Several banks and non-banks could have been used to transfer the stolen cash from BDO Unibank Inc. when their cybersecurity system was hacked last weekend, based on the initial investigation by Bangko Sentral ng Pilipinas (BSP).
The BSP did not identify any other banks involved in the BDO hacking crisis other than the Union Bank of the Philippines (Unionbank) or the names of the non-banks which are e-money services, remittance / foreign exchange centers, or could even act pawn shops.
BSP director Melchor T. Plabasan of the Risk and Innovation Monitoring Department said on Friday, December 17, that Unionbank may not be the only target or recipient bank for the hacked accounts.
“Due to the surveillance, there are other financial institutions, both banks and non-banks, but we are not allowed to disclose this yet as we have to confirm this through our investigation,” said Plabasan during an online press conference of the BSP.
Last Monday, December 13th, the BSP set up its own task force to conduct its own investigations in cooperation with BDO and Unionbank, legal and cybersecurity experts and money laundering experts.
With the involvement of other banks and non-banks, said Plabasan, the GNP is expanding the scope of its investigation. âThere may be other institutions – besides Unionbank – that may have been used to remove the stolen funds. We also want to get to the bottom of this particular problem or concern, âhe said.
In the meantime, the central bank is also currently investigating these allegations by the depositors concerned with regard to the BDO, which requires hackers to sign termination forms before reimbursing losses.
âThe cancellation form is actually a waiver by the customer of further lawsuits against the bank. It is a consumer protection issue and likely a public policy consideration. We are now reviewing the parameters of this disclaimer and are also commissioning our legal experts in the BSP to check whether they are compatible with our financial consumer protection guidelines, âsaid Plabasan.
According to Plabasan, less than one percent of the entire banking market is currently victims of cybercrime.
âWe check the number of compromised accounts – not only for this incident (BDO), but also for some phishing incidents. It’s still well under one percent relative to the total size of the market, âhe told reporters. “The likelihood of becoming a victim of this incident is very small,” he added.
Plabasan said the BSP is working closely with the industry to ensure that losses are reimbursed and that banks continuously update their security systems.
âI think it’s still generally safe to use our banking system. We do not underestimate the losses suffered by the customers who were unduly affected by this incident, âhe said.
The BSP task force is expected to present its recommendation to the Monetary Board after 30 days or by mid-January next year. The recommendations contain sanctions and penalties that are imposed on the banks involved and possibly other non-banks.
BDO has tagged 700 customers with hacked accounts and they are about to pay back their deposits on December 17th.
Unionbank has now identified at least six “persons of interest” as part of its own investigation into its fraudulent account system.
âIt is too early or too early to say whether we will use monetary or non-monetary sanctions in enforcement. On the other hand, the imposition of sanctions is also part of the regulatory framework to ensure that we achieve the desired change and also reduce further risks, âsaid Plabasan.
The BSP task force will identify vulnerabilities and non-compliance with central banks’ expectations in managing cyber and anti-money laundering-related risks.
The task force is led by Deputy BSP Governor Chuchi G. Fonacier, Plabasan, and the Anti-Money Laundering Council.
SIGN UP FOR THE DAILY NEWSLETTER
CLICK HERE TO SIGN IN