Regulation on Minimum Security Requirements

Under Article 35, paragraph 1, sub-paragraph 1.1 of Law No. 03 / L-209 on the Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, nr.77 / 16 August 2010) and Article 1, Article 20 paragraph 1, subparagraph 1.3 and Article 85 of Law No. 04 / L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (Official Gazette of the Republic of Kosovo, No. 11 / May 11, 2012), the Board of the Central Bank of the Republic of Kosovo at its meeting held on March 26, 2015 approved the following: REGULATION ON MINIMUM SECURITY REQUIREMENTS Section 1 Purpose and Scope

1. This regulation shall set out the minimum security requirements in the financial and banking activities conduction premises, with the purpose of normal and safe conduction of these activities.
2. This Regulation shall apply to all banks and branches of foreign banks licensed by the Central Bank to operate in the Republic of Kosovo (hereinafter: the bank). Section 2 Definitions All terms used throughout in this regulation shall have the same meaning with those defined in Article 3 of Law No. 04 / L-093 for banks, microfinance institutions and non-banking financial institutions (hereinafter: the Law on Banks) and / or with the following definitions for the purposes of this Regulation:
3. “Bank counter” – shall imply the room which provides the establishment of a security distance between the bank tellers’ area and the customers’ area;
4. “Bank tellers’ area” – shall imply the entity premise, serving as a location place for the bank tellers;
5. “Saving and management area of monetary values” – shall imply the area within the bank premises where the bank vault is placed;
6. “Area of servers” - means the area where servers and other auxiliary equipment needed for communication services, signalling and other electronic devices that preserve bank’s notes are located;
7. “Conditions for safety” - include: 5.1. conditions for the physical protection;

5.2. conditions for the protection with personnel; and 5.3. conditions for the electronic protection; 6. “External security”- shall imply the service provided with personnel and conducted outside the external premises of the bank; 7. “Internal security” – shall imply the service provided by personnel and conducted within the internal premises of the bank; 8. “Private security company (PSC)” - means a legal person licensed by the Ministry of Internal Affair to provide security services in accordance with Law No. 04 / L-004 “On the security service” Section 3 Policies and procedures on the technical and security conditions

1. The Board of Directors of the bank shall approve policies for security and technical conditions of the bank, while the management board shall issue the necessary procedures and implement the policies of the bank.
2. The bank must have in its organizational structure a separate unit for drafting, monitoring and implementing procedures for technical and security procedures.
3. An employee, in the branches and banking agencies, in addition to the duty he carries out, shall be charged with the implementation of practices on the technical and security conditions.
4. The bank shall review and update regularly the policies and procedures on technical and security conditions. Article 4 General technical conditions for the activity conduction on premises of the bank
5. The bank carries out the activities within the premises, which meet the following requirements: 1.1. Have the space necessary and adequate temperature, light and moisture conditions for the employees, customers, for the maintaining of documentation and monetary values; 1.2. Have the adequate fire equipment; 1.3. Have an evacuation plan in case of emergency; 1.4. Are easily accessible by specialized units of the security and defence; 1.5. Have these areas clearly separated: 1.5.1. the customer’s area; 1.5.2. the bank tellers’ area, 1.5.3. the area for the store of physical monetary values 1.5.4. the area of cash storage; 1.5.5. the area where servers or the information technology equipment are installed.

1.6. Are equipped with a second and continuous source of power. 2. The banks shall inform the Police Station in the districts where the new branches and/sub branches shall be opened. 3. The banks shall sing a contract with PDSC (Physical Defence and Security Company), with regard to: a) the receiving and verification of alarm signal; b) security services; c) the transport of monetary values. Section 5 Standards on the security of bank teller’s area

1. Bank tellers' area must meet the following safety requirements: 1.1. to be a safe place, completely separated from the other areas of the bank; 1.2. to have in place monitoring system by cameras; 1.3. to have alarm buttons in each teller’s desk; and 1.4. have safety box or drawer dedicated solely to holding cash. Article 6 Conditions for the area of store and management of monetary values
2. The banks shall meet the following security conditions for maintenance and management of the monetary values area: 1.1. to be a safe place, completely separated from the other areas of the bank 1.2 to have in place electronic protection: 1.2.1. seismic detection sensors, 1.2.2. motion detection sensors, 1.2.3. smoke detection sensors; 1.3. to have in place monitoring system by cameras for: 1.3.1. the entrance in this area, 1.3.2. the internal premise.

Article 7 Conditions for the area where information technology systems (servers) are placed

1. The Servers shall be placed in a special area within the bank premises.

2. To enable storage of data and business continuity (as backup) in case of accidents or natural disasters, banks shall also assign a backup to another location, where to put the necessary servers. The backup location must be placed at a distance from the head office of the bank, according to international standards in this field.

