the subject of the crime can only be a person performing managerial functions, or implemented in the field of computer security. In the latter case, in addition to third parties (hackers or employees of a competing bank), the most qualified categories of bank employees with the greatest knowledge of automated systems, such as system administrators and other employees of bank automation services, often take the criminal path.»
The second group of crimes (committed with the complicity of bank employees) should include, for example:
a) theft of money from current and settlement accounts of clients, when money is transferred to other accounts using forged payment orders
b) misappropriation of bank funds by stealing expense documents (money checks) located in the cash register: the perpetrators of such thefts may be the client himself or a bank employee in collusion with him
c) illegal acquisition of confidential information by stealing documents or unauthorized access to computing equipment or automated systems.
Unfortunately, the above lists of criminal offenses are not exhaustive.
To summarize the brief overview of crimes committed by bank employees or with their participation, it can be stated that a fairly large «risk group» is formed among bank employees. These are employees who, on their own initiative, due to external circumstances or under the influence of structures unfriendly to the bank, are inclined to commit criminal offenses.
Such a «risk group» primarily includes:
• persons vested with administrative functions in relation to valuables, property and confidential information, making decisions on conducting banking operations and transactions in financial markets (managers of the bank and its divisions, chief accountant).
• persons having access to banking operations related to transfers and issuance of funds (operators of the electronic settlement system).
• persons having permanent access to money (currency), valuables and securities (cashiers, collectors).
• persons having information related to banking secrecy and other confidential information (including the procedure for storing and moving money and other valuables).
• persons ensuring the functioning of automated control systems (ACS): operators, programmers, engineers.
• employees involved in the implementation of bank operations (transactions) in financial markets.
It is easy to see that the “risk group” potentially includes a very large number of bank employees and, in the absence of an adequate system of protection and preventive measures, along with external factors, poses a significant threat to the security of a commercial bank. That is why among domestic experts there is an established opinion that “a modern bank is an extremely complex and risky enterprise.”
The bank's existing security system
In order to assess the assistance that the introduction of a polygraph can provide in protecting the bank's commercial interests, we will briefly dwell on the basic principles of organizing the fight against illegal attacks on its economic activity (in the implementation of which, to one degree or another, bank employees are involved) and the currently established system of measures to ensure the security of work with personnel.
One of the most important components of the system of protection against criminal attacks committed by bank employees or with their participation is the establishment and strict observance of administrative control measures that strictly regulate the official duties of bank employees and the procedure for their implementation. In the event of the detection of a crime committed by bank employees (or with their participation), or the discovery of signs indicating the possibility of such a crime, the internal control service and the security service conduct an investigation into this fact (using overt and covert measures) in order to establish the damage caused, localize the zone of criminal attack or prevent the threat that has arisen.
To obtain information confirming the fact of a criminal attack, the security service uses methods of private investigation and forensics. At the same time, as stated above, some crimes remain undetected, and official investigations into a number of types of crimes are associated with significant difficulties and do not always lead to the discovery of the perpetrator. The latter, for example, applies to the illegal actions of cashiers at currency exchange offices, which consist in the fact that these persons can appropriate funds received as a result of a monetary transaction, or issue counterfeit certificates for the export of currency for a fee. It is difficult to combat these criminal acts because they are very difficult to detect: they can only be detected as a result of control exchange operations and detective (operational-search) activities, when the criminal is literally “caught red-handed”.
It is well known that when committing an illegal act, the criminal, as a rule, destroys its traces, thereby complicating or making it impossible to use private investigation and forensic methods. As a result, the official investigation is delayed for a long time or becomes unsuccessful.
At the same time, traces of illegal acts inevitably remain. These are the so-called “ideal traces” of the crime, that is, images of events (their circumstances, signs, etc.) stored in a person’s memory, and a polygraph survey serves as a reliable means of establishing (forensic diagnostics) the presence or absence of such traces in memory.
World practice and accumulated domestic experience indicate that a polygraph survey allows for the effective identification of information hidden by persons subjected to this procedure.
A polygraph examination (PUE) is a complex psychological and psychophysiological procedure and is a non-traumatic and harmless to life and health procedure for interrogating a person using special methods using control and assessment of physiological reactions that are recorded using sensors placed on his body. The purpose of the PUE is to assess the reliability of information previously obtained from the person being interviewed by recording the physiological reactions of the person being interviewed to the questions asked. Traditionally, the psychophysiological processes recorded are breathing, changes in the electrical resistance of the skin and the activity of the human cardiovascular system. In the interests of the PUE, other dynamic psychophysiological processes occurring in the human body can also be used, however, the three above are strictly mandatory in the world practice of performing PUE.
At present, the technology of using the polygraph for the specified purposes has been developed to a sufficient extent and gives the right to confidently state that the IIP can be successfully applied in the course of official proceedings in relation to any of the crimes of both of the above-described groups.
