Several clients of BDO who say they lost thousands in unauthorized withdrawals are asking the bank to reconsider its decision to deny their reimbursement claims.
After BDO announced it was processing around 700 claims after a “sophisticated fraud technique” affected some clients, more than 30 BDO depositors whose claims were denied said the bank also owed them.
In response, BDO said: “There’s a bank process for these concerns.”
The country’s largest bank pointed to the terms and conditions for the use of its electronic banking system, which say the bank is not legally liable for such losses.
Way before the December 11 hacking incident acknowledged by BDO, many of the bank’s clients had been victimized by cyberattacks, according to Richard Lo, an IT professional and anti-bank fraud advocate.
The victims of these earlier fraud incidents said money was stolen from their accounts even though they were careful not to click on links to scams.
VICTIMS’ STORIES
Overseas Filipino Worker Sallie Panganiban said P102,025 was siphoned away from her BDO accounts on October 9 this year.
Panganiban said she was supposed to use the money to buy a car for her mother–a senior citizen who had to wait 3 hours for an ambulance when she was diagnosed with COVID-19 in September.
As she is based in Bahrain, Panganiban said it was very difficult for her to coordinate with BDO about unauthorized withdrawals.
Panganiban said she had to go through BDO’s customer service via email and landline. She had to ask her relatives to aid her in claiming the unauthorized withdrawals.
But in the end, she said her request for reimbursement was denied.
In the letter sent to her by BDO, the bank said there was no system breach nor procedural lapse noted on its online banking facility.
“We have carefully considered your request for a refund, however, we regret to inform you that we are unable to credit back the amount you are claiming as we have no basis to justify this credit given that the transaction was made using a valid/legitimate Online Banking User ID and password,” BDO said in the letter sent to her.
Panganiban requested for a reinvestigation of the incident, but the bank said it found no basis to grant her request for reimbursement.
“It appeared that your personal and sensitive information, and account details were compromised outside of the Bank’s scope of stringent data privacy and security protocols,” BDO said in the second letter sent to her.
Panganiban however insists that BDO did not look into her complaint thoroughly.
“D’un sa call, walang proper investigation kasi medyo naging irate yung agent na nakausap,” she said.
(During the call, there was no proper investigation because the agent we talked to was irate.)
Carol Daria meanwhile lost P137,050 on November 13.
She said that as a business consultant, she is extra careful with her funds and personal details. In spite of this, she was still victimized by unauthorized withdrawals.
Daria also found that there were more cases of the same cyberattacks even before the weekend of December 11 and 12, with some BDO clients victimized as early as March.
“Before December marami na pong naha-hack noong November sa group namin. And yet walang ginawa ang BDO. May ginawa lang sila nung nag viral siya,” Daria said.
(Before December, there were also members of our group who had been hacked in November. And yet BDO did nothing. They only moved after it went viral.)
Daria is also unhappy that BDO reimbursed only the “Nagoyo” victims, referring to the Mark Nagoyo account where stolen funds were sent during the December incident.
Jaime Junio also lost P202,000 pesos from unauthorized withdrawals on November 13.
Junio, a former national athlete and current badminton coach, said the cash was siphoned away cash from the savings account of his 3-year old child.
BDO also denied his claim for reimbursement. Junio is also unhappy that BDO turned down his request for reimbursement, especially after hearing BDO’s announcement it would refund close to 700 victims.
He said that like these other victims, he was careful not to fall for phishing, smishing or other scams.
“Wala akong ginagawa na anything, walang na comprromise, wala akong clinick through email. Wala.”
(I did not do anything, nothing was compromised, I didn’t click anything through email. Nothing.)
Daria said that if BDO had given her and her fellow victims the appropriate attention and action, the “Mark Nagoyo” attack probably wouldn’t have happened.
‘NOT LIABLE’
Lo has started an advocacy group called BankFraudPH dedicated to helping victims like Daria, Junio, and Panganiban. He said banks have way too much power in resolving these matters.
He said that it doesn’t matter if defrauded bank clients appeal to the Bangko Sentral ng Pilipinas (BSP) or the National Privacy Commission (NPC).
Lo said the BSP has admitted it can only facilitate a mediation process between stakeholders, but the bank, in this case BDO, has the final say.
“The dispute process starts and ends with the bank. If the bank says ‘No you are not entitled to a refund,’ that is it,” Lo said.
BDO’s terms and conditions for electronic banking use also say the bank is not liable for:
“Loss or damage you may suffer arising out of any improper, fraudulent access or utilization of the BDO Electronic Banking Services due to theft or unauthorized disclosure of User IDs, passwords, ATM PINs/TPINs/MPINs or violation of other security measures with or without your participation,” a section of BDO’s liability clause says.
In a statement, BDO also said this liability clause is standard in the banking industry.
“Liability clause is a regular compliance in the banking industry. This has been part of the normal compliance for a long time,” BDO said.
The country’s largest bank even said that it made exceptions and shouldered the losses not caused by the clients to maintain good customer relationship even if the Bank is not legally liable.
Former Trade Undersecretary Vic Dimagiba, president of consumer rights group Laban Konsyumer, said the BDO incident should prompt the BSP to do more to protect bank clients.
“I believe these incidents show that BSP should protect consumers, depositors upfront and not simply pass the buck to the bank,” Dimagiba said.
The NPC meanwhile said it is now conducting a voluntary investigation into the BDO incident.
“To date, we are still gathering and verifying information. Our Complaints and Investigation Division is spearheading our investigations,” said newly installed NPC Chairman John Henry Naga.
Despite the BDO breach, the BSP said the Philippine banking system is still safe. The central bank noted that the number of individuals affected by unauthorized withdrawals and cyber attacks is less than 1 percent of the total market.
The BSP has repeatedly promised to get to the bottom of the cyberattacks and get all affected depositors properly reimbursed.
