BPI, BDO take preventive measures to avoid repeat of glitches, fraud

MANILA, Philippines – Two of the country's biggest banks assured the public there is no need to worry despite the glitches and scam that hit them recently, affecting customers.

Representatives of the Bank of the Philippine Islands (BPI) and BDO Unibank said this on Wednesday, June 21, during a hearing of the Senate committee on banks, financial institutions, and currencies.

They also said measures have been put in place to prevent a repeat of these incidents.

BPI president and chief executive officer Cezar Consing maintained there was no hacking involved when the bank's system had to be shut down for at least 26 hours in June. The problem was caused by one of their programmers' "error in judgment."

"We regret the error and we are working to ensure that there'll be no repeat of this unfortunate incident. We informed the regulators that there was no breach of data privacy. I can assure you, we will continue to do everything we can to gain our standing with our regulators, clients, the public, and you, lawmakers," Consing said.

Ramon Jocson, BPI executive president and head of the Enterprise Services Group, told the Senate panel that the programmer owned up to her mistake and has already been transferred to another area.

Jocson also said the programmer, who belonged to the top of her class, has no links to syndicates or groups.

BPI's system glitch happened on June 6 and lasted until June 8. It affected 1.5 million of the bank's 8 million clients, with the bank suspending its online and electronic services for a total of 26 hours.

Senate Minority Leader Franklin Drilon also allayed the public's fears, saying the issue is now "under control."

"It's under control. There is no reason to worry. It's a glitch, human error, no malice. The important thing is the bank is able to respond," Drilon said in an interview outside the hearing.

BDO, for its part, reported that 7 of its automated teller machines (ATMs) had been "compromised" due to skimming, but assured the public there is no need to be alarmed.

"BDO adheres to principles of quality control. BDO assures the public that there is no cause for worry," said Edwin Romualdo Reyes, executive vice president and head of the Transaction Banking Group.

Senator Francis Escudero, committee chair, said the probe has so far shown that the two banks are not liable.

"Magkaka-liability lamang kapagka intentionally may ginawang mali or may ginawang mali sa kapabayaan o negligence. Kung talagang pagkakamali o honest mistake, 'ika nga, maski sa ordinaryong buhay natin, walang liability ang nagkamali lang talaga. Maliban na lang kung negligent 'yung pagkakamali or intentional," Escudero said.

(There would only be liability if there was an intentional wrongdoing or an error out of negligence. But if it was an honest mistake, just like in our ordinary lives, there is no liability unless it's out of negligence or intentional.)

Escudero said he would still study the possibility of holding a second hearing on the matter.

Steps taken

To prevent another massive error in the future, BPI said it has set up 4 mechanisms, including the creation of so-called "automatic circuit breakers" that would warn the bank of high-volume transactions. The bank would then be able to check the reason for such high volume. If nothing extraordinary is spotted, the bank would give a go signal for transactions to continue.

Second, the bank is setting up multiple "restore points" to expedite the recovery of its system should it experience problems.

During the glitch, BPI spent a long time fixing its system because it had to post back a total of 6 days' worth of transactions in a single day.

"Ang importante with any complex system is you have the ability to recover. In the future, we will avoid reoccurrence. This gives us something to think about. What we need are more restore points. At least every step makaka-recover kami agad," BPI said.

(What is important in any complex system is the ability to recover. In the future, we will avoid a reoccurrence. This gives us something to think about. What we need are more restore points, so that in every step we could easily recover.)

The bank is also optimizing its "memo posting program process" to upgrade its deposit system. This means it doesn't have to shut down its online system while conducting batch runs at the end of the day.

"Kasi 'yung ginagawa namin, hindi ho namin na-optimize for two years, 'di namin nagalaw. (What we did, we were unable to optimize it for two years.) We're now in the process of upgrading our deposit system. So by the end of this year, deposit system will be 24/7. Meaning to say, we do not have to stop the online system habang tumatakbo kami ng batch runs (while we're doing batch runs)," BPI said.

Lastly, to be informed of any discrepancies ahead of everyone else, the bank has moved its "branch reconciliation process," or the process of going to BPI branches to check on the availability of cash, to 4 am, earlier than the usual 8 am.

This is because BPI found out about the glitch from its customers around 6:30 am of June 6, or nearly two hours before their scheduled branch visits. At the time, the public had already expressed grave concern over "lost money" and other "mispostings."

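"Bakit 'di nahuli nang mas maaga? In fact, the warning flag came from our clients. We learned that around 6:30 [am]. There is a process that we do called reconciliation. Before the branches open at around 8 am, we take a look at the cash on hand, kailangan mag-deliver ng pera. Kailangan magbalanse ng ledger, kailangan we deliver cash, we fill up ATMs. We could have seen that earlier," the bank said.

(Why wasn't it caught earlier? In fact, the warning flag came from our clients. We learned that around 6:30 [am]. There is a process that we do called reconciliation. Before the branches open at around 8 am, we take a look at the cash on hand, money needs to be delivered. The ledger needs to be balanced, we need to deliver cash, we fill up ATMs. We could have seen that earlier.)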

BDO, for its part, is set to upgrade all its 3,700 ATMs nationwide by the end of the year to prevent new types of theft.

BDO, as ordered by the Bangko Sentral ng Pilipinas, is migrating its clients from the 50-year-old magnetic stripe ATM cards to the EMV chip, which is more secure against skimming.

The bank has also set up its fraud team to anticipate cybercrime attempts or threats. – Rappler.com

Camille Elemia
