THE Senate Committee on Banks, Financial Institutions and Currencies believes that the systems glitch that hit two of the country’s biggest banks were caused by human error and theft, as it ruled out hacking or terrorist attack.
The panel headed by Sen. Francis Escudero, heard the testimonies of representatives of the Bank of the Philippine Islands (BPI) and Banco de Oro (BDO) who explained the causes of system glitches that affected millions of their clients early this month.
“What happened with BPI is a case of human error while the BDO incident involved theft or skimming affecting depositors using ATMs (automated teller machines),” Escudero concluded.
The probe was based on the resolution filed by Senate President Aquilino Pimentel 3rd.
BPI admitted during the hearing that the systems glitch it encountered on June 6, 2017 that affected their clients was caused by human error and not by external attack or hacking.
BPI President and Chief Executive Officer (CEO) Cezar Consing admitted that a data processing error caused “mispostings” in the accounts of at least 1.5 million of the bank’s eight million depositors.
To fix the problem, the bank took down its electronic channels which include ATM, internet and mobile banking; and point-of-sale transactions for 26 hours.
“I can assure the honorable chairman that we will continue to do everything we can to regain our standing with our regulators, clients, the lawmakers and the public,” Consing said.
BPI Executive Vice President Ramon Jocson said one of their lead technical persons who was tasked to extract a transaction report dated May 26 to 29 mistakenly accessed a different date from the their backup files.
Since she has access to the files and is familiar with the system, the staff could have tried to expedite the process and extracted a file dated April 27 to May 2 instead of May 26 to 29. Thus, all transactions made from April 27 to May 2 were extracted from the system leading to the creation of a new file which reflected in all ATM transactions made on June 6, 2017.
“So instead of the transactions on June 6, the batches were updated using transactions from April 27 to May 2,” Jocson explained.
The system affected by the error was the information switching technology system which runs the ATMs, cash acceptance machines and the point-of-sale system or the express payment system (EPS).
Jocson said transactions that were posted in the accounts of some BPI clients on June 7 were old transactions that they made between April 27 and May 2.
“These are all past transactions that were reposted,” he added.
Jocson said the claims made by some individuals that their BPI accounts have been credited billions of pesos were not true.
“The documents they presented to the public and to television, and radio stations were all doctored and fake,” he said.
“Categorically I can state that those who claimed getting P12 billion, P8 billion or even P1 billion on their account are all false,” he added.
A BDO official meanwhile said the bank’s ATMs were targeted in a “localized skimming tack.”
Edwin Romualdo Reyes, the bank’s executive vice president and head of transaction banking group, said seven ATM machines in three locations were affected based on the cases reported by clients.
To prevent further unauthorized transactions, BDO disabled the ATM cards.
“As a general rule, we validate all complaints received and begin the process of rectification immediately once validated,” Reyes told senators.
He gave assurances that the bank will reimburse all clients affected by unauthorized withdrawals.
ATM skimming is the unauthorized copying of the magnetic stripe information of ATM cards. Reyes said skimming is done using illegal devices that could read ATM card’s magnetic stripes while transactions are being done.
A second device is also used to obtain the ATM pin code. In the Philippines, a small pinhole camera is used to record the entry of the pin during transaction.
The BDO executive also gave assurances that the bank has started upgrading its ATM to prevent skimming.