The Great Bangladesh Central Bank Heist of 2016: Whose Heads Should Roll in RCBC?

RCBC Jupiter Branch Manager Maia Santos-Deguito

Today, RCBC fired  the top officers of the RCBC Jupiter branch in Makati, namely, bank manager Maia Santos-Deguito and senior customer relations officer Angela Torres "for alleged illegal transactions linked to the $81-million Bangladesh bank heist."

RCBC President Lorenzo Tan

RCBC President Lorenzo Tan has offered, not to fall on his sword like Atiur Rahman, the beleaguered Bangladesh Central Bank Governor, but to go on leave "to give the bank a free hand in investigating the alleged money laundering issue involving its Jupiter branch in Makati and its branch manager."  According to Atty. Francis Lim, Mr. Tan's legal counsel, the RCBC is solidly behind Lorenzo Tan: "The bank’s board thanked him for his gentlemanly and decent gesture but said their trust in him is intact and unshaken."

But is the bank's board really behind Mr. Tan? After all, these words were spoken by the legal counsel of Mr. Tan and not by the legal counsel of the bank itself.  The bank, along with a whole host of Philippine and international regulatory officials, is still investigating exactly what happened.  It would take months, maybe even years, before this case is resolved.  After all, this case put the spotlight on the entire country as one of the money laundering capitals of the world, a financial black hole where else dirty money disappears never to be found again.

This case has all the elements of a Hollywood blockbuster: robbing a central bank, fake bank accounts, cars full of cash, disappearing cyber experts, and casinos that would dwarf anything conjured up by Danny Ocean. Someday, someone in Hollywood will make a movie out of this great caper.

We won't bog the reader down in the details of what happened.  But there is one thing that Lorenzo Tan said that struck seemed odd.  He said that the US $81 million transaction did not need his approval because the money can enter the system without the need for their intervention.  "Because to impose such a requirement would slow down the process that needs to be expeditious and efficient...International remittances under accurate SWIFT instructions are credited to the beneficiaries accounts without the need of any manual intervention."

Compliance vs. Economic Efficiency:

Does this mean that it was RCBC's official policy to emphasize economic efficiency over compliance?

Under BSP Circular No. 706, which updates Anti-Money Laundering Rules and Regulations, RCBC is supposed to report any "covered transaction" involving single transactions in cash or other equivalent monetary instruments in excess of P 0.5 million within one banking day. RCBC is also supposed to flag any suspicious transaction, regardless of the amount involved, where there is "no underlying legal or trade obligation, purpose or economic justification" and "the amount involved is not commensurate with the business or financial capacity of the client" and "any circumstance relating to the transaction which is observed to deviate from the profile of the client and/or client's past transactions with the institution."

If you look at the money trail or read these details, the transactions fit the textbook description of a suspicious transaction.  The Bangladesh Central Bank via the New York Fed wiring US$ 81 million to four individuals who just recently opened accounts with nominal amounts of money? There must be a giant red flag here somewhere.

MLPP

The bank seems to be paying lip service to its MLPP or Money Laundering and Terrorist Financing Prevention Program.  The current MLPP was approved by RCBC's board last November 2014 and "was implemented bankwide." The approved MLPP "was disseminated to all offices and subsidiaries within and outside the Philippines." The MLPP details the procedures for complying and implementing the AMLA (Anti-Money Laundering Act) including suspicious transaction reporting.  Under BSP's Circular No. 706, the bank is supposed to have a reporting chain under which the suspicious transaction will be processed.  Moreover, there is supposed to be an approved board-level committee which decides whether or not the bank should file a report to the Anti-Money Laundering Council.

BASE60

RCBC's reporting system, called the BASE60 AML Monitoring System (BASE60) was launched in July 2014.  The Base60 monitors all financial transactions in the Bank to facilitate the detection of money laundering and terrorist financing schemes.  It is capable of aggregating all customer accounts as well as generating various reports for the use of AML Department (AMLD).  To conform to BSP Circular No. 706, this system supposed to generate timely reports for RCBC's board and senior management. The system has a sophisticated integrated alert and case management system that can generate custom alerts using parameters set by the client.

