While it's true that cyber-security is an ever-increasing risk in the banking industry, the new BSP framework might be ignoring an equally growing risk - that of legacy IT systems. After all, the last two computer glitches, the one at the Bank of Philippine Islands (BPI) at the start of June 2017 as well as the one at Security Bank last June 21, 2017 were not caused by hacking per se but by errors in their internal systems, human or otherwise. It was only BDO Unibank that admitted to have lost money due to ATM skimming.
In the House and Senate Hearings on these computer malfunction incidents, both BPI and BSP officials cited similar snafus taking place in other countries such as in the United Kingdom as well as Singapore. The computer outages that took place in the Royal Bank of Scotland (RBS) in 2012 and 2013 (leading to a record fine of GBP 56 million pound sterling) as well as a similar outage in the Development Bank of Singapore (DBS) in 2010 were not products of hacking or external breaches in their computer systems but were internal to their respective firms.
Royal Bank of Scotland
The RBS cases are particularly instructive. Their numerous mishaps were attributed to human error as well as a failed batch processing upgrade. The U.K.'s Financial Conduct Authority (FCA) pinned RBS computer failure to deficiencies in the bank's IT risk management and control. There was an:
- Inadequate focus on IT resilience;
- Insufficient identification, understanding or mitigation of the risk of a batch scheduler failure;
- Measures to reduce the risks and subsequent effects of computer outages such as separating batch processing systems were not in place;
- IT risk management policies were focused on recovering from a low probability but high impact events such as the total loss of a data center rather than smaller but more probable disruptions like software failure.
But the RBS computer outage could also have been due to the dismal state of its core legacy IT systems. The basic bank process software, "the back-end", may have been left untouched due to years of under-investment. Instead, management may have treated the legacy core system as a "black box" that is wrapped in snazzy new shell or front-end (customer-interface) applications such as real-time banking services such as mobile banking and/or internet banking (which show customers their up to the minute bank balances) even though their actual bank balances are batch-processed overnight. Hence, there is a divergence between what a customer thinks his balance is and what the bank thinks their customer's bank balance is until the two balances are reconciled with the overnight batch processing. This momentary divergence makes the bank's data vulnerable to data corruption. Over time, because of competitive pressures, the shell of applications sitting on top of the core legacy system may become more larger and more complex and increase the risk of incompatibility and connectivity of the newer shell applications with the older core technology.
Compounding this basic problem is the complex integration of one bank's legacy IT system with another bank's legacy IT system. The modern RBS itself is a result of the merger of the old RBS with Natwest in 2000. Post merger, "a decision was taken to ditch Natwest more advanced computer systems and migrate all of the enlarged group's IT onto RBS's smaller IBM-based platform" because RBS's mainframe system was considered more cost-efficient solution at that time.
Although European banks spend a sizable amount on IT, most of the money is spent on patching and maintaining increasingly creaky and fragmented legacy systems. As mentioned by Frances Coppola, a banking systems analyst, "core system replacement is very expensive... Very expensive IT infrastructure projects simply aren't acceptable to management or staff when the system may break down and their jobs are on the line." Bank management may like to move to new systems but system migration of this magnitude has been likened to "trying to change the engines on an aeroplane while it is in flight." There is the very real risk that everything can go horribly (and expensively) wrong. More often than not, bank management prefers to make incremental changes, resulting in a system that is ever more complex, diverse, and unstable. Hence, the operational risk of a major IT failure remains a very distinct possibility at many banks.
Bank of the Philippine Islands (BPI)
Like RBS, BPI is an old bank. In fact, it is the oldest bank in the Philippines. Like RBS, the modern BPI is a product of a series of mergers since the late 1990s:
- City Trust Banking Corporation, the retail banking arm of Citibank Philippines, in 1996;
- Far East Bank & Trust Company (FEBTC) in 2000 (the larger banking merger at that time);
- Three major life, non-life and reinsurance companies in 2000; as well as
- Prudential Bank in 2005.
BPI has been known to be a leader in the field of banking technology. For instance, it was the first to introduce Automated Teller Machines into the country in the 1980s. As such, it may have a number of core legacy systems remaining.
Like RBS, and as indicated by its Executive Vice President Ramon Locsin Jocson (BPI's Head of Enterprise Services) during the Senate and Congressional Hearings, the bank was prepared for a low probability event such as total loss of data instead of a higher probability event such as the software malfunction it suffered last June 7, 2017.
Like RBS (as well as Security Bank), it suffered a batch processing failure. The failure occurred internally and was not due to an external computer breach or hack. The error was pinned on a programmer who inputted the wrong date range on a batch reconciliation report and who deviated from procedure to rush the report, resulting in errors in as many as 1.5 million accounts and resulted in a system wide shutdown of its ATM, Cash Acceptance, and Point of Sale systems for almost two days.
Although the bank spends a significant amount on IT - around Php 5.3 billion (roughly US$100 million) on IT investments, it is not clear as to how much investment goes to new systems as to patching and maintaining its core legacy system. It is also not clear as to how much of this yearly investment goes into front-end or shell applications versus the more mission-critical core or back-end systems.
The bank, however, did indicate that it is, by far, the leading Philippine bank in terms of the absolute size of its IT infrastructure investments (roughly 8% of 2016 bank revenues) and it has been spending at least Php 400 million a year in terms of research and development. It also indicated that it spends at least Php 300 million a year in terms of cyber-security. Why so much investment in IT? Because it aims to "catch up" with the technological capabilities of its rivals within the ASEAN region.
So what then?
If BPI is one of the leaders in Philippine banking technology and this "glitch" happened to them, then what does this say about the state of the core legacy systems of the rest of the Philippine banking system? By the very fact that BPI is playing catch up to its regional rivals, perhaps the bank has realized that it has reached a "tipping point where the costs of and risk of doing nothing outweigh the cost and risk of taking action."
To paraphrase banking analyst Frances Coppola, it is high time then that the BSP focus on the increasing fragility of the legacy IT systems of Philippine banks. Unless this is addressed, we run the risk of a major systems failure in one or more banks at some point. The BPI/BDO/Security Bank failures are warnings. Banking regulators need to address this problem before there is a real disaster.