Rogue

Our banks have been having an interesting time of late. There have been hacks, glitches and, yes, rogue officers to keep things interesting.

The most recurrent problem among the banks has been ATM fraud. The country, over the last few years became a sort of Mecca for foreign talent coming to test the mettle of our ATM networks. Banks had to install those ugly covers on ATM keypads to make it more difficult to observe PINs being keyed in. CCTVs have been deployed to identify the hackers.

Still, it seems the hackers manage to keep a step ahead of new security features installed. There is malware that causes a machine to dispense all its contents, like hitting the jackpot in a slot machine, when activated. Hackers have developed hardware capable of overriding reports of transactions to the mainframe.

It is a running cat-and-mouse game between bank IT experts and criminals intending to crack ATM security. For every technological vulnerability, fortunately, there is a technological counter-measure.

Bank regulators, for instance, have ordered banks to shift to more modern ATM cards, using chips in place of magnetic bands, so that they are more difficult to clone.  That seems to have deterred the hackers.

Then there is the problem of computer systems crashing. Human error is blamed for the recent glitches experienced by BPI and BDO. It took days, and a lot of anxiety among depositors, to restore the systems.

On June 26, one bank’s computer system bogged down. Government decided belatedly to declare that day an official holiday. Someone forgot to tell the computer system this was not a banking day.

Modern banks cannot do without IT systems, vulnerable as they sometimes might seem to be. Millions of transactions need to be processed each day. Customers expect speed and promptness.  Banks that cannot keep up with the pace clients have come to expect lose business.

Some 86% of Filipinos may be unbanked. Still the banking system groans under the sheer number of transactions that happen each day from the 14% that do have bank accounts. If we are to bring more people into the banking system, the banks will have to invest in software and hardware to facilitate the business.

Then there are the procedures and systems that enable banks to maintain strong internal controls. Money is fungible. When it is lost, it will be hard to find.

The new BSP governor, Nestor Espenilla, cut his teeth as the regulator-in-chief of the banks. Bankers view him with the same dread as students do the terror teachers. He constantly wanted the best practices in the industry adopted by our domestic banks, especially in the area of risk management.  He wanted auditors to use the most advanced accounting methods. He enforced deadlines for prompt corrective action (the dreaded “PCA”) with a whip.

With Espenilla as BSP governor, we can expect an even more tightly regulated banking system. That is good. Modern banking is a business with a thousand parts. Weak regulation will spell failure.

When news broke about an apparent case of internal fraud at Metrobank, we can be sure that Espenilla’s army of auditors will be all over the place. They will look under every rock and into every piece of documentation. The most important goal in a review like this one is not just the prosecution of the errant bank officials but the introduction of new safeguards to protect banks against rogue officers.

The best managed bank and the most advanced IT system cannot protect against rogue personnel. Internal controls and effective audit procedures will make it more and more difficult to commit fraud. But no bank can be 100% protected against white-collar crimes. They will only make it necessary for the potential criminals to be more technically adept.

In order to prevent a bottleneck at the top that could paralyze business processes, decision-making on loans are distributed down the line to the branch manager level. At each level, there is a limit to the amount of loans that could be decided upon without bringing the matter up to higher authority.

The devolution of decision-making requires investment of a lot of trust on responsible bank officers. Sometimes, the trust could be broken and the intricate procedures of internal control breached. The banks, after all, are run by a cadre of bank officers, each with a level of vulnerability.

Much trust must have been invested by Metrobank in the lady vice-president who supervised the huge credit line of a large conglomerate. That is necessary. The bank needed to nimble in responding to the needs of a major client. The bank officer managing the huge account needed to be able to decide on drawdowns from the credit line.

There are many advantages in giving much leeway to trusted officers managing the accounts of major corporate clients. But there are also perils in increasing the margin of discretion of senior bank officers. One of those perils in someone named Mavic Lopez who administered the account of Robinson group.

We have been treated to varying estimates of the amounts Lopez was able to bleed from the Robina credit line. The lower estimates run in the hundreds of million. The higher estimate runs to maybe two billion. We will not know until the forensic audit is done.

Social media entertains us with photos of the suspect and accounts of the lavish lifestyle she led. A string of cases, including garnishment, have been filed against the suspect.

But we are still left wondering how to check rogue officers before they strike.