2016 Bangladesh Bank heist

From Wikipedia, the free encyclopedia

In February 2016, instructions to steal US$951 million from Bangladesh Bank, the central bank of
Bangladesh, were issued via the SWIFT network. Five transactions issued by hackers, worth $101 million
and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded,
with $20M traced to Sri Lanka (since recovered) and $81M to the Philippines. The Federal Reserve Bank
of NY blocked the remaining 30 transactions, amounting to $850 million, at the request of Bangladesh
Bank.[1]
Background
In 2012, the Philippines loosened restrictions on its gambling industry despite opposition from the Catholic
Church. After the country's gambling industry benefited from Chinese President Xi Jinping's campaign
against corruption, which drove gamblers further south of Macau,[2] its casinos lobbied against a 2012
amendment by the Philippine Senate of the 2001 Anti-Money Laundering Act that required them to report
suspicious transactions. Senate President Juan Ponce Enrile had lobbied for the inclusion of casinos in
the scope of the law. At that time, big casino firms in the Philippines such as the City of Dreams had not
yet been established.[3]
Events
Hackers or insiders (it is not yet clear which) attempted to steal $951 million from the Bangladesh central
bank's account with the Federal Reserve Bank of New York sometime between February 4–5, when
Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's
system, observe how transfers are done, and gain access to the bank's credentials for payment transfers,
which they used to send about three dozen requests to the FedBank to transfer funds to Sri Lanka and
the Philippines. 30 transactions worth $851 million were prevented by the banking system but five
requests were granted: $20 million to Sri Lanka (later recovered[4][5]) and $81 million lost to the
Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was
laundered through casinos and some later transferred to Hong Kong.
Attempted fund diversion to Sri Lanka
The $20 million transfer to Sri Lanka was intended by hackers to be sent to the Shalika Foundation, a Sri
Lanka-based private limited company. The hackers misspelled "Foundation" in their request to transfer
the funds, spelling the word as "Fundation". This spelling error aroused the suspicion of Deutsche Bank, a
routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh
Bank.[6][4][7]
Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the
transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the
anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by Bangladesh
Bank.[4]
Funds diverted to the Philippines
The money transferred to the Philippines was deposited in five separate accounts with the Rizal
Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious identities.
The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos,
returned to the RCBC and consolidated in an account of a Chinese-Filipino businessman;[3][5] the
conversion was made from February 5 to 13, 2016.[8] It was also found that the four U.S. dollar accounts
involved were opened at the RCBC as early as May 15, 2015, remaining untouched until February 4,
2016, the date the transfer from the Federal Reserve Bank of New York was made.[8]
On February 8, 2016, during the Chinese New Year, Bangladesh Bank through SWIFT informed RCBC to
stop the payment, refund the funds, and to "freeze and put the funds on hold" if the funds had already
been transferred. Chinese New Year is a non-working holiday in the Philippines and a SWIFT message
from Bangladesh Bank containing similar information was received by RCBC only a day later. By this
time, a withdrawal amounting to about $58.15 million had already been processed by RCBC's Jupiter
Street (in Makati City) branch.[8]
On February 16, the Governor of Bangladesh Bank requested Bangko Sentral ng Pilipinas' assistance in
the recovery of its $81 million funds, saying that the SWIFT payment instructions issued in favor of RCBC
on February 4, 2016 were fraudulent.[8]
Investigation
Bangladesh

Initially, Bangladesh Bank was uncertain if its system had been compromised. The governor of the central
bank engaged World Informatix Cyber Security, a US-based firm, to lead the security incident response,
vulnerability assessment and remediation. World Informatix Cyber Security brought in the leading forensic
investigation company Mandiant, a FireEye company, for the investigation. These cyber security experts
found "footprints" and malware of hackers which suggested that the system had been breached. The
investigators also said that the hackers were based outside Bangladesh. An internal investigation has
been launched by Bangladesh Bank regarding the case.[4]
The Bangladesh Bank's forensic investigation found out that malware was installed within the bank's
system sometime in January 2016, which gathered information on the bank's operational procedures for
international payments and fund transfers.[8]
Philippines
The Philippines' National Bureau of Investigation (NBI) launched a probe and looked into a Chinese-Filipino who allegedly played a key role in the money laundering of the illicit funds. The NBI is
coordinating with relevant government agencies including the country's Anti-Money Laundering
Council (AMLC). The AMLC started its investigation on February 19, 2016 of bank accounts linked to
a junket operator.[8] AMLC has filed a money laundering complaint before the Department of
Justice against an RCBC branch manager and 5 unknown persons with fictitious names in connection with
the case.[9]
A Philippine Senate hearing was held on March 15, 2016, led by Senator Teofisto Guingona III, head of
the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money Laundering Act.[10]
A closed-door hearing was later held on March 17.[11] Philippine Amusement and Gaming
Corporation (PAGCOR) has also launched its own investigation.[4]
United States
FireEye's Mandiant forensics division and World Informatix Cyber Security, both US-based companies,
are investigating the hacking case. According to investigators, the perpetrators' familiarity with the internal
procedures of Bangladesh Bank was probably obtained by spying on its workers. The government of
Bangladesh is considering suing the Federal Reserve Bank in a bid to recover the stolen funds.[4]
Other attacks
Computer security researchers have linked the theft to as many as 11 other attacks, and alleged
that North Korea had a role in the attacks, which if true would be the first known incident of a state actor
using cyberattacks to steal funds.[12][13]
Response from linked organizations

The Rizal Commercial Banking Corporation said it did not tolerate the illicit activity in the RCBC branch
involved in the case. Lorenzo Tan, RCBC's president, said that the bank cooperated with the Anti-Money
Laundering Council and the Bangko Sentral ng Pilipinas regarding the matter.[14] Tan's legal counsel has
asked the RCBC Jupiter Street branch manager to explain the alleged fake bank account that was used
in the money laundering scam.[15]

