The Bangko Sentral ng Pilipinas (BSP) on Wednesday, Jan. 4, said it has directed Bank of the Philippine Islands (BPI) to submit regular or even hourly updates on how it is resolving the technical glitch after the Ayala-owned bank issued an advisory on the incident.
“The BSP has instructed BPI to submit a timeline and updates on the reversal of its erroneous transactions,” said BSP in a statement.
The BSP also assured the banking public that “it is closely coordinating with BPI in relation to the double debit transaction incident affecting BPI accountholders.”
“(BPI) already identified the root cause of the operational error and committed to reverse the erroneous transactions and restore mobile and internet banking services the soonest possible,” said the BSP.
In an advisory posted on Jan. 4 on its Twitter account @TalktoBPI, BPI stated that some automated teller machine (ATM), cash accept machine (CAM), point-of-sale (POS), and e-commerce debit transactions from Dec. 30 to 31 were posted twice.
BPI in an update said, "please be informed that we expect correction of the duplicate transactions within the day (Jan. 4)." It added that "given the high volume of inquiries on our banking online channels, you may experience intermittent access to our web and mobile app platforms. Rest assured that your account is safe and secure."
Since November 2018, the BSP has issued rules for the quick reporting on technical glitches and other cyber-related issues of banks.
Banks deal with the threat of cyber-related attacks on their cash machines on a daily basis. Other threats that banks and non-banks have to watch out for every day are data breaches and financial losses resulting from compromised cybersecurity systems.
The BSP recognizes a need for public disclosure of incidents such as technical glitches.
In the past, banks were required to report cyber-related issues within 10 days after they happened. However, in 2018 the BSP approved a new rule directing banks to report cyber-related incidents such as technical glitches within two hours of first detecting the crime. This is to prevent further disruption of financial services and operations, such as when a data breach has occurred, described by the BSP as “an incident in which sensitive, protected or confidential data or information has potentially been viewed, stolen, leaked, used or destroyed by unauthorized persons.”
If hit, local banks are ordered to submit to the BSP a follow-up report within 24 hours of the incident, and this should contain information such as the manner and time of initial detection, the impact of the incident, and the initial remedial response.
Quick reporting is key to stopping cyber-related crimes or internal operational glitches from spreading. The BSP said this is necessary due to the “speed of exploitation, proliferation of attack tools and actors, and potentially massive extent of damage”.
BSP Circular No. 1019 (Technology and Cyber-Risk Reporting and Notification Requirements) detailed the guidelines for banks’ periodic reports or annual IT profile and event-driven reports on cyber-related issues.
Reportable major cyber-related crimes include anything that would “seriously jeopardize the confidentiality, integrity or availability of critical information, data or systems of BSP supervised financial institutions.” These would include a “compromised state,” when someone or something has maliciously broken into networks, systems and computers; data breach; hacking; pharming (a form of cyber attack that redirects website traffic to a fake website); spearphishing; and threat actors (a person, an organized group or a government that has superior capabilities to cause major damage to institutions).
Security events or attacks that could be stopped by security systems do not need immediate reporting and are not considered major reportable incidents. However, these could become major incidents if a multitude of customer accounts were hit, such as through the fraudulent transfer of large sums of money.