BASE60 is an end to end software solution developed by Object Frontier Software that is used by quite a few Philippine banks other than RCBC:

1. United Coconut Planters Bank (UCPB)
2. EastWest Bank, Security Bank
3. China Bank
4. PhilTrust Bank
5. Robinsons Bank
6. Planters Bank
7. Asia United Bank (AUB)
8. One Network Bank (ONB)
9. Philippine Bank of Communications (PBCOM)

According to Mr.Eduardo Arcenio C. Roldan, the AML Compliance Office/Senior Manager of Asia United Bank, the software was useful for "the investigation of suspicious transaction made possible by the generation of alerts based on approved parameters." Another banker, Mr. Carlos L. Chuakay Jr., AVP & AML Officer of PBCOM Compliance Group, said that the alert scenarios that were built into AML Base60, for both the customer and transaction modules, effectively helped our business units to monitor their accounts accordingly."

Given that the software had the capability to generate alerts based on both customers and their transactions, what alert scenarios did RCBC build into its BASE60 system?

Internal Audit Department

Under BSP Circular No. 706, RCBC's Internal Audit department is required to conducted a periodic and independent evaluation  of the suspicious transaction reporting system as well as the adequacy and effectiveness of its internal controls associated with money laundering.

Compliance Office

The management and implementation of the MLPP is a primary task of the bank's Compliance Office. The bank's Compliance Officer monitors AMLA compliance and conducts regular compliance testing of business units. All banking units to submit to the Compliance Office certificates of compliance with the Anti-Money Laundering Rules and Regulations on a quarterly basis. The bank's Anti-Money Laundering Department regularly reports to the Anti-Money Laundering Committee, senior management committees and the BOD to disclose results of their monitoring of AMLA. The Compliance Office meets with and submits compliance reports directly to Audit Committee because RCBC's board and senior management have the ultimate responsibility to implement the provisions of these Anti-Money Laundering rules and regulations.

In May 2011, the Compliance Office was reorganized and expanded into three departments: Anti-Money Laundering Department, Testing and Monitoring Department, and the Corporate Governance Department under the direct control and supervision of the Compliance Officer.  The Compliance Office has an AML Lawyer, AML Specialists, and Compliance Specialists.  The designated Deputy Compliance Officer (DCO) from each unit/department/division is responsible for the actual implementation of applicable regulatory issuances and the submission of compliance certifications to the Compliance Office.  The compliance function also covers oversight of the activities of the bank's domestic subsidiaries under BSP supervision to ensure uniform implementation of the requirements of the BSP and other regulatory agencies.

Customer Profiling

Under its MLPP, the bank is required to risk profile its clients to "Low, Normal, or High with its corresponding customer due diligence of Reduced, Average or Enhanced. Decisions to enter into a business relationship with a high-risk customer requires senior management approval, and in some cases such as a politically exposed person or a private individual holding a prominent position, Group Head approval is necessary."

Under BSP Circular No. 706, customers normally designated as low risk are often individual customers with regular employment or economically productive activity, small account balance and transactions, and a resident of the area of the covered institution's office or branch. For these customers, reduced due diligence may be applied.  Other low-risk clients are banking institutions, trust entities, and quasi-banks, publicly-listed companies, and government-owned and controlled corporations (GOCCs).

How were the RCBC individual accounts in question profiled? Low risk?  If they were designated as low risk at the time they were accepted as customers, didn't the bank perform additional customer due diligence prior to disbursing to them very large amounts of money directly from the Bangladesh Central Bank? Didn't the bank ask what business they had with the Bangladesh Central Bank?

AMLA Training

Based on RCBC's 2014 Annual Report, the directors, and senior officers received some training on the Anti-Money Laundering Act of 2013. Were these sessions merely corporate "check the box" exercises in compliance?

• AML Training for Directors last November 28, 2011.  Topics included: Functions of the AMLC; Covered and Suspicious Transaction; Updated AML Rules and Regulation (BSP Circular No. 706); Frequently asked questions involving Politically Exposed Persons (PEPs); Responsibility of the Board of Directors of the Bank on AML Compliance; Other Highlights of BSP Circular No. 706.  The speaker was Atty. Richard David Funk II, Deputy Director and Head of the Compliance and Investigation Group of the AMLC.  The program was facilitated by the Regulatory Affairs Division, Legal and Regulatory Affairs Group, RCBC.