RCBC President Lorenzo Tan also filed an indefinite leave of absence to give way to the investigation by
the authorities on the case and to clear his name in the issue. RCBC's board committee also launched a
separate probe into the money laundering scam.[16][17] Helen Yuchengco-Dee, daughter of RCBC founder
Alfonso Yuchengco, will take over the bank's operations. The bank also apologized to the public for its
involvement in the heist.
Bangladesh Bank chief governor Atiur Rahman resigned from his post amid the current investigation of
the heist and money laundering. He submitted his resignation letter to Prime Minister Sheikh Hasina on
March 15, 2016. Before the resignation was made public, Rahman stated that he would resign for the
sake of his country.[18]
Ramifications
The case threatens to return the Philippines to the Financial Action Task Force on Money Laundering's
blacklist of countries making insufficient efforts against money laundering.[19] Attention was
given to a potential weakness of Philippine authorities' efforts against money laundering after lawmakers
in 2012 managed to exclude casinos from the roster of organizations required to report to the Anti-Money
Laundering Council regarding suspicious transactions.
The case also highlights the threat of cyber attacks to both government and private institutions by cyber
criminals using real bank codes to make orders look genuine. SWIFT has advised banks using the SWIFT
Alliance Access system to strengthen their cyber security posture and ensure they are following SWIFT
security guidelines. Bangladesh is reportedly the 20th most cyber-attacked country, according to a cyber
threat map developed by Kaspersky Lab which runs in real time.[20]

A printer error helped Bangladesh Bank discover the heist. The bank's SWIFT system is configured to
automatically print out a record each time a money transfer request goes through. The printer works 24
hours so that when workers arrive each morning, they check the tray for transfers that got confirmed
overnight. But on the morning of Friday, February 5, the director of the bank found the printer tray empty.
When bank workers tried to print the reports manually, they couldn't. The software on the terminal that
connects to the SWIFT network indicated that a critical system file was missing or had been altered.
When they finally got the software working the next day and were able to restart the printer, dozens of
suspicious transactions spit out. The Fed bank in New York had apparently sent queries to Bangladesh
Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded. Panic ensued as
workers in Bangladesh scrambled to determine if any of the money transfers had gone through (their own
records system showed that nothing had been debited to their account yet) and halt any orders that were
still pending. They contacted SWIFT and New York Fed, but the attackers had timed their heist well;
because it was the weekend in New York, no one there responded. It wasn't until Monday that bank
workers in Bangladesh finally learned that four of the transactions had gone through amounting to $101
million.
Bangladesh Bank managed to get Pan Asia Banking to cancel the $20 million that it had already received
and reroute that money back to Bangladesh Bank's New York Fed account. But the $81 million that went
to Rizal Bank in the Philippines was gone. It had already been credited to multiple accounts, reportedly
belonging to casinos in the Philippines, and all but $68,000 of it was withdrawn on February 5 and 9
before further withdrawals were halted. The manager of the Rizal Bank branch has been questioned about
why she allowed the money to be withdrawn on the 9th, even after receiving a request that day from
Bangladesh Bank to halt the money.
The hackers might have stolen much more if not for a typo in one of the money transfer requests that
caught the eye of the Federal Reserve Bank in New York. The hackers apparently had indicated that at
least one of the transfers should go to the Shalika Foundation, but they misspelled "foundation" as
"fandation."
How Many Banks Were Hit?
At least two, possibly more. SWIFT sent out an alert to members last week indicating that a second bank
in Asia had been targeted in a similar attack and that a small number of recent cases of fraud had
occurred at customer firms. The alert did not identify the second bank in Asia, but Tien Phong Bank in
Vietnam told Reuters over the weekend that in the fourth quarter of last year it encountered and
stopped a similar SWIFT hack, amounting to about $1.1 million, before any funds could be taken.
A SWIFT spokesman told the Wall Street Journal that a few other incidents had occurred, but didn't
elaborate on whether there were successful heists at other banks or simply other attempts.
Did the Attackers Compromise SWIFT?
Not directly. According to SWIFT, they obtained valid credentials the banks use to conduct money
transfers over SWIFT and then used those credentials to initiate money transactions as if they were
legitimate bank employees. How they got the credentials is unclear. News reports have indicated
that insiders might have cooperated and provided the credentials to the hackers. Other reports
indicate that lax computer security practices at Bangladesh Bank were to blame: the bank reportedly
didn't have firewalls installed on its networks, raising the possibility that hackers may have breached the
network and found the credentials stored on the system.
How Did the Hackers Cover Their Tracks?
They installed malware on the bank's network to prevent workers from discovering the fraudulent
transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to
automatically print SWIFT transactions. The hackers installed it on the bank's system some time in
January, not long before they initiated the bogus money transfers on February 4.
In the case of the bank in Vietnam, the custom malware targeted a PDF reader the bank used to record
SWIFT money transfers. The malware apparently manipulated the PDF reports to remove any trace of the
fraudulent transactions from them, according to SWIFT and the New York Times.
What Does the Heist Mean?
Even if the hackers didn't compromise the SWIFT network itself, such that all of SWIFT's banks were
vulnerable, it's still bad news for the global banking process. By targeting the methods that member banks
use to conduct transactions over the SWIFT network, the hackers undermine a system that until now had
been viewed as stalwart.
The incidents also raise integrity issues about the trustworthiness of SWIFT reporting. The US
government relies on SWIFT transaction records to alert it to suspicious money transfers that could be
related to terrorism financing. The so-called Terrorist Finance Tracking Program has, according to the
government, "allowed the U.S. and our allies to identify and locate operatives and their financiers, chart
terrorist networks, and help keep money out of their hands." But if hackers could so easily subvert
systems at SWIFT endpoints as they did in Bangladesh Bank's heist, they could conceivably do the same
thing to initiate money transfers that feed terrorism groups or countries whose bank account funds are
frozen by international sanctions. Rachel Ehrenfeld, author of Funding Evil: How Terrorism Is Financed
and How to Stop It, says she and others warned lawmakers on Capitol Hill several years ago that hacking
SWIFT or the Federal Reserve would be ideal ways for terrorist groups to bypass TFFO monitoring. "We
were told cybersecurity is so good you cannot do that. But of course you can," she says. "The question is
how many other incidents were there that we don't know about? These kinds of banks don't like
advertisements of this kind [when they're hacked.]"
Who's to Blame?
Aside from the hackers themselves? Bangladesh Bank blames the Federal Reserve Bank of New York for
allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The New
York Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and
never got a response. Authorities at the Reserve Bank said that workers followed the correct
procedures in approving the five money transfers that went through and blocking 30 others.
Bangladesh Bank says the Fed bank should have blocked all money transfers until it got a response on the
ones it deemed suspicious.
What's the Connection to the Sony Hack?
Malware found on Bangladesh Bank's system shares similarities to some of the malware found in the
Sony hack, which the US government attributed to North Korea. But according to someone familiar
with the Bangladesh Bank investigation who spoke with Bloomberg, this malware wasn't used in
the actual heist. There is evidence that three different hacking groups were in Bangladesh Bank's network,
one of which has possible connections to the Sony hack, due to the shared use of malware. But according
to forensic evidence and the movements of this group in the Bangladesh Bank's network, the group
behind that malware doesn't appear to be responsible for stealing Bangladesh Bank's money. Instead, a
third group appears to have performed this operation, a group that may or may not be related to the Sony
hackers.
Government investigators in the Philippines are currently probing the incident in an effort to uncover who
made off with the $81 million stolen from Bangladesh Bank. At least $21 million of the stolen funds
reportedly ended up in the Philippine bank account of Eastern Hawaii, a company run by Chinese
businessman Kim Wong, who says he received it as payment for helping a Chinese client settle a casino
debt. Casinos in that country are not covered by anti-money laundering laws, which means there are gaps
in record-keeping around where money goes once a casino obtains it.

