Incidents like the RCBC money laundering scandal are a reminder for banks that the best defense against security breaches is constant attention to strong fundamental best practices, especially the standards applied to bank executives and employees.
A few years ago, the story of the stunning electronic robbery of Bangladesh’s central bank would have existed only in a movie script. That institutions like the Federal Reserve Bank of New York and the highly secure SWIFT communication system could be rather easily ensnared in a globe-spanning operation—which eventually embroiled the RCBC bank in the Philippines as the landing place of the pilfered funds—seemed unreal. But there it was, splashed across the headlines every day for a couple of months.
One can hardly have a conversation about banking issues now without the story and the larger topic of banking security being brought up. That, Maybank Philippines President and CEO Herminio Famatigan Jr. seems to think, is a good thing.
“That wasn’t a wakeup call, it was a reminder,” he said in a discussion I had with him and Maybank PH corporate affairs head Eric Montelibano earlier this week. The security risks are real, and if anyone in the banking sector had become a little complacent, the stark facts that the SWIFT system, which had never been breached and was generally thought to be ironclad, the US Fed, and even RCBC, which in terms of safety and security was considered as sound as any other respectable bank, were all compromised definitely should have, in Famatigan’s view, brought everyone back to reality quickly.
“It reminds us to constantly monitor and strengthen our fundamentals,” Famatigan explained.
“That’s really where security begins. Solid fundamentals – know your customer, due diligence. It’s become a lot more complicated. That’s true. It used to be that you would always know exactly who your client was, but with electronic transactions happening in the background all the time, it’s become more of a challenge. Even so, the fundamentals are still the same.”
Naturally, Famatigan was very complimentary towards his own bank’s management of security.
“Maybank has one of the highest standards I’ve seen,” he said. To his and Maybank’s credit, however, that is not a completely biased view. The Maybank group, the largest banking group in Malaysia, was one of the first, if not the first outside bank to cut all connections with the scandal-ridden Malaysian government-owned 1MDB development firm when uncomfortable questions about its finances began piling up a few years ago.
In terms of what Maybank Philippines has done in the wake of the trouble that beset RCBC, Famatigan explained that the scandal across town spurred a comprehensive review of bank policies and a stern reminder to the people within the organization to redouble their efforts to follow sound fundamental best practices. “We also are testing all our policies and procedures, and updating things if we have any concerns,” he added.
Maintaining a firm level of banking security is a constant job, Famatigan stressed. “You have to invest in protection. The security risks are constantly evolving, your processes and safeguards have to evolve, too,” he said.
Knowing that the Philippines’ banking sector is, for the most part, being managed by people with Jun Famatigan’s sensible perspective is reassuring, but it also reminds us that the one permanently weak element in any bank’s security framework is its people. In the Bangladesh Bank heist, in spite of the skill of the hackers in breaching the SWIFT system and the internal systems of the bank in Dhaka, what they accomplished would not have been possible without people in the right places to bypass other more basic safeguards. There was evidently involvement of insiders at Bangladesh Bank, at least in terms of leaving a few gates unlocked in the bank’s systems; and, of course, there was clear involvement of people at RCBC.
The risk of a rogue in the organization can probably never be entirely eliminated, but it may be one area where attention to fundamentals should be revisited. Standards for banking personnel as handed down by the BSP are rather general in nature; beyond specifying that business conflicts of interest, delinquent financial obligations, or actual criminal activity are grounds for disqualification, they only mandate that the banks choose their people on the basis of sound ethical character and appropriate education and competence. The banks and the BSP would argue those conditions are adequate boundaries on banks’ managerial judgment to choose their own people, and they would be right . . . right up until the time the standards fail to prevent an international incident involving tens of millions of dollars.
No matter how sophisticated any system to prevent fraud or loss is, it is ultimately reliant on the weak variable of the human personality to make it work effectively. In any bank’s security and risk reduction strategy, people should have a permanent place as the first item on the list.