While it's true that cyber-security is an ever-increasing risk in the banking industry, the new BSP framework might be ignoring an equally growing risk: that of legacy IT systems. After all, the last two computer glitches, the one at the Bank of the Philippine Islands (BPI) at the start of June 2017 and the one at Security Bank on June 21, 2017, were not caused by hacking per se but by errors in the banks' internal systems, human or otherwise. It was only BDO Unibank that admitted to having lost money due to ATM skimming.
In the House and Senate hearings on these computer malfunction incidents, both BPI and BSP officials cited similar snafus in other countries such as the United Kingdom and Singapore. The computer outages at the Royal Bank of Scotland (RBS) in 2012 and 2013 (leading to a record fine of GBP 56 million) and a similar outage at the Development Bank of Singapore (DBS) in 2010 were not products of hacking or external breaches of their computer systems but were internal to their respective firms.
Royal Bank of Scotland
The RBS cases are particularly instructive. Their numerous mishaps were attributed to human error as well as a failed batch processing upgrade. The U.K.'s Financial Conduct Authority (FCA) attributed the RBS computer failures to deficiencies in the bank's IT risk management and control, namely:
- Inadequate focus on IT resilience;
- Insufficient identification, understanding or mitigation of the risk of a batch scheduler failure;
- Measures to reduce the risks and subsequent effects of computer outages, such as separating batch processing systems, were not in place;
- IT risk management policies were focused on recovering from low-probability but high-impact events such as the total loss of a data center rather than from smaller but more probable disruptions like software failure.
But the RBS computer outage could also have been due to the dismal state of its core legacy IT systems. The basic bank processing software, the "back end", may have been left untouched after years of under-investment. Instead, management may have treated the legacy core system as a "black box" wrapped in a snazzy new shell of front-end (customer-interface) applications: real-time services such as mobile banking and internet banking, which show customers their up-to-the-minute balances even though the actual balances are batch-processed overnight. Hence there is a divergence between what a customer thinks his balance is and what the bank thinks its customer's balance is, until the two are reconciled by the overnight batch run. This momentary divergence makes the bank's data vulnerable to corruption. Over time, because of competitive pressures, the shell of applications sitting on top of the core legacy system may grow larger and more complex, increasing the risk of incompatibility and connectivity problems between the newer shell applications and the older core technology.
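The real-time shell over a batch-processed core described above, as an added Python model that is not from the article or from any bank's actual system: the front end displays the core balance plus provisional intraday postings, the overnight batch applies them to the core, and a control-totals reconciliation detects postings that a failed batch silently dropped. The `abort_after` failure mode, the account values and the posting references are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Posting:
    ref: str          # transaction reference captured by the front end
    amount: Decimal   # signed: credits positive, debits negative


@dataclass
class Bank:
    core_balance: Decimal                         # authoritative ledger, updated only by the overnight batch
    journal: list = field(default_factory=list)   # every intraday posting the front end captured today
    pending: list = field(default_factory=list)   # postings the front end still shows as provisional

    def displayed_balance(self) -> Decimal:
        """What mobile/internet banking shows: core balance plus provisional postings."""
        return self.core_balance + sum((p.amount for p in self.pending), Decimal("0"))

    def post(self, ref: str, amount: str) -> None:
        p = Posting(ref, Decimal(amount))
        self.journal.append(p)
        self.pending.append(p)

    def run_batch(self, abort_after=None) -> list:
        """Overnight batch applying pending postings to the core.
        abort_after (constructed failure mode) models a scheduler failure mid-run:
        postings beyond that index are never applied, yet the front end clears its
        provisional list as if the run had completed."""
        todo = self.pending if abort_after is None else self.pending[:abort_after]
        for p in todo:
            self.core_balance += p.amount
        self.pending = []
        return [p.ref for p in todo]


def reconcile(opening_core: Decimal, bank: Bank, applied_refs: list):
    """Control-totals check run after the batch: the core must have moved by exactly
    the sum of the day's journal. Returns (unapplied_amount, missing_refs);
    (Decimal("0"), []) means the two ledgers agree."""
    expected_move = sum((p.amount for p in bank.journal), Decimal("0"))
    actual_move = bank.core_balance - opening_core
    missing = [p.ref for p in bank.journal if p.ref not in set(applied_refs)]
    return expected_move - actual_move, missing
```

After the aborted run the displayed balance equals the core balance again, so the customer-facing view no longer reveals the lost posting; only the independent control-totals check does.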
- City Trust Banking Corporation, the retail banking arm of Citibank Philippines, in 1996;
- Far East Bank & Trust Company (FEBTC) in 2000 (the largest banking merger at that time);
- Three major life, non-life and reinsurance companies in 2000; as well as
- Prudential Bank in 2005.