Several banks and non-banks may have been used to transfer the stolen cash from BDO Unibank Inc. when its cybersecurity system was hacked last weekend, based on the initial investigation of the Bangko Sentral ng Pilipinas (BSP).
The BSP did not identify the other banks involved in the BDO hacking crisis, other than Union Bank of the Philippines (Unionbank), or the names of the non-banks which could be e-money services, remittance/foreign exchange centers, or even pawnshops.
**media**
BSP Director Melchor T. Plabasan of the Risk and Innovation Supervision Department said on Friday, Dec. 17, that Unionbank may not be the only destination or receiving bank for the hacked accounts.
“Based on surveillance, there are other financial institutions both banks and non-banks, but we are not yet at liberty to disclose because we have to confirm that by our investigation,” said Plabasan during an online BSP press briefing.
The BSP has created its own task force last Monday, Dec. 13, to conduct its own investigation with the cooperation of both BDO and Unionbank, legal and cybersecurity experts, as well as anti-money laundering experts.
With the involvement of other banks and non-banks, Plabasan said the BSP is expanding the scope of their investigation. “There may be other institutions -- other than Unionbank -- which may have been used to funnel away the stolen funds. We also want to get to the bottom of that particular issue or concern,” he said.
Meantime, the central bank is also currently looking into these allegations from the affected depositors as to the issue of BDO requiring hacking victims to sign quitclaim forms before reimbursing losses.
“The quitclaim form is actually a waiver of the right of the customer to pursue further actions against the bank. It’s a consumer protection issue and probably a public policy consideration. We are now reviewing parameters of this waiver and we’re also engaging our legal experts in the BSP to check whether they are consistent with our financial consumer protection policies,” said Plabasan.
As of this moment, Plabasan said less than one percent of the total banking market have fallen victims to cyber-related crimes.
“We’re checking the number of accounts which have been compromised – not only with this incident (BDO) but some of the phishing incidents. It’s still way, way below one percent relative to the total size of the market,” he told reporters. “The chances of you becoming a victim of this incident is very minimal,” he added.
Plabasan said the BSP is working closely with the industry to ensure that the losses will be reimbursed and for the banks to continuously upgrade their security systems.
“I think it’s still generally safe to use our banking system. We are not underestimating the losses that were suffered by those customers who were unduly affected by this incident,” he said.
The BSP task force is expected to submit its recommendation to the Monetary Board after 30 days or by mid-January next year. Recommendations include sanctions and penalties to be imposed on the involved banks and possible other non-banks.
BDO has tagged 700 clients with hacked accounts and they are in the process of returning their deposits as Dec. 17.
Unionbank, in the meantime, has identified at least six “persons of interest” during the course of its own investigation to clear out its system of fraudulent accounts.
“It’s still premature or too early to tell whether we are going to resort enforcement action of monetary or non-monetary sanctions. But then again, imposing sanction is also part of the regulatory framework to ensure that we are able to achieve the desired change and also to mitigate further risk,” said Plabasan.
The BSP’s task force will identify vulnerabilities and non-compliance with central bank expectations in managing cyber and anti-money laundering related risk.
The taskforce will be led by BSP Deputy Governor Chuchi G. Fonacier, Plabasan, and the Anti-Money Laundering Council.