21 June 2017
SENATE HEARING: BANK GLITCHES

TRANSCRIPT

SENATOR CHIZ ESCUDERO (CHIZ): The hearing of the Committee on Banks, Financial Institutions and Currencies is hereby resumed. The Chair would like to recognize our distinguished Minority Floor Leader, Senator Franklin Drilon. Good morning, Sir. For the record, may I ask the Committee Secretary to kindly acknowledge the presence of our invited guests for this morning's meeting?

COMMITTEE SECRETARY (COMSEC): Good morning, your Honors.

CHIZ: Good morning. The Chair would like to make some preliminary remarks. The Chair would like to clarify that the basis for this inquiry is Section 2 of the rules on inquiries in aid of legislation, taking into consideration the resolution filed by Senator Koko Pimentel, namely PSRN Resolution 403. Under the current rules on inquiries in aid of legislation, any Senate committee can look into any matter within its jurisdiction, especially given the current situation with respect to what happened to both BPI and BDO.

The objective of the Committee is this: we want this venue to placate any further speculation with respect to what is going on, to placate any concerns that the public may have with respect to the security of our banks, to outline the procedures so that this can be avoided in the future, and also to show how any depositor who may have been affected can file a grievance or a claim in order to recover what may have been lost, if any.

Let me also make clear that our purpose here is not to disclose any secret that could be obtained by anyone who wants to take advantage of the banks, so we will take every care in this hearing with whatever information is requested and may be given. We reserve the right to go into executive session if necessary, but I don't think that will be the case, given that I have already expressed my intention to the representatives of the banks: to explain in layman's terms what happened, so that the public can understand, without your disclosing the secrets of the safeguards in your IT and computer systems that could be used for ill intent against the programs the banks use.

So, to restate: number one, we would like to find out from BPI and BDO exactly what happened; number two, what has been done and what will be done moving forward to avoid a similar occurrence; number three, what has been done or is being done with respect to depositors who may have been affected.

Let us also understand that there are those taking advantage of the situation, saying they lost money even though they did not. For the record too, based on previous discussions with the BSP and some bank officials, the stories circulating that someone's balance increased by P1-B or P2-B or P12-B are clearly fake, because given the circumstances surrounding what happened that is a sheer impossibility. First of all, you cannot deposit that much money at an ATM; the machine would spit it out. And also to clarify what rights a depositor may have should this situation happen in the future, so that they can sleep at night knowing that if this happens, it is okay, whatever is lost will be recovered, and what the liability of the banks is, if any, should that happen. With the permission of Senator Drilon, may I start by asking BPI?

SENATOR FRANKLIN DRILON (FD): Mr. Chairman, can we make a preliminary statement?

CHIZ: Yes, the distinguished minority floor leader is recognized.

FD: Mr. Chairman, in a TV interview this morning, the Chairman very clearly emphasized that he would exercise extreme caution and is conscious of the fact that the hearing this morning could lead to a lot of unnecessary conclusions, and I'm glad that the Chair is referring to the record of purpose of calling this session, because I join in putting on the record that we should exercise extreme caution so that this hearing would not result in public trust in our banking system being eroded.

We have two of the biggest banks here before us, BPI and BDO, and I think it's our responsibility to reassure our people that the banking system is stable, that this hearing is being conducted in order to find out what happened, but at the same time we should never forget that this single incident should not in any manner throw any doubt on the stability of our banking system.

Mr. Chairman, I defer to your judgment. I will not raise any questions on our ability to hear this case when the resolution was filed after the Congress joins in the bill. The Chair cites Section 2; in the meantime we defer to the opinion of the Chair out of respect, and we proceed on those grounds, Mr. Chair.

CHIZ: The Chair would like to thank Senator Drilon, our distinguished Minority Floor Leader, for his comments, statements and opening remarks. Moving forward, on the principle of first in time, first in right, may I ask BPI first.

Let me repeat: in layman's terms, without revealing any security measures and safeguards in your IT systems, what exactly happened that resulted in several transactions being reposted on June 6, resulting in a decrease or increase in the deposit balances of some of your depositors through an ATM card? Who will speak, Mr. Consing?

RESOURCE PANEL (RP): Honorable Chairman, may I be allowed to be recognized?

CHIZ: Mr. Consing, you are recognized, Sir.

RP: Thank you, Honorable Chairman. Honorable Senator Chairman Francis Escudero, Honorable Senator Drilon, Honorable senators, BSP officials, and other officials present today, good morning! I am here today with four of my colleagues, experts in their respective areas. We will try to share with you as much detail as we can about the internal data processing error that occurred on June 6, 2017. Mr. Jocson is here, head of our bank's infrastructure, to provide you with an IT presentation. To my right is the head of our consumer bank, who will share with you how the incident affected our customers. Also with me today is Natividad Noel Alejo, head of our microfinance arm and president of BPI Family Savings Bank. Rounding out our team is Mayette Gayere, our chief compliance officer.

Your Honors, thank you for the opportunity to explain how this all happened, the actions we took to correct the error, and the steps we have taken to prevent the occurrence of similar incidents. We believe that your understanding of the circumstances surrounding the incident will help you in considering and filing legislation that further strengthens the country's banking system.

The data processing error caused (inaudible) in the accounts of about 1.5 million of our 8 million clients. These misposting amounts were much, much smaller than some of the figures that were circulating prominently in social and other media. To fix the problem we needed to take down our electronic channels. Basically these are services related to ATM cards, internet banking, and mobile banking. We took them down for a total of 26 hours spread over a period of 37 hours, from when we first took our channels down to ultimate resolution. This inconvenienced a great number of clients. We deeply regret the inconvenience caused by this time gap. We have been in continuous contact with the BSP and all other regulators since the incident; we shared with them the configuration and processes of our IT system, a robust system that handles an average of three and a half million transactions per day.

We also informed them that our investigation revealed that this was a case of human error and not hacking. We also informed the regulators that there was no breach of data privacy. Finally, we shared the actions we took to make things right, from the correction of mispostings, to the reversals or waivers of penalties and charges, to the longer banking hours, to the continuous streaming of client advisories. I can assure you, Honorable Chairman, that we will continue to do everything we can to regain standing with our regulators, clients, the public and you lawmakers. Thank you very much, your Honors.

CHIZ: Mr. Consing, will Mon make a presentation?

RP: Yes, Honorable Chairman.

CHIZ: Again, just to remind you, Mon: without revealing any information that may be used by anyone who would like to take advantage, and without violating any of the current confidentiality or secrecy laws. You may proceed, Sir, with your presentation.

RP: Thank you, Mr. Chairman.

CHIZ: You will explain what happened.

RP: Mr. Chairman, what I will take you through is 'what happened', 'what we did', 'what the impact was', and then 'what we will do in order to avoid any future recurrence'. And then, after that, your Honor, I will hand it over to my colleague, Mr. Gotuaco, who will talk about what we did for the clients.

So let me first start, your Honor, with this chart. I need to give you first a context of how we do processing in the bank. The bank's processes are fully automated, or nearly all automated, and there is a process which we call end of day processing. So what happens is, during the day, whenever you transact with us, whether through ATMs or teller systems or our other systems, what our systems do is post temporary credits or debits to your balances. But that does not update the balance. We do that updating of the balance at night when we run our batch, because at night we also do other update transactions like computation of interest, updating of loan balances and so on. So, your Honor, the system that was in question was this one, the ATM system; this is the information switching technology system which drives our ATMs, our point of sale systems and our cash acceptance machines. So again, your Honor, these are all ATM withdrawals, deposits through our cash acceptance machines and all transactions done through our express payment system using point of sale systems. So this was the system that was affected, your Honor. Before I go on, what happens is that at around 8PM, your Honor, the automated system extracts files from each of the systems, so we have the ATM system, the loans system, trade systems, remittances, tellering systems, any system, your Honor, which posts transactions to our clients' accounts feeds and extracts a file; we call that a transaction log file. So each one of those, your Honor, at 10PM is picked up by our central database and that's when we do the update, your Honor. So, on a normal day what happens is that at 8PM each one extracts, and then at 10PM the central server picks them up and updates all the balances. And then what we do is take a copy, a flash copy, of that database at that point in time, and then we open all electronic channels. That is quick. What our clients see is that we take it down for 15 minutes and then we switch over.

So the other thing about this system, your Honor, is that it is a closed system; it is not connected to anything external. So again, this is not connected to the internet. This is a closed system; its only connection is to the mainframe, mainframe computers, and each of these runs on other servers, your Honor, with their own work. All other transactions we have are just passed on as batch files, your Honor, so there are no direct connections to the internet. That's what we mean by closed system. Next page please, so what happened. So let me take you to June 6. On June 6, your Honor, we have depositors who go abroad and then use the ATM machines abroad to withdraw money. So on June 6, we needed to reconcile a report from May 26 to May 29, because one of our correspondent banks...

CHIZ: Monday, April.

RP: May 26 to May 29, your Honor; I mean what was entered was April 27 to May 2. So, your Honor, what happened: the request was for transactions that were done using the switch from May 26 to 29. That was the request given by our shared operations group to one of our lead technical persons.

Now, this system, your Honor: there are only twelve people who are trained in this system. Out of the twelve, only two have access to the system. The specialist in question is one of the two. So, she was assigned to extract a report and she was instructed to take it from our back-up files. Now, in order to get it from the back-up files, she has to route a request and inform her superior that she is going to do something in the back-up environment. What she did was, maybe because of experience, since she already had access to the production file and she knew that it could be done more expediently on the production file, the temptation was there, and in order to rush the report she said, I can do it in production. So she generated the report in production and extracted the file. Now the file contained, instead of May 26 to May 29, the dates she entered in our online system, which were April 27 to May 2. In effect, all transactions from April 27 to May 2 were extracted. And it created the file called IST, after the name of the system; that is our naming convention, and it gave it the date June 6, 2017. So in effect, this was submitted around 3PM and it concluded around 6PM, and she left the file there, OK.

Now, if you go to the next page, so what happened, your Honor, at around 8PM the extraction took place, but since a file had already been created, it created another file called 'point one'. OK, so if you use Windows as an example, if you have a duplicate file you call it 'copy one'; we are using Unix here. In Unix the convention is 'point one'. So it doesn't replace the file, it just creates another file. They give it the extension point one.

If you go to the next page, so what happened, your Honor, was that at around 10AM it pulled this file, the April 27 to May 2 file, instead of the June 6 file. In effect, your Honor, the balances were updated using transactions from April 27 to May 2 instead of June 6. That's what happened, your Honor.