Hours before the Federal Reserve Bank of New York approved four fraudulent requests to send $81
million from a Bangladesh Bank account to cyber thieves, the Fed branch blocked those same requests
because they lacked information required to transfer money, according to two people with direct
knowledge of the matter.
On the day of the theft in February, the New York Fed initially rejected 35 requests to transfer funds to
various overseas accounts, a New York Fed official and a senior Bangladesh Bank official told Reuters.
The Fed's decision to later fulfill a handful of resubmitted requests raises questions about whether it
missed red flags.
The New York arm of the U.S. central bank initially denied the transfer requests because they lacked
proper formatting for the SWIFT messaging system, the network banks use for international financial
transfers, the two officials said.
The Bangladesh Bank official said they lacked the names of correspondent banks, which typically receive
wired funds. The Fed rejected the requests, which came from hackers who had broken into the SWIFT
network through Bangladesh Bank systems.
Later in the day, however, the cyber thieves resubmitted those 35 requests. On the second try, the
messages had the proper formatting, the New York Fed official said. The requests had been
authenticated by SWIFT, the first line of defense against fraudulent wire transfers.
Despite the technical compliance, the New York Fed rejected 30 of the requests a second time. But the
Fed did approve five requests for a total of $101 million. Later, one of those five transfers - a $20 million
request - was reversed because of a misspelling.
The New York Fed has said it blocked the 30 resubmitted requests because they were flagged for
economic sanctions review. Only afterward were they deemed potentially fraudulent.
The Bangladesh Bank official and another source close to the bank said the New York Fed should have
rejected all the requests on both the first and second attempts.

The source close to the bank, who also had direct knowledge of the matter, said anomalies in the four
transfers that ultimately went through should have raised questions at the New York Fed. They were paid
to individual recipients, a rarity for Bangladesh's central bank, and the false names on the four approved
withdrawals also appeared on some of the 30 resubmitted requests rejected by the bank, said the source
close to the Bangladesh Bank.
"Of course, we asked the Fed why the repetition of the names did not create red flags," the source said.
"They are saying they rejected 35 badly submitted ones," the source said. But when the requests were resubmitted, they "paid 5 of them and stopped 30. Why? They can give no answer."
Bangladesh Bank and SWIFT declined to comment. The New York Fed has said there were no problems
with its procedures for approving SWIFT fund transfers, and declined to comment on whether it missed
any warning signs.
The cyber theft from Bangladesh's central bank - and recent disclosures of other similar fraud attempts - have brought scrutiny on the SWIFT messaging system. SWIFT is a cooperative of global banks formally
known as the Society for Worldwide Interbank Financial Telecommunication, and its transaction system
was used as a conduit for one of the largest cyber bank heists in history.

In the United States, a congressional committee has launched a probe into the New York Fed's role in the
bank heist. The Bangladeshi central bank might seek compensation for the funds from the Federal
Reserve, and Bangladesh Bank police have said that recent installation of a new SWIFT settlement
system at the bank last fall may have provided thieves an opportunity to gain access to the bank's SWIFT
servers.
RED FLAGS?