• Updates of the Anti-Money Laundering Act of 2013, as amended.  Attended by RCBC Directors and Senior Officers last September 30, 2013.  The speaker was Mr. Arnold Frane of the Legal Services Group, Anti-Money Laundering Council Secretariat.  This BSP Program was facilitated by the Regulatory Affairs Division, Legal and Regulatory Affairs Group, RCBC.

The bank's Compliance Office also conducted "Comprehensive Compliance Training" for various units of RCBC.  The lecture provided "each participant with information on regulatory and compliance awareness as well as operational guidance on the use of the new AMLA monitoring system." RCBC's Retail Banking Group received this training in 2013 and again in 2014 in the Branch Re-orientation Program of the Retail Banking Group.

Multiple Possible Points of Failure at RCBC

There are obviously many possible points of failure in RCBC's compliance system:

• Branch Level
• Retail Banking Group
• BASE60 
• Compliance Office
• Internal Audit
• Legal and Regulatory Affairs
• President & CEO
• Audit Committee

The obvious point of failure was at the level of RCBC's Jupiter branch, wherein the branch manager and its senior customer relations officer were summarily removed.

Another possible point of failure was at the Retail Banking Group.  Since branches clearly fall under Retail Banking Group, this could be the second point of failure. The Head of Retail Banking Group is new: Lizette Margaret J. Racela was only appointed Group Head of Retail Banking as of February 1, 2016 - a little over a month before the anomalous transactions took place.  She previously came from the consumer lending business of RCBC Savings Bank where she was responsible for the the growth of its loan portfolio.  The previous head was Raul Victor B. Tan, Executive Vice President of RCBC, who now heads the Treasury. While serving as Retail Banking Group Head, Mr. Tan also served as the Head of Treasury from March 2015 until Ms. Racela took over the Retail Banking Group.  Could holding two demanding jobs be one source of the problem and could this have distracted Mr. Raul Tan from his implementing AML compliance in the Retail Banking Group?  This remains to be seen.

RCBC EVP Raul Victor B. Tan

Another possible point of failure was the BASE60 AML Software, itself.  It is unclear if the software flagged the anomalous transactions or whether it has the capacity to do so.  In terms of spot foreign exchange transactions, RCBC is the biggest Philippine bank using the BASE60 software.  According to BASE60, its alert system was customizable on a customer and transaction basis.  It is not clear if the alert system was configured properly or used parameters that could have flagged the transaction.  It could have been a GIGO problem, as they say in computer parlance: Garbage In, Garbage Out. What is clear was that it was the Bangladesh Central Bank that notified the BSP regarding the anomalous transactions, which, in turn, prompted the BSP and the Anti-Monetary Laundering Council to begin an investigation.

Compliance is definitely an issue in RCBC.  It is unclear if the transactions were flagged by the Compliance Office or what level of customer or transaction due diligence was conducted beyond the branch level.  It is also unclear if all banking units had "clean" quarterly certificates of compliance. In RCBC's 2014 Annual Report, RCBC First Vice President Ma. Fe P. Salamatin is listed as the bank's Compliance Officer and Head of its Regulatory Affairs Division. There was also an obvious deficiency in RCBC's Compliance Testing and Monitoring. RCBC First Vice President Ruth Mendez Aninon is the Head of the Compliance Testing and Monitoring Department in the Compliance Office of the bank's Regulatory Affairs Division.

Internal Audit obviously failed to spot the weaknesses of RCBC's AML compliance systems. RCBC First Senior Vice President Ana Luisa S. Lim heads the Internal Audit Group.

RCBC First Senior Vice President Ana Luisa S. Lim

As a facilitator of the AML training, the Legal and Regulatory Affairs Group may have had some role to play in this fiasco. Executive Vice President and Corporate Secretary Maria Celia H. Fernandez-Estavillo is listed as the Head of the Legal and Regulatory Affairs Group.

RCBC EVP Maria Celia H. Fernandez-Estavillo

Tone From the Top

As President & CEO, Lorenzo Tan sets the "tone" of the organization from the top.  He is a very strong influence in shaping the bank's culture of compliance.  Given his statements above, it seems obvious that his policies emphasized efficiency over compliance.