So what was the impact? If you go to the next page, so again, let me reiterate this covered only transactions at our ATMs, our point of sale systems and our cash acceptance machines. You can only withdraw money from ATMs. You deposit money through our cash acceptance machines. So I'll give you an illustrative example, your Honor: if you are a client whose balance changed, what happens is, if you had Php10,000 at the start, but on April 27, 28, 29 you withdrew Php3,500 and Php4,000 respectively, suddenly you would see your balance at Php2,500 because these transactions were reposted.

So let me reiterate, your Honor, the transactions that were reposted were your own transactions, but from a certain point in time in the past, OK. No transactions from other clients crossed over to other clients, so these were all your own transactions in the past that were simply brought back. Now, what about a credit example: if someone deposited at our cash acceptance machines, let's say Php100,000 on April 29 and Php6,000 on April 29, suddenly you see your balance at Php116,000. Now, the average debit, your Honor, when we looked at it across the 1.5 million clients which Mr. Consing mentioned, was around Php7,700; the average credit Php7,200. So that is what our clients saw when they opened on June 7. Now, please note the only way that you can reach a billion: there are people saying they had Php12-B, but let's take for example Php1-B only. In order for you to reach Php1-B over the five days, you would have had to deposit Php200-M per day. Now, in the cash acceptance machine, the highest bill you can feed is Php1,000. You feed it every two seconds. So theoretically, in one minute you can feed around Php30,000, times 60 minutes, in one hour Php1.8-M. So in order for you to do Php200-M a day you would have to do it across five machines, without stopping for 24 hours, just feeding Php1,000 bills. The other thing about this, your Honor, is that it is rather impossible because our cassettes get full at Php4-M. So at Php4-M it will tell you to move, it's full. So, categorically, I can state, your Honor, that those who posted Php12-B, Php8-B, Php1-B are all false. The documents that they presented to the public and to the TV stations and radio stations are all doctored and fake, your Honor.

So if I go to the next page, your Honor, what we have restored: I think, as Mr. Consing mentioned, our recovery was done over a span of 37 hours, but during that time there were lapses when we opened our channels, so 24 hours was our total downtime. What we did was to repost back, so whatever was a credit we reversed, and whatever was a debit we reversed.

What we need to do to prevent a recurrence: now, during the day, your Honor, the transactions in our ATM system surged from an average of Php2-B to Php10-B because of the 5 days; instead of one day it became 5 days. So what we have imposed now, your Honor, is an automatic circuit breaker: when it reaches Php10-B, or more than Php1-B of transactions, it will stop our production system and it will ask whether to proceed or not. So we installed a circuit breaker, your Honor. The second thing we are doing is addressing our time to recovery, your Honor. Why did it take so long before the system came back? Because, your Honor, we had to post back five days' worth of transactions and one day of valid transactions, so six days' worth of transactions we did in one day, which is why it took long. So what we will do, your Honor, is put in more restore points, because what is important with any complex system is that you have the ability to recover. In the future we will avoid this recurrence, but this also gives us something to think about, that maybe what we need to do is to put in more restore points so that at least at every step we can recover immediately. Now, the third thing that we need to do, and we're doing already: what we use for the reversal we call memo posting. Our memo posting program we have not optimized for two years. We have not touched it because we are now in the process of upgrading our deposit systems. So by the end of this year, the deposit system will be 24/7, meaning we do not have to take down the online systems while we run batch runs. So we somewhat neglected it because of that, but what we're doing now is optimizing that. The last thing that we need to do, and probably this is the question that you will ask: why did we not catch it earlier? In fact, the warning came from our clients telling us that their balances were like that. And we learned that maybe around 6:30PM.

There is a process that we do, your Honor, which is called reconciliation. Before the branches open, around 8:00AM, our shared services group takes a look at cash on hand, because we need to deliver cash to the different branches. Our ledger needs to balance, and then we deliver cash to the branches that need cash, and we fill up the ATMs that need cash. We could have seen that in the report, your Honor, because you would see that withdrawals were Php10-B, not balanced. So, what we're going to do, your Honor, instead of 8:00AM, we are going to move that up to 4:00AM; the moment we stop our batch run, we do the check first before we open up our channels.

So, that is what happened, your Honor; it was just because of an error in judgment of one of our programmers, where the programmer in question thought that maybe this was a faster way of doing it and delivering the assignment she was tasked to do. Because of that there was an unscheduled file generation which then caused us to post wrong entries, which we were able to then reverse, your Honor. And these are the remedial actions that we are taking to prevent a recurrence, your Honor.

CHIZ: Who will present next? Finish first, Sir. We will discuss what has been done and what was done to address the concerns of the depositors. Thank you.

RP: Yes, Mr. Chairman. I also have a short presentation, and what I hope to take you through is how we responded. You'll see how a branch banking system mobilizes to compensate for the incident.

CHIZ: You may proceed, Sir.

RP: Thank you, Sir. So, let me begin. At BPI, we serve about 8 million customers, and the most basic of the services are what you call deposit, withdrawal, and lending transactions. Those services are provided in the most basic of channels, which we call our branches, and in BPI we call it the branch of account. We extend these services, as you see in the boxes on the right side of the slide, to add convenience to our customers, and that convenience is transactions such as fund transfers, remittances, payment of bills, and what we call an inter-branch transaction, which in BPI is branded Bank Anywhere, which means that if you open your account at one branch, you should be able to transact at another branch where you did not open that account, for no extra charge. So, that is a convenience to our customers. And in addition to that, for our customers who do not wish to bank in the branch, we also offer services at home, where you can bank online, or when you are stuck in traffic, when you can bank on your mobile platforms, on our ATMs, which is the most used electronic channel, and POS machines, your credit cards, and remittances.

Now, let me describe the branch. On this slide, all our branches look the same, but it's important to make some distinctions here, Mr. Chairman. So, first of all, we have 827 branches in BPI. Those branches are generally open between 9:00AM and 4:30PM, seven to seven and a half hours a day. That may change if it's in a mall, but generally seven to seven and a half hours a day. And the systems that we have in the branch are such that we can process transactions at a speed of about 850,000 transactions per day. And this is our primary channel for all our banking services. I should note that if this is the branch where you opened your account, or where a BPI customer opened their account, this is where all your primary balances are kept. It is a procedure in the branch every day that, before they open, certain printouts are made. We open at 9:00AM; our employees typically come in at 7:30-8:00AM, and it is interesting to note that one of the things they print is the account balances of all the customers. So that if on any given day there's an error in the balance, they can always refer to the printouts. These are hard copies of customer data from the prior day. And that's why the branch of account is critical in an emergency situation, because if it goes offline, there is certain data that is protected. And this branch network was particularly important, Mr. Chairman, because on the days June 7 to June 8, when we knew that the electronic channels were down, this was the system on which we felt we could rely to service our customers for all their banking needs.

On the next slide, let me describe to you the alternative channels that were affected on June 7 to June 8. So, the first one was the automated teller machine, the ATM network; this is the most used convenience channel that we have outside of the branches. BPI has about 2,300 of these machines with 4.6 million users, and it processes about 4,000 transactions a day approximately. The next channel is our cash acceptance machines, the exact opposite of an ATM. Instead of dispensing cash, it takes in cash, particularly for clients who do not wish to come into the branch or want to bank off hours. It is a relatively newer machine which has been in service only since 2011 or so. As you can see, we only have 800 of them, 1 million users, and we process basically 5% of transactions. The next channel is our online channel, branded BPI Express Online, and this is used on a computer or a laptop. We have 1.2 million active users doing 40,000 transactions per day. And finally, we have our mobile application; it's called Express Mobile, 1.1 million users, 70,000 transactions a day. So, if I could put this into perspective, Mr. Chairman, when you combine the transaction history of these four channels that were affected by the June 7 to June 8 incident, you're looking at approximately half a million, or 500,000 to 600,000, transactions per day that were impaired during the event.

On the next slide, allow me to explain to you how we reacted to this. If you recall from my first slide, when we described the branch banking system, our branches have a capacity to do 850,000 transactions. So, knowing that our electronic channels were down, we immediately mobilized to extend banking hours to allow our customers to come to their branch banking network to fulfill their financial transactions. When the event broke out, when we found out about it on June 7, it was very important for us to understand, from talking to Mr. Jocson's team, what was going on, because we were very urgently in the position of having to provide our customers with an idea of what was going on, give them comfort on what the root cause was, and give them an outlook. What was also very important was to communicate, Mr. Chairman, to our branch network, because it was they who would have to remedy the situation and deal with customers. Particularly important here, Sir, was knowledge of the fact of the mispostings, because, if you remember, that was what would allow them to use their back-up data to service their customers for their banking needs. We boosted our customer care systems; we don't just serve our customers in our branches. On June 7 and June 8 we also had telephone and social media customer service, and they were boosted during the events of June 7 and 8. And obviously, for our customers affected by this and unable to make payments, we reversed fees, particularly in relation to BPI-related services, when they were impacted by delayed payments.

So, if I can step through this a little bit on the next slide, I'll give you some examples of how we went through this. We extended banking hours; you may recall from my prior slide that our branches typically close at 4:30PM. We created three additional hours of banking time, of processing capacity, in our branches on Wednesday, June 7, Thursday, June 8, and Friday, June 9. In addition to that, just for extra measure, 200 of our 800 branches, or 237 to be precise, were open on Saturday for a whole additional day of banking. Now, allow me to present to you what this does in terms of providing relief to our customers. If you take the combined impact of extending to 7:30PM for three days and opening on a Saturday, what we've effectively done is create capacity for 1.7 million monetary transactions. That is in excess of the 540,000 or 600,000 transactions which were done in the 26 hours or so that we lost electronic channels, and so, while this is a rather simple calculation, Mr. Chairman, your Honor, it does illustrate the thinking behind the team when we mobilized to open branches and create capacity for our customers.

