Claims of additional billions from BPI glitch false, says bank

June 21, 2017 - 12:42 PM
InterAksyon file photo of a BPI branch.

MANILA, Philippines — Clients of Bank of the Philippine Islands who said their accounts grew by billions of pesos during the recent technical glitch at the financial institution were making false claims, bank officials told the Senate Wednesday.

BPI executive vice president Ramon Jocson told the Committee on Banks, Financial Institutions and Currencies and Committee on Finance that a person would have to deposit P200 million every day for five days within the April 27 to May 2 period to reach P1 billion.

This meant BPI’s cash acceptance machines would have to be fed a P1,000 bill every two seconds for a deposit of P30,000 a minute or P1.8 million an hour. This would need to be done non-stop over 24 hours across five machines to deposit P200 million a day. But cash acceptance machines are filled at P4 million.

Thus, Jocson concluded, there was no way depositors could have received from P1-12 billion in their accounts as they claimed, and “the documents they presented to the public, to the radio stations, to the TV stations, were all doctored and fake.”

Explaining the glitch, Jocson said what had been affected was the information switching technology system, which drives automated teller machines (ATMs), point-of-sale systems, and cash acceptance machines.

During the day, BPI’s system posts temporary credits or debits to the balances of clients transacting through these three modes. The bank updates balances at night.

At around 8 p.m., the automated system kicks in and extracts “transaction log files” from each of the systems — ATM, loan, trade, remittance, tellering, and any other system that processed transactions for clients. At 10 p.m., each of these files is picked up by BPI’s central database and the update of balances begins. BPI then takes a copy of the database at that point.

“This is a closed system. It is not connected to anything external. It is not connected to the Internet … It has its own network,” Jocson stressed.

But what caused the glitch?

Some BPI depositors, when going abroad, use ATMs overseas to withdraw. On June 6, BPI needed to reconcile the reports from May 26 to 29 at the request of one of their corresponding banks abroad. Of the 12 personnel trained to use the system, only two had access to it, Jocson said. One of the two committed the error that led to the glitch.

The specialist was assigned to extract a report and instructed to take it from the backup files. To do that, she would have to “route” a request and inform her superior that she was going to do something in the “backup environment,” Jocson said.

“Because maybe of expediency,” he said, the specialist generated the report and extracted the file but, instead of entering May 26 to 29, she entered April 27 to May 2 into the online system. In effect, all transactions from April 27 to May 2 were extracted to create creating a file assigned the date of June 6. At 8 p.m. the extraction took place and, by 10 p.m., the file with the April 27 to May 2 transactions was used by the system, instead of the transactions for June 6.

In effect, said Jocson, the balances were updated using transactions from April 27 to May 2 instead of June 6. The clients’ transactions from this period were reposted. However, Jocson stressed, transactions of clients did not cross over to transactions of other clients.

“These were all your transactions in the past, nabalik lang (these were just returned),” Jocson explained.

Around 1.5 million of the bank’s eight million clients were affected by the glitch with the average debit around P7,700, and the average credit around P7,200. This was what the affected clients saw in their balances on June 7, Jocson said.

To correct this, what BPI did was “repost back,” reversing what had been credited or debited.

BPI President and CEO Cezar Consing voiced “deep regret” over the incident as he stressed the bank had been in continuous coordination with the Bangko Sentral ng Pilipinas and other regulators since, sharing the “configuration and processes” of its information technology system.

There was no breach of data privacy, he stressed.

“We will continue to do everything we can to regain our standing with our regulators, clients, the public, and you lawmakers,” Consing said.