The New York Fed's reviews of payment requests that come over the SWIFT system are focused chiefly
on guarding against money laundering and transfers to people and entities that are under U.S.
government sanctions, Fed officials have said. But requests often also are temporarily halted to fix typos
and other formatting problems.
The Fed branch has said its clients, including Bangladesh Bank, and SWIFT have primary responsibility
for preventing unauthorized transfers.
Fed employees queried Bangladesh Bank about the purpose of the payments requested on Feb. 4 and
again on Feb. 5, according to a letter to congresswoman Carolyn Maloney (D-NY) by New York Fed
General Counsel Thomas Baxter.
The four transfers totaling $81 million went to accounts in the Philippines. The money wound up with
casinos and casino agents and remains missing. An attempt to transfer $20 million to a foundation in Sri
Lanka was reversed because the word "foundation" was misspelled.
The source close to Bangladesh Bank said questions about the anomalies in the approved requests were
discussed at a meeting in Basel last month between New York Fed President William Dudley, Bangladesh
Bank Governor Fazle Kabir and representatives from SWIFT.
Rep. Maloney and Tom Carper, the top Democrat on the Senate Homeland Security Committee, both
have made inquiries to the New York Fed.
The House Science Committee informed the New York Fed in a letter this week that it is launching a
probe into its handling of the transfer requests. The committee plans to examine the New York Fed's
response to the heist, the oversight of SWIFT, and whether additional measures are needed to address
vulnerabilities to cyber attacks.
SWIFT, which has come under scrutiny after the Bangladesh Bank heist and cyber attacks in at least
three other cases, plans a new program to improve security and also wants banks to "drastically" improve
information sharing.
Investigators examining the theft of $81 million from Bangladesh's central bank have uncovered evidence
of three hacking groups -- including two nation states -- inside the bank's network but say it was the third,
unidentified group that pulled off the heist, according to two people briefed on the progress of the bank's
internal investigation.
FireEye Inc., the company hired by the bank to conduct the forensics investigation, identified digital
fingerprints of hacking groups from Pakistan and North Korea, the two people said. It hasn't found
enough data to determine whether the third group, the actual culprit, was a criminal network or the agent
of another nation.
The twists and turns add to the mystery of who pulled off one of the largest cyberheists in history. The
hackers, pairing theft with havoc within the global financial system, used the Swift inter-bank messaging
system to move cash into fake accounts in the Philippines but were discovered before they could complete
an attempted transfer totaling $951 million.
The U.S. Federal Bureau of Investigation suspects an insider with access to the computers at the
Bangladesh central bank played a role in the caper, according to the people briefed on the investigation.
Police in Bangladesh said they have found negligence within the bank but haven't determined whether
there was any criminal intent.
Spokesmen for Pakistan's interior and information technology ministries didn't respond to requests for
comments. Telephone and e-mailed requests for comment to North Korea's delegation to the United
Nations went unanswered.
Weak Link
A year in the making, the hacking scheme ran through the Swift messaging system and the central bank's
accounts at the Federal Reserve Bank of New York, exposing crucial weaknesses in the global financial
system. Government officials in the Philippines and Sri Lanka are investigating where the purloined
money may have gone. Members of the U.S. Congress have asked for additional information about
whether there were lapses in security by institutions duped in the scam.

"These guys started to lay the groundwork for their hack or their robbery a year ago. They set up their
false accounts, with false IDs," said Leonard Schrank, who was Swift's chief executive officer for 15 years
through 2007. "It was really well thought through, and they found a very weak link, which they exploited."
Hundreds of billions of dollars are moved internationally through the Swift system daily. The group
warned users last month that it was aware of several similar attacks. It didn't indicate whether it
suspected the same hackers or whether more money was taken.
Skilled Perpetrators
The Bangladesh forensic results, provided to the bank in the last few days, highlight the challenges of
identifying skilled perpetrators in cyberspace, where hackers can mimic others and route their actions
around the world to confuse trackers.
The people briefed on the investigation agreed to provide details for this article only if not identified,
citing the small circle of people who have been briefed so far.
On Tuesday, the new head of Bangladesh's central bank met in Basel, Switzerland, to discuss the
investigation with officials from the New York Fed and Swift. In a brief joint statement, the parties said
they were committed to recovering the proceeds of the fraud, bringing the perpetrators to justice and
working together to normalize operations.
Representatives for the New York Fed, Swift and Bangladesh central bank declined to provide additional
details about the progress of the investigation. Vitor De Souza, a spokesman for FireEye, declined to
comment on the report.
USB Port
FireEye was unable to determine how the thieves first entered the Bangladesh bank's network, according
to one of the people. One possibility is that malware was introduced into the network by someone inside
the bank or a technician working with the bank. Malware can be introduced quickly onto a network by
someone inside with something as simple as a thumb drive in an open USB port. The forensics
investigation hasn't found any evidence of this, the person said.

The potential role of any insider is still being investigated. The FBI has been assisting the inquiry at the
request of the Bangladesh central bank. Jillian Stickels, a spokeswoman for the FBI in Washington,
declined to comment on the investigation. The Wall Street Journal reported earlier Tuesday that the FBI
suspected the involvement of an insider.
The Bangladesh Bank hasn't yet been able to determine whether an employee was involved, according to a
panel it appointed to review the incident. An official from Bangladesh's police said it hasn't received
information from the FBI about a possible insider and that no arrests had been made.
Bangladesh officials have sought to cast Swift as bearing some responsibility, this week releasing details
about Swift technicians who made upgrades to the bank's system late last year. Reuters previously
reported on the officials' findings.
"The way that technicians from Swift set up the network at Bangladesh Bank was not according to the
agreed plan," Shah Alam, a senior official in Bangladesh's Criminal Investigation Department, told
Bloomberg on Tuesday.
"We have also found that some officials at Bangladesh Bank who were in charge of maintaining the
network fell short of their responsibilities," he said, adding that police were still trying to determine if the
officials' actions went beyond pure negligence.
"Such allegations are false, inaccurate and misleading," Swift said in a statement on its website.
Moral Responsibility
The Bangladesh central bank has been roiled since the hack was disclosed in March, and several officials
have stepped down. Atiur Rahman resigned as Bangladesh's central bank governor, saying he took moral
responsibility after failing to immediately inform the Finance Ministry of the theft. Two of his deputies
were also removed.
Attribution of a breach is notoriously difficult, even for the U.S. government. In this case, the task was
hampered as investigators sifted through the handiwork of multiple hacking groups, attributing the heist
at various stages of the investigation first to one group and then the next, according to one of the people
briefed.
Hackers used the Swift system to make illicit payments to accounts in several countries, creating
sophisticated malware designed to operate on the bank's Swift messaging system. As the hackers
navigated through the bank's network unseen for weeks, they deployed a smorgasbord of tools that
included two pieces of malware dubbed Nestegg and Dyepack, according to one of the people briefed on
the report.
Custom Malware
The ease with which the hackers manipulated the interbank system and the significant resources used to
create and customize the malware raise the possibility of more attacks against international institutions,
people involved in the bank probe said.
North Korea's hacking prowess has been cited by government officials repeatedly in recent years.
President Obama accused North Korea of pilfering and publishing a trove of corporate information from
Sony more than a year ago -- after the production of "The Interview," a movie that parodies North Korea
-- and vowed to take unspecified action against the country. North Korea has also been blamed for a series
of financial hacks in South Korea by officials there.
After the White House publicly attributed the Sony breach to North Korea, some security firms publicly
cast doubt on the claim. North Korea has denied any involvement.
Investigators have spent weeks following the money trail from the Bangladesh central bank's account, but
the ultimate destination of tens of millions of dollars remains unknown.
Simple Errors