This next slide just illustrates to you the intensity of our communications during the five-day period, June 7 to June 13. We issued a total of 17 public advisories; it was pretty rapid fire, Mr. Chairman, during June 7. In one instance one announcement followed another within 45 minutes, but we sustained it over five days. And once we were in recovery mode, we made the relationship with our customers a little bit more personal, and we began issuing letters and contacting them one by one. And obviously the channels we used were online, social media, and any avenues we have through print and broadcast. This slide is just a reference, Mr. Chairman; as you can see, the intensity of the communication was high on June 7 and June 8 and died down as we went into normalcy on Friday, June 9. This is a sample, Mr. Chairman, of how we were announcing this on electronic channels, and finally this slide here illustrates how we mobilized our call center personnel. We have 400 personnel; we posted 525 headcount during the peak hours of the incident to make sure that we could field our calls and ensure there was no backlog. So with that, Mr. Chairman, that is my presentation. If you have any questions, or if the floor has any questions, I'll be pleased to entertain them.

CHIZ: Thank you very much, Mr. Gotuaco. Just a few questions, if I may. First, for Mon: you mentioned that the part of your IT where the error occurred is a closed system. So, 100%, this was not hacking? Because if it is not on the internet, there is no third party; the mistake came from within. Can you say with 100% certainty that this does not involve any hacking from the outside?

RP: Your Honor, 100% definitely it was not a hack. Your Honor, if you allow me, I'll also give you a brief description of the process I went through when this was reported to me at 7:00AM, and why by 7:30AM I concluded that this was not a hack. BPI has a cyber security operations center; that cyber security operations center tracks 20,000 events per second. You withdraw at an ATM, you log on online, there's the tellering system; those are events. For those 20,000 events per second, your Honor, we basically use tools to look for aberrant behavior, meaning to say, did anyone escalate privileges, is anyone getting in?

During that time, your Honor, when I saw that this was what happened, what that would mean is that there was already leakage going out. Meaning, if we had been hacked, there would have been traffic going out. So I immediately looked, your Honor, at the traffic, because we have that in our SISOC reports. Traffic for the last three days, especially for the last two hours: there was none, your Honor. The second thing that I did, your Honor, was to call up our service providers. We have two service providers, FireEye Mandiant and IBM. FireEye Mandiant does threat analytics for us, meaning to say, your Honor, aside from monitoring the system they also look out for messages or any noise about whether we were hacked. So, negative on that area. IBM, on the other hand, manages the security operations center for us; I also asked them for any reports outside of those that were given to me, and there were none. So, by that time, your Honor, I concluded that, given that this was a closed system with no connection to the internet, the only possible way to get in was that somebody was in control of a workstation and pounding out commands, and I saw on the network that nobody was getting in. Then I concluded, your Honor, that it was not a hack. Plus it was verified by our service providers, by IBM and FireEye.

CHIZ: Second question: you mentioned a circuit breaker earlier, that at some point there will be a circuit breaker to avoid future occurrences. What will be the practical effect of that? Will there be a delay in posting? What is its effect from the point of view of the depositor?

RP: From the point of view of the depositor, your Honor, perhaps what that means is that in our automated processing, instead of straight-through, we will add a gap of 10 minutes. So, let's say that when it sees that the transaction volume was extraordinary, the automated production will stop at that time. And then it will ask the operator, yes or no, to proceed. So that basically means that he needs to look at the reason why the volume ballooned to that size. If everything is OK, your Honor, the person just needs to say yes and it will proceed. Probably a 10 minute delay. If abnormal, then we go and take a look at what the root cause was.

CHIZ: Next question: many companies now use ATMs for their payroll. What was the situation with respect to payrolls that needed to be made during the affected time or period? Has everything been resolved by now?

RP: For that question, your Honor, may I refer to Mr. Gotuaco who was managing the situation at that time.

CHIZ: Mr. Gotuaco, Sir?

BPI RP: Thank you, Mr. Chairman. We have automated claims too, Mr. Chairman, that were affected by the downtime, particularly on Friday as we were recovering; as you can imagine, 26 hours of processing time were lost. But ultimately, the payrolls were affected, we had some delays, but most of our customers, a great majority of our customers, were finally settled in terms of payroll by the weekend.

CHIZ: Of the 540 transactions that you showed us that may have been affected, not necessarily all, because if they did not make a transaction during that period, there was no movement?

RP: Yes, that's correct.

CHIZ: So, of the 540 transactions, have all the claims been settled by BPI as of today?

RP: In fact, Mr. Chairman, it is difficult to know what the totality of claims is at this point, because we are still early since the incident. But for all claims that are brought to our knowledge, we have engaged customers. We in fact have invested quite a bit of time in understanding how they were affected by bounced checks, by delayed payments of interest and principal, by premium payments on insurance contracts that may have been viewed, and where we have identified those situations, in fact, we have reversed fees already, such that many of our customers may not even have known they were impacted by the incident.

CHIZ: As a process, if a depositor has a complaint, and he learns next week or next month that they may have been affected, what is the process he goes through to make a claim with BPI?

RP: We have many processes. In fact, even during the incident, Mr. Chairman, I wish to emphasize that our branches were always open. So that would have been your first line of dispense, so to speak, if you are a customer. If the branch is open, and we are open for extended hours, and they were open on Saturday. That's just the first option. There are other ways that we have reached out to the customers. Many of our customers have branch managers and relationship managers that know them. We have initiated call-outs to our customers once normalcy occurred, to reach out and make sure that they are comfortable, that they haven't been affected.

CHIZ: Just to clarify, there's no prescriptive period for this. Meaning, if they discover it a year from now, they can still go to you to point it out and prove their claim, if at all.

RP: Mr. Chairman, what we do is, I wish to assure you that every single customer's claim, not just with respect to the June 7 and June 8 incident, is important to us, and BPI will make every effort to consider the merits of each case to make sure that our customers are comfortable and satisfied.

CHIZ: What if the payment or the premium that needed to be paid is with respect to a third-party corporation and, as a result, fees, penalties or interest were imposed on the depositor? Meaning it's not a BPI-affiliated company. How do we go through the process of, quote unquote, reversing whatever penalties or interest?

RP: That's correct. It is very easy for us to understand, Mr. Chairman, the fees as they relate to our own services. I think you're asking how it relates to other third parties. And what we have done is, for all our customers, we have reached out to them, and if they do have a case with that third-party merchant, we would like to engage on the facts and circumstances of the inconvenience, and I assure you and our customers that we will do our best to make sure that they're taken care of.

CHIZ: Finally, with respect to the specialist that committed the error, whether through negligence, because as you said she was in a rush: what action has been taken, if any, insofar as she is concerned?

RP: Your Honor, may I answer the question. Your Honor, the investigation has pointed out that this particular person is to blame. This particular person has also owned up to committing the mistake, your Honor. In terms of the investigation, it is still ongoing because, your Honor, what we are looking at now are certain processes and protocols that we need to strengthen so that this will not happen again, but as of the moment, until this is concluded, the said person, your Honor, has been reassigned to another area and all his access to the system has been taken out, your Honor.

CHIZ: Sir, we would like to recognize Senator Drilon for his intervention.

FD: Thank you very much, Mr. Chair. All the questions in my mind have been asked and answered, but there are a few points which I wish to emphasize. So, from your answer, Mon, it is clear that it was an error in judgment of a programmer?

RP: Yes, your Honor. And if I may answer the question in a different way, your Honor. Right. I was a programmer once, I was young once. And sometimes...

FD: You are still young.

RP: And this particular person, your Honor, has been three years with us. He was at the top of the programming class. So, there is always the zeal to be able to do things faster. So, I attribute this, your Honor, to a lapse in judgment.

FD: An innocent lapse of judgment, not malicious?

RP: Not malicious, your Honor. Nothing to gain at all, your Honor.

FD: Now, there is some talk about unauthorized access to your clients' deposits. Did any of that happen here?

RP: Your Honor, no such thing. I categorically say that all the clients were (inaudible), so they were only hosting or holding their own transactions, which were done a month ago, but other than that they would not be able to see other information outside of theirs, as far as the bank is concerned, your Honor. The data that was affected, your Honor, this transaction file, is 'anonymized'. It only contains transaction codes, transaction amounts.

FD: Not names?

RP: Not names, your Honor.

FD: And none of your clients lost money. In fact, we could venture into that, maybe for emphasis?

RP: Your Honor, yes, no money is lost.

FD: Well, you have done corrective measures. I assume you can assure the public that... I don't know if you can assure the public that an innocent error in judgment will not happen in the future. Whatever is created by human beings is subject to frailties, and in this particular case, I don't know what else, what other assurances you can give the public, having done everything that you have described.

RP: Your Honor, may I answer it in a different way, your Honor. These are complex systems that we're working with, a combination of process, people and technology. In parts of the process, you need trusted people to be able to further the process, your Honor. What's important to a bank like us and to an organization like us is the ability to recover, your Honor. Any tool that is available, the ability to preserve the integrity of the data at any time, is that at any time we can go back and then recover it all. So, I think from a risk management focus, that's what we're doing. You cannot avoid having complex systems, your Honor, because banking uses advanced technologies. But my assurance to the public, your Honor, is that we're investing to ensure that our mean time to recover will be faster. But there will be no doubt that we will be able to recover, should any other similar incident occur in the future.

FD: Thank you very much, Mr. Chairman.

CHIZ: I'd like to distinguish, as it has occurred to me in our discussions, between BPI and BDO; that's why, if you will bear with me, Sir, we just have to finish off with BPI before proceeding with the incidents relating to BDO. May I address this question to Assistant Governor Fonacier? Ma'am, the BSP is the regulator of banks in general. BPI most specifically did its own investigation on the matter; may I get your input insofar as the perspective of the BSP in regard to this incident, as the regulator of BPI?

RP: Good morning, Mr. Chairman. As to the side of the BSP, we also conducted our own investigation, but we haven't really completed the full investigation yet. But we can say at this point that there was really no hacking or computer glitch. It seems really a human error. But the concern of the BSP in this situation, with BPI in this particular situation, is the internal controls, that is, why the internal controls failed to detect the mistake or the error right away. So that's basically it, Mr. Chairman.

CHIZ: Insofar as liabilities under the existing regulation are concerned, what, if any, are there?

RP: We haven't completed the investigation, as mentioned, Mr. Chairman, but what we can see from the initial investigation that we've done is that, in the case of BPI, in this situation there was no loss to any client. But our emphasis is that clients should be guided by BPI on how they go about it if they have some concerns about their accounts. So, I think basically that banks should be very clear to clients in addressing complaints in regard to this particular situation, your Honor.

CHIZ: Without preempting the results of your final investigation, in all of this investigation, how has BPI performed thus far insofar as rectifying the incident? 37 hours, Mr. Guansing, is that correct?

RP: Yes, Mr. Chairman, 37 hours from start to finish.

