RCBC to BB: Share results of cyber heist probe

FILE: In February last year, about USD81 million of the stolen funds ended in four dollar accounts opened with the RCBC Makati branch in May 2015. (Photo by Paul Edgar Pastoral/Flickr, CC BY-ND 2.0)

MANILA — Rizal Commercial Banking Corp. (RCBC) has again called on officials of Bangladesh Bank (BB) to make public the results of its own investigation on the 2016 bank heist, wherein it lost a substantial amount, instead of blaming other entities.

In a statement Tuesday, lawyer George dela Cuesta, RCBC Legal Affairs head and first senior vice president, said RCBC had been used as a scapegoat for BB’s inefficiency to ensure that its funds with the New York Federal Reserve were fully secured.

In February last year, about USD81 million of the stolen funds ended in four dollar accounts opened with the RCBC Makati branch in May 2015.

The Philippine government exerted efforts to recover the funds, part of which ended in the hands of casino operator Kim Wong, who returned a total of USD4.63 million and PHP488 million worth of cash to the Anti-Money Laundering Council (AMLC).

Dela Cuesta said BB “has been quite active in media, accusing everybody but itself” regarding the stolen money.

“BB had blamed the New York Fed for releasing the funds but never mentioned that ‘someone’ in BB helped clear the withdrawal. BB also targets RCBC every now and then, asking it to return the whole amount which is factually and legally baseless,” he said.

The lawyer pointed out that Bangladesh’s former finance chief had dubbed the incident an “inside job”, thus, it had no right to ask other entities to return the stolen funds.

He said both the Philippine government and the New York Fed have asked BB to release the results of its investigation ”to no avail”.

“For as long as BB refuses to cooperate with global efforts to find out what happened, this suspicion will linger. Unfortunately, BB’s refusal to cooperate victimizes truth since there are critical questions based on reports that only BB can respond to and clarify,” he said.

Among these issues are how BB cleared the funds withdrawal in the New York Federal Reserve to be wired to RCBC even as reports have said that this process requires BB officials to be physically present to give the go signal; why BB allowed itself to be digitally vulnerable by not putting in place a firewall and using only second-hand USD10 switches; and why BB was not alarmed over the trial runs made by the hackers as early as January last year.
The statement also cited reports that the Bangladeshi expert who claimed inside job as a possible reason for the heist, disappeared for a few days after giving his statement and was later found to be “in daze and out of his wits”.

It said BB asked RCBC to freeze the movement of the stolen funds in an ordinary message instead of using the Code Red required from banks to raise the alarm, and called the bank only on Feb. 11 last year, six days after the release of payment instruction from New York Fed.

RCBC said “BB is definitely partly to blame for the heist. Its refusal to be transparent is a continuing cover-up and a disservice to global efforts to combat cybercrime. For this, BB must be sanctioned until it owns up and shares what it knows to prevent a repeat,” it said, pointing out that no BB official has been identified for participating in the crime.

The bank said it had revealed everything it legally could to the Senate and its regulator, the Bangko Sentral ng Pilipinas (BSP).

The BSP has slapped a PHP1 billion supervisory fine against RCBC in relation to the cyber heist.

The fine imposed on RCBC is the largest to date against any BSP-regulated institution. (PNA)