After scouting the computer system, the hackers impersonated bank officials, sending instructions
through the Swift system to move nearly $1 billion to several bank accounts in several countries.
Most of the transfers were stopped or reversed because of simple errors made by the hackers, including a
spelling error. Clues to the missing millions have led from computers in Bangladesh to a colorful cast of
characters including a bank manager and casino operators in the Philippines and the head of a non-profit
foundation in Sri Lanka.
Swift, which stands for Society for Worldwide Interbank Financial Telecommunication, is a cooperative
that is a vital component in global interbank transfers. It has said that its systems weren't compromised
but that messages were sent through its system by attackers who appeared to have good knowledge of the
bank systems and their security procedures.

Metro Manila (CNN Philippines) - Sen. Sergio "Serge" Osmeña, chair of the Senate committee on
banks, once again slammed Rizal Commercial Banking Corp. (RCBC) officials for failing to stop the entry
of the $81 million stolen from Bangladesh Bank.
During the third senate hearing on the money laundering case on Tuesday (March 29), RCBC President
Lorenzo Tan admitted he knew of the alleged $81 million bank heist only "after the funds had left already."
Osmeña asked what threshold amount could have prompted RCBC to stop an anomalous transaction.
"At that time it was one billion pesos (around $20 million)," RCBC Legal and Regulatory Affairs Head
Macel Estavillo said.
This means high-ranking bank officers would only be informed when such an amount enters the bank in a
single transaction, but that is still not a guarantee that the transaction would be referred to senior
management.

After a series of questions, Tan said he would be forewarned probably when instincts kick in, and that
his employees would surely inform him at the end of the day.
Osmeña called this very poor compliance, saying the money could have been remitted already by that
time, like what happened with the $81 million.
Executive session sought
Estavillo maintained that banks can stop anomalous transactions but for a temporary period only, citing
several laws such as the Bank Secrecy Law and the Anti-Money Laundering Act. She said all the banks
could do was file a suspicious transaction report.
She also called for amendment to the laws to give more teeth to the banks.
Osmeña insisted that there is no secrecy to protect if the persons who own the bank accounts "doesn't
exist."
However, Estavillo said that "even if the account holder would be fictitious, first there has to be a court
order determining that the bank secrecy law still applies to the deposit."

But Osmeña said he interviewed other banks who say they would stop a bank transaction if they knew the
money was stolen. Estavillo maintained that RCBC alone could not tell whether the money was really
laundered.
Estavillo said the RCBC management is willing to divulge the bank's procedures "but if possible in an
executive session because there are so many security measures that we will be discussing and it would
be difficult to discuss without compromising the security of our bank."
RCBC urged to submit records of fictitious accounts or be cited for contempt

Heated debates ensued as the five-hour Senate hearing dragged on.


Sen. Aquilino Pimentel III disputed RCBC's use of the Bank Secrecy Law and compelled the bank's
management to submit all documents relating to the five fictitious dollar accounts that received the $81
million.
The fake accounts were under the names Michael Francisco Cruz, Jessie Christopher Lagrosas, Ralph
Picache, Enrico Teodoro Vasquez and Alfred Santos Vergara.
"If the depositors have been determined by the bank itself as fictitious depositors, there is no point in
invoking or applying the bank secrecy law," Pimentel said. He said fake accounts are not entitled to any
protection.
Estavillo said RCBC had already furnished copies of the requested documents to the AMLC, but Pimentel
maintained that it should submit the same directly to the Senate.
"We do not have any legal jurisprudence... Your honor, we cannot comply," Estavillo said.
Pimentel was supposed to move to cite the RCBC for contempt, but the AMLC confirmed that the bank
had already submitted necessary documents to the council.
AMLC added the documents were attached to the criminal complaints it filed at the Department of Justice
(DOJ), making these public records.
Pimentel said he is willing to suspend his motion, depending on the completeness of the documents
submitted by RCBC.
Metro Manila (CNN Philippines) - As it continues to come under fire for its alleged link to the $81-million cyber banking heist, Rizal Commercial Banking Corp. (RCBC) said it is willing to return its share of
the money to the Bangladesh Bank.
"If we are found liable, yes, I will recommend to the board that we set aside a certain sum of money to
give back," RCBC President (on leave) Lorenzo Tan said during the Senate's fifth hearing into the heist.
The money could amount to as much as $46.4 million or P2 billion.

Of the $81 million stolen by hackers from the Bangladesh central bank, about half is said to be
recoverable from various sources: businessman Kam Sin Wong, casino operator Solaire Resort and
Casino, and remittance firm PhilRem.

Should RCBC shell out P2 billion, it will be a significant chunk of its profits. It booked a net income of P5.1
billion last year, a 15% jump from the P4.4 billion in 2014.
Still, Tan said the bank can take the hit. "We set aside about P1-2 billion a year for bad loans, bad trades
and operation loss."
Senator Ralph Recto also pointed out that RCBC may benefit as this move could restore its tarnished
reputation.