Possible situations for using the IIP
The use of the IPR is especially effective in three classes of situations, which, in relation to the practice of conducting official investigations carried out by the security service of a commercial bank, can be characterized as follows.
The first class includes situations in which the security service has no opportunity to obtain the information necessary for solving and investigating a crime without involving a specific person.
The second class consists of situations in which obtaining the information necessary for the security service is possible using traditional operational means or forensic methods, but this is associated with large material and/or time costs or the involvement of significant operational forces. The use of IPR allows you to choose the most rational way out of the situation, while saving the aforementioned resources.
The third class includes situations that require urgent (within a few hours or one or two days) receipt of information, and no other traditional methods or ways can provide the security service with the required speed of response. Only a polygraph that establishes the presence (or absence) of the required information in the memory of a specific person can solve such a problem.
However, for security services, the practical possibilities of using the polygraph technology are not limited to the sphere of official proceedings.
Screening polygraphs
For many decades, a number of countries around the world have been using the polygraph very effectively to ensure the quality of personnel work.
The emergence of screening OIPs was due to the fact that the employer — a government agency or a commercial enterprise — sought to use the labor of employees who, while performing their official duties, would not cause him any harm, damage, or violate discipline. To do this, the employer established a number of qualification, social and psychological requirements that the employee hired by him had to meet.
In essence, screening OIPs are aimed at improving the quality of official activity by identifying individuals who have concealed the presence of risk factors, i.e. the presence of non-compliance with certain requirements established by the employer. Thus, the screening use of a polygraph ensures the prevention of offenses or crimes that could be committed in the workplace (or related to the performance of official duties) by individuals of the specified category.
Foreign experience has shown that polygraph tests in HR work, depending on the need, should be used in three situations:
a) when hiring personnel.
b) during periodic (scheduled) personnel checks.
c) during random (unscheduled) personnel checks.
Obviously, these three situations are similar in essence, however, when performing the corresponding screening OIP, as a rule, different sets of risk factors are examined.
The list of risk factors submitted for verification during the IIP is determined by the social order established by the employer. Risk factors are usually negative — from the employer's point of view — biographical facts (for example, connections with criminal groups, commission of criminal offenses or criminally punishable acts not recorded by law enforcement agencies, etc.) or undesirable personal inclinations (alcoholism, drug addiction, a penchant for gambling, etc.). This list is formed, on the one hand, under the influence of the specifics of a particular type of activity that the hired or already employed employee is to carry out, and on the other hand, under the influence of the socio-psychological and economic conditions in which this activity is carried out. Risk factors may appear or, on the contrary, disappear depending on changes in the conditions of the activity or the external (socio-economic) environment.
The formation of the tasks of screening IIPs, i.e. the identification of risk factors, is carried out by the employer. If the list of risk factors is incomplete or incorrectly compiled, the purpose of the screening IIP will not be achieved, and persons who have concealed the presence of deviations from the employer's requirements may remain undetected.
In the case of performing screening IIPs in a commercial bank, the sources of information for forming the list of risk factors are the HR department, the internal control service and the security service, which carry out the corresponding control functions.
One should agree with the opinion of foreign experts that “polygraph tests are not carried out in isolation. They are carried out in the context of a broader program…During screening, a polygraph test is never used as the only means for making a decision. It is an addition to the existing personnel verification system.” It is clear that deviation from this principle inevitably entails a methodologically unjustified overestimation of the significance of the result of the screening IPR with all the ensuing consequences.
Based on the above comments, we will evaluate the possibilities of using screening IPRs in the fight against illegal attacks on the personnel support of the bank's activities.
One of the strategic tasks of the security service, internal control service and personnel service, as is rightly noted, is to protect the bank from the penetration of undesirable persons into its personnel. The use of a polygraph to solve this problem should be carried out in several directions.
Firstly, the IIP should become a systemic measure that helps improve the quality of selection of people hired by the bank. Considering the fact that the previously existing accounting system has been largely destroyed, obtaining reliable information about a job candidate is very difficult or simply impossible in many cases. The use of the IIP, based on a study of the memory of a specific person, allows us to check the most important facts of his biography, identify risk factors that he is hiding, and establish a reliable barrier against the introduction of special employees («moles») into positions in the bank that allow them to gain direct access to information and documents, or to secretly collect confidential information in the process of official (production) activities.
Secondly, the use of IPR will prove to be a very effective means of ongoing control over the activities of bank employees. First of all, the manuals identified by the authors and the six categories of employees mentioned above who fall into the “risk group” should be subject to periodic polygraph tests. World practice shows that periodic screening IPRs, in addition to their direct preventive effect, have a noticeable disciplinary effect on the working personnel. In relation to a commercial bank, this means that its employees are aware of the need to undergo a polygraph test, and all violations of established standards of official activity (and, especially, criminal offenses) committed by them will inevitably be identified.