CHIZ: What's the benchmark with respect to similar situations that we have to consider? A good batting average? Average? As in good, better, best? Is that 'good'?

RP: I think, Mr. Chairman, it is difficult to make a judgment at this point because we haven't completed the investigation yet. The call really is for BPI to be very clear about handling the effects of such a situation, especially with the clients, Mr. Chair.

CHIZ: Most importantly, Assistant Governor Fonacier, at 540,000 transactions involving approximately 1.7 million?

RP: Mr. Chairman, actually, 540,000 is our daily count. The transactions involved here were 2.9 million transactions.

CHIZ: Involving how many depositors?

RP: Involving 1.5 million depositors.

CHIZ: At 2.9 million transactions involving 1.5 million depositors, and the matter being addressed in 37?

RP: From point to point, 37 hours, Sir; we kept our electronic systems down for 26 hours.

CHIZ: Based on past experiences, the part where that day they went to extending banking hours, that was up to them; commendable, at the least, let's say, that they did that. But the response time, is that fast? By my standards it is fast, but I don't know by the standards of the BSP. Again, given the volume of the transactions involved and given the volume of depositors involved. Anyone? That would be Director Labasan?

RP: Labasan.

CHIZ: T. is your middle name?

RP: Yes. That's right. Essentially, your Honor, this type of incident seldom happens. So it is difficult to benchmark. Even in other economies this incident happens, and there is very limited information as to the effort being undertaken. But here, I mean, given the gravity of it, it is fairly acceptable, your Honor.

CHIZ: Pending your initial report?

RP: Pending the official report, but we still have to perform certain detailed procedures.

CHIZ: And when will you wind up coming up with the final report, and what, if anything, will BPI be doing about this?

RP: Mr. Chairman, as committed by the incoming governor, we have started the investigation, but the first few days were really devoted to preliminary discussions, a preliminary walkthrough of the different processes, because at that time we could not start the detailed procedures, because we did not want to interfere with the mediation efforts. Come Monday, we should be ready. But we need a few more days. We are still requesting certain information, but we have started already. Essentially, a few more days to conclude the investigation, your Honor.

CHIZ: The level of confidence in what BPI has done to rectify the situation, as the regulators: Assistant Governor Fonacier, you might want to share, Director Tayag, Ma'am?

RP: Good morning, Mr. Chair, Senator Drilon. Basically, the perspective that I will come from is really on consumer protection, because there were consumers affected. And in terms of benchmark, what we want to ensure from our supervised entity is, number one: if there is some incident, communicating clearly with their customers if there are service disruptions, if there are alternatives that were provided, and if there is any loss, mainly in the form of complaints, that they are adequately heard and there are mechanisms to address them.

So, basically, in situations like this, those are the things that we look at. Without fending off the final findings in this area, from what was already presented, barring any other additional information, I think our resource persons presented the advisories, the schedule of the advisories and the additional methods that they put in place. I think these are the things that have already been shown, the things that we require in supervising what the people should do. In terms of process, we expect our supervised institutions to have a mechanism for the customers to let them know if they have a complaint. So in this case, it was represented that no funds were lost, and for other related complaints due to the service disruptions, to approach their banks. If they are not satisfied, the Bangko Sentral has also put in place a consumer assistance mechanism where they can come to the bank, come to the BSP, and we can further facilitate this discussion.

CHIZ: Are you talking about a grievance procedure? Banks should have it in place, which we discussed earlier. What Mr. Lituangco has said, would be through the bank?

RP: Yes Sir, whichever bank.

CHIZ: So, anyone who is affected by this, or thinks they are affected, or perhaps forgot that they withdrew or deposited, they can go to any branch?

RP: Yes, Sir.

CHIZ: And to clarify, there is no prescriptive period for this? Meaning, the depositor can become aware of it, maybe because he remembered, or maybe he needed it so he checked. There's no prescriptive period?

RP: No prescriptive period, because the customer might not be aware. But once they are made aware, we encourage them to go to the bank, because they are the ones who can answer quickly, because they are the ones who know the client information and transactions. But if they are not satisfied, they can come to us and we refer it back to the bank, and there, there is already a turnaround time. We require the banks to respond to the BSP and to the client within seven banking days.

CHIZ: In this situation, when reversals are made, everything is borne by the bank. All the costs are borne by the banks? Next to ours, right? It's not 'passed on', am I correct, Mr. Guansing?

RP: That is correct, Mr. Chair. All costs are borne by the bank.

CHIZ: So reversals, all within the bank and affiliated firms, are borne by the bank?

RP: Everything within the bank is borne by the bank. All our extra costs related to the extra hours, overtime, etc. are borne by the bank. The cost of communication is borne by the bank.

CHIZ: Also by the bank. Yes, Mr. Fonacier?

RP: I concur, Mr. Chair.

CHIZ: All is borne by the bank. In theory, what if someone makes a complaint? He says, 'Oh! I was short Php20,000.' It's difficult to prove from my end as the depositor. How would the bank now proceed to address such a complaint by a depositor? Meaning, what data will you cross-check to prove or disprove whatever claim the depositors may have with respect to a debit or a credit?

RP: May I?

CHIZ: Yes, Mr. Chair.

RP: Mr. Chair, that is the fortunate circumstance here: that we know very precisely the nature of these postings. We know what caused balances to be too high or too low, where the ATM transactions occurred on April 27 that were posted on June 6. In fact, Sir, that's why you could always go back to the main branch or a new branch to transact on June 7 and June 8, because our branch personnel knew the proper balances of our clients as of the day prior, and were also able to determine on June 6 which were those errant transactions or those errant postings from April 27 to May 2 that were posted that day. That is why, Mr. Chairman, you could count on the bank and do all your transactions with the branch on June 7 and June 8.

CHIZ: If he has forgotten, or someone wants to take advantage, what will you show him or her to prove, 'Yes indeed, you were shorted' or 'Sorry, maybe you forgot that you withdrew'?

RP: And so, even after the incident, Mr. Chairman, if the client wants to ascertain what the correct balance of his account is, it's very easy, even after the incident, to come to the branch, talk to your relationship manager, call our call center, and you'll see that no money has been lost. Your account is intact.

RP: Your Honor, may I add to what Mr. Lituangco has said. We have some cases, your Honor; we have a reconciliation process with the bank, your Honor. When we withdraw from the ATM, we have mug shots, your Honor. We have CCTVs and their transaction logs. So, with clients coming back and saying, 'No, you deducted too much,' we showed them the tape, because it's only natural, April 27-28, you would forget. And then we showed them the transactions and logs: at 6 PM that day, April 26, you withdrew this money, and screen-captured, 'this is the CCTV.' So, we were able to address that, your Honor. So factually, your Honor, the reconciliation process goes: we look at the logs; we look at what the facts behind the claim were. Right. And if legally and factually it's proven to be so, we may do so, your Honor.

CHIZ: How long before you can do it?

RP: Three days, your Honor.

CHIZ: Maximum of three days?

RP: Yes, your Honor.

CHIZ: Now, with the CCTV footage with respect to the ATM banks of BPI.

RP: ATM banks of BPI?

CHIZ: ATM machines of BPI?

RP: ATM machines of BPI, your Honor, but also, your Honor, we have the transaction logs from, let's say, the switch, if they withdraw from another bank, your Honor. There's a switch log, your Honor, that's passed to us. So we were able to confirm, your Honor.

CHIZ: But no more CCTV?

RP: No more CCTV, your Honor. But at least we can show, your Honor, when it was withdrawn, and there's corroboration from the other banks, your Honor, because it was transacted.

FD: Just to emphasize, in any of the branches, a depositor can immediately get the accurate entry or posting in any account?

RP: Yes, your Honor. I will also refer to Mr. Lituangco if you want to add anything.

RP: Yes, your Honor, you could have done that on June 7 and June 8, and obviously on any given day, Sir.

CHIZ: Up to this day?

RP: Yes, up to this day.

CHIZ: Before proceeding with the BDO, any statements Mr. Guansing?

RP: Mr. Chair, your Honor, our focus is that we do right by our clients. Our focus is 90% to ensure that no one loses money. There have been double credits here. But that has not been our focus. OK? We'll sort out the double credits in good time; the amounts are small. Our focus has almost been exclusively on how to ensure that everyone is whole.

CHIZ: The debits?

RP: The debits. Sorry. If there is anyone out there, you know, outstanding, please come to us to fix this.

CHIZ: New credits?

RP: We will do that in our good time.

CHIZ: What if it has already been withdrawn?

RP: But the focus has been on the debit side.

CHIZ: Debit side?

CONSING: Yes, Sir.

CHIZ: So far, has anyone filed a complaint regarding BPI, among your depositors, Mr. Guansing?

RP: Not that we are aware of, your Honor.

CHIZ: Thank you, Sir.

RP: Would the Central Bank be aware of any similar incident abroad? Let's say, in the most sophisticated economies; do these things happen too, even in the more sophisticated economies?

CHIZ: That should be Director Labasan. Mr. Labasan?

RP: Yes, Mr. Chair. Even in Europe and Singapore, this incident really does happen.

CHIZ: So, we are not unique in a sense?

RP: Yes, your Honor.

CHIZ: In a bad way, we are unique?

FD: It's because human intervention could always cause something that is not intended to be. Is that correct?

LABASAN: Yes, Sir.

FD: Or the important thing is the ability to respond immediately?

RP: And to recover.

FD: Thank you, Mr. Chair.

CHIZ: Thank you, Senator Drilon. Moving forward, we may now move to BDO; I'll call it an incident or a situation. And who is the designated hitter on the part of BDO? Mr. Reyes? Sir, I will repeat what I said earlier. Briefly, in layman's terms, can you discuss with us what happened? What the current situation is? What has been done to rectify anything incorrect, and what will be done to avoid the occurrence of a similar incident in the future? You may proceed, Mr. Reyes.

RP: Yes, Mr. Chair, thank you. Good morning, Honorable Chairman Escudero, Honorable Senator Drilon, the BSP officials, and of course our colleagues here from BPI as well. The BDO case, at the onset, we would like to say, is different from BPI. It is, well, as we know, with BPI the trail has been a process with an error, and in this case we learned of a lapse in judgment. The BDO case is ATM skimming. If you allow me further, your Honors, we have prepared a statement that we'd like to –

CHIZ: In your statement, will you be defining ATM skimming?

RP: Yes.

CHIZ: Spelled s-c-h-e?