The Yuchengco-led bank maintains that it followed due process when the dirty money was wired to four
RCBC accounts last month. But by the time it received the stop orders from Bangladesh Bank, the money
had already been taken out and gambled in casinos.
Nevertheless, RCBC shares have fallen since the issue broke. Share prices hit a 52-week low of P28.75
during the height of the scandal. Tan notes that the bank's market capitalization lost "a couple billion
pesos" since.
Slap on the wrist?
RCBC could also be hit by separate penalties by the Bangko Sentral ng Pilipinas (BSP) and the Anti-Money Laundering Council (AMLC) should they be found in violation of regulations.
According to BSP Deputy Governor Nestor Espenilla, Jr., RCBC could face a penalty of up to P500,000
per violation under the Anti-Money Laundering Act (AMLA). A penalty of P30,000 per day or per
transaction could also be levied by the BSP.
On top of that, regulators could also slap the bank with administrative, disciplinary penalties.
Recto contended those penalties might be too light, though, given the scale of the problem. This is said to
be the largest cyber banking heist in history.
"Whether or not RCBC knew where the money came from, if bank protocols were not followed, they have
to be given the appropriate penalties," Recto said during the hearing.
Espenilla agreed, adding that the BSP should even be given the power to push additional penalties
against errant banks.
"The economy has grown and the transactions have grown so the flexibility should be there," he said.
The BSP will submit its recommendations for the proper penalties so the Senate can take it up in its
planned amendments to the AMLA and the BSP Charter.
MANILA, Philippines - Rizal Commercial Banking Corp. (RCBC) said it does not have any casino client
after being implicated in the ongoing investigation into alleged money laundering of some $100 million in
funds from abroad that reportedly found its way through the country's casinos.

RCBC vice chairman Cesar Virata said the bank does not deal with casinos and has limited transactions
with tobacco and liquor companies as part of its internal rules on corporate good governance.
Virata added that the account in question is an individual account that was opened more than a year ago.
Sources said RCBC has suspended the manager of its Makati branch while investigation is ongoing.
"We are not allowed to deal with casinos," Virata said, pointing out in an interview that this is mainly due
to the investment of International Finance Corp. (IFC), private sector arm of the World Bank, in RCBC.
Thus, as part of its internal rule, RCBC does not have casino corporate clients and has limited exposure
to tobacco and liquor companies.
Last year, IFC raised its equity interest in RCBC to about 12 percent from 6.4 percent. It infused $100
million in fresh capital and separately bought P4.8 billion worth of the bank's bad assets.
For its part, the Philippine Amusement and Gaming Corp. (Pagcor) said the investigation should focus on
banks because the funds entered through the banks.
Pagcor said it is up to the Anti-Money Laundering Council (AMLC) to deal with the issue, saying that the
casino industry relies on the AMLC safeguards within the Philippine banking system.
Pagcor chairman Cristino Naguiat said it is conducting its own investigation but believes that casinos in
the Philippines are not involved in money laundering and even in human trafficking activities as reported
in the media.
"There are safeguards in place," he said. Nonetheless, he said Pagcor would cooperate with any
investigation on the matter.
Like in banks, he said, casino operators in the Philippines implement know-your-customer (KYC) rules
such as requiring passports and proper identification from players.
He also said Pagcor is not against proposals to include casinos in the coverage of the Anti-Money
Laundering Act (AMLA).
MANILA, Philippines - The president of Rizal Commercial Banking Corp. (RCBC) is expected to attend a
Senate hearing on Tuesday on an $81-million money laundering transaction involving the bank.
In the hearing called by the Senate Blue Ribbon committee, RCBC president and chief executive officer
Lorenzo Tan is expected to shed light on the alleged involvement of the bank owned by taipan Alfonso
Yuchengco.

Tan will also face RCBC Jupiter branch manager Maia Santos-Deguito who, he said, was in charge when
the allegedly embezzled money from Bangladesh Bank was deposited in her branch.
Sen. Teofisto Guingona III chairs the committee.
RCBC's spokesman denied Tan had gone on leave. "Not true. He will be there," the spokesman said.
Tan had offered to go on leave to give the bank a free hand in investigating the alleged money laundering
issue.
However, Francis Lim of ACCRA Law said the bank's owners and management have vouched for the
integrity of Tan.
"The bank's board thanked him for his gentlemanly and decent gesture but said their trust in him is intact
and unshaken," Lim said.
Tan has vehemently denied involvement in the alleged multimillion-dollar money-laundering scheme that
is now subject of an investigation by the Anti-Money Laundering Council (AMLC).
"I condemn as malicious and actionable insinuations that the top management of the bank knew of and
tolerated alleged money laundering activities in one branch," he said.
"I will fully cooperate with all ongoing inquiries and believe that I and consequently the bank's
management will be fully vindicated," he added.
Lim said Deguito had already admitted in a radio interview that she had assumed Tan knew about the
$81-million transaction at the RCBC Jupiter branch.
He also told lawyer Ferdinand Topacio, counsel of Deguito, to stop dragging other bank officials into the
alleged laundering of dirty money via RCBC.
"So instead of asking RCBC to sanction Mr. Tan, Topacio should instead assist his client to explain the
accusation of William Go that she opened an account in her branch without his knowledge, used this
account for deposit and withdrawal without his knowledge, and identify who forged Go's signature to
withdraw money," he added.
Likewise, Lim said Topacio should explain why Deguito attempted to fly to Japan last Friday.
Topacio earlier said in a television interview that he would file charges against officials of the Bureau of
Immigration and other agencies for not allowing his client to fly to Japan last Friday despite the absence
of a hold departure order.

