Weak internal control systems in banks

Metropolitan Bank & Trust Corp. (Metrobank) filed a joint complaint-affidavit with the Department of Justice (DoJ) dated July 24 against Metrobank’s head of Corporate Service Management Division, Maria Victoria S. Lopez and two conspirators, Hubert Co and Sue Sai, for two counts of qualified theft (P995,875.000.00) through falsification of commercial documents, which is an offense under the Revised Penal Code; and falsification of commercial documents, which is a violation of the General Banking Law of 2000

Co was the payee of four Metrobank manager’s checks (MCs) processed by Lopez: P20.2 million dated September 21, 2013; P10.025 million, January 26, 2015; P35.35 million, June 21, 2017; and P30.3 million, June 30, 2017. All MCs were endorsed and deposited to Sai’s account. Lawyers for Co and Sai said the two did know that Lopez was stealing money from Metrobank by issuing MCs to pay them for a loan they (Co and Sai) reportedly personally granted to her (Ibid.).

The biggest amount in the silent “heist” was through a fake P900-million promissory note (PN) on June 16, 2017 made in favor of Metrobank, drawn against the P25 billion credit line of Metrobank’s long-time client Universal Robina Corp. (URC). Lopez had ordered the debit of P2.25 million from the loan account, but the bank was able to confirm that URC was unaware of the supposed loan (BusinessWorld-BW, 07.22.2017). Earlier, Metrobank Corporate Accounts flagged auditors and subsequently called in the National Bureau of Investigation (NBI) that forged letters directing the bank to issue MCs in favor of an individual payee were discovered. “The owner of the credit line was a corporate account (and) the bank cannot issue the manager’s check to an individual payee (Philippine Daily Inquirer-PDI, 07.22.2017).”

Metrobank is the Philippines’ second-biggest bank in assets and controls P1.9 trillion resources. It had P18.1 billion net income last year, and ?5.6 billion in the first quarter of this year. Metrobank president Fabian S. Dee assured the public that the bank will operate as usual and URC will not be affected (BW, op. cit.). Bangko Sentral ng Pilipinas (BSP) Gov. Nestor Espenilla said he had no doubt Metrobank would be able to absorb the blow (PDI op.cit.). But that is not the point. Weak control systems and procedures in bank operations must be strengthened or overhauled and tighter regulations imposed on the banking industry towards the protection of the public.

How and what for did one woman, working for the bank for 30 years (due to retire next year), and reportedly earning P250,000 per month (BW op.cit.) defraud her employer for a staggering close-to-one billion pesos over four years without being earlier found out? Even just a lifestyle check would have aroused suspicion: according to NBI investigators, she lives in a posh village in Quezon City, owns nine cars, the “cheapest” of which is a Range Rover; some of her children are in school in the US (PDI, op. cit.).

It is difficult to imagine how even one spurious MC can go through, much less that these fake MCs can be periodically issued (over four years!) on the say-so and approval of one person. Promissory notes, use of credit lines and credit limits and drawdowns from loans are inter-departmentally processed and approved — how can one bank person cross responsibility lines and approval limits to repeated theft from bank funds? How did Metrobank accounting systems book Lopez’s intricate schemes? How were these reflected in the financial statements to the public? What did the bank auditor do, or not do? Definitely, the assets, liabilities, and all accounts moved significantly. Did the regulator, the BSP not catch such big changes in the second biggest bank’s posture and position in the banking industry?

It seems that Metrobank has been remiss in enforcing controls by giving too much power to decide and do, to this one single person, Lopez. Checks-and-balance from other departments and units may have been weak or out rightly disregarded, or the organizational workflow and responsibilities too compartmentalized and thus not transparent. The chain of command was not respected, or maybe the lack of control was abetted by an informal organization that raised certain individuals to greater power than their rank, because they might be closer to the higher-ups by some personal affinity, or commonness of objectives, official or personal, and operating style.

For in operations such as a bank (or other structured organizations) there must be accomplices, conspirators, and other passive consenters that make the crime possible.

In June, a computer error forced the Bank of the Philippine Islands (BPI), to shut down online access and automated teller machines (ATMs) for two consecutive days (AFP, 07.21.2017) — why was one unsupervised computer programmer given sole decision to input transactions for the day (she reportedly made a mistake in the date/time parameters batch input, draining some bank accounts).

Barely a fortnight after that, Banco de Oro (BDO) had to close seven ATMs in three locations on admitted skimming (unauthorized ATM withdrawals) by hackers (ABS-CBN News, 06.13.2017). Why has BDO (and BPI) not tightened controls by completing migration to the BSP-directed Europay Mastercard Visa technology (EMV) and away from the vulnerable magstripes on all of the cards it issues? (Note: Both BDO and BPI have promised to complete EMV upgrade by the end of this year (Ibid.))

Last year unidentified hackers stole $81 million from a US account of the Bangladesh central bank, funneling the stolen funds into a Philippine bank and Manila-based casinos (Ibid.). How did Rizal Commercial Banking Corp. (RCBC) Jupiter branch manager Maia de Guito open four fake bank accounts and use one existing account without the owner’s knowledge, obviously to lodge the inflow of the hacked amounts? Despite the “stop payment” order from Bangladesh and RCBC Head Office, RCBC Jupiter branch still allowed withdrawals from the accounts, amounting to $58.15 million (Rappler, 05.16.2016).

At the press briefing on the Metrobank scam, NBI spokesman Ferdinand Lavin said: “The biggest loss on this is the integrity of the banking system and the internal control system of the bank (BW, op. cit.).”

“We have to look into the adequacy of those controls if in fact a significant crime happened,” BSP Governor Espenilla assured us all (PDI, op. cit.)

Leave a Reply

Your email address will not be published. Required fields are marked *