By Lourdes O. Pilar, Researcher
THE RECENT GLITCHES in the local banking sector brought significant concern to consumers amid increased enhancement of technologically advanced systems to serve consumers.
As the industry continues to adapt to digital platforms and systems, these banking-related glitches — double-posting of deposits, withdrawals, etc. — are inevitable.
“Cybersecurity and technology-related incidents are not completely avoidable,” the Bangko Sentral ng Pilipinas (BSP) said. “This is due to the inherent vulnerabilities in systems, technologies, processes, and people, as well as the persistent risks from cyber threat actors.”
Based on BSP monitoring, incidents involving banking-related glitches are “minimal” and are generally within the financial institutions’ capability to contain and manage.
“The speed of incident resolution varies depending on the severity or criticality of the incident. BSP-supervised financial institutions (BSFIs) prioritize the remediation of high-risk vulnerabilities within the shortest possible time to minimize further losses or disruptions,” BSP said.
The state-run Development Bank of the Philippines (DBP) said these snags came from human errors.
“Nonetheless, there are layers of control to immediately contain errors and ensure that the bank’s systems are able to continuously serve and maintain its integrity,” Michael O. de Jesus, president and chief executive officer (CEO) of DBP, said.
“DBP also ensures that access to systems and information is strictly limited to internal personnel with a business need to know,” he added. “As such, occurrences of events attributed to an outsider have been seldom to none.”
Bank of the Philippine Islands (BPI) first experienced major glitch in June 2017 when it discovered an error that caused multiple accounts reflecting incorrect balances. The Ayala-led bank shut down its automated teller machines (ATMs) as well as online and mobile app-based facilities as it corrected an “internal data processing error” that doubled postings of transactions conducted between April 27 and May 2, 2017.
In early January 2023, BPI reported that transactions of its account holders experienced another double-debit transaction incident. Transactions made via its automated teller and cash accept machines as well as debit transactions via point-of-sale terminals and e-commerce platforms between Dec. 30 and 31 last year were posted twice.
BPI worked to reverse the duplicate transactions and the issue was resolved immediately.
BDO Unibank, Inc. (BDO), the largest lender in terms of assets, also reported a system problem that forced the lender to deactivate all its online services for two days in June 2017 due to reports that some of its clients lost funds from their accounts. BDO said that some of its cardholders lost cash due to unauthorized transactions from their bank accounts.
In December 2021, BDO and Union Bank of the Philippines (UnionBank) had been under monitoring by the BSP when complaints posted on social media platforms by some bank customers who claimed their accounts were hacked and their funds stolen.
Some Facebook users, who claimed to be BDO clients, posted screenshots of allegedly unauthorized fund transfers from their accounts to UnionBank account to a certain Mark Nagoyo which later confirmed that two or more UnionBank accounts received the unauthorized fund transfers from BDO clients.
Security Bank Corp. also encountered an error in June 2017. The bank reported a delay in posting banking transactions in its systems, but assured the incident has zero effect to the bank accounts of its clients.
UnionBank experienced a three-day systems glitch in June 2021 where its deposit and auto reversal system is not working. The lender blamed the “unplanned maintenance” of a storage appliance.
In a survey disclosed by the Rural Bankers Association of the Philippines (RBAP), the most common technical glitch encountered by rural banks is an interruption in internet connectivity, lasting an average of 11 and a half hours (in the aggregate) over a one-year period.
Affected banks spent approximately P23,000 on average to address these internet service glitches, according to RBAP. The next most common technical problem was downtime in the bank’s core banking system.
ACTIONS AND RECOMMENDATIONS“It is important for BSFIs to implement sound technology and cybersecurity risk management as laid down in BSP regulations and guidelines,” the central bank said.
BSP also conducts examinations for BSFIs encountering major or high-severity cyber or disruptive events. Supervisory enforcement actions are applied as stated under Section 002 of the Manual of Regulations for Banks, to ensure that BSFIs address the root cause and prevent the recurrence of the incident.