RP: S-k-i-m-m. It's not a 'scheme'. It's skimming.

CHIZ: Skimmed milk?

RP: We will go through the details.

CHIZ: Please, proceed Sir.

RP: First of all, I would like to thank you for this opportunity to present BDO's case and share with you details on exactly what happened, what we have done to date and what we will do going forward to improve the service to our clients. I would also like to introduce the team from BDO here with me. Starting with Mr. Alvin Go, our legal adviser; we have Ricky Martin, head of the information technology group; Mr. Tobby Mendoza, who heads the product management team, of which ATM management is a part; and of course we have Peter Magdame, also from the transaction banking group, who, among many other functions, is in charge of the fraud management unit of BDO.

As a general comment, since we talked about the data processing issue with BPI, we wish to state that any systems environment will always require some degree of human intervention. Intervention is required for steps requiring human judgment, quality control, maintenance or upgrade, which are best performed by a person, not a machine. Given this fact, human error is inevitable; automation is only an accepted means to minimize human error and its impact on a business or operation. All system environments have potential points of failure; the key to mitigating risk is to identify where these points of failure exist and to have the requisite recovery procedures in place to kick in whenever a failure occurs. All banks are heavily dependent on technology for the successful delivery of services to their clients. As a result, banks are always careful and geared towards addressing and resolving problems quickly whenever there's a failure. Key functions include tight documentation, record keeping, timely balance reconciliation and a lot more. BDO adheres to the basic principles of quality control, ensuring a maker-checker arrangement for all transactions at any time. Going back to BDO's case, which concerns recently reported incidents of ATM skimming fraud, the bank assures the public that there's no cause for worry. ATM skimming fraud is common and affects the ATMs and cardholders of many banks. The recent events are related to three recent, separate fraud events that came to the bank's attention, and they affected seven ATMs. The seven ATMs are from three locations. The number of cases so far filed, and which we've reviewed and handled, is about 95 cases. As a result, we have also disabled cards that have been compromised. The investigation of this case is ongoing, and the numbers we provided are subject to change. In addition, the data refers to and contains issues validly filed through the bank's channels.
As a general process, we validate all complaints received and begin the process of rectification immediately once validated. To put this incident in perspective, the recent fraud events involved 7 ATMs out of a total of 3,700 for BDO; that's 0.2% of the ATM population.

Let me talk a little bit about skimming, your Honor. Skimming is the unauthorized copying of the magnetic stripe information of ATM cards, the thin black stripe at the back of your card which stores the details of your card and is necessary for ATM transactions. Skimming is done through illegal devices that read or skim the magnetic stripe as transactions are being done. A second device is usually present to obtain the ATM PIN. In the Philippines it is often a small pinhole camera that records the entry of the PIN during a transaction. The skimmed card details are then used to make fake cards, which are paired with the recorded PIN and used to perform unauthorized withdrawals or purchases. Skimming has been going on for quite a number of years already. The magnetic stripe is a 50-year-old technology, and attempts to defraud it are as old. However, new technology makes skimming and thin camera devices very cheap and easy to produce and obtain. Fraudsters also do a lot of research and development on new methods of attack, such as what we'll show later: deep insert skimmers, which are very thin, small and hard to detect, arrive on a constant basis and often defeat whatever security measures we have implemented. The three incidents above are related to a new type of skimming device called deep insert; once inserted in the machine, once resting, they can read cards virtually undetected and are invisible to conventional anti-skimming protection modules. More importantly, they are also very easy to install and remove, with a process very similar to the actions made by a client inserting an ATM card into the ATM machine. This new insert device is coupled with more upgraded versions of the pinhole camera, with strong magnets capable of attaching to the PIN pad shield. As to the extent of compromised ATMs, the numbers are very small.
In a recent study of the Philippine banking industry, in the first quarter of 2017 there were less than 100 ATMs hit out of the 15,000 ATMs nationwide, around 0.05% of total ATMs in the country. While there is, admittedly, a general uptrend in the numbers, which we have seen in the recent fraud attempts in May and June, ATMs in general are safe to transact in.

Now, your Honor, what have we done? BDO continues to employ a number of measures, some unique to us, some that other banks are doing, to secure our cardholders' transactions. First, the bank will reimburse clients affected by unauthorized withdrawals at the said points of compromise (POCs), subject to existing investigation and reimbursement processes. Resolution like this requires that customers file disputes through the proper bank channels. Social media posts and activities will not be actionable from the bank's side without a formal filing. And of course, card replacement will be free. Secondly, for customers whose cards were proactively blocked, these cardholders can proceed to their branch of account for a free card replacement. Thirdly, on preventing deep insert skimmers, BDO is deploying an upgrade in its ATM machines.

We have the solution; that's probably the one thing that maybe we would like to defer and share later. But as of writing, over 1,000 of the bank's ATMs, including the 7 points of compromise we've mentioned, have been upgraded. The target implementation for the rest of the bank's ATMs is in the fourth quarter of the year. It takes time to do this. Additionally, the bank also deploys the following to protect its cardholders on what you would call a business-as-usual basis: number one, a live, real-time fraud system to track our customers' transactions and determine suspicious or off-pattern withdrawals and purchases. Peter is here; he is in charge of that unit (the Fraud Management Unit), a fully staffed 24/7 fraud team that does the monitoring of the system and also investigates cases that are filed with BDO. The fraud team can also anticipate a potential skimming attack and block cards proactively so that the fraudster will have no access to cardholder funds. Number three, physical and software security measures, such as sensors that detect traditional skimming devices being attached to card readers, and PIN pad covers to hide the PIN as customers transact. Number four, security personnel both in the branches and at offsite ATM locations to check our ATMs for suspicious devices attached to the machine, as well as people who act suspiciously around the machine. Number five, regular ATM security reminders in traditional and social media focused on skimming. Lastly, the migration to EMV, which we have talked about; BDO has been migrating customers and moving to EMV as early as 2016. The bank is on track for its 2018 timeline for the migration. That said, any bank card which uses the magnetic stripe to transact, which covers all banks in the Philippines, by the way, and most of the world, is still vulnerable to this type of threat.
Even so, I would like to reiterate that this skimming is isolated in nature and that the handling of customer issues is a business-as-usual process for the bank. The action points mentioned demonstrate this, to protect customers and their transactions.

As a final message, I would like to say as well that having a broad network of ATMs provides benefits to banking clients: convenience, access options, an alternative to physical branches. Skimming and similar compromising incidents are expected to happen, nothing out of the ordinary (inaudible). That is the price we pay for providing the above benefits and conveniences to our clients. We would like to reiterate what we have already said to the public: there is no cause for worry. Skimming incidents can happen, but generally they are a small percentage of total transactions. Banks, the BSP and the authorities are already aware of this incidence and have all taken measures, and continue to take measures, to arrest cases from happening and to investigate the fraud events immediately. We would like to assure the public that all efforts are being made by banks to protect their cardholders and transactions. Cardholders can do their part by being vigilant when performing their transactions and reporting cases of suspicious devices and people around the ATM machines they transact in. Thank you very much, your Honor.

CHIZ: Sir, skimming is theft? Using technology to steal money from a depositor using the ATM machine. Is that an accurate way to say it? Mr. Magdame?

RP: Yes, your Honor.

CHIZ: If it's theft, so the depositor was robbed using this skimming, is there a way for the bank to know whether the deep insert was used or whether he used his own card? My point is this: if a depositor makes a claim, can the bank actually find out and detect whether it was the depositor himself using his card that made the transaction, or the skimming device? Anyone can answer.

RP: Your Honor, currently we do have what you call a point of compromise; this is when a lot of people complain at the same time about particular transactions or a particular point in time. So, for example, a customer complains, 'I have not withdrawn at this particular ATM'; we look back and trace all his transactions, and if there's another customer, from another bank for example, who complains of the same unauthorized withdrawals, we now have a matrix to pinpoint which is the point of compromise.

CHIZ: Which ATM machine?

RP: Which ATM was used as the point of compromise for the data on the cards. So that's how we look at it. At the same time, we have a system in BDO which has active monitoring of suspicious transactions. For example, Sir, a particular customer does not withdraw abroad; it already triggers a flag for us as to why suddenly this customer has a transaction abroad. And we will call the customer: have you done a transaction in the US? So that is one of the things that we actually do.

CHIZ: Sir, that's circumstantial. My question is, from the technological point of view, from the bank's point of view, is there a way by which you can determine that it's a skimmed device or card that was used, or the actual depositor's card? Because if I'm the depositor that was skimmed, that's now circumstantial. What if I behaved extraordinarily that day and made an additional out-of-character withdrawal or deposit? There are such cases; how do you address that?

RP: Your Honor, skimming is actually a way of, in essence, cloning the card of the customer. So from the perspective of the bank, it would recognize that as a valid card. I would like to emphasize that the mag stripe is actually a five-year-old technology. This peculiarity of the technology is something that EMV can actually overcome, because for EMV, every transaction would be unique and every card, in essence, would be unique. So even if you attempt to clone it, the boxes would recognize it as a skimmed card and will not be able to post your transaction.

CHIZ: If it's EMV already?

RP: Yes, Sir.

CHIZ: But right now, not yet?

RP: Right now, we are actually doing the migration. The industry is moving, the entire industry is moving to EMV already. And the bank has actually been complying with the same standards.

FD: When can we complete the migration to the EMV system? When?

RP: I could only speak for the bank; the bank has its 2018 target.

FD: Sorry?

RP: 2018.

CHIZ: For your information, Manong Frank, correct me if I'm wrong, in previous discussion with the BSP, the BSP has already issued directives for all banks to migrate to EMV. The first deadline was supposedly January of 2017.

FD: Last January.

CHIZ: But given the volume of, especially the bigger banks, I think the smaller banks have been able to comply, but the bigger banks are taking more time to migrate. Now the deadline was extended to June 30 of 2018. But in the meantime, this is where I'm heading towards, there is also regulation to the effect that if the bank has not yet migrated, and given that this is an old technology already, by BSP regulation, liabilities would fall on the bank for any loss that may be suffered, correct me if I'm wrong, by any depositor as a result of skimming, because if the depositor was robbed, if the depositor was robbed because of that, the depositor will not bear the loss. Is that a correct understanding?

RP: Yes Sir, as earlier stated, after investigation and we found out that there's really a theft, we reimburse.

CHIZ: At the cost of the bank?

RP: At the cost of the bank. Your Honor, for you to appreciate how skimming has been done.

