Senate to await BSP report on bank ‘glitch’ before further inquiry

Posted on June 22, 2017

THE BANK of the Philippine Islands (BPI) and BDO Unibank, Inc. (BDO) faced the Senate Committee on Banks, Financial Institutions and Currencies after separate incidents of deactivation of automated services a week apart, on June 7 and June 16.

Senator Francis G. Escudero, chair of the Senate Committee on Banks, Financial Institutions and Currencies, holds up a sample of an ATM keypad during his committee’s inquiry on Wednesday. -- PHOTO COURTESY OF SENATE
But there was nothing clear about the committee’s next step after hearing assurances from officials of the two banks about their banking service, these incidents notwithstanding.

“Actually, we used it as a venue to placate fears dahil ang daming balitang lumalabas (because there was a lot of news coming out),” Sen. Francis Joseph G. Escudero, committee chairman, told reporters after the hearing that the committee conducted in a mere two-plus hours.

“Kung kinakailangan pa magko-conduct kami ng isa pang inquiry pero titignan na muna namin yung final report ng BSP (If we have to, we will conduct another inquiry, but let’s see first the final report of the [Bangko Sentral ng Pilipinas]),” the senator also said, referring to the BSP’s own inquiry into those incidents.

“Uulitin ko, para lang mapagbigay alam sa publiko kung ano ba talaga ang nangyari at hindi sila mag-alang alang kaugnay sa seguridad ng kanilang deposito sa bangko,” Mr. Escudero added. (I reiterate, this is just to let the public know what really happened and to ease their concerns about the security of their deposits.) He also said, in a separate text message when further sought for comment, that BSP’s final report “may contain recommended legislation if any.”

BPI officials, in their testimonies and presentation, reaffirmed that the deactivation of their automated services on June 7 was not a result of hacking but an “error in judgement from one of (our) programmers.”

Without naming the programmer, BPI executive vice-president Ramon L. Jocson said: “this particular person is to be blamed,” but that she had also “owned up to committing the mistake.”

BPI president and CEO Cezar P. Consing, for his part, described this episode as being “a case of human error.”

Bank officials stopped short of identifying the since-reassigned employee, whom they nevertheless referred to as “she.” Mr. Consing, for his part, quantified this episode’s setback, saying the shutdown, “for a period of 26 hours spread over a period of 37 hours,” affected 1.5 million of the bank’s 8 million clients.

BDO officials, for their part, cited three separate incidents of ATM “skimming” in seven out of its 3,700 machines which compromised the debit cards of at least 95 clients.

Edwin Romualdo G. Reyes, BDO executive vice-president and head of the Transaction Banking Group, also said fraud attempts were observed in May and June even as he emphasized such incidents were isolated. The bank official reminded clients who notice unauthorized withdrawals to file their complaints through the proper bank channels as social media posts are not actionable.

Affected clients would be reimbursed after a proper investigation and card replacements are free.

Those who find their cards blocked can get a free replacement from their branch.

Mr. Reyes also said BDO is upgrading its ATMs, with 1,000 machines already done and the rest of the work to be completed by the fourth quarter of the year.

He assured clients that BDO has a live, real-time fraud system that tracks transactions to determine suspicious or off-pattern withdrawals or purchases. A team also works 24/7 to monitor the system and investigate cases, often anticipating potential skimming attacks and blocking cards to deny fraudsters access to the funds.

Mr. Reyes also said EMV (Europay, MasterCard and Visa) migration, which has been continuing since last year, has made cards more secure and fraud-proof.

Philippine banks are largely relying on the full use of the microchip-based cards, ahead of the deadline set by the BSP, to thwart card skimming and identity theft, with the chip-based system expected to help raise security standards.

BSP Deputy Governor Nestor A. Espenilla, Jr. said shifting to the EMV platform is the “long-term” solution versus skimming, often done by installing data-capturing devices on automated teller machines (ATMs) to steal client data.

“Everywhere in many countries, ATMs are being hacked through skimming so what happens is those who use the ATM get their identities stolen... but it’s very localized. Banks generally make good on those, it’s their responsibility, but the strategic solution is EMV. That’s why the BSP has been urging the banks to implement the EMV as soon as possible,” Mr. Espenilla told reporters late Tuesday during a testimonial dinner hosted by the Bankers Association of the Philippines.

The EMV card system is currently the international standard as it is deemed more secure compared to the magnetic strip cards, as the latter can be easily duplicated by skimmers.

BDO said it is in the middle of distributing EMV-enabled cards to its depositors. “We are EMV-enabled as most banks are. The problem is conversion, because you cannot do one time for all cardholders, point-of-sale terminals, and ATMs,” BDO president Nestor V. Tan said separately.

Among the common skimming devices used by thieves are keypad overlays and secret cameras, as well as deep inserts, which are placed on ATMs to copy the card data and passwords of unsuspecting bank clients.

Mr. Consing of BPI, for his part, said they will start replacing magnetic strip debit cards starting July this year, ahead of next year’s deadline.

The BSP gave Philippine banks a June 30, 2018 deadline to fully adopt the EMV system, starting with the replacement of all existing debit and credit cards as well as the upgrading of back-end and ATM terminals.

This is well beyond the original Jan. 1 deadline set by the regulator when it announced the EMV migration in 2014.

A year away from the deadline, the BSP also required banks to put up reserves for potential card fraud in their balance sheets to shoulder the burden of possible theft cases for all non-EMV cards still in use.

Both BDO and BPI noted that they are “significantly” ramping up investments in technology upgrades and cybersecurity to catch up with the “very challenging” environment where thieves are able to innovate as the financial entities raise their guards. -- additional report by Melissa Luz T. Lopez and with reports by