For the past few months, the Philippine banking industry has experienced incidents that have somewhat diminished public confidence. While such events seem normal in the global arena, locally they are quite new. It started with the “RCBC: Bangladesh Bank US$81 million heist”, where funds hacked from the central bank of Bangladesh were remitted and laundered in casinos, and some were withdrawn. There was a recovery, but the bank was slapped with a Php 1 billion penalty by the regulator. It was followed by the largest bank, Banco de Oro (BDO), being accused by a city mayor of alleged tax fraud after the branch declared gross annual revenue of only Php 400K in 2016, not even enough to pay the salary of the bank manager. Then came the 166-year-old Bank of the Philippine Islands (BPI), where some clients were over-credited to the extent of Php 1 billion and some were debited without their knowledge, resulting in delayed transactions and great inconvenience to customers.
Except for RCBC’s Php 1 billion penalty and the downfall of its stock price, it would be difficult to measure exactly the diminished confidence and customer dissatisfaction. The good thing is that the incidents have already been managed and mitigated by either the bank itself or the regulator. RCBC was even hugely penalized compared to its counterparts abroad. RCBC’s Php 1 billion penalty is 26% of its 2016 full-year income of Php 3.86 billion. By comparison, Standard Chartered Bank, for dealing with Iran or not disclosing the transactions, was slapped with a total penalty of US$640 million, which is 3% of its income (US$19.07 billion). Citibank’s Banamex case drew a penalty of US$97.4 million, 3% of the US$3.6 billion income for 2016. RCBC’s huge penalty could be due either to the Philippine central bank doing a good job or simply to the RCBC team negotiating the amount poorly.
On the other hand, BPI’s system glitch affecting its customers is quite small compared to the October 2014 cyber attack that hit JP Morgan, affecting 76 million households and seven million small and medium enterprises.
These comparisons, however, do not suggest that customers should not complain, that regulators should be at ease, or that banks should remain complacent. There must be an improvement in the banking industry’s internal controls. Likewise, given the ongoing financial technology evolution and disruptions, banks should find answers even to questions not yet asked. But for a start, a change in the control paradigm must begin. Basic and institution-specific questions must be raised. Some of these are:
- How does the bank perceive controls?
Controls hasten, not slow down, the process. If the institution thinks of control as a cost, and more often as a show stopper, rather than a steerer towards profit, the probability of process failure is high. In a car, the dashboard showing speed can be likened to reports and metrics. The car brake is the control. If the car brake is working 100%, the driver can accelerate and be as fast as he can, knowing that the vehicle can be stopped anytime. Otherwise, if there is doubt, maximum speed would not be utilized and fear would engulf the driver’s seat. It is the job of middle office units such as Compliance, Risk Management and Internal Audit to convince the business unit to give importance to controls. They may not be heard, but they should have a sufficient process to escalate and record the concerns they raised. They must argue well so that even if there is no buy-in (as it usually takes time), it would leave questions or ‘what if’ scenarios in the consciousness of the business heads.
- Are forward-looking risks escalated and discussed in an open and transparent environment?
Risks on payment and recovery of loans, changes in foreign exchange and interest rates, and the like, as well as operational incidents, are usually discussed in either overall or specific risk committees. While those risks are important, the recent risk incidents could have been mitigated and prevented if the institutions encouraged reporting and discussion of forward-looking risks in a designated periodic formal forum. What if the employee involved in the BPI glitch had a concern that, if heard, would have prevented him from hastily doing his tasks? What if the Jupiter Branch had been internally rated high risk beforehand, so that resources would have been gathered and refocused to monitor the branch manager’s activities? A declared revenue lower than the branch manager’s salary, from a branch that has been operating for several years, is a classic forward-looking risk. Those incidents may be rationalized, but it has been proven that forward-looking risks are better mitigated, escalated and resolved before damage occurs or, worse, becomes a loss. Rather than being bashed on the internet by people outside the bank, why not come up with an internal forum where its own employees surface and discuss forward-looking risks and bash its own internal processes and controls? It may be difficult to facilitate, but proactive risk management is cheaper than reactive risk resolution.
- Do we have a know-your-employee program?
Knowing your client (KYC) and knowing your product are important. Knowing your employee, not only during hiring but as they live and work in the bank, is far more important. This is the reason why some institutions created a human resources coordinator whose task is like that of agents in professional sports (remember Jerry Maguire). It is not enough to know the employee upon hiring. It is also important to know the employees as their lives change. They spend more of their time in the office than at home. Any change will affect the way they do their tasks. It is important that there be somebody they can lean on or confide in, which often cannot be provided by the supervisors or those who are in the same unit. Do not misconstrue this to mean that there must be a “gestapo” or a spy in the unit. This often results in higher attrition. A know-your-employee program involves a designated human resources person who directly and openly engages with the business unit on a professional and personal basis. Significant changes in an employee’s behavior can be spotted before high-impact risk incidents occur. With an implementation fitted to the culture of the organization, a know-your-employee program is a very dynamic risk management tool which proactively addresses the risks rooted in personnel. Examples are misappropriation of funds, embezzlement, rogue traders and many more.
- Is the Information Technology and Risk Governance Framework working?
The Board of Directors of each institution has a designated committee for Information Technology as well as for Risk Management. Nevertheless, sometimes governance is done purely on a boardroom basis, based only on periodic risk management reports. The challenge is how often the members of the board of directors roll up their sleeves to meet the people who are actually doing the tasks. One may rationalize that it can be delegated to a unit, say a quality team, or to a third-party survey. Likewise, it may be construed as managing instead of oversight. However, it has always been more effective if the members of the Board of Directors committee really know what they govern beyond reports and documents. The Board of Directors should know the intricacies of the products and processes, and should be able to experience what their bank is offering to the public. Approval and notation by a committee member do not suffice for governance. They should ask pointed questions, and grill and challenge the management. Management is often focused on day-to-day tasks and the full-year internal plan. Committee members could help by looking at the bank from the perspective of outsiders, and at how the bank is prepared for the future of banking and technology and for worst-case scenarios.
Asking the right institution-specific and business-specific questions is tantamount to finding the right solution. It has been said by a 17th century thinker that a ship is not a ship if it remains in harbor. In a similar manner, a bank is not a bank if it does not take risk. However, given the technological changes where risk can arise at the click of a mouse, Philippine institutions must change their understanding of and paradigm towards risk and controls. It should begin with self-assessment, asking the right questions.