CHIZ: Do you have a sample?

RP: We're ready. So we brought a little show-and-tell of how the technology has evolved. Previously, when people were trying to steal cards, they had what you call the skimming device. This is one of the earlier-generation skimming devices.

CHIZ: Are we teaching the viewers how to do it?

RP: Actually, Sir, this is public information, so at least we can show what the impact is.

CHIZ: We aren't teaching how to do that, are we?

RP: No, Sir. We will not show the solution. I will show you: this is what a skimming device looks like, and if you remember an ATM, this is what you call an overlay. So what they do is add this; once it is attached, you can no longer see it.

CHIZ: It's slipped in?

RP: So you require two things: the track data from the magstripe and the PIN. So how do they get the PIN? Previously, what they did is what you call shoulder surfing: someone behind you peeks at your PIN. That's why we installed mirrors on the ATM; you'll notice we have a mirror. You can see whoever is peeking. Plus, the regulators have mandated putting in what you call a PIN pad shield so that the PIN pad is covered. So on the machine, the PIN pad is here.

CHIZ: Hidden?

RP: Yes, Sir. So the solution the (inaudible) came up with, since there is a cover, was to make this; it is called a PIN pad overlay. It is placed on top of the PIN pad, inside the shield, so even with the cover, it still captures the data.

CHIZ: Is that the camera?

RP: No, Sir, this is not the camera yet.

CHIZ: That's not the camera yet?

RP: What this does is, when you press the keys, it captures the PIN.

CHIZ: But before he can place that, does he need to pry off the ATM's keypad?

RP: No, Sir, it is just placed on top. It just has glue on the back.

CHIZ: It looks like a keypad.

RP: It looks like a keypad. So this is called a PIN pad overlay, so they place it on.

FD: That will not be noticed by the user of the ATM?

RP: Actually, Sir, a lot of users have been able to identify it, but unfortunately some do not. Because when you are in a hurry, or it is dark. So when overlay transactions came about, because of the efforts of all the banks and the regulators, who will help us with EMV, what a lot of people do is try to identify whether there is an overlay. So overlays are getting caught now; they are being noticed. Then they started coming out with pinhole cameras because of the technology. So the original technology that they were using was a camera on the machine or at the back of the machine, trying to get the PIN.

CHIZ: Question, this one is hooked up to them or they have to retrieve this in order to get the data? This isn't online to them?

RP: No, Sir, they have no connection to the network. So it is really separate.

CHIZ: So the data just accumulates here? And they have to retrieve this in order to use it?

RP: Yes, Sir.

FD: Your CCTV will be able to capture who tries to recover this?

RP: Yes, Sir, actually we do. Unfortunately, sometimes it's after the bank.

FD: (inaudible)

RP: Because sometimes, Sir, it's quick; within a few hours they retrieve it already. So they just harvest a little.

FD: So did you say that there were eight incidents?

CHIZ: Seven ATMs in three locations.

RP: Just to continue, Sir, well, technology has evolved. People were getting caught. They started building pinhole cameras. The pinhole camera, some of them, this is just an example, used the same PIN pad cover, and if you notice, they attached a camera here at the back. So what they do now is capture PINs through the cameras.

CHIZ: What you're discussing, this is the modus operandi of the skimmers?

RP: Yes. You'll notice that one is not well made yet; there's something like rubber. The improved version is acrylic.

CHIZ: They have to retrieve this tool?

RP: They have to retrieve that.

CHIZ: So they have to do two things, install it and retrieve it, to be able to take advantage of it.

RP: But the disadvantage of that, it takes time, if you notice. So they improved their technology, so they now use acrylic to push it in and attach it, but unfortunately for the acrylic, it's –

CHIZ: It lifts up?

RP: It lifts up. So they are more high-tech now. So they came out with the print out camera on a metal fascia.

CHIZ: May I see it? You caught this; you didn't make this yourselves? This is the question that I was leading towards. These are not regulated merchandise. These are over-the-counter merchandise that you can buy. You know, the battery, the IC, the camera, it is over the counter?

RP: Yes Sir, that is actually a part of a cellphone.

CHIZ: So these are all legal merchandise that they simply put together in order to perform their criminal deed?

RP: Yes Sir.

CHIZ: I would like to recognize the presence of the distinguished Senate President, Senator Koko Pimentel. So nothing is prohibited here? If I hold these separately, is this not illegal per se?

RP: No, Sir.

CHIZ: If I hold this, is this illegal? Is there a law saying that this is illegal?

RP: Ah, yes Sir, Republic Act 8484 would count that as a device that would attempt to counterfeit customers, Sir.

CHIZ: So mere possession of a device like this, you can already be arrested?

RP: Yes Sir, if it can be identified as (inaudible).

CHIZ: Manufacturing this device is also penalized by the law?

RP: It would be covered also.

FD: Can you state that law here?

RP: Republic Act 8484 Sir.

CHIZ: Otherwise known as?

RP: The Act Regulating the Issuance and Use of Access Devices, Prohibiting Fraudulent Acts Committed.

RP: So even with that, Sir, we have implemented a lot of technology which basically prevented the use of traditional skimmers. So, in order for us, we were able to put it to zero in a video machine. There was no skimming incident until late last year, when we suddenly looked at the newer technology that is migrating into the Philippines.

This technology is what we call a deep insert skimmer (inaudible). D-e-e-p, 'deep'. So what is the difference between this and this? Sir, with our technology, which most of the banks have employed, we can now prevent it and detect it so they cannot get the card data. So they may get the PIN, because the PIN is organic, but they couldn't get the card data. Unfortunately, in late 2016, a new tech evolved and started out in Europe before coming into the Philippines, which is basically this device. This device is what you call (inaudible), so what does this do? Sir, if you are familiar with an ATM, this is where you insert the card. So previously, that one was here, on the outside. Now what they do is insert this quickly. They lay the written card on top. If you look, you'd think they are withdrawing, but what's happening is they are inserting the skimmer with the card.

CHIZ: That gets left behind.

RP: When the card comes out, only the card comes out. It stays inside.

CHIZ: And that will be the one that will get all the data that it contains. Now, the information that we obtain using that, if you insert, do they have to recover it if you insert again?

RP: Yes, Sir, actually, they have a device that they use to pull the device back out of place.

CHIZ: Like what's used at a vending machine, where you tie a weight to a string so that when it drops you can pull it back up?

RP: It has a hook, it has a hook. So they get the data with the pinhole in place. So this is impressive in the sense that the technology migrated quickly.

CHIZ: The innovation is fast?

RP: They invest a lot. We do have a solution that we are already deploying at BDO. But I would prefer that we show you more of that in a private session because it was already built technology. But we have ways now to prevent it, and we are currently deploying that to our ATMs.

CHIZ: Sir, this was raised earlier by BPI. Since EMV will be in place and will address this – sorry – I'm not very familiar with this. Isn't there BancNet?

RP: Yes Sir.

CHIZ: Not just at BDO's ATMs, for example; are you part of that?

RP: Yes Sir.

CHIZ: The ATM depositor can withdraw; can they also withdraw at another bank's ATM?

RP: Yes Sir.

CHIZ: Whatever you are doing applies only to BDO ATM machines?

RP: Yes Sir.

CHIZ: Not to ATM machines of other banks that is part of your network?

RP: Part of the bank network, yes Sir.

CHIZ: Part of the bank network? Isn't it?

RP: Yes Sir.

CHIZ: Is there a technicality in that situation, if the skimmer used an ATM machine of another bank while he is accessing his or her BDO account? Where do you come in then?

RP: Yes. In fact, we have data that shows in the past, let's say more than two years, right? We've had cases where a non-BDO ATM machine was compromised. But unfortunately it is a BDO account holder who was using that card, so it falls on us too. We pay. I mean, that is the bottom line.

CHIZ: The liability is with you, in that situation.

RP: Because we are the issuer of the account holders.

CHIZ: Although the ATM machine used is not yours?

RP: Yes.

CHIZ: In that situation, who was skimmed? The bank that owns the ATM or the bank that will ultimately answer for the demand deposit?

RP: Actually the skimmed would be the bank who has the account holder.

CHIZ: In this case you?

RP: Yes Sir. So but even without fault to us, as part of our commitment to our depositors we will restitute.

CHIZ: Senate President Pimentel, recognized?

SENATOR KOKO PIMENTEL (KP): Thank you, Mr. Chairman. In that particular case, that is because of the network, the BancNet; don't you pressure your member banks of BancNet to also do what you are doing? Examine all of your ATMs? Make sure that no devices would be inserted or that it has not been compromised? Because if you tolerate the situation, then you will keep on shouldering the losses of your depositors. So do you have some sort of a request to the other member banks to also do what you are doing?

RP: So in fairness to all banks. All banks have been, are investing heavily also in technology. It might be in different formats or different approaches, but all of the banks have invested in a lot of technology. The challenge really there is that it is just like a mutual escalation. We come up with a new technology today to prevent fraud; tomorrow the fraudsters come in and have a better technology, so that is the reality of it.

CHIZ: So it is a race?

RP: Yes.

CHIZ: At this point, where are we? Are we winning the race? Or is it a perpetual race?

RP: I think the perpetuity will always be there.

CHIZ: Because of the desire of some people to always try to get ahead, take advantage and or steal?

RP: Yes Sir.

CHIZ: Any areas from legislation that you might need? With all the gaps that need to be filled?

RP: Thanks, your Honor, for the question. I think based on the recent cases we've handled. In fact, there is one recent fraudster calling in Cebu. And through the efforts of the banks and the PNP we were able to catch the fraudsters. Unfortunately, skimming is a bailable offense, and fraudsters use their illegally obtained funds to pay for the bail and go free. Also, the majority of these, of course, are foreign syndicates, which we learned immediately fly out, and they are prevented from being litigated further, so maybe that is one area where your Honors could look into.

CHIZ: That's transnational already, transnational coordination.

FD: That matter of the offender being able to leave can be addressed by the judiciary for example (inaudible) just filed then automatically the court should be able to issue HDO when a foreigner is involved.

RP: We do that, your Honor, we do that once the information is filed. We immediately file a motion for the issuance of hold departure order.

FD: What I am saying, even without any motion, a foreigner could be caught should issue when a foreigner is involved while the motion is pending they can still leave.

RP: That is exactly what is happening, your Honor.

FD: That is exactly what is happening. So I do not know whether how we legislate that the Supreme Court will rule automatically for the issuance of the hold departure order the moment information filed against a non-resident offender.

