The heist was audacious, complex and surprisingly successful. In early 2016 an attempt was made to steal almost $1bn of Bangladesh central bank money held at the US Federal Reserve via a Philippine bank, a Philippine remittance company and Philippine casinos. The theft, in which $81m was taken from the account, has significant implications both globally and locally.

It is clear that safeguards at even the best-protected institutions in the world are far too weak given the sophistication of today’s hackers. Procedures will have to be reviewed and improved. In the Philippines, the heist demonstrates that the laws in the country, while modern and following international best practices, have significant gaps and that banks and other market participants have weaknesses that can be exploited.

Early indications are that the sector will weather this storm. The cost of the event is not enough to have a material impact on the banks. However, the theft is likely to result in some significant changes in terms of law, regulation and process.

Many Steps

In February 2016 hackers attempted to move approximately $1bn in a series of transactions from an account at the New York Federal Reserve owned by Bangladesh Bank. The target accounts were at the Jupiter Street branch of Rizal Commercial Banking Corporation (RCBC) in Manila. RCBC was founded in 1960 and is owned by the Yuchengco Group of Companies. Most of the transfers – 30 of the 35 attempted – were rejected for lack of details, but a total of $81m was successfully moved to four accounts at RCBC. The funds were then consolidated in an account newly opened at RCBC and sent to a money transfer company, Philrem Services Corporation. Philrem sent most of the money, apparently as cash, to a person that was said to be a junket operator at a casino.

It was the single-largest money laundering case in the Philippines, and it appears to have been the result of a series of failures at a number of institutions all along the value chain. Other attempts have been made. The Bangladesh theft was followed by an apparent attack by a North Korean-linked group. At least one unnamed bank was hit in the Philippines.

Untangling The Mess

The Bangladesh theft is still being sorted out. Around $15m of the funds have been recovered, and $2.5m of the funds have been frozen. RCBC was fined P1bn ($21.2m), the largest penalty ever imposed by the BSP, for the lapse. But since then, the matter has become contentious, as the parties involved cannot agree exactly where the fault lies for the loss. At first, it seemed that the bank would take the hit for the theft. An executive of RCBC made public statements promising to pay back the missing funds. But now the bank is refusing, RCBC saying that the Bangladesh central bank is to blame for the failure.

Bangladesh Bank insists that the Philippine institution was in error. Both the central bank of Bangladesh and the US Federal Reserve had sent stop payment instructions to RCBC, and these instructions were not acted upon by the bank. The central bank also noted that the Philippine institution and others ignored basic anti-money laundering (AML) best practices. Multiple times the transactions could have been stopped by following the most basic of procedures, but the funds continued to move regardless.

In November 2016 five people were charged in the case at RCBC. But as of early 2017 the case remained open, with officials from Bangladesh appealing directly to President Rodrigo Duterte resolve the issue. Specifically, it would like to get RCBC to pay up.

Legislation Currently In Place

What is most surprising about the massive fraud is that for the most part the Philippines has the right legislation and protocols in place to deal with the relevant activities. The country has been off of any of the Financial Action Task Force (FATF) lists since 2012.

Republic Act (RA) 10167 and RA 10168, passed in 2012, address financial crimes and strengthen earlier money laundering legislation to meet international standards. The laws themselves are comprehensive and cover just about all financial institutions and contemplate any number of possible infractions. Detailed implementing rules and regulations were published, and they suggest a strict programme and quick enforcement. Suspected accounts can be frozen without a court order and without the knowledge of the depositor. The legislation, however, has one major gap, and it was through this gap that tens of millions of dollars flowed. After lobbying on the part of the Philippine Amusement and Gaming Corporation, casinos were exempt from the legislation. It was believed that investors would be scared off if the AML laws applied to gambling establishments.

Investigations Ongoing

The Philippine Senate has been investigating the theft, and it has identified many deficiencies despite the abundance of law on the matter. It found loopholes not only in the AML Act, but also in the Bank Secrecy Law and General Banking Law, and its contends that these weaknesses allow for the committing of financial crimes. Politicians have said that they need to make amendments to the laws, if they are going to prevent failures in the system and repeats of the money laundering scandal.

The senators also criticised the speed of the process in place to deal with failures in the financial system. They said that the Anti-Money Laundering Council (AMLC) is too slow in taking action if trouble is detected. In the case of the Bangladesh theft, it should have coordinated with the Philippine Amusement and Gaming Corporation at the first sign of trouble. In the event, it took two weeks for it to make the calls after learning about the theft. The AMLC says that at present it can take a month to freeze suspicious bank accounts.

Secrecy Law

Central to the concerns on the part of the legislators and the administration is the bank secrecy law, or RA No. 1405. It is an essential part of the banking system, but one which makes it very difficult to identify fraud and act upon suspicions of it.

The Philippines has one of the strictest bank secrecy laws and is one of the last countries to offer almost absolute protection of depositor identity. The law was enacted in 1955. It was passed to discourage the hoarding of cash in homes by encouraging individuals to make deposits at financial institutions. The hope was that by driving cash to bank accounts the law would help mobilise funds needed for economic development.

A debate about modifying the bank secrecy law is ongoing, with some senators in favour of amending it and some in favour of doing away with it. At present, bank secrecy can only be violated under a narrow set of circumstances. It has been suggested that more categories of suspected infractions be added to the list.

Secrecy appears to have played a crucial role in the scandal. In that case, accounts were opened under fictitious names, but the bank refused to discuss the accounts because the use of fictitious names is not enough to warrant disclosure. Now the topic is on the table, others are supporting a change in the law. BSP and the Bureau of Internal Revenue are both pushing for a weakening of bank secrecy. The former said that easing is needed to prevent money laundering, the latter in order to investigate tax evasion. Only Switzerland, Lebanon and the Philippines prevent the tax authorities from forcing their way into bank accounts.

The new administration is taking an interest in money laundering, and its efforts could help motivate some changes in practices and law. At the end of 2016 the AMCL came under fire from President Duterte for its failure to coordinate better with other arms of the government, such as Department of Justice and the National Bureau of Investigation, in the pursuit of alleged drug money. The AMCL said that it was bank secrecy that prevented cooperation. The government would like the authorities to be able to examine bank accounts if there is suspicion of criminal activity.

Aftermath & Impact

Standard & Poor’s has said that the theft, while significant, would not impact its stable outlook on the local banking sector. The ratings agency noted that the banks are well capitalised and that the event, in terms of cost and penalties, could easily be absorbed. The fines and the possible restitution could impact RCBC, but the costs do not appear to have systemic implications.

BSP executives did acknowledge that the country could face sanction from the FATF due to lapses in AML standards. The FATF had been warning as early as 2013 that the casinos in the country need to be brought under the AML rules. But it seems as though the FATF is not taking any extraordinary action following the theft. It told the local press that it is not scheduled currently to conduct another inspection, and suggested that there would be no immediate impact from the event.

A modification of bank secrecy could have an effect on the banking sector, as some clients might withdraw funds if their anonymity is not guaranteed. But the consequences will likely be limited. The change in the law, if it comes, will probably not involve the total abandonment of secrecy, while the sector does not depend on secrecy for the vast majority of its business.