Self-Assessment for PH Banks

For the past few months, the Philippine banking industry has experienced incidents that resulted in somewhat diminished public confidence. While such events seem normal in the global arena, locally they are quite new. It started with the “RCBC: Bangladesh Bank US$81 million heist”, where funds hacked from the central bank of Bangladesh were remitted and laundered in casinos, and some were withdrawn. There was a recovery, but the bank was slapped with a Php 1 Billion penalty by the regulator. It was followed by the largest bank, Banco de Oro (BDO), being accused by a city mayor of alleged tax fraud after the branch declared gross annual revenue of only Php 400K in 2016, not even enough to pay the salary of the bank manager. Then came the 166-year-old Bank of the Philippine Islands (BPI), where some clients were over-credited to the extent of Php 1 Billion and some were debited without their knowledge, resulting in delayed transactions and great inconvenience to customers.

Except for RCBC’s Php 1 billion penalty and the drop in its stock price, it would be difficult to measure exactly the diminished confidence and customer dissatisfaction. The good thing is that the incidents have already been managed and mitigated by either the bank itself or the regulator. RCBC was even hugely penalized compared to its counterparts abroad. RCBC’s Php 1 Billion penalty is 26% of its 2016 full-year income of Php 3.86 billion. In contrast, Standard Chartered Bank, for dealing with Iran or not disclosing the transactions, was slapped with a total penalty of US$ 640 Million, which is 3% of its income (US$ 19.07 Billion). Citibank’s Banamex case drew a penalty of US$97.4 million, 3% of the US$3.6 Billion income for 2016. RCBC’s huge penalty could be due either to the Philippines’ central bank doing a good job or to the RCBC team poorly negotiating the amount.

On the other hand, the BPI system glitch affecting its customers is quite small compared to the October 2014 cyber attack that hit JP Morgan, affecting 76 million households and seven million small & medium enterprises.

These comparisons, however, do not suggest that customers should not complain, that regulators should be at ease, or that banks should remain complacent. There must be an improvement in the banking industry’s internal controls. Likewise, given the ongoing financial technology evolution and disruptions, banks should find answers even to questions not yet asked. But for a start, a change in the control paradigm must begin. Basic and institution-specific questions must be raised. Some of these are:

  1. How does the bank perceive controls?

Controls hasten, not slow down, the process. If the institution thinks of control as a cost, and more often as a show stopper rather than a steerer towards profit, the probability of process failure is high. In a car, the dashboard showing speed can be likened to reports & metrics. The car brake is the control. If the car brake is working 100%, the driver can accelerate and be as fast as he can, knowing that the vehicle can be stopped anytime. Otherwise, if there is doubt, maximum speed would not be utilized and fear would engulf the driver’s seat. It is the job of middle office units such as Compliance, Risk Management and Internal Audit to convince the business unit to give importance to controls. They may not be heard, but they should have a sufficient process to escalate and record what they raised. They must argue well so that even if there is no buy-in (as it usually takes time), it would leave questions or ‘what if’ scenarios in the consciousness of the business heads.

  2. Are forward-looking risks escalated and discussed in an open & transparent environment?

Risks on payment and recovery of loans, changes in foreign exchange and interest rates, & the like, as well as operational incidents, are usually discussed in either overall or specific risk committees. While those risks are important, the recent risk incidents could have been mitigated & prevented if the institutions encouraged reporting and discussion of forward-looking risks in a designated periodic formal forum. What if an employee involved in the BPI glitch had a concern that, had it been heard, would have prevented him from hastily doing his tasks? What if the Jupiter Branch had been internally rated high risk beforehand, so that resources would have been gathered and refocused to monitor the branch manager’s activities? A declared revenue lower than the branch manager’s salary, from a branch that has been operating for several years, is a classic forward-looking risk. Those incidents may be rationalized, but it has been proven that forward-looking risks are better mitigated, escalated and resolved before damage occurs or, worse, becomes a loss. Rather than being bashed on the internet by people outside the bank, why not come up with an internal forum where its own employees surface & discuss forward-looking risks and bash its own internal processes & controls? It may be difficult to facilitate, but proactive risk management is cheaper than reactive risk resolution.

  3. Do we have a know-your-employee program?

Know-your-client (KYC) and knowing your product are important. Knowing your employee, not only during hiring but as they live and work in the bank, is far more important. This is the reason why some institutions created a human resources coordinator whose task is like that of agents in professional sports (remember Jerry Maguire). It is not enough to know the employee upon hiring. It is also important to know the employees as their lives change. They spend more of their time in the office than at home. Any change will affect the way they do their tasks. It is important that there be somebody they can lean on or confide in, which often cannot be provided by the supervisors or those who are in the same unit. Do not misconstrue this to mean that there must be a “gestapo” or a spy in the unit. This often results in higher attrition. A know-your-employee program involves a designated human resources person who directly & openly engages with the business unit on a professional & personal basis. A significant change in an employee’s behavior can be spotted before high-impact risk incidents occur. With an implementation fitted to the culture of the organization, a know-your-employee program is a very dynamic risk management tool which proactively addresses the risks rooted in personnel. Examples are misappropriation of funds, embezzlement, rogue traders and many more.

  4. Is the Information Technology and Risk Governance Framework working?

The Board of Directors of each institution has a designated committee for Information Technology as well as for Risk Management. Nevertheless, sometimes governance is purely on a boardroom basis, based only on periodic risk management reports. The challenge is how often the board of directors roll up their sleeves to meet the people who are actually doing the tasks. One may rationalize that this can be delegated to a unit, say a quality team, or to a 3rd party survey. Likewise, it may be construed as managing instead of oversight. However, it has always been more effective if the members of a Board of Directors committee really know what they govern beyond reports and documents. The Board of Directors should know the intricacies of the products and processes, and should be able to experience what their bank is offering to the public. Approval and notations by a committee member do not suffice for governance. They should ask pointed questions, grill and challenge the management. Management is often focused on day-to-day tasks and the full-year internal plan. Committee members could help by looking at the bank from the perspective of outsiders and at how the bank is prepared for the future of banking and technology and for worst-case scenarios.

Asking the right institution-specific and business-specific questions is tantamount to finding the right solution. It has been said by a 17th century thinker that a ship is not a ship if it remains in harbor. In a similar manner, a bank is not a bank if it does not take risk. However, given the technological changes where risk can arise at the click of a mouse, Philippine institutions must change their understanding and paradigm towards risk and controls. It should begin with self-assessment, asking the right questions.