RP: I think that would help your Honor and would appreciate to have that kind of circular.

CHIZ: May I address this to Mr. Magdame, who is in charge of your fraud division? So this is not hacking? Or is this hacking?

RP: No, it is not. By the term hacking, Sir, is typically passing through the bank systems and software, trying to penetrate the bank systems. In this particular case, this is a physical kind of fraud. So it is not hacking per se. But it is fraud and an attempt to steal from customers.

CHIZ: So this does not touch on the IT security safeguard systems of the bank?

RP: No, not in this particular case. We are talking about a specific terminal or site that is being impacted when fraudsters come in.

CHIZ: So this is with respect to a specific, sorry, I would use the term what people call, ATM machines?

RP: Yes Sir.

CHIZ: That's the only thing they tampered with, and all the transactions that went through that machine?

RP: Yes, yes, your Honor.

CHIZ: And to effect this, they don't need the internet; they don't even utilize the internet. They literally attach a device and then retrieve the device afterwards. Make whatever skimming device they can come up with and then use that card to withdraw and affect the depositor's account?

RP: Actually, Sir, it is really a physical net. They have physical access to a machine using that device.

CHIZ: It is theft. So it is not hacking, it is theft?

RP: Sir, categorically, not hacking.

CHIZ: Yes Sir?

RP: Thank you, your Honor, for pointing that out. I think and also say, like you said, it is all about the ATM. ATM is a channel and we are also pointing that out, there are many channels which a customer can access their accounts and do transactions. Of course BDO, with the most branches as well, you know you can always go to the branch do your over the counter transaction. ATM is a channel. And then you have electronic banking, mobile banking. So we are talking specifically ATMs here and what has happened to us and what we are doing to rectify that. The channels, the other channels are not affected.

CHIZ: May I ask the BSP, as the regulatory, the regulator, rather and the deliberate body in charge? What have you done insofar as these incidents according to BDO involving 95 cases, seven ATM machines and three locations? Yes Director Tayag, Ma'am?

RP: Thank you, your Honor. I think what was being presented here to you really finds the vulnerability of what was being referred to as a 50-year-old technology, the magstripe or magnetic technology. So as early, can I just discuss that the Bangko Sentral has put in place several regulations already to address this. As early as 2013, signaling the banks to migrate to EMV, which is the chip. So that it would no longer be vulnerable to these types of attacks. As you have already mentioned, your Honor, we expected the banks to be fully EMV compliant early this year. But because of all the requirements and the things that have to be done for that to happen, the deadline has been moved to June 2018. But we have put in place mechanisms to address the slight delay. So as early as end 2016, the Bangko Sentral has contemplated the liability should favor to make it clear that when there is a theft transaction, the bank that is not yet EMV compliant will bear the liability. And we also shortened the restitution period, so if a customer has been skimmed and funds were lost, the account has to be made whole within ten days. So this was previously 45 days, now shortened to ten days. And then last June 9, we also issued supplemental guidelines to further push the banking industry towards full adoption of EMV at a much faster pace, where it already introduces penalties and it also requires banks that are unable to shift within the given renewed deadline to already set aside some funds, or provisioning, to anticipate if there would be any losses related to this. So the framework of the EMV migration and the things that we put in place directly address this vulnerability, your Honor.

CHIZ: The depositor skimmed whose claim was denied by the bank? What would be his or her remedy? Is it the courts already, or can they go to you?

RP: They can come to us. As also mentioned earlier, the first line would be to complain to your bank. They would be able to find out; actually, if it's a chip, they should immediately know if it was skimmed, or they could investigate, as presented earlier. But if the client is not satisfied, as I mentioned, we have a customer assistance mechanism. So they can also go to the Bangko Sentral.

CHIZ: Personal assistance, is that an appeal mechanism? Meaning, can you reverse the decision of the bank on a particular case? Or do you simply send a reminder to them, or is it just a request to them?

RP: We just facilitate the discussion.

CHIZ: So, basically, the remedy would be for the Courts already.

RP: Actually, Sir, we haven't had an experience that we went in the Court but –

CHIZ: Not a single one.

RP: Not yet.

CHIZ: So I guess either it was restored or they remembered that they did withdraw after all.

RP: Yes Sir.

CHIZ: One or two things.

RP: Yes Sir.

CHIZ: Senator Drilon?

FD: Right now pending the adoption of the EMV. The law says would be the account of the banks is that correct for the record?

RP: Yes Sir.

FD: And after the EMV is adopted, the deadline is June 30, 2018. Who verse the laws, if any that takes place?

RP: Essentially, the Deputy Director, essentially even the latest technology that was presented can be addressed by the EMV technology. But essentially, if everything is compliant already, we hope all of these will be finally resolved.

FD: So you are saying that with the EMV, these things can't happen anymore?

RP: Yes the skimming.

FD: The skimming, yeah I know the skimming. In the context of ATM skimming, it will not happen anymore?

RP: Yes Sir, unless EMV is compromised. There is no indication that EMV is vulnerable at this time.

CHIZ: Senator Drilon's point is this: as we are innovating, the fraudsters are innovating as well. As we level up, they level up too. I think the point Senator Drilon is driving at is this: right now, since they haven't shifted to EMV, the liability is with them. What if you're already at EMV and those who want to steal have also leveled up; is it only then that BSP will issue a corresponding regulation?

RP: Not essentially, Sir; as mentioned earlier, we have already put in place this technology management framework. These regulations are constantly upgraded; we do a global scan of the global environment, and if we see that there is a need to revise a regulation, to upgrade the regulation, if we see that there are certain incidents which may have a knock-on effect, then we can issue, we can immediately issue a bulletin and consequently revise the regulation.

CHIZ: Sir how big is your group?

RP: Right now? We are about a little over 30.

CHIZ: Up to now it is a group? Meaning lower than a division or whatever office you have?

RP: Right now it is a group and we're expanding, we are having a new division within the group.

CHIZ: A new division within the group, means a smaller division than the group?

RP: Yes Sir. Eventually, we will have four divisions after the creation of the new division.

CHIZ: What is the higher or bigger than the group?

RP: Department.

CHIZ: What is higher that department? The Board itself already?

RP: Sub-sector.

CHIZ: Sub-sector and then? Sector and then the Board? Right?

RP: Yes.

CHIZ: Shouldn't be somewhat already had it in the direction of being bigger; given the advancement of the technology, given the concerns being raised, given attacks done or probably formulated in the future or in the coming days. Assistant Governor, Ma'am? As the fraudsters innovate, we too shall innovate.

RP: Yes Mr. Chairman, we are actually right now is trying to consider expanding the group of our IT specialists.

CHIZ: It doesn't need to be approved by the DBM through a rationalization plan. You can reorganize direct offices as you intend.

RP: (inaudible) Of course.

CHIZ: Of course but you can do it by yourself?

RP: Yes Mr. Chairman.

CHIZ: And you are heading to that direction?

RP: Yes we are heading to that direction.

CHIZ: May I ask the two banks as well the direction given, as we increase the utilization of the technology. Haven't you noticed that bank hold-ups are not so common anymore? Right? When was the last incident where a bank was held up? There are almost none, right? This is the new one, since we are shifting into more high-tech devices. This is now the new way of holding up. Before it was the stagecoach, before the armored van, right, they entered the bank, time lock, the money kept at each branch was remitted. So that is a thing of the past. So right now it is IT. Are the banks also, or are there any regulations, improving the directions of the banks beefing up their IT, anti-fraud, cybersecurity divisions as well? Mr. Consing, Sir?

RP: Mr. Chairman, thank you for allowing me to answer that question. At BPI, we have significantly increased our IT expense. Last year alone, our expense on IT, all our IT expenses was over Php5.3-B. That's over, that's almost Php22-M every working day. That's just the cost of our IT. Our IT employs over 900 people. The increase in the expenditure on our IT is practically doubled in increase in its expenditures of the banks as a whole. And this is in recognition of the fact that the environment is now getting more challenging that we have to try to stay ahead.

CHIZ: On the part of the BDO, Sir? Who can answer?

RP: Your Honor, the situation for BDO is exactly the same. We have been beefing up our investments and outlays as far as IT security is concerned. Mr. Jocson mentioned earlier the presence of and their ability to provide for a security operations center. We have done the same. We have set up our own, which also runs on a 24/7 basis. We are also engaged with a number of vendors and solution providers so that it's not just BDO who looks out for BDO, but we have other solution providers, in IT and in cyber security, who also take a look and measure and monitor whether or not there are attacks being done against the institution.

CHIZ: On the part of BSP?

RP: As previously mentioned, our IT Management Regulation of the BSP is one of the most dynamic regulations. In fact, we have already sent to the industry a revised regulation which will essentially increase the standards for ensuring the robustness security and resilience of the IT environment of banks. We expect to release the new regulation in a month or two.

CHIZ: Which means they should spend more on it and look at it?

RP: They should establish the necessary framework for them to manage cyber security risk to ensure that they are resilient in the event that they are hacked.

CHIZ: Which includes the risk management analysis that maybe unique to each bank?

RP: Yes which should all threat intelligence.

CHIZ: Yeah. It's maybe unique?

RP: Yeah. But the regulation basically is flexible. It allows, principles-based so is flexible, it allows banks to manage its own risks and how to apply the standards.

CHIZ: We sound high-tech whenever they say we were hacked or whatever. But can I ask you a pointblank question: has there been any hacking incident that you know of, of any bank in the country in the past? Has there really been hacking?

RP: Most of the crimes reported to us pertain to skimming and phishing.

CHIZ: And?

RP: Phishing.

CHIZ: What is 'phishing'?

RP: Phishing is online. There's 'card not present' fraud.

CHIZ: How? How?

RP: 'Card not present' fraud Sir.

CHIZ: 'Card not present' fraud?

RP: Yes Sir.

CHIZ: The card is absent?

RP: So when you buy from an online merchant, you need to enter your –

CHIZ: OK, OK. The three-digit PIN code at the end.

RP: Yes Sir. And the BSP also has already issued the necessary regulation to address that.

CHIZ: You call it 'card not present' fraud?

RP: Yes that's right.

FD: What about credit card present?

RP: Yes Sir.

FD: Meaning when you use your credit card.

RP: It's skimming, Sir. Skimming, essentially, which will be addressed by EMV. So at present, it is basically skimming. You have a gadget to copy the information.