Aside from Tan and Deguito, others invited to the hearing are Philippine National Bank president
Reynaldo Maclang, BDO Unibank president Nestor Tan and East West Banking Corp. president Antonio
Moncupa Jr.
A Malacañang official, meanwhile, said no stone should be left unturned in the investigation by authorities
into the money laundering issue.
But as it is, Presidential Communications Development and Strategic Planning Office Undersecretary
Manuel Quezon III said "the discovery of this and its investigation is proof positive that we are a
responsible member of the global banking community and not a safe haven for dirty money."
"It should be a cause of reassurance for us that even when there are alleged situations of this nature, it
was detected first and foremost; secondly, it was investigated; thirdly, it was reported in the media so
nothing was kept secret," Quezon said over radio dzRB.
"We are confident that their investigations will leave no stone unturned because the integrity of the
country's banking system is at stake."
Meanwhile, former senator Panfilo Lacson promised to work for strengthening the Anti-Money Laundering
Act (AMLA) if he gets elected again to the Senate. Lacson, one of the authors of AMLA, said the country
should be fully compliant with the standards of the Financial Action Task Force. - With Aurea Calica,
Cecille Suerte Felipe

Passage of Anti-Money Laundering Act (AMLA) of 2001 (Republic Act No. 9160) and Subsequent
AMLA Amendments (RA 9194, RA 10167 and RA 10365)
The Original AMLA under RA 9160 (September 2001)
In order to implement its continued commitment and support of the global fight against money laundering,
the BSP has issued a number of measures to bring the Philippines' regulatory regime on money laundering
closer to international standards. In September 2001, the Anti-Money Laundering Act (AMLA) of 2001 was
passed under Republic Act No. 9160. The legislation, among others, defines money laundering as a criminal
offense, prescribes penalties for such crimes committed and forms the foundation of a central monitoring
and implementing council called the Anti-Money Laundering Council (AMLC). To combat money laundering,
this law imposes requirements on customer identification, record keeping, reporting of covered and
suspicious transactions, relaxes strict bank deposit secrecy laws, and provides for
freezing/seizure/forfeiture/recovery of dirty money/property as well as for international cooperation.
The AMLC is comprised of three (3) members: the Governor of the Bangko Sentral ng Pilipinas as the
Chairman and the other two (2) members are the Commissioner of the Insurance Commission and the
Chairman of the Securities and Exchange Commission. It acts unanimously in the discharge of its functions.
AMLC is also referred to as the country's Financial Intelligence Unit (FIU) and is assisted by a Secretariat,
otherwise known as the AMLC Secretariat (AMLCS), headed by an Executive Director.

The AMLA Implementing Rules and Regulations (IRR) was also issued in 2001.
First AMLA Amendment under RA 9194 (March 2003)
To address concerns such as the high threshold level for covered transactions, the coverage of covered
institutions and the existing Bank Secrecy Law, the amendments to the AMLA were signed into law on 7
March 2003 under Republic Act No. 9194. The amendments included the following: a) lowering the threshold
for covered transactions from P4.0 million to P500,000; b) authorizing the BSP to inquire or examine any
deposit or investment with any banking institution without court order in the course of a periodic or special
examination; and c) removing the provision prohibiting the retroactivity of the law.
Said amendments were given favorable consideration by the Financial Action Task Force (FATF) and
sanctions were not imposed on the Philippines. However, the Philippines at that time remained in the list of
non-cooperative countries and territories (NCCTs) of the FATF and the country's removal from the list will be
determined by the FATF after close monitoring of the implementation issues. The Philippines was finally
removed from the NCCT list of the FATF in February 2005 due to excellent progress made in combating
money laundering and terrorist financing.
The Revised Implementing Rules and Regulations (RIRR) on the AMLA of 2001, as amended, was approved
by the Congressional Oversight Committee on 6 August 2003 and was implemented on 3 September 2003.
Second AMLA Amendment under RA 10167 (June 2012)
To further strengthen the country's AML regime and address the concerns of the FATF, the second AMLA
amendment under RA 10167 was signed into law on 18 June 2012, amending for the purpose Sections 10
and 11 of the AMLA, as amended.
Section 10 relates to the Freezing of Monetary Instrument wherein upon verified ex parte petition by the
AMLC, the Court of Appeals (CA) should act on the petition to freeze within twenty-four (24) hours from
filing of the petition, and the freeze order shall be for a period of twenty (20) days unless extended by the
Court/CA.
Section 11 relates to the Authority to Inquire into Bank Deposits wherein the AMLC is given authority to
examine bank accounts upon order of any competent court based on an ex parte application which
effectively expanded the instances when no such court application is required. Said provision simply means
that the court may allow the AMLC to look into bank deposit accounts of suspected money launderers
without notifying them. Under this Section, the CA is directed to act on the application to inquire into or
examine any deposit or investment account within twenty-four (24) hours from date of filing of the
application. In addition, although Section 11 of the AMLA reworded the authority of BSP to check
compliance, in the course of a periodic or special examination of a covered institution, with the requirements
of the AMLA and its implementing rules and regulations, the sponsoring Senator, Senator Guingona, when
asked if the BSP, without court order, may be allowed to look into specific accounts under the proviso, said
that it is only to ensure compliance with AMLA.
These two amended provisions recognized the urgency of the issuance of the freeze order and the grant of
authority to AMLC to conduct bank inquiry within 24 hours from the filing of the petition.
This AMLA amendment under RA 10167 resulted in favorable action by the FATF, which decided to upgrade
the country from its dark gray list to its gray list, just one notch away from being taken off the FATF list of
nations considered non-compliant with global AML standards.

