
    Bank CCTV Design 2026: ATM, Vault, Teller & Branch Entry — Zone-by-Zone EN 62676-4 Walkthrough

    Banks are the densest compliance puzzle in CCTV design. Four legal regimes (privacy, anti-money-laundering, sanctions, electrical safety) and one technical standard (EN 62676-4) all hit at every zone of the branch. This article walks through five zones — entry, teller, ATM, vault, safe-deposit — with the EN 62676-4 pixel-per-metre arithmetic explicit, the GDPR Article 35 DPIA notes per zone, the AML retention rationale, and the NDAA §889 procurement implications for federally adjacent branches. By the end you should be able to lay out a compliant branch design in your head and explain every camera choice to a regulator.

    TL;DR — the 5 things to get right

    1. Teller window is where designs fail commissioning. Customer face needs Identification (250 px/m, horizontal geometry); cash drawer needs Recognition (125 px/m, vertical geometry). One camera cannot serve both — plan for two per position.
    2. ATM = three cameras, never one. Face (Identification) + screen-and-keypad (behaviour, PIN-masked) + perimeter/plate. A single-camera ATM has no anti-tamper redundancy.
    3. Retention sizes to the longer regime. EU AMLD ~30–180 days, US BSA 90 days to 1 year minimum, flagged events indefinite. Design storage for the longer window if you operate cross-border.
    4. NDAA §889 spreads via supply-chain attestation. Even if your branch is not federally affiliated, commercial customers and regulators (OCC, CFPB) increasingly ask for it. Design NDAA-compliant from day one; retrofit is 5–10× the cost.
    5. The deliverable is one PDF that maps to regulator questions. Floor plan + zone matrix (DORI per camera) + camera schedule + retention table + DPIA worksheet + NDAA flag per model. A regulator interview without that PDF is a half-day. With it, a half-hour.

    Worked arithmetic in every zone. FAQ at the end.

    Why bank CCTV is not "cover the lobby"

    A retail branch looks like a small commercial space. A regulator looks at it and sees five overlapping legal regimes — GDPR Article 9 special-category data risk on every transaction, anti-money-laundering evidentiary retention on every teller window, sanctions-screening Know-Your-Customer reconstruction on every account opening, NDAA Section 889 procurement controls on every camera body, and EN 62305 lightning protection on every exterior ATM. Each of those regimes pins down a different parameter of the same camera: the lens, the retention window, the model brand, the surge-protection device. Get one wrong and the design fails commissioning. Get two wrong and the design fails procurement.

    Sitting underneath all four legal regimes is EN 62676-4 — the technical standard that defines what "the camera saw the face" actually means in numbers. It is often underweighted in tender briefs, which is why so many designs meet the camera-count requirement and miss the pixel-per-metre threshold. The October 2025 amendment introduces the OODPCVS framework (Overview, Outline, Discern, Perceive, Characterise, Validate, Scrutinise) as a finer-grained vocabulary layered on top of the familiar Detection / Observation / Recognition / Identification (DORI) levels. The thresholds do not change; OODPCVS just gives auditors a more precise language for intermediate cases. For the rest of this article we use DORI numbers, with the OODPCVS mapping in the table below for cross-reference.

    DORI (legacy)  | px/m | OODPCVS (2025)        | Typical bank use
    ---------------|------|-----------------------|-----------------------------------------------------------------
    Identification | 250  | Validate / Scrutinise | Teller face, ATM user, entry, vault axis, safe-deposit entry
    Recognition    | 125  | Characterise          | Cash drawer, vault perimeter overlap, drive-through approach
    Observation    | 62   | Perceive / Discern    | General lobby, car park sweep
    Detection      | 25   | Outline / Overview    | Minimum to justify recording at all

    This article walks zone-by-zone with the math explicit. We spend an unusual amount of attention on pixel-per-metre arithmetic because, in our experience auditing branch designs from European mid-tier banks, the single biggest reason commissioning fails is that the design met the camera-count brief but missed the px/m threshold on the teller window. The lobby was fine. The vault was fine. The teller — the AML-critical zone — was 14% short of Identification. That is the failure mode that costs a redesign and a six-month delay.

    Reference card. Identification 250 px/m · Recognition 125 px/m · Observation 62 px/m · Detection 25 px/m. Bank teller, ATM user, entry, vault axis and safe-deposit entry all sit at Identification. Everything else is a defensible step down with documented rationale.

    Zone 1 — Branch entry: every face, two-camera overlap

    The branch entry is the simplest zone to design correctly and the easiest one to underspec. Every regulator expects an Identification-level face capture on every adult who walks through the door — without exception. The use case is downstream investigation: when fraud, theft, robbery or assisted-suspect identification surfaces in a later AML alert, the entry footage gives you the timestamp anchor and the first clean face shot. A blurred entry frame is one of the most common reasons a fraud disposition stalls.

    Worked example — 4MP camera, 4mm lens, 4m to entry door

    PPM @ 4m = (4 × 2560) / (5.376 × 4) = ~476 ppm → Identification ✓

    PPM @ 6m = (4 × 2560) / (5.376 × 6) = ~317 ppm → Identification ✓

    Headroom of 1.9x over the 250 ppm threshold at 4m means the design tolerates partial occlusion, dim winter mornings and small mounting-height errors without falling under Identification. The 6m position is the back of the vestibule — past the inner door, where the customer transitions from public to bank-controlled space.

    Why two cameras and not one? The two-camera entry pattern is anti-tamper as well as anti-occlusion. A single entry camera is a single point of failure: spray paint, hat occlusion, sun-glare from the wrong angle, or — in the most cynical case — physical tampering during the robbery itself. Two cameras mounted mirror-handed at opposite ceiling corners observe each other and the entry simultaneously. The second camera also catches the angle the first one loses to umbrellas and tall hats. The marginal hardware cost is one device and a couple of hundred metres of Cat6 — small relative to the cost of one disputed Identification.

    Privacy by design: the entry camera lawfully records every customer who enters because the lawful basis is legitimate interest under GDPR Article 6(1)(f) — preventing financial crime is one of the recital-49 recognised cases — combined with explicit signage at the door. Your DPIA needs to document the necessity test (could you reach the same evidentiary outcome with less data?), the proportionality test (is two-camera overlap necessary or excessive?) and the subject-rights mechanism. The standard answer for entry cameras is yes, yes and a posted contact-DPO procedure.

    For a complete walkthrough of the pixel-per-metre arithmetic that backs the numbers above, see the DORI calculation walkthrough, or jump straight to the free DORI calculator to validate your specific camera-and-lens choice.

    Zone 2 — Teller line: per-window face + over-shoulder cash drawer

    The teller window is the most overlooked zone in a typical branch design and the one most likely to fail a commissioning re-measure. The temptation is to install a single overhead dome that sees the whole counter — efficient, cheap, easy to wire. The problem is that a single overhead device cannot satisfy two distinct DORI targets at once: the customer face at Identification (250 ppm) and the cash drawer at Recognition (125 ppm). One lives at roughly eye level looking horizontally; the other lives at hand level looking vertically. The geometry is fundamentally different.

    A note on why the same camera spec passes Entry and fails Teller. A 4 MP / 4 mm / 1/2.8" camera at 4 m line-of-sight delivers ~476 ppm on a face — easily Identification. The same body on the same lens, dome-mounted at 2.7 m height looking down at a teller customer 4 m away across the counter, faces the customer at an oblique angle. The effective face plane is foreshortened by roughly cos(35°) ≈ 0.82, and the diagonal line-of-sight is closer to 4.8 m than 4. The effective ppm on the face is closer to ~325 — still above Identification but with no headroom for glare film, winter lighting or a tall customer. That is why the teller-line design uses a camera mounted at face height on a column or counter front, not an overhead dome. Same spec, different geometry, different outcome.

    Worked example — 6 MP camera, 1/1.8" sensor (7.20 mm horizontal), 8 mm lens, column-mounted at customer face height

    PPM @ 3m = (8 × 3072) / (7.20 × 3) = ~1138 ppm → Identification (deep headroom) ✓

    PPM @ 5m = (8 × 3072) / (7.20 × 5) = ~683 ppm → Identification ✓

    The 6 MP / 8 mm / 1/1.8" combination is the workhorse teller-line camera. The headroom over 250 ppm is deliberate — it absorbs anti-glare film on the counter, low winter ambient lighting, varying customer heights, and the inevitable small mounting-position drift over a 10-year operating life. The 5 m number is the position of a customer one step back from the counter, still at Identification.

    The companion camera mounts overhead, behind the teller, looking down at the cash drawer. Typical choice: 4MP with a 2.8mm wide lens at 1.2m line-of-sight to the drawer surface. This camera records denomination handling — counting, packing, sorting — and is the evidentiary anchor for any cash dispute. It does not need to see the customer face (the window camera does that). It does need to see hands and bills clearly, which means at least Recognition on a roughly 0.6m-wide drawer footprint.

    Privacy boundary — PIN-pad masking. Neither camera covers the keypad of the PIN-pad on the customer side. PCI guidance is explicit that any device recording PIN entry triggers PIN-handling controls — encryption at rest, key custody, audit. You do not want your CCTV system to inherit PCI scope. The standard answer is either to mount cameras at angles that physically cannot see the keypad face (acute angles from the side), or to mask the keypad region in the camera firmware (most professional ONVIF cameras support per-zone privacy masking). Either way, the design document should state which method you used and why.

    The per-window pattern scales linearly: a 6-position teller line gets 6 face cameras + 6 cash-drawer cameras = 12 devices on the teller side. That sounds like a lot until you compare it with the alternative of one disputed cash transaction that lacks evidence and ends up at the supervisor. The marginal cost of two cameras per position is far below the cost of one inconclusive dispute.

    Zone 3 — ATM: face Identify + screen behaviour + perimeter / plate

    ATMs deserve three cameras each. The face camera identifies the user. The screen camera records behaviour — keypad covering, shoulder surfing, social engineering. The perimeter camera covers approach and exit, and on drive-up units it captures the vehicle plate. Each camera answers a different category of fraud or attack: card skimming (face + behaviour), card-trapping (behaviour), distraction theft (perimeter), drive-up robbery (perimeter + plate), and account-takeover reconstruction (face).

    Worked example — three-camera ATM cluster

    Face camera — 4MP, 1/2.8", 6mm lens at 1.5m to user face:

    PPM @ 1.5m = (6 × 2560) / (5.376 × 1.5) = ~1905 ppm → Identification (deep headroom for motion blur and low light)

    Screen / behaviour camera — 4MP, 1/2.8", 2.8mm wide lens at 1m to keypad area:

    PPM @ 1m = (2.8 × 2560) / (5.376 × 1) = ~1333 ppm → Identification (lens choice records arm and hand motion)

    Drive-through plate camera — 8MP, 1/1.8", 12mm lens at 5–8m to plate:

    PPM @ 5m = (12 × 3840) / (7.20 × 5) = ~1280 ppm → plate-readable with fast-shutter margin for night

    Drive-through angle and shutter derating. Plate cameras are the one place in a branch where static-position arithmetic understates the lens you need. A vehicle approaching the ATM at 5 km/h is moving roughly 1.4 m/s, and the plate is rarely perpendicular to the camera axis — typical approach angle is 20°–35°. The effective ppm on the plate characters is derated by cos(angle): at 30° you lose ~13%, at 45° you lose ~30%. On top of that, motion blur smears characters unless shutter is ≤ 1/500 s, which forces wider aperture or higher gain in night conditions. Rule of thumb: double the focal length you would pick for a static face capture at the same distance. For a 5 m drive-through, 12 mm not 6 mm. See the license-plate distance and focal-length guide for the full plate-readability arithmetic.
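
    The px/m formula from the worked examples, with the cos(angle) derating described for the oblique teller dome and the drive-through plate, turned into a zone-matrix check. This is an added example, not code from the article or from CCTVplanner; the `View` fields and function names are hypothetical, the plate row uses Identification only as a placeholder target (the article gives no px/m threshold for plates), and the last row is a constructed failing case.

```python
import math
from dataclasses import dataclass

# DORI thresholds in px/m, from the article's reference card.
DORI = {"Identification": 250, "Recognition": 125,
        "Observation": 62, "Detection": 25}


@dataclass
class View:
    """One camera-to-target sight line from the camera schedule."""
    name: str
    target: str             # DORI level the zone requires
    focal_mm: float
    h_pixels: int           # horizontal resolution
    sensor_w_mm: float      # sensor horizontal width
    distance_m: float       # line-of-sight distance to the target
    angle_deg: float = 0.0  # camera axis vs. target-plane normal


def ppm(v: View) -> float:
    """The article's px/m formula, derated by cos(angle) when oblique."""
    on_axis = (v.focal_mm * v.h_pixels) / (v.sensor_w_mm * v.distance_m)
    return on_axis * math.cos(math.radians(v.angle_deg))


def dori_level(px_per_m: float) -> str:
    """Highest DORI level whose threshold the value meets."""
    for level, threshold in sorted(DORI.items(), key=lambda kv: -kv[1]):
        if px_per_m >= threshold:
            return level
    return "Below Detection"


def max_distance_m(v: View) -> float:
    """Farthest line-of-sight distance at which the view still meets its target."""
    derate = math.cos(math.radians(v.angle_deg))
    return (v.focal_mm * v.h_pixels * derate) / (v.sensor_w_mm * DORI[v.target])


def zone_matrix(views):
    """One row per view: achieved px/m, level, pass/fail and headroom."""
    rows = []
    for v in views:
        value = ppm(v)
        rows.append({
            "name": v.name,
            "ppm": round(value),
            "level": dori_level(value),
            "passes": value >= DORI[v.target],
            "headroom": round(value / DORI[v.target], 2),
            "max_distance_m": round(max_distance_m(v), 2),
        })
    return rows


# Geometry taken from the article's worked examples. The plate target is a
# placeholder (assumption) and the last row is a constructed failing case:
# the overhead teller dome fitted with a 2.8 mm lens.
VIEWS = [
    View("entry, 4 MP / 4 mm", "Identification", 4, 2560, 5.376, 4.0),
    View("teller dome, oblique", "Identification", 4, 2560, 5.376, 4.8, 35),
    View("teller column, 6 MP / 8 mm", "Identification", 8, 3072, 7.20, 3.0),
    View("plate, 8 MP / 12 mm at 30 deg", "Identification", 12, 3840, 7.20, 5.0, 30),
    View("constructed: dome, 2.8 mm", "Identification", 2.8, 2560, 5.376, 4.8, 35),
]

if __name__ == "__main__":
    for row in zone_matrix(VIEWS):
        print(row)
```

    The constructed last row lands at Recognition rather than Identification, which is the commissioning failure the teller section describes.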

    Outdoor ATM = lightning protection zone. EN 62305 classifies any outdoor exposed-pole or canopy-mounted device as a Lightning Protection Zone, and the BOM must include surge protection devices on both the power line and the data line. A standard PoE camera without SPD is a single thunderstorm away from a write-off — and the surge often takes the NVR port with it. Your design PDF should explicitly list the SPD model per outdoor camera, the LPZ classification, and the bonding to the building lightning system if one exists. Typical PoE budget for an outdoor ATM camera with heater and SPD: 25–30 W per drop on a PoE++ (60 W) switch port. Indoor domes run 5–7 W. Size the switch and the closet UPS accordingly.

    Zone 4 — Vault and money room: dual-camera overlap, linked to access control

    The vault and money-counting room is the highest-stakes zone in any branch and the easiest one to over-specify and under-engineer at the same time. Over-specification looks like four wide-angle 4K cameras pointing at the same wall. Under-engineering looks like a single high-resolution camera with no second angle. The right pattern is two cameras with overlapping fields, mounted in opposite corners, each at Identification-level pixel density across the central axis of the room.

    Worked example — 4MP pair, 4mm lens, opposite corners at 2.7m height

    PPM @ 4m (central axis) = (4 × 2560) / (5.376 × 4) = ~476 ppm → Identification ✓

    Each camera covers the room from one corner. The 30–40% angular overlap along the central axis means a tamper attempt at one device leaves the second device as an independent witness, and the Identification headroom (~1.9x over threshold) absorbs reasonable mounting tolerance and lighting variation.

    Event-trigger video tagging. The vault footage needs to be tagged to the access-control event log. Every door-open event in the vault should automatically attach the corresponding camera-pair video segment to the event record in the NVR. This is what AML auditors are looking for when they ask to "see vault entries for the past 90 days": not a long timeline of empty room, but a list of access events with a pre-attached 2-minute clip per event. Most professional NVR platforms support event-trigger video tagging — the design just needs to specify the linkage, the retention rule (typically the longer of access-log and AML retention windows), and the access-control vendor compatibility.

    Retention for vault footage is the longest of the regimes that touch it. In the EU, AMLD-translated practice runs 6 months for general vault access and indefinite for flagged events. In the US, BSA / FFIEC guidance pushes 1 year minimum for vault and 5 years for any footage tied to a Suspicious Activity Report. A note on long retention: GDPR's storage limitation principle (Article 5(1)(e)) cuts the other way — indefinite retention needs an auditable trigger (the SAR flag, the investigation ID) tying each preserved segment to its lawful purpose. Blanket 5-year retention without segment-level justification is itself a finding. Consult counsel for cross-border designs. The CCTVplanner storage calculator does the math at /calculator/storage with retention per camera as a per-zone variable.
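
    The event-trigger tagging and per-segment retention rule described above, as an added example (not code from the article, CCTVplanner or any NVR vendor). Door names, camera IDs, event IDs, the 30 s / 90 s split of the 2-minute clip, the 90- and 180-day windows and the reference "SAR-EXAMPLE-001" are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRE_ROLL = timedelta(seconds=30)   # assumed split of the 2-minute clip
POST_ROLL = timedelta(seconds=90)


@dataclass
class AccessEvent:
    event_id: str
    door: str
    opened_at: datetime
    indefinite_hold: bool = False
    hold_ref: Optional[str] = None   # SAR flag or investigation ID


@dataclass
class TaggedClip:
    event_id: str
    cameras: tuple
    start: datetime
    end: datetime
    purge_after: Optional[datetime]  # None = preserved under hold_ref
    hold_ref: Optional[str]


def tag_events(events, door_cameras, access_log_days, aml_days):
    """Attach a camera-pair clip to each access event and set its retention."""
    keep = timedelta(days=max(access_log_days, aml_days))  # longer window wins
    clips, findings = [], []
    for e in events:
        cams = tuple(door_cameras.get(e.door, ()))
        if len(cams) < 2:
            findings.append(f"{e.event_id}: door {e.door!r} has no camera pair")
        start, end = e.opened_at - PRE_ROLL, e.opened_at + POST_ROLL
        if e.indefinite_hold and e.hold_ref:
            purge_after = None
        else:
            if e.indefinite_hold:
                # Hold requested without a trigger: report it and fall back
                # to the standard window (a policy choice of this example).
                findings.append(
                    f"{e.event_id}: indefinite hold without SAR/investigation reference")
            purge_after = end + keep
        clips.append(TaggedClip(e.event_id, cams, start, end, purge_after, e.hold_ref))
    return clips, findings


def purgeable(clips, now):
    """Clips whose retention window has elapsed and that are not on hold."""
    return [c for c in clips if c.purge_after is not None and c.purge_after <= now]


# Constructed sample data (all identifiers are placeholders).
DOOR_CAMERAS = {"vault-main": ("vault-cam-A", "vault-cam-B"),
                "money-room": ("mr-cam-A",)}
EVENTS = [
    AccessEvent("ev-1", "vault-main", datetime(2026, 1, 10, 9, 0)),
    AccessEvent("ev-2", "vault-main", datetime(2026, 1, 11, 17, 45), True, "SAR-EXAMPLE-001"),
    AccessEvent("ev-3", "vault-main", datetime(2026, 1, 12, 8, 5), True),
    AccessEvent("ev-4", "money-room", datetime(2026, 1, 12, 8, 30)),
]


def demo():
    """Tag the sample events, then list what is due for deletion on 2026-08-01."""
    clips, findings = tag_events(EVENTS, DOOR_CAMERAS, access_log_days=90, aml_days=180)
    due = purgeable(clips, now=datetime(2026, 8, 1))
    return clips, findings, [c.event_id for c in due]


if __name__ == "__main__":
    clips, findings, due = demo()
    print(findings)
    print("due for deletion:", due)
```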

    Zone 5 — Safe-deposit corridor: identify entry, never capture contents

    Safe-deposit is the zone where the privacy boundary is sharpest and most underwritten by case law in every European jurisdiction. The customer has an explicit privacy expectation around the contents of their box. CCTV in the corridor is acceptable — sometimes mandatory — but coverage of the box interior or even the customer's interaction with their open box is challengeable on Article 8 ECHR grounds in several jurisdictions. The standard design pattern is: cover the corridor entry, cover the box-room door from inside, never aim a camera at the box rack itself.

    Worked example — 4MP / 4mm at corridor entry, 3–5m view depth

    PPM @ 5m = (4 × 2560) / (5.376 × 5) = ~381 ppm → Identification ✓

    Customer is identifiable at the corridor entry. A second camera inside the box room covers the door but is angled so the box rack is outside the frame. The customer is on tape entering and exiting; their interaction with their own box is not.

    This is the most explicit privacy-by-design pattern in the whole branch and the one supervisors reward most generously in DPIA review. By documenting the angle constraint, the camera-fields-of-view diagram with the box rack outside every frame, and the operator training on no-zoom-into-box policy, you turn an otherwise risky zone into a clean compliance demonstration. The CCTVplanner project PDF includes a per-camera "captured-content scope" annotation specifically for this kind of regulator-facing documentation.

    Network architecture: VLAN, management plane, NDAA-of-software

    NDAA §889 does not stop at the camera body. The 2023–2024 enforcement guidance from federal agencies makes clear that video management software, NVR firmware, and cloud-management back-ends from covered entities are equally restricted. A "compliant" Hanwha or Axis camera connected to a Hikvision NVR is still a §889 violation. Your design needs to attest the full stack: camera body, recorder, VMS, and any cloud or mobile-management service.

    Network segmentation is not optional either. A bank CCTV network is a high-value target — both because the cameras themselves are a privileged vantage point on cash handling, and because PoE switches with default credentials are a documented lateral-movement path into the corporate network. The minimum design:

    • Dedicated camera VLAN, no routing to corporate LAN, no internet egress except to whitelisted vendor cloud endpoints.
    • Management plane on a separate VLAN with multi-factor authentication on the VMS console.
    • Firmware update process documented — air-gapped manual update or signed-firmware-only auto-update, never plain HTTP pull.
    • Default credentials removed at commissioning, documented in the handover.

    This is the layer that turns a CCTV system from a compliance liability into a compliance asset. Auditors increasingly ask for the network diagram alongside the camera schedule.
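
    A lint pass over a network design record that checks the four minimum-design points listed above, shown on a weak design and its corrected form. This is an added example, not code from the article or from CCTVplanner; the record schema, device names, the "manual-airgapped" mode value and all addresses (documentation ranges and `.invalid` hosts) are hypothetical.

```python
import copy
import ipaddress
from urllib.parse import urlparse

# Constructed weak design. ACL semantics assumed: first match wins,
# unmatched traffic is dropped.
WEAK = {
    "vlans": {"camera": "10.20.0.0/24", "mgmt": "10.21.0.0/28",
              "corporate": "10.0.0.0/16"},
    "vendor_cloud_allowlist": ["203.0.113.10/32"],
    "acl": [
        {"src": "10.20.0.0/24", "dst": "203.0.113.10/32", "action": "allow"},
        {"src": "10.20.0.0/24", "dst": "10.0.0.0/16", "action": "deny"},
        {"src": "10.20.0.0/24", "dst": "0.0.0.0/0", "action": "allow"},
    ],
    "vms_console": {"vlan": "camera", "mfa": False},
    "firmware": {"mode": "auto", "url": "http://fw.example.invalid/latest",
                 "signed_only": False},
    "devices": [
        {"name": "cam-entry-1", "default_credentials_removed": True},
        {"name": "poe-sw-closet-a", "default_credentials_removed": False},
    ],
}


def _net(cidr):
    return ipaddress.ip_network(cidr)


def lint(design):
    """Return a list of findings; an empty list means all four points hold."""
    findings = []
    cam = _net(design["vlans"]["camera"])
    allowlist = [_net(n) for n in design["vendor_cloud_allowlist"]]
    denied = []  # destinations already denied for the whole camera VLAN
    for i, rule in enumerate(design["acl"]):
        src, dst = _net(rule["src"]), _net(rule["dst"])
        if not src.overlaps(cam):
            continue
        if rule["action"] == "deny":
            if cam.subnet_of(src):
                denied.append(dst)
            continue
        if any(dst.subnet_of(d) for d in denied):
            continue  # fully shadowed by an earlier deny
        if not any(dst.subnet_of(a) for a in allowlist):
            findings.append(f"acl[{i}]: camera VLAN may reach {dst}, "
                            "outside the vendor allowlist")

    console = design["vms_console"]
    if console["vlan"] == "camera":
        findings.append("vms_console: management plane shares the camera VLAN")
    if not console["mfa"]:
        findings.append("vms_console: MFA not enforced")

    fw = design["firmware"]
    if fw["mode"] == "auto":
        if urlparse(fw["url"]).scheme != "https":
            findings.append("firmware: auto-update pulls over plain HTTP")
        if not fw["signed_only"]:
            findings.append("firmware: auto-update accepts unsigned images")
    elif fw["mode"] != "manual-airgapped":
        findings.append(f"firmware: undocumented update mode {fw['mode']!r}")

    for dev in design["devices"]:
        if not dev["default_credentials_removed"]:
            findings.append(f"{dev['name']}: default credentials still present")
    return findings


def hardened():
    """The same design with each finding corrected."""
    d = copy.deepcopy(WEAK)
    d["acl"] = d["acl"][:2]  # drop the allow-any egress rule
    d["vms_console"] = {"vlan": "mgmt", "mfa": True}
    d["firmware"] = {"mode": "auto", "url": "https://fw.example.invalid/latest",
                     "signed_only": True}
    for dev in d["devices"]:
        dev["default_credentials_removed"] = True
    return d


if __name__ == "__main__":
    for finding in lint(WEAK):
        print("FINDING:", finding)
    print("hardened design findings:", lint(hardened()))
```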

    Multi-branch standardisation at 10+ sites

    A retail bank with 50 branches has the same five zones in every branch — but the branches differ in size, layout and street geometry. Hand-rolling each design from scratch is how compliance drift starts: branch 23 gets a 6mm lens at the entry where everyone else uses 4mm, because the designer that day misremembered. Three months later commissioning finds that branch 23 hits Recognition not Identification at the entry, and the whole branch has to be redesigned.

    The standardised model uses three archetype templates — typically small (2-teller, single ATM, no drive-through), medium (4-teller, two ATMs, no drive-through), and large (6+ teller, drive-through, multi-vault). Each archetype is a fully solved EN 62676-4 design with the camera count, lens choice, mounting heights and DORI calculations baked in. Each actual branch starts as a fork of the closest archetype, with site-specific overrides for perimeter cameras and floor-plan geometry. The compliance carries through; only the geometry varies.

    The CCTVplanner project model is built for this pattern. The "duplicate project" action clones an archetype with all zones, all DORI calculations and all compliance metadata intact. The duplicated project then accepts a new floor plan, a new satellite map, and per-branch camera adjustments without losing the EN 62676-4 baseline. Each branch produces its own auditor PDF, but the underlying design rules are identical and re-verifiable.

    BOM, retention storage and the auditor PDF

    A bank design that does not produce a one-file deliverable for the auditor is not a finished design. The PDF carries:

    • Floor plan with every camera marked
    • Zone matrix with DORI level per camera per zone
    • Camera schedule with model + lens + mounting + power
    • Cable runs and PoE budget per closet (typical: 25–30 W per outdoor ATM camera, 5–7 W per indoor dome)
    • NVR + storage sizing for the per-zone retention windows
    • SPD list for outdoor LPZ devices
    • NDAA §889 flag per camera, recorder and VMS component
    • Network architecture diagram (VLAN, management plane, firmware policy)
    • GDPR Article 35 DPIA worksheet skeleton

    Each of those sections answers a regulator question. The zone matrix answers "did every face that mattered get Identification?". The camera schedule answers "are any banned brands present in a federally adjacent branch?". The retention table answers "do you keep ATM footage long enough to support the BSA 90-day rule, and short enough to respect GDPR storage limitation?". The DPIA worksheet answers "did you apply Article 35 to this processing?". A single PDF that maps cleanly to those questions reduces the regulator interview from a half-day to a half-hour.

    The BOM exports separately as CSV for procurement workflow. The DXF export goes to the electrical contractor with cable routes, mounting positions and PoE budget per drop. Both files reference the same canonical PDF so procurement, the installer and the auditor are always looking at the same source of truth. This is the multi-output pattern that distinguishes a bank-grade design tool from a generic camera planner.

    Common mistakes to avoid

    • A single overhead dome covering both face and cash drawer at the teller window

      Different DORI targets, different geometry, single device cannot satisfy both. AML audits flag the teller specifically — most commissioning failures land here.

    • Mixing Hikvision or Dahua into a federally adjacent branch BOM — including the NVR and VMS

      NDAA §889 covers the full stack. A compliant camera on a non-compliant recorder is still a violation. Federal-funding pull and re-procurement follow.

    • Skipping the GDPR Article 35 DPIA on a "minor redesign"

      Any change to camera count, mounting, or retention in a branch is a change to the processing activity. Even a "we just added two cameras" project needs the DPIA refreshed. Supervisory authorities are increasingly tracking this.

    • No surge-protection device on outdoor ATM cameras

      EN 62305 requires LPZ classification + SPD on every exposed outdoor camera. A typhoon, a transformer fault or a direct lightning strike on the canopy writes off the camera and frequently the NVR port. The SPD is small money up front.

    • Single-camera ATM with no backup

      A tamper attempt or obstruction on the only ATM camera leaves no evidence. The three-camera ATM pattern (face + screen + perimeter) is anti-tamper as much as it is anti-fraud.

    • Retention sized to the shortest applicable window

      A branch operating across EU + US needs to satisfy both AMLD and BSA. Sizing storage to the EU window when BSA requires longer is the kind of preventable design error that surfaces in the regulator interview six months later. The mirror error — blanket indefinite retention without per-segment justification — fails GDPR storage limitation.

    • Camera VLAN flat with corporate LAN

      Default-credential PoE switches and IP cameras are documented lateral-movement paths. Segmentation is not a "nice to have".

    Frequently Asked Questions

    Does a single 4MP dome at 4m height pass EN 62676-4 Identify on a teller window?

    Almost never. A 4MP camera with 1/2.8" sensor on a 4mm lens delivers around 476 ppm on a face at 4m straight-line — but at the teller window the camera is dome-mounted at ~2.7m height looking obliquely down at a customer 4m away across the counter. Foreshortening (cos ≈ 0.82 at a 35° face angle) and the longer diagonal line-of-sight (~4.8m) drop the effective face-plane ppm to roughly 325 — above Identification but with no headroom for glare film, winter lighting or a tall customer. To hit 250 ppm reliably you either mount the camera at face height on a column or counter front, or step up to a longer lens (8mm or a 2.8–12mm varifocal locked at 8mm) on a 6MP / 1/1.8" body. The teller window is the one zone in a branch where the lazy 'one dome covers it' rule reliably breaks the AML evidentiary requirement.

    What is the AML video retention window for ATM footage in the EU vs the US?

    EU AMLD does not prescribe a fixed retention window for CCTV footage, but national supervisors translate it into practice as roughly 30 to 90 days for general branch coverage and up to 180 days for ATM and teller transaction zones — with the explicit requirement that any footage tied to a flagged transaction be preserved indefinitely until the investigation closes. The US Bank Secrecy Act and FFIEC guidance push 90 days minimum and 1 year for ATM and vault, with the same flagged-event preservation rule. Your design needs storage sized for the longer of the two if you operate in both jurisdictions — but the indefinite retention has to be tied to a per-segment SAR flag or investigation ID, otherwise GDPR storage limitation cuts the other way.

    Is Hikvision banned in every bank branch, or only federal-affiliated ones?

    Section 889 of the US NDAA prohibits federal agencies and federal-grant recipients from procuring or operating Hikvision, Dahua, Huawei, Hytera and ZTE equipment — and the 2023–2024 enforcement guidance extends that to recorders, VMS software and cloud-management back-ends, not just cameras. In banking that captures government depository banks, branches inside federal buildings, and any bank that takes federal-grant funding (rural development, community reinvestment, certain SBA programmes). Most large retail banks are not directly subject to §889 — but their commercial customers increasingly require Section 889 attestation up the supply chain, and federal regulators have begun citing presence of banned equipment as a procurement-controls weakness in CFPB and OCC exams. Practically, if you operate any federally adjacent branches you should design the whole estate as if §889 applies, because retrofitting later costs more than designing right the first time.

    How many cameras do I need at an ATM — one, two, or three?

    Three is the durable answer for a customer-facing ATM. One for face capture at Identification (200–300 ppm on the user's face at the typical 1.2–1.7m standing distance). One for screen-and-keypad behaviour at wide angle (records gestures and obstruction attempts but masks PIN entry per PCI guidance). One for the surrounding area and drive-up plate if applicable. Skipping any of the three creates a defensible gap an investigator can point to: missing face after a fraud, missing behaviour during a skimmer install, or missing context for a wallet theft at the machine. The marginal hardware cost is small compared to the cost of one disputed transaction with no evidence.

    What's the cost difference between an 8MP NDAA-compliant camera and a 4MP Hikvision?

    At list price the gap is typically 30 to 60 percent — an 8MP Hanwha or Axis NDAA-compliant bullet runs around $250–$450 at distributor pricing versus $150–$280 for a comparable 4MP Hikvision. The gap closes once you factor in matched specs at higher resolution, longer warranty terms, and the absence of compliance-pull risk. For a 30-camera branch the total uplift is roughly $3,000–$6,000 — typically less than 5 percent of the project's all-in cost including labour, switches, NVR, cable and installation. The compliance insurance is cheap.

    Do I need separate cameras for the teller's face and the teller's cash drawer?

    Yes — they are different evidentiary objects with different DORI requirements. The customer face needs Identification at the teller window (250 ppm, typical mounting on a column or counter front). The cash drawer needs Recognition over the denomination handling (125 ppm minimum, typical mounting overhead behind the teller looking down). A single camera cannot meet both simultaneously without an unrealistic lens — the geometry is fundamentally different (one is roughly horizontal at face height, the other is roughly vertical at hand height). Combined-evidence cameras exist but get challenged in fraud disputes when the auditor asks why a single device covered two different DORI targets.

    How does GDPR Article 35 DPIA apply to a bank branch CCTV redesign?

    Article 35 requires a Data Protection Impact Assessment when processing is likely to result in high risk to the rights and freedoms of natural persons. Bank branch CCTV almost always qualifies — large-scale systematic monitoring of a public area, special-category data risk where teller windows capture financial transaction context, and behavioural analytics if you add AI overlays. The DPIA needs to document the lawful basis (typically Article 6(1)(f) legitimate interest with the AML/financial-crime balance test), the proportionality of each zone, the retention windows tied to per-segment triggers, the access controls, and the subject-rights mechanism. The CCTVplanner project PDF includes a DPIA-ready section per zone — designed to drop into the assessment with minimal editing.

    Can I reuse one branch's CCTV design across 50 sites?

    Yes — that is exactly the multi-branch project model. A baseline branch design (typical small, medium and large layouts) becomes a project template. You fork the template per actual site, swap the satellite map and floor plan, adjust the perimeter cameras to match the real geometry, and the zone-level DORI compliance and BOM logic carries through. What you cannot reuse blindly is the camera count, the cable run, and the lightning-protection zones — those are site-specific. Bank-network designers typically keep three to five 'archetype' templates and treat each branch as an instance of the closest archetype with site-specific overrides.

    Does NDAA §889 cover the NVR and VMS or just the cameras?

    The full stack. 2023–2024 enforcement guidance from federal agencies makes clear that recorder firmware, video management software, and cloud-management back-ends from covered entities are restricted on the same terms as the cameras. A compliant camera body connected to a Hikvision recorder, or recorded into a Dahua-branded VMS, or back-ended by a covered cloud service, is still a violation. Your camera schedule needs an NDAA flag column that includes the recorder and VMS rows, not just the camera rows.