Audit Committee

RCBC has won many awards for Corporate Governance in recent years, but its Audit Committee is another possible point of failure. The Audit Committee is one of the two most essential board committees in RCBC. The other committee, the Corporate Governance Committee, nominates qualified candidates to the board and oversees the company's executive compensation program.

The Audit Committee is tasked with oversight of the bank's compliance with legal and regulatory requirements.  Specifically, it reviews the compliance reports submitted to the Audit Committee by the Compliance Officer during Audit Committee meetings.  The Audit Committee also approves the annual work plan of the Compliance Office.  It reviews the extent and scope, activities, staffing, resources and organizational structure of the Internal Audit function.  It approves the annual audit plan to ensure its conformity with the objectives of the bank.  It conducts quarterly reviews of the performance of the Internal Audit function, including capacity and manpower complement. It periodically reviews the Internal Audit Charters. It also oversees the assessment and management of the bank's enterprise risk such as legal and reputational risks.

The board is composed of three board members, at least two of whom are independent directors, including the Chairman, and another one with audit experience.  The committee composition is as follows:

• Armando M. Medina, Chairman
• Medel T. Nera, Member
• Francisco C. Eizmendi, Jr., Member

Both Chairman Medina and Francisco C. Eizmendi, Jr. are listed as independent directors.

RCBC Audit Committee Member Medel T. Nera

Independent directors are considered independent when they are:

"Independent from management or from any business relationship which could, or could reasonably be perceived to materially interfere with the exercise of independent judgment, and the lack of a relationship to the corporation, its related companies or substantial shareholder as a regular director or officer or relative of the same, as an executive or professional adviser within the last five years, or business relations other than arm's length, immaterial or insignificant transactions."

Mr. Nera is a non-independent member of the committee because he serves as President, CEO, or director of four listed companies within the Yuchengco Group of Companies - a major shareholder of RCBC: Director, President, and Chief Executive Officer of House of Investments, Inc., Director of iPeople, Inc., EEI Corporation, and Seafront Resources Corporation.  He also serves as a director of the National Reinsurance Corporation of the Philippines, a listed company outside the YGC. He has been with a director of the bank since 2011.

RCBC Audit Committee Chairman Armando M. Medina

Chairman Medina has been an independent director of the bank since 2003 but was a former President of RCBC.  How independent is Chairman Medina? He may be independent in name only.  According to his Bloomberg Executive Profile, Chairman Medina seems to have long-standing ties to the Yuchengco Group, having served or is serving as an independent director of Malayan Insurance Co., Inc. and Pacific Plans, Inc. - companies associated with the Yuchengco Group. As Chairman of the Audit Committee, Mr. Medina bears the brunt of responsibility for the Audit Committee's lapses in oversight.

RCBC Audit Committee Member Francisco C. Eizmendi, Jr.

Mr. Eizmendi has been an independent director of the bank since 2006. For the past two years, Mr. Eizmendi only attended 8 out of 13 Audit Committee meetings (61.54%) in 2014 and 8 out of 15 Audit Committee meetings (53.33%) in 2013.  It is important to note that Mr. Eizmendi's attendance record when it comes to general board meetings was stellar.  In 2014, he was able to attend 15 out of 16 or 93.75% of general board meetings and 19 out of 20 or 95.00% of general board meetings in 2013. 

In 2014, Mr. Eizmendi attended 10 out of 10 Corporate Governance Committee meetings (100.00%) and 4 out of 6 Related Party Committee meetings (66.67%).  In 2013, Mr. Eizmendi attended 12 out of 12 Corporate Governance Committee meetings (100.00%).

Why was Mr. Eizmendi's attendance record for Audit Committee meetings so poor when his attendance record for general board meetings and other committee meetings was good? Did he prioritize the regular board meetings over the Audit Committee  meetings? Was his health poor at the time of the Audit Committee meetings? According to RCBC, there was no shortage of ways Mr. Eizmendi could have attended Audit Committee meetings:

"Directors attend regular and special meetings in person or through teleconferencing andd videoconferencing in accordance with the rules and regulations of the SEC in a manner allowing the director to actively take part in the deliberations on matters taken up.  The Bank ensures availability of teleconferencing facilities when justifiable causes prevent the director's attendance. A director may also attend the meetings by submitting written comments on the agenda to the Corporate Secretary and the Chairperson prior to the meeting, as provided in Subsection X141.1 of the Manual of Regulations for Banks." 

