BSP creates task force to investigate hacking incident


The Bangko Sentral ng Pilipinas (BSP) has set up a task force of cyber, anti-money laundering and legal experts to get to the bottom of the weekend hacking incident at BDO Unibank Inc. and the KYC (Know Your Customer) lapses of Union Bank of the Philippines (Unionbank).

BSP Governor Benjamin E. Diokno said the task force will submit a recommendation after 30 days on the extent and gravity of the penalties and sanctions that will be imposed against the two banks for cybersecurity breaches and possible violations of the KYC rules.

“We are forming a task force of cyber and anti-money laundering specialists and legal officers to determine the root causes and possible control lapses involving the incident,” said Diokno during a late press briefing on Monday, Dec. 13.

“Guided by relevant laws and regulations, penalties and/or sanctions will be imposed depending on the results of the examination. I have instructed that recommendation should be submitted in 30 days,” he told reporters.

Diokno said the BSP will identify vulnerabilities and non-compliance with central bank expectations in managing cyber and anti-money laundering related risk.

The task force will be led by BSP Deputy Governor Chuchi G. Fonacier, Director Mel Plabasan of the Technology Risk and Innovation Supervision, as well as the Anti-Money Laundering Council chaired by Diokno. Fonacier is the head of the BSP’s Financial Supervision Sector.

The BSP on Sunday issued public assurances that they have been coordinating with BDO and Unionbank for quick remedial measures and reimbursement of affected accounts, and to initially identify the source of the hacking crisis.

“What BDO told us is that it has taken some initial steps to manage what they identified as ‘sophisticated fraud technique’ affecting their clients. Getting to the bottom of this will entail a complex cyber forensic investigation to determine the actual number of affected customers and how much they lost from this fraud,” said Diokno.

“They have assured us, however, that affected customers will be duly reimbursed for the losses. We will make sure that this happens as soon as possible,” he added.

Diokno also said that BDO has confirmed that the incident emanated from a 10-year-old web service that is due for phaseout early next year. “What we also know is that some affected customers reported they did not click any links nor were they asked to supply sensitive information,” he said.

The SM Group banking unit, BDO, is the country’s biggest lender while the Aboitiz-owned Unionbank is one of the top 10 banks and one of the six local banks that were granted a digital bank license this year.

BDO said that it has implemented additional security controls “to block further attempts” and continues to protect the bank credentials of its clients.

Unionbank, for its part, said it has begun to take legal action against suspected clients. The stolen deposits hacked from BDO accounts were transferred to Unionbank accounts.

The BSP regularly reminds banks to act immediately on customers’ complaints and verification requests in relation to smishing, phishing and SMS spoofing to minimize financial losses to their clients.

The BSP has been calling for the immediate passage of an anti-cybercrime law for the enhanced protection of financial consumers. Senate Bill No. 2380 or the "Bank Account, E-wallet, and Other Financial Accounts Regulation Act" is a measure that recognizes the need to protect the public from cybercriminals and syndicates who target bank accounts and e-wallets, said the BSP.

The BSP said passage of the bill will inspire more confidence in the use of electronic payments, since it covers illegal activities such as phishing, where a scammer posing as a legitimate or trusted entity obtains sensitive information by illegally accessing an individual’s online account.

The bill will also prevent the opening of an e-wallet account under a fictitious name or using the identity or identification documents of another to receive and transfer or withdraw proceeds derived from a suspicious activity or cybercrime, said the BSP.