The Bangko Sentral ng Pilipinas said Thursday it will impose sanctions on BDO Unibank Inc., the largest lender in terms of assets and controlled by the Sy Group, and Union Bank of the Philippines of the Aboitiz Group over a hacking incident last year that affected the accounts of clients.
BDO said it would comply with the BSP decision, but added it would not have any impact on the bank’s operations.
“We will work with the BSP to ensure a more secure banking environment,” said BDO president and chief executive Nestor Tan.
The BSP, however, did not specify what type of sanctions it will impose on the two big banks.
It said in a statement it completed the investigation into the incident that originated from a compromised web service in December 2021.
The incident involved unauthorized access of accounts with BDO and fund transfers mostly to accounts with UnionBank.
“Based on the results of the investigation, the Monetary Board approved the imposition of sanctions on BDO and UBP to ensure that both banks will swiftly address the issues the BSP noted,” the BSP said in a statement.
BSP Governor Benjamin Diokno said “this incident is a reminder that we should continue to enhance our defenses against cyber threat actors to protect the integrity of the financial system and the interests of depositors.”
The BSP investigation recognized the corrective actions undertaken by both banks related to the cyber incident, including reimbursement by BDO of affected clients.
The sanctions imposed emphasize the importance of continuously enhancing risk management systems involving cybersecurity, anti-money laundering, and combating terrorism and proliferation financing, the regulator said.
“The sanctions also reinforce the need for banks to take a proactive stance in ensuring that their depositors are adequately protected,” the BSP said.
BDO said in February this year it was nearing completion of the reimbursement of affected clients in the reported hacking of nearly 700 accounts.
Diokno said the BSP’s oversight examination team reported that both BDO and UBP extended their full cooperation in the ongoing investigation, which was at an advanced stage.
He said the BSP continued to coordinate with law enforcement agencies, relevant government bodies, including the Anti-Money Laundering Council, and key stakeholders in the efforts to strengthen cybersecurity. It also worked closely with Congress for the passage of measures on SIM registration and anti-mule accounts.
The National Bureau of Investigation said in January that it arrested five suspects in the BDO cyberhacking incident. The suspects, including two Nigerian nationals and three Filipinos, were charged with trafficking of unauthorized access devices and violation of the Cybercrime Prevention Act.
The BSP earlier advised digital financial consumers to enable multiple layers of security features, including multi-factor authentication, for online transactions in BSP-supervised financial institutions’ digital platforms.