The third area of application of screening IPRs, unscheduled (random) polygraph tests, has a more pronounced disciplinary effect. Employees of categories 1, 2, 3, 4 and 6 from the above-mentioned “risk group” should be subject to such IPRs, i.e. those persons who have access to “strategic” information about the activities of a commercial bank.
Legal basis for using a polygraph
Naturally, the reader may have a reasonable question: what is the legal basis for using a polygraph to ensure the security of a commercial bank?
The use of the information obtained as a result of the check when making a decision to refuse employment does not require special argumentation from the employer. Since in this case we are talking about the freedom to conclude an employment contract, the employer (bank) has the right to give preference to the candidate whose professional and personal qualities are recognized as preferable.
The authors' point of view on this issue is consonant with the opinion of G. Borland, one of the leading US experts in the field of using the polygraph, who, touching on the possibility of using the IIP in personnel selection, noted that «society must always balance between a person's right to privacy and the employer's right to hire the best, most honest and most productive workers.»
Thus, touching upon the first of the areas of using the OIP polygraph in ensuring personnel security of a commercial bank, it can be confidently stated that at present there are no legal barriers to the use of the OIP in the interests of checking persons hired for work. The need for a job candidate to undergo the OIP and his voluntary consent to this procedure must be reflected in the questionnaire, which is filled out when submitting documents to the HR service.
The possibility of using a polygraph in the second and third areas of ensuring personnel security must be enshrined in one of the regulatory legal documents governing the internal activities of a commercial bank. For the convenience of further exposition, we will use the draft regulatory legal documents provided in the appendix to the above-mentioned educational and practical manual «Commercial Bank Security».
If we refer to the “Model Regulation on the Organization of the Protection of Confidential Information Constituting a Banking, Commercial, and Official Secret”, then such a regulatory consolidation for a significant number of bank employees from the above-mentioned “risk group” can be made in section “4. Organization of lawful access of employees to information constituting a commercial secret”, clause 4.1 of which should be set out in a new version (the proposed addition is highlighted in bold), namely: “Persons wishing to obtain the right to work related to information constituting a banking, commercial, or official secret undergo a check (including a survey using a polygraph) in order to identify possible circumstances that impede their access to protected information” (p. 199). In this case, one of the grounds for denying a person access to the bank’s protected information may be (clause 4.4.3) “the person being checked evading verification measures (including a polygraph test) and/or knowingly providing false personal data” (p. 200).
The legal consolidation of the application of the IIP should be duplicated, for example, by introducing a separate provision into the “Model Agreement on the Registration of an Employee’s Access to Banking, Commercial, and Official Secrets,” which is an appendix to the employment contract. For example, in paragraph 2 of this document (“Terms of the Agreement”), the obligations assumed by the employee should be expanded: he is obliged “not to evade verification measures (including questioning using a polygraph) and not to knowingly provide false personal data” (p. 204).
In order for a polygraph to be used during an official investigation, the commercial bank’s regulatory and legal acts must provide for the procedure and, most importantly, the mandatory participation of bank employees in this procedure.
Thus, the proposed manual “Model instructions on the procedure for conducting an investigation into the facts of illegal receipt and disclosure of information constituting a banking, commercial and official secret, violation of the procedure for confidential office work” (pp. 206-209) should be supplemented accordingly. At present, employees assigned to conduct the investigation are granted the right (clause 3.5.1) “to invite employees for a conversation… (and) receive from them written explanations on the facts related to the subject of the investigation.”
It would be appropriate to supplement this clause with a provision stating that these employees have the right to “use, if necessary, a polygraph test on individuals involved in the subject of the investigation.” In order to ensure that employees conducting the investigation do not encounter a refusal from bank employees when it is necessary to use a polygraph on them, the above-mentioned “Model Agreement on Processing an Employee’s Access to Banking, Commercial, and Official Secrets” (which is an appendix to the employment contract) should be supplemented with a clause establishing the employee’s obligation to “actively assist in the official investigations being conducted and, if necessary, undergo a polygraph test.”
In conclusion, it can be stated that at present in Russia there are no laws or regulations that would prohibit the use of polygraph interrogations for the purpose of ensuring the security of non-governmental structures and, in particular, commercial banks.
Profitability of the OIP
In conclusion of the article, it is necessary to briefly dwell on the profitability of using the OIP in the practice of ensuring the security of a commercial bank.
A modern domestically produced computer polygraph (including the computer) costs about $6,500. Training a polygraph specialist, conducted in the amount of 200 training hours according to the program approved by the State Standard of Russia, costs about $3,000. Thus, it is easy to see that the costs of purchasing a computer polygraph and training a polygraph examiner
are incomparably less than the damage that can be prevented by timely “culling” of disloyal job candidates or bank employees as a result of their polygraph testing.
Source:
Gamza V.A.,
candidate of legal and economic sciences,
Chairman of the Board of Directors of OJSC «Agrokhimbank»,
Kholodny Yu.I..,
doctor of legal sciences, candidate of psychological sciences,
head of department of the Institute of Criminalistics of the FSB of Russia