BSP also issued BSP Circular No. 808 or Guidelines on Information Technology (IT) Risk Management for All Banks and Other BSP Supervised Institutions and BSP Circular No. 982 or Enhanced Guidelines on Information Security Management to provide comprehensive framework, set of principles, and basic hygiene practices that the BSFIs must observe to protect themselves from threat actors.
Threat actors are individuals or groups that involve in cyber-attacks or other malicious activities scheming of causing harm or stealing sensitive information in an institution. They can be motivated by financial gain, political or ideological beliefs, or personal gain.
For RBAP, they take a proactive approach to operational risk management by regularly coordinating with member banks on the latest software, hardware, connectivity issues and IT best practices. Through its sister organization, the Rural Bankers Research and Development Foundation, RBAP also conducts IT awareness and security year-round for bank employees.
“Moreover, at least twice a year, RBAP hosts IT security and bank security professionals in short roundtable discussions with banks. RBAP also has a permanent representative to the Joint Anti-Robbery and Cybercrime Committee, a multisectoral body (banks and law enforcement) that convenes to addresses security issues on a quarterly basis,” RBAP Executive Director Rafael Francisco D. Amparo said in an e-mail.
Meanwhile, DBP established a set of mechanisms for detecting system glitches and has an in-placed escalation process to systematically resolve such events based on the gravity or impact of the issue.
The bank also established incident response team which plays a crucial role in minimizing and containing the damage and impact that may arise from a potential information communication technologies-related incident.
“Further, progress resolution for such is periodically monitored and reported to the management as part of its risk management measures. More importantly, the bank ensures that all stakeholders, including its customers, are informed of such issues and disruptions, whenever necessary,” said Mr. De Jesus in an e-mail.
In 2014, the central bank ordered the Philippine banks to complete the shift to Europay Mastercard Visa (EMV) technology, which makes use of microchips rather than magnetic stripes on cards, by June 30, 2018.
The EMV card system is the international standard as it is safer compared to the magnetic strip cards which are prone to skimming — usually done by illegally tapping into ATM terminals to steal client data.
Former President Rodrigo R. Duterte signed Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act, last year as reinforcement to its mandate of protecting the investing public. The law seeks to make sure that mechanisms in line with global best practices are put in place to shield consumers of financial products and services.
The report on the Philippine Financial System for the first semester of 2022 showed that bank deposits grew owing to the economy’s recovery and the depositors’ continued confidence in the banking system, BSP added.
Further, BSFIs continue to enhance their technology risk and cybersecurity management to address evolving threats and risks.
‘NO ONE IS PERFECT’“We regret the incident and its effect on our customers,” BPI President and CEO Jose Teodoro K. Limcaoco said in a statement posted on various social media platforms in January.
“No one is ever perfect, and when you stumble, you admit and address. We regret the incident and its effect on our customers. No one is ever perfect, and when you stumble, you admit and address,” he added.
BPI said that the bank will continue to review and improve existing banking systems, processes, and controls to address gaps and pursue enhancements to prevent recurrence.
Maybank Philippines, Inc. (MPI) said that these glitches — either caused by system or human errors — can not be eliminated but can be minimized.
“It is important that a proper response and remediation process is in place to immediately identify, rectify and develop preventive actions to address issues. MPI follows these principles through our risk incidence monitoring, reporting and remediation policies,” MPI said in an e-mail.
MPI said that it is important that communication lines are open between the bank and its clients, and that the remediation is done as quickly as possible to minimize losses and inconvenience on the clients’ side.
DBP is committed to continually improve on its existing internal incident response process and procedures.
“However, it is worth mentioning that any deviation from standard operating procedures could result in disruptions and inconvenience to the public when not employed properly, this is why proper and diligent conduct of IT Change Management should remain of utmost importance when employing necessary enhancements and adjustments in the banking system,” DBP’s Mr. De Jesus said.
“Proper layers of controls that involve adequate testing, process reviews, and quality assurance must be properly observed,” he added.
RBAP said that there is inadequate emphasis on cybersecurity, as many rural and cooperative banks are content with core banking system vendor-provided security.
“Considering the sophistication of today’s cybercriminals, there needs to be more focus on upgrading cybersecurity capabilities,” RBAP’s Mr. Amparo said.