
Financial Institution Security Requirements in New Mexico

Wired

Financial institution security requirements go far beyond cybersecurity — and most small banks and credit unions in New Mexico are missing critical pieces on the physical side. The Federal Financial Institutions Examination Council (FFIEC) sets the security standards that federal examiners use to evaluate every bank, credit union, and savings association in the country. Failing to meet them can result in fines up to $2 million, administrative orders, and in extreme cases, the loss of deposit insurance. The physical security requirements are real, they are specific, and examiners check them.

This guide breaks down what FFIEC physical security requirements actually cover, what examiners look for during an examination, and how the right security system keeps your institution compliant and protected in 2026.


Why Physical Security Is Part of FFIEC Compliance

Most financial professionals associate FFIEC compliance with IT security, cybersecurity frameworks, and data protection. That's a big part of it. But the FFIEC Information Security framework explicitly covers physical safeguards as a core component of an institution's overall security program.

The Gramm-Leach-Bliley Act (GLBA) requires all financial institutions to protect member and customer information from both digital and physical threats. The NCUA's 12 C.F.R. Part 748 requires every federally insured credit union to develop a written security program designed to protect against robberies, burglaries, larcenies, and unauthorized access to member records. Banks fall under equivalent FDIC and OCC requirements.

Physical and digital security are treated as one integrated program — not separate concerns. A breach that starts with someone walking into an unlocked server room is just as reportable as a ransomware attack. Examiners look at both.


Financial Institution Security Requirements: What FFIEC Examiners Actually Check

FFIEC examiners use the IT Examination Handbook's physical security section as their guide. Here's what they evaluate across five key areas.


1. Facility Access Controls

Controlling physical access to your building — and specifically to the areas where sensitive data and systems are stored — is a foundational FFIEC requirement. This applies to teller areas, back offices, server rooms, and vaults.

FFIEC guidelines require financial institutions to:

  • Limit access to sensitive areas to only those staff with a legitimate business need — not everyone on the payroll
  • Implement formal authorization processes for granting, reviewing, and revoking access rights — access must be role-based and documented
  • Control and verify all non-employee access — every vendor, contractor, auditor, or visitor must present identification and be signed in before accessing any restricted area
  • Escort non-employees in sensitive areas at all times — they should not be left unattended near servers, network equipment, or financial records
  • Immediately revoke access when an employee leaves the institution — examiners explicitly check this, and it is frequently cited as a gap

Traditional keys fail almost every one of these requirements. There is no audit trail, no way to verify who used a key and when, and no way to instantly revoke access when someone leaves. A shared key passed between employees or left at the front desk is a citable finding.

Wired installs Verkada access control systems that replace keys with individual credentials — keycard, fob, or mobile access. Every door event is logged with a timestamp and the exact credential used. When an employee leaves, access is revoked instantly from any device. Examiners get a clean, searchable audit trail that covers every requirement in this section.


2. Video Surveillance

FFIEC guidelines specifically call for closed-circuit surveillance equipment as part of a comprehensive physical security program. This requirement applies to both customer-facing areas and restricted back-office and data areas.

What examiners look for includes:

  • Camera coverage of all entry and exit points — including lobby entrances, drive-through lanes, ATM areas, and any employee-only entry doors
  • Coverage of teller and transaction areas — all POS and cash-handling locations must be recorded
  • Coverage of server rooms and data centers — the FFIEC IT Handbook specifically calls out protecting IT infrastructure with physical surveillance
  • Continuous monitoring and recording — footage must be retained long enough to support any incident investigation or examiner request
  • Tamper-proof storage — recordings must be protected from deletion, theft, or physical damage
  • Regular maintenance logs — examiners can ask to see documentation that cameras are regularly tested and maintained

A common gap in smaller New Mexico institutions is a camera system that covers the teller line but has blind spots over the back office, IT closet, or employee entrance. If a breach or theft happens in an uncovered area, there is no footage to support the investigation — and that is a problem for both law enforcement and your examiner.

Wired's security camera installation team designs coverage plans for financial environments. We map every required area, eliminate blind spots, and install Verkada cameras that record in 4K with cloud-based storage. Footage is secured with role-based access so only authorized personnel can view or export recordings. The system alerts you immediately if any camera goes offline — so you're never unknowingly unprotected.


3. Alarm Systems and Intrusion Detection

FFIEC guidelines require financial institutions to have intrusion detection systems that actively protect against unauthorized access — not just cameras that record it after the fact.

Required and expected controls include:

  • Physical intrusion alarms with sensors on all perimeter entry points — doors, windows, and any exterior access point
  • Continuous monitoring by a central station or equivalent — alarms must be actively monitored, not just installed
  • Motion detection and circuit-break sensors that trigger alerts when electrical circuits are broken or movement is detected in restricted areas after hours
  • Documented response procedures — the institution must have written procedures for how staff respond to alarm events, and those procedures must be tested
  • Environmental monitoring — server rooms and data areas should also have sensors for fire, smoke, heat, and moisture to protect against environmental threats

Many community banks and credit unions in New Mexico have alarm systems that were installed years ago and have never been formally tested or updated. An alarm that is not actively monitored, or that has sensors covering only some perimeter doors, is an examiner finding waiting to happen.