KP: Because we are putting our hopes so much on this EMV. What can EMV do, or what does it provide, that prevents all of these experiences?

CHIZ: That the black stripes cannot.

KP: Yes.

RP: As mentioned by BDO, each transaction in an EMV environment is secured, so essentially it cannot be copied. If, let's say, in a hybrid card, if the card is copied, I'm sorry, the magnetic stripe is copied, the bank would know in their system that the transaction emanated from outside. So there's a service code that dictates that this particular transaction should be EMV and should comply with the EMV standards.

CHIZ: So just from that, you would already know whether that is a skimmed account or transaction or not?

KP: So meaning to say an EMV-compliant card has a magnetic stripes plus a chip?

RP: Yes Sir.

KP: Is that how it is?

RP: Yes Sir.

KP: How about with BPI? I have an ATM card; your ATM card has, like, a golden square there, is that EMV-compliant?

RP: Your Honor, the credit card has an EMV chip. But the debit card, we will start issuing only in July, your Honor. So what you have now is a credit card that has an EMV chip.

KP: OK. So the credit card is already EMV?

RP: Yeah. But I will have to warn you, your Honor, especially when you go outside of the country, if there is no, if the P.O.S. has no ability to capture EMV, it will default to magnetic.

KP: That would be my next question eh. Have you experienced any fraud related to your EMV-compliant cards?

RP: If let us say your Honor you are a shopper going abroad, you go to one of the outlet stores in the US, the US is not an EMV-compliant country yet. Most of the P.O.S. in the ATMs in the US only accept magstripe at this time, EMV they have not signed up yet, so as Japan. So when you go to US and Japan, it defaults to magstripe.

KP: OK, here, this is a CitiBank Visa Card.

RP: Yes.

KP: Which is the EMV here?

RP: The chip your Honor.

KP: This? This?

RP: The chip, your Honor.

KP: Which chip? Right here?

RP: Yes. The chip, your Honor, contains your personal information, but note, your card carries both. Right? Because, especially when you travel abroad, your Honor, for example, you have some online systems, internet systems, which will tell you, 'Do you want to turn on your magstripe reader?' You can turn on or turn off your magstripe. You can ask the bank to do that for you. But if you don't do that, it's turned on. So when you go to, let's say, an outlet store in the US, then you give your credit card, it reads the magstripe.

CHIZ: Not the EMV?

RP: Not the EMV. Because the P.O.S. is not EMV-compliant. You must realize that around the world there are still some countries that are not EMV-compliant. EMV is just a liability shift. It does not properly protect you from fraud also, because fraud, as you said, your Honor, this is a transfer of technology that is moved to other areas. Now, with regards, your Honor, to your question earlier, may I comment that you are correct in your observation; kindly shift it to this stage.

We often use the word hacking, but there are different stages: there is a breach, there is a compromise. So I will tell you that it's a clear and present danger in the banks. We get around 30 threats a day. They are trying to get in. Out of the 30 threats daily, 10 are malicious. So you really have to hold them off. They can get into your perimeter; you call that a breach. But then, when they start exfiltrating data, that's when you call it a compromise. So right now, you probably have breaches happening almost every day. It's how you control the breaches. How you hold them off.

CHIZ: There is an ongoing battle? That's what you are saying?

RP: Yes. It's an ongoing battle, your Honor.

CHIZ: The same is true with BDO and most banks. It's an ongoing battle? Not that it's normal. But it's the new normal, I guess, when it comes to the utilization of IT and more modern technology. Again, breaking into banks isn't common anymore, right? When was the last time that it happened? Except for Marawi. Even the armored van was taken. Outside those? None anymore, right? Has it been a decade?

FD: Not really.

CHIZ: Probably more. Perhaps it's been a decade since a robber broke in. The armored vehicle is different. That's like hijacking. But breaking into the bank, ever since cash on branch has been remitted. Almost none, right? Would that be a correct assessment? Would it be correct? At least a decade, I'm sure?

RP: Maybe even more, Mr. Chairman.

CHIZ: Going into the bank. Gun on the teller. Gun on the manager. Take from the vault. That's gone.

FD: The vault one is old already.

CHIZ: It's been a while. Right?

RP: Yes Mr. Chair.

KP: Mr. Chairman, our analogy is it's a race. So if it's a race, and then we are putting our hopes on the EMV technology, why are we deferring requiring EMV? By the time, by next year, what now, they will dissolve the EMV. So what's the point? By June next year, the banks will spend to be EMV-compliant, and another excuse is that the EMV technology has been broken by the fraudsters. So what kind of a race is this that we are not in a hurry?

RP: Currently, Sir, there is no evidence yet indicating that EMV can be compromised at the moment. And we would like to clarify that EMV is not a silver bullet. Banks should be able to find other ways, other mechanisms, in order to protect their clients. But essentially, if you have an EMV card, that somehow protects the consumers because of the liability shift framework that we are putting in. Again, it's not a silver bullet. It's an ongoing battle. We need to always fortify your security defenses.

CHIZ: I think the point of Senator Pimentel is why (did) we extend the deadline? Earlier, Senator Pimentel, the smaller banks were able to comply because they have smaller numbers of depositors and cards that they issue. The bigger banks would require more time to actually comply because of the sheer number of systems that they have to migrate to EMV. But liabilities have been shifted. Penalties are being imposed, correct me if I am wrong, because of the delay. And third, if I may ask, if (inaudible) Japan and US with EMV, if all of the ATMs now shift to EMV, does that mean the card still has both? Or is it EMV only? The ATM card? Can we still use the ATM card from a machine in the United States? Not anymore?

RP: Yes Sir. If it's hybrid, your Honor, it's hybrid.

CHIZ: 'Yung shift is hybrid.

RP: Yes.

CHIZ: So both EMV and the black stripes? It doesn't have to be black stripes.

RP: It can be silver.

PIMENTEL: Mr. Chairman, and the default modes are both active. Right? Both can be accessed?

RP: But we are also starting initial talks on the possibility of disallowing fallback, because we need to achieve first the critical ones in terms of the card and the number of terminals in an EMV environment.

CHIZ: You want them to be able to use their cards abroad as well? Perhaps the fallback can be activating or deactivating and informing the depositor or the cardholder?

RP: Yes Sir.

CHIZ: He can activate it here when he is in the Philippines?

RP: Yes Sir.

CHIZ: And he can activate it when he goes abroad.

RP: He can notify the bank to activate it if he wants to use it let's say in the US or in Japan.

CHIZ: Or perhaps do it online?

RP: Yes Sir.

CHIZ: As the case may be?

RP: Yes Sir.

CHIZ: Any reforms?

KP: This is on EMV technology; we also need to do our own reading so that we can understand all of this that is happening. What's the documentary about the incident involving the Bank of Muscat? Can that happen here? Muscat in Oman. In New York, you can just walk from ATM to ATM using different cards, withdrawing almost $400,000 in one afternoon. Can that happen here in the Philippines? I think there was hacking there. I think they got the information of the customers of the bank and then replicated or produced cards with the data. Can that happen here?

RP: Essentially Sir, it's still skimming.

KP: Skimming plus hacking, maybe, because the database was accessed.

RP: No. You can get the information from the ATM terminal, the device attached to the ATM terminal. There was no penetration of the system.

CHIZ: Because to be able to withdraw, Senator Pimentel, if he wants to withdraw Php1-M, the account must have one million to begin with, or several accounts to come up with a million.

Again, to reiterate, the intention of the hearing is to inform the public as to what happened, to remove any speculation with respect to the incidents lately in the BDO and the BPI. And moving forward, to inform the public as well what the banks did regarding what happened and what they are doing to prevent it from happening again, and how complaints will be handled, if ever, so that recovery or restitution is done at the soonest possible time. May I ask for any final statement from any of our resource persons before we call it a day insofar as this issue is concerned? Mr. Consing? I give you the floor.

RP: Your Honor, we just want to thank you, the Honorable Senators and the BSP officials in the room and our colleagues, for the time you gave us to explain the June 6 incident. You have our assurance that we will make things right. I think we have already made things right. But if there is any outstanding issue, we will make sure that we will make things right. Thank you, Sir.

CHIZ: On the part of BDO? Sir?

RP: Thank you your Honor. As what Mr. Consing said, from BDO as well, we would like to thank you for the opportunity to share with you exactly what happened. We are going to make it right for the customers as well. So again, we thank you.

CHIZ: On the part of BSP?

RP: Mr. Chairman, actually our call is for the banks to be very clear about how to handle the complaints of customers, and of course, communications should be very clear about how they would go about having their concerns addressed by the banks, Mr. Chair.

CHIZ: Are you looking into incidents as well? We will be coming up with an investigation or report or something. No?

RP: Since we are currently coordinating –

CHIZ: Since it is a regular occurrence. So there's none?

RP: Yes Mr. Chair, since we are currently coordinating with them. So at this point, we haven't really started yet.

CHIZ: Kindly submit to the committee a report of your final, a copy rather of your final report, with respect to the BPI incident so that we can complete this incident, only what you can give of course, even a salutary or positive portion, without violating the secrecy of banks and regulations that you may have, just so we can complete full circle our inquiry on this matter.

RP: Yes Mr. Chairman, we seek approval from the Monetary Board for such report.

CHIZ: Thank you, Assistant Governor Fonacier. Now moving forward to the agenda, can I ask Senator Drilon to make the corresponding motion for the approval of the principles subject to style and the same.

FD: Yes Mr. Chairman, the proposed Bill No. 1467, which seeks to establish an SEC office in Koronadal City and appropriate funds therefor. A similar measure was passed by Congress to establish an SEC office in Bacolod City, and this is no different, so I therefore move that the committee recommend to plenary the approval of this measure.

CHIZ: Thank you Senator Drilon. Upon previous consultation with the representatives of the SEC, would anyone speak on this? Who may be against it? Can you say no Atty. Garcia instead of simply turning your head left and right?

RP: (inaudible)

CHIZ: Thank you very much. There being no motion. Senator Drilon, seconded by Senator Pimentel, the same is hereby approved. The committee secretary is directed to prepare the corresponding committee report, again subject to style, insofar as Senate Bill No. 1467 filed by Senator Pimentel is concerned. So ordered. There being no other matters, the hearing of the Committee on Banks, Financial Institutions and Currencies is hereby suspended. We thank our distinguished guests. Thank you very much.

Copyright 2016. ALL RIGHTS RESERVED Office of Senator Chiz Escudero