‘BPI wasn’t hacked, it’s human error’


THE report on unauthorized transactions involving Bank of the Philippine Islands (BPI) accounts two weeks ago will be completed by next month, but the Bangko Sentral ng Pilipinas (BSP) said preliminary findings showed the incident was a result of human error, not hacking.

“We conducted our investigation on the BPI incident. It isn’t complete yet, but I can say there was no hacking … This is human error,” Chuchi Fonacier, BSP assistant governor for the Supervision and Examination Sub-Sector, told senators during the hearing on the matter by the Senate Committee on Banks, Financial Institutions and Currencies on Wednesday in Pasay City.

The BSP finding is consistent with the testimony of BPI officials during the same hearing.

“We also informed our regulators that there was no breach of data privacy … An error in judgment on the part of one or more programmers led to an unscheduled file generation, causing us to post wrong entries,” BPI President and Chief Executive Officer Cezar Consing said.

For two days starting June 7, BPI disabled its online and automated teller machine (ATM) network to rectify an internal error that double-posted transactions made between April 27 and May 2.

The country’s oldest and third largest bank has more than 800 branches and 3,000 automated teller machines nationwide.

Fonacier said it is too early to talk about penalties because the investigation is ongoing.

“It would warrant a sanction if there were really violations of regulations, on banking laws, but it would also depend on how the banks took action on the problem. So those things need a really holistic assessment of the situation,” she said.

“If it’s a monetary sanction, P30,000 per day maximum … But we can’t also impose other sanctions as well—non-monetary sanctions. But, as I said, it would depend on the nature, whether they violated regulations of banking laws,” she added.

BDO ATMs hacked

Sy-led BDO Unibank told the same hearing only seven out of its 3,700 ATMs were compromised by a skimming hack last week.

“Seven ATMs affected … from three locations. We have disabled cards that we know have been compromised,” BDO Executive Vice President and Transaction Banking Group Head Edwin Romualdo Reyes said.

BDO advised customers last Friday to report unauthorized transactions through their accounts, saying the bank has obtained information about possible ATM fraud.

“The BDO case is different from that of BPI. The case is ATM skimming,” Reyes noted.

Skimming happens when illegal devices are installed to read the magnetic strip of an ATM card as transactions are ongoing. The bank received 95 complaints of unauthorized transactions that debited ATM accounts.

To prevent this from happening again, BDO is upgrading its ATM network.

The hacking incident points to the vulnerability of the magnetic strip card, BSP Financial Consumer Protection Department Head Pia Roman Tayag said.

“So, as early as 2013, we required banks to migrate to EMV, which is the chip, so they would no longer use the magnetic strip,” she said.

EMV is the global standard for chip-based credit and debit card transactions that are supposedly more difficult for fraudsters to hack into, compared with magnetic strip cards. The embedded chip contains unique transaction details that are activated each time the card is used. It is also protected by additional layers of security.

“We expected banks to be fully compliant this year. But because of all the requirements and things that have to be done for that to happen, the deadline has been moved to June 2018,” Tayag noted.

“But we put in place mechanisms to address the slight delay. So, as early as end-2016, we have put in place the liability shift framework to make it clear that when there is a compromised transaction, the banks that are not yet EMV-compliant will have the liability,” Tayag said.

The EMV Card Fraud Liability Shift Framework (ECFLSF) protects customers from any liability from the use of magnetic stripe cards. The liability is the burden of the bank or financial institution that is not compliant with the EMV requirement.

The framework is expected to accelerate compliance and speed up the dispute resolution and restitution process for customers who have valid claims as a result of fraud or a skimming hack.

The BSP mandated non-compliant banks to earmark provisions for probable fraud losses starting September 30, 2017, until full compliance is achieved.