Mr. Eizmendi was 79 at the time of the 2014 Annual Report.  Maybe retirement, at least from the audit committee, is due if he cannot attend to the demands of the Audit Committee, particularly at a time of crisis, wherein many, many more Audit Committee meetings will be required? Both Chairman Medina and Mr. Eizmendi will end their five-year service period as independent directors by 2017.

Director remuneration can be substantial.  Each Non-Executive Director (NED) receives a per diem of Php 30,000 per regular board meeting.  This amounts to Php 480,000 in per diems per NED in 2014. Audit and Risk Oversight Committee Chairmen receive Php 15,000 per meeting while their committee members receive Php 10,000 per diem per meeting.  For other board committees, chairmen receive Php 10,000 per meeting while members receive Php 6,000 per meeting. Directors also shared a bonus pool of about Php 19 million in 2014, averaging roughly Php 1.3 million per director. So each member of the Audit Committee earned an average of Php 2.0 million in 2014.

Director Remuneration
Director	General Meetings	Committee Meetings	Total Meetings	Average Bonus	Total Compensation
Armando M. Medina	Php450,000.00	Php453,000.00	Php903,000.00	Php1,300,000.00	Php2,203,000.00
Francisco C. Eizmendi, Jr.	Php450,000.00	Php170,000.00	Php620,000.00	Php1,300,000.00	Php1,920,000.00
Medel T. Nera	Php480,000.00	Php302,000.00	Php782,000.00	Php1,300,000.00	Php2,082,000.00
Total	$1,380,000.00	$925,000.00	$2,305,000.00	$3,900,000.00	$6,205,000.00

Bear in mind that all the Audit Committee members have had extensive financial expertise throughout their professional lives, in their capacities as both board directors and corporate executives.  All Audit Committee members attended the update on the Anti-Money Laundering Act conducted by Atty. Richard David C. Funk II, Deputy Director, Compliance and Investigation Group of the Anti-Money Laundering Council for the Board of Directors last August 26, 2014.  Moreover, members of the Board are given independent access to management and the Corporate Secretary for information such as background or explanation on matters brought before the Board, disclosures, budgets, forecasts and internal financial documents.  So, all of the Audit Committee Members have the capability to oversee RCBC's legal and regulatory compliance. Again, there was a lapse in oversight and all Audit Committee members, especially Chairman Medina, bear some responsibility for that lapse.  

So whose Heads Should Roll in RCBC?

The BSP has promised to hold RCBC and its bankers accountable for this humongous black eye to the Philippine Financial System.  If it is to improve, the system must change.  Bank processes and procedures must change. Bank culture must change.  Very often, the ones responsible for the mess are not the ones who should clean it up.  They may be more concerned about deflecting criticism and blame from themselves than actually reforming the system.  Hence, heads must be placed on the chopping block of accountability.  Here are some possible candidates:

• Raul Victor B. Tan, EVP, former Head of Retail Banking Group
• Ma. Fe P. Salamatin, FVP, current Compliance Officer and Head of its Regulatory Affairs Division
• Ruth Mendez Aninon, FVP, current Head, Compliance Testing & Monitoring Department, Compliance Office, Regulatory Affairs Division
• Ana Luisa S. Lim, FVP, current Head of Internal Audit Group
• Maria Celia H. Fernandez-Estavillo, EVP and Corporate Secretary, Head of the Legal and Regulatory Affairs Group
• Lorenzo Tan, President & CEO
• Armando M. Medina, Chairman, Audit Committee
• Medel T. Nera, Member, Audit Committee
• Francisco C. Eizmendi, Jr., Member, Audit Committee

The heads that should roll should come from fairly high up the corporate ladder and not just some unknown and nameless junior executive.  After all, no less than the Governor of the Bangladesh Central Bank himself, Atiur Jain, was compelled to resign even though the crime took place so many levels below him. Such was the gravity of the situation he and his nation faced.  The same holds true for RCBC. It brought enormous shame on not just RCBC but the entire country.  Someone high up has to pay the price.

If nothing happens, then RCBC is looking to ride it out until the controversy dies down.  After all, RCBC is no stranger to scandal.