3. Banks in their head offices and on locations for storing backup data shall meet the following safety requirements for the area of servers: 3.1. to have the necessary equipment to maintain the temperature at proper level; 3.2. to have the necessary equipment for proper humidity level; 3.3. to have in place electronic protection equipped with: 3.3.1. seismic detection sensors; 3.3.2. motion detection sensors,; 3.3.3. smoke detection sensors. 3.4. to have in place a monitoring system with cameras for: 3.4.1. the entrance in this area, and 3.4.2. its internal premise.

4. Paragraph 3 of this Article is also applicable to branches and sub-branches of banks, with the exception of subparagraph 3.2, which can be applied in those branches and subsidiaries for which is deemed necessary by bank officials for the maintenance of servers. Article 8 Conditions for protection by means of electronic equipment

5. The banks shall take measures on the protection via electronic equipment of the premises where they conduct their activity.

6. The banks, for protect via electronic equipment (of observation, registration and other) of the premises, shall meet the following security conditions: 2.1. have in place cameras which record in an uninterrupted way, the following areas: 2.1.1. external surface area of the bank; 2.1.2. the entrance within the internal premise, 2.1.3. the customer’ area; 2.1.4. the bank counter; and 2.1.5. the locations of cash withdrawal machine sites (ATMs), shall be protected with additional electronic equipment, as determined by the bank, depending on their risk assessment to the specific location of the ATM. 2.2. have in place a special digital appliance for the recording of views. This appliance should be: 2.2.1. placed in a safe environment, excluding the area for storage of monetary values; 2.2.2. time of records to be not less than thirty (30) days; and 2.2.3. be supported by devices that enable other location overlooking the split.

7. in cases when there are no direct views the monitoring of the bank shall be carried out, from: 3.1. manager's office; or 3.2. the office of security manager

8. have in place electronic protection provided by: 4.1. seismic sensors; 4.2 motion detection sensors; 4.3. smoke detection sensors; 4.4. alarm system mounted at manager's office or at the office of the officer responsible for the safety of employees; 4.5. internal alarm siren; 4.6. external alarm siren.

9. are directly related to sending alarm signals to: 5.1. the Police Station covering the area where the bank is located when this is feasible or physical security company that provides security services to the bank; and

5.2. the bank's monitoring centre. Article 9 Conditions for protection with personnel

1. Banks shall take measures for protection with personnel of the premises within which they conduct their activity.

2. Protection with personnel of bank’s premises and building includes: 2.1. the external security of bank branches and sub – branches, over the business time, shall be carried out by private companies or other security institutions, that is to be established or not, depending on the risk rate perception; 2.2. the internal security of main branches of the bank over the business time shall be carried out by private companies or other security institutions while for sub-branches it shall be established or not, depending on the risk rate perception;

3. At the request of the banks, the Central Bank may grant exemption from certain requirements set forth in paragraph 2 of this article for bank’s branches and sub-branches. Article 10 Requirements for the transport of cash and cash insurance

4. Banks shall take measures for the secured transport of cash.

5. Transport of cash shall be carried by private security companies equipped with the adequate license.

6. Banks shall always possess insurance policy for insuring cash in treasury and cash on the move, with any of the insurance companies licensed by the CBK.

7. If the private security company performing transports of cash to the banks possess the adequate insurance policy for transporting cash, banks may be exempted from the requirements of paragraph 3 of this Article, but cash transport should at any time be covered by adequate insurance police issued by any insurance company licensed from the CBK. Article 11 Exemptions from minimum security requirements

8. Minimum safety equipment shall be present in all branches and sub-branches of banks. Security system for other small bank offices (e.g customs, vehicle technical control centres, vehicle registration centres), working with limited value of cash, shall be decided by the banks in each case individually, depending on the assessment of operational risk exposure to these offices.

9. CBK may continuously require compliance with minimum safety requirements for certain offices by paragraph 1 of this Article. Article 12 Implementation, remedial measures and civil penalties Any violation of the provisions of this Regulation shall be subject to remedial and punitive measures, as defined in the Central Bank Law and the Law on Banks. Article 13 Repeal With the entry into force of this Regulation shall be repealed Amended Rule XXVII on minimum security equipment and procedures adopted by the Board of CBK on 4 April 2007 and any other provisions that may be in violation of this Regulation. Article 14 Transitional Provisions Banks shall meet the requirements of this Regulation within three (3) months from the date of entry into force. Article 15 Entry into force This Regulation shall enter into force on 1 April 2015. Chairman of the Board of Central Bank of the Republic of Kosovo

---

Bedri Peci