Verkada's integrated alarm system connects directly to cameras and access control so that when an alarm triggers, the monitoring team sees live footage of the triggered location immediately. Every alarm event is logged automatically. Wired documents all system tests and maintenance visits — giving you the maintenance records examiners can ask for at any time.


4. Server Room and Data Center Physical Security

This is the area where small financial institutions are most vulnerable — and where examiners pay the closest attention. Your core banking system, member records, and transaction data all live on physical hardware. That hardware needs physical protection.

FFIEC requirements for IT infrastructure areas include:

  • Restricted access to server rooms and network closets — limited to only IT staff and authorized personnel with a documented business need
  • Individual access credentials — shared keys or access codes for server rooms are a direct examiner finding
  • No identifying signage — the FFIEC IT Handbook specifically states that data centers and server rooms should not be identified or advertised by signage or other indicators
  • Camera coverage of the server room itself — the room housing your recording devices and servers must be monitored
  • Environmental controls — sensors for fire, smoke, flooding, and excessive heat are required to protect IT infrastructure
  • Formal hardware removal authorization — there must be a documented process for any hardware or media leaving the premises

A server closet with a standard door lock and no camera is one of the most commonly cited physical security gaps in community financial institutions. It doesn't take a sophisticated attacker — a disgruntled employee, a contractor left unsupervised, or even a confused visitor who opened the wrong door can create a reportable incident.

Wired installs credential-based access control on server and network rooms, combined with Verkada camera coverage. Every entry is logged with a timestamp and user identity. Access can be revoked instantly and audit logs are searchable and exportable for examiner requests.


5. Written Security Program and Maintenance Documentation

Behind every physical safeguard is a documentation requirement. FFIEC compliance is not just about having the right equipment — it requires proving that equipment is working, maintained, and tested on a regular basis.

Financial institutions must maintain:

  • A written security program that covers physical and information security together — credit unions must have this under 12 C.F.R. Part 748, and banks face equivalent requirements
  • Maintenance logs for all physical security devices — cameras, alarms, access control systems, and environmental sensors all need documented service records
  • Periodic testing records — examiners want evidence that systems are regularly tested, not just installed and forgotten
  • Access control policy documentation — written policies governing who gets access, how access is granted and revoked, and how non-employees are handled
  • Incident logs — any physical security incident, unauthorized access attempt, or alarm event should be documented and retained

A camera system that was installed three years ago with no service records, no testing documentation, and no written policy governing its use is a compliance gap — even if the cameras are working fine. Examiners ask for documentation. Without it, the equipment might as well not exist from a compliance standpoint.

Wired provides written maintenance records for every service visit, firmware update, camera test, and system check we perform — in the format examiners expect. Our ongoing service relationship means your documentation stays current between examinations, not just scrambled together before one.


What Most Small New Mexico Financial Institutions Are Missing

Based on common examination findings for community banks and credit unions, these gaps show up most often:

  • Shared keys or access codes for server rooms and back-office areas with no individual accountability
  • No camera coverage of IT rooms, network closets, or employee-only entrances
  • Outdated alarm systems that haven't been tested or serviced in years
  • No formal visitor log or escort policy for vendors and contractors in restricted areas
  • No maintenance documentation for any physical security equipment
  • Access never revoked for former employees — credentials still active months after departure
  • Disconnected systems — cameras, alarms, and access control from different vendors with no integration and no unified audit trail

Each of these is a citable finding. Together, they represent serious regulatory exposure — and in the event of an actual incident, they can transform a manageable situation into a federal enforcement action.


How One Integrated System Covers Every Requirement

Trying to meet FFIEC physical security requirements with equipment from three different vendors creates gaps and makes documentation a nightmare. A unified platform that handles access control, surveillance, alarms, visitor management, and maintenance records in one place is both easier to manage and far easier to demonstrate to an examiner.

Here's how Wired's solutions map to FFIEC physical security requirements:

  • Facility and server room access control: Verkada door readers with individual credentials, full audit logs, and instant remote revocation
  • Video surveillance: 4K Verkada cameras covering all entry points, teller areas, back offices, and IT rooms — with cloud storage, role-based access, and automatic offline alerts
  • Alarm and intrusion detection: Integrated monitoring with central station support, perimeter sensors, and motion detection in restricted areas
  • Visitor management: Verkada Guest logs every non-employee entry with ID verification, escort assignment, and a searchable digital record
  • Maintenance documentation: Wired provides written records of every service visit, firmware update, and system test — audit-ready at any time
  • One platform: Everything managed remotely from a single dashboard, with complete audit trails accessible from any device

Don't Wait for an Examiner to Find the Gaps

FFIEC physical security requirements protect your institution, your members, and your operating license. Meeting them shouldn't be reactive. Wired works with community banks, credit unions, and financial offices across Albuquerque, Santa Fe, Rio Rancho, and throughout New Mexico to design and install security systems built around what examiners actually look for — and built to protect your facility every day.

Ready to see where your institution stands? Contact Wired today for a free security consultation. We'll walk through your facility, identify any compliance gaps, and build a plan that covers every FFIEC physical security requirement.
