PHILIPPINE BANKS’ credit ratings, as well as those of lenders in the region, could face pressure from rising risks of cyberattacks due to an increase in digitalization in the sector, Fitch Ratings said.
A Fitch report on Asia-Pacific (APAC) banks’ technological risks published last month said increased digitalization in the sector due to the coronavirus disease 2019 (COVID-19) pandemic increases the risk of cyberattacks that could cause reputational damage and affect their viability ratings. The report was written by Fitch Asia-Pacific Financial Institutions Director Willie Tanoto and Associate Director Priscilla Tjitra.
“Banks across APAC have been digitalizing their service offerings at varying paces and the imperative to do so was accelerated during the COVID-19 pandemic when service channels overwhelmingly moved online. Faster adoption of digital banking presents new business opportunities and banks that managed the transition well have reinforced their business profiles compared with competitors,” Fitch said.
“However, increased digitalization also amplifies the technology-related operational risks that banks face, and can expose them to reputational damage that weighs on their franchises. Cases of technological failure in APAC since 2016 have shown the potential to transform into wider financial risks that have an adverse impact on bank ratings,” it said.
Fitch said while specific incidents of technological failures have not had an immediate impact on its ratings of banks in the region, this could change if these incidents and vulnerabilities recur or persist, as this could show a weakness in lenders’ risk management.
“Technological failure events could have varying impact on banks according to the frequency and the severity of the incidents,” Ms. Tjitra said in a virtual interview with BusinessWorld.
“Direct impact on banks could arise from monetary compensations to customers or fines imposed by the regulators, while indirect costs could come from reputational damage. All of these could influence our assessment of a bank’s ratings,” she added.
Fitch Asia-Pacific Financial Institutions Director Tamma Febrian said in the same interview that the technological risks faced by Philippine banks are the same as those seen by other banks in the region.
“Externally, they are exposed to hacking incidents, phishing scams and ransomware, among others. Internally, some also have had a fair share of experience in dealing with system failures in the past, partly because they had to grapple with systems that are very outdated and not as scalable for use in the increasingly digital world,” Mr. Febrian said.
He said Philippine banks still need to improve the readiness and sophistication of their systems to combat the risks that come with increasing digitalization in the country.
INVESTMENTS IN TECHNOLOGY LAGGING
Mr. Febrian noted that lenders in the Philippines could face heightened risks as they are “a bit lagging” in terms of technology investments and only began to ramp up spending when the pandemic hit, compared with banks in countries like Singapore that have been doing it 10 or more years ago.
“But I think the banks are aware of these risks and shortcomings, and are taking appropriate actions to address them,” he said.
“BSP (Bangko Sentral ng Pilipinas) is similarly as invested in ensuring that cyber risks are being properly controlled and mitigated within the banking system, as evident, for example, from the latest requirement that asks banks to implement an automated and real time fraud-monitoring system,” Mr. Febrian added.
Ms. Tjitra said in emerging markets like the Philippines, rules on cyberattacks on banks are less strict compared with those in advanced economies.
“In terms of the regulatory implications, we noted that the rules and the supervisory actions taken in relation to banks’ tech operational issues in developed markets are more stringent than in emerging markets, including the Philippines, which are typically still evolving,” Ms. Tjitra said.
The analysts and the report cited recent cases of cyberattacks involving lenders in the Philippines, including a 2021 hacking incident involving BDO Unibank, Inc. and UnionBank of the Philippines, Inc., as well as the Bangladesh Bank heist in 2016 that involved Rizal Commercial Banking Corp. (RCBC). Bank of the Philippine Islands in 2019 also experienced some disruptions to its services due to issues encountered while upgrading its core banking system.
BDO and UnionBank faced sanctions from the BSP due to the 2021 online fraud incident where hackers stole about P1.2 million from more than 700 BDO clients. BDO also reimbursed affected clients.
Meanwhile, RCBC had to pay a P1-billion fine for lapses that enabled the cybercriminals to allegedly run off with $81 million from the account of Bangladesh Bank at the Federal Reserve Bank of New York and their transfer to four accounts registered under fictitious names at RCBC’s Jupiter Street branch in Makati City. The amount is the biggest ever monetary penalty imposed by the BSP on a lender.
The Fitch report also mentioned an incident experienced by banks in Southeast Asia, including those in the Philippines, in March 2020, where over 200 thousand credit card details were leaked. — Keisha B. Ta-asan