After the passage of RA 10167, the Revised Implementing Rules and Regulations (RIRR) was approved
under AMLC Resolution No. 84 dated 23 August 2012. BSP disseminated said RIRR to all BSP covered
institutions under BSP Circular Letter No. CL-2012-068 dated 20 September 2012.
Third AMLA Amendment under RA 10365 (February 2013)
As a continuing commitment to comply with FATF AML/CFT standards, the third AMLA amendment under RA
10365 was passed into law on 15 February 2013 that covered the following major amendments:

Expansion of the definition of the crime of money laundering: AMLC can now go after persons who
engage in the conversion, transfer, movement, disposal of, possession, use, and concealment or
disguise, of the monetary proceeds of an unlawful activity, that was previously limited to the
transaction of laundered funds and property;

Inclusion as Covered Persons of jewelry dealers in precious metals and stones whose transactions are
in excess of P1,000,000, and of company service providers as defined and listed under RA 10365;

Increase of unlawful activities to money laundering from 14 to 34. The 20 additional crimes include
trafficking in persons, bribery, counterfeiting, fraud and other illegal exactions, forgery,
malversation, various environmental crimes, and terrorism and its financing;

Authorization for the AMLC to require the Land Registration Authority and all its Registers of Deeds to
submit reports to the AMLC covering real estate transactions in excess of P500,000.00;

Issuance of freeze order by the Court is now valid for a maximum period of six (6) months, from the
previous twenty (20) days validity under RA 10167.

Compliance with FATF International Standards


In November 2003, the Philippines' amendments to the AMLA were evaluated by the FATF and were found to
be at par with international standards. On 11 February 2005, the Philippines, Cook Islands, and Indonesia
were removed from the list of NCCTs during the meeting of the FATF. After the country's delisting from the
list of NCCTs, the AMLC of the Philippines was accepted as one of seven new members of the Egmont
Group, the global network of FIUs against money laundering and terrorist financing, making the Philippines
an equal partner in the global fight against money laundering and terrorist financing. Membership to the
Egmont Group means affording AMLC free and unlimited access to a wealth of financial data contained in the
databases of all the FIU-members of the group. All information exchanged by FIUs are subjected to strict
controls and safeguards to ensure it is used only in an authorized manner, consistent with national
provisions on privacy and data protection.
The recent AMLA amendments under RA 10167 and RA 10365 are testament to the Philippines' serious
commitment to further strengthen the country's AML regime and to address the weaknesses noted by the
FATF in the Philippines' legal framework with regard to AML. Passage of these laws was officially recognized
and favorably considered by the FATF, and the laws are now in substantial compliance with its AML/CFT
international standards. Thus, FATF, in its February 2013 plenary meeting, shielded the Philippines from
being blacklisted again.

Other AML Initiatives Undertaken by BSP to Further Strengthen the Country's AML Regime
Since 2000, the BSP continued to firmly undertake several initiatives on how to safeguard the Philippine
banking system through constant reshaping of existing AML preventive measures and implementation of
appropriate policies at par with global standards such as the following initiatives.
1. Creation of the Anti-Money Laundering Specialist Group (AMLSG) within the Supervision
and Examination Sector (SES)

The AMLSG was created on 13 December 2007 under MB Resolution No. 1443 to address the need for
technical expertise in the supervision of AML activities of banks and non-bank financial institutions (NBFIs)
under the supervision and regulation of the BSP. The Group became fully operational in November 2008 and
currently has 34 authorized plantilla positions. It is under the direct supervision of the Managing Director,
Supervision and Examination Subsector I, SES.
AMLSG aims to be BSP's core unit of highly competent, dynamic and ethical professionals who work to
ensure financial institutions (FIs) adopt and maintain adequate and effective policies, systems and
procedures that prevent them from being used to support the laundering of proceeds from any unlawful
activity. AMLSG is tasked to develop relevant guidelines and regulations to support and guide the AML efforts
of financial institutions supervised by the BSP, ensure the effective implementation of said policies through
examination services and technical assistance to the SES and enhance the related technical skills of the SES
human resource pool through training. In addition, AMLSG shall perform off-site monitoring to identify those
FIs whose operations present an elevated risk of money laundering activities. AMLSG works closely with the
AMLC Secretariat and various banking and non-bank industry associations under the regulatory ambit of the
BSP to foster domestic cooperation.
Since 2008, AMLSG has conducted several AML onsite examinations, particularly of commercial banks due to
their significant asset size and complex banking activities. The Group was also principally involved in the
crafting of AML rules and regulations, such as the issuance of Circular 706 dated 5 January 2011 and the
adoption on 2 March 2012 of the AML Risk Rating System, that are discussed below.

2. Issuance of consolidated AML regulations under BSP Circular No. 706 dated 5 January
2012, otherwise known as the Updated AML Rules and Regulations (UARR)
UARR was issued for the purpose of consolidating all existing BSP circulars, circular letters and other
issuances related to AML. Likewise, it enhances the implementation of the existing AML legal
framework to better conform with international standards as well as address the deficiencies noted
by the joint team of assessors from the World Bank and Asia Pacific Group on Money Laundering
during the mutual evaluation of the country in 2008.
The UARR applies to all covered institutions supervised and regulated by the BSP including Banks,
Offshore banking units, quasi banks, trust entities, non-stock savings and loan associations,
pawnshops, foreign exchange dealers, money changers and remittance agents, electronic money
issuers including their subsidiaries and affiliates wherever they may be located.
In addition to the usual provisions on customer identification/KYC, covered and suspicious
transaction reporting and record keeping and retention requirements that are found in the AMLA-RIRR,
the UARR emphasizes the incorporation of a sound risk management system to ensure that
risks associated with money laundering and terrorist financing are identified, assessed, monitored,
mitigated and controlled by covered institutions. A sound risk management system includes
adequate and active Board and Senior Management oversight, acceptable policies and procedures
embodied in a Money Laundering and Terrorist Financing Prevention Program (MLPP), appropriate
monitoring and Management Information System and comprehensive internal controls and audit.
UARR encourages covered institutions to formulate risk-based and tiered customer acceptance and
retention policies, adopt criteria for assessing customers as low, normal and high risk, and set
standards for applying reduced, average and enhanced due diligence. It also mandates observance
of extreme caution and vigilance in dealing with high risk customers such as shell companies.
The UARR also strongly supports the Financial Inclusion advocacy promoted by the BSP. For
instance, it allows a) the outsourcing of the conduct of face-to-face contact as well as the gathering
of the KYC documents and information to establish the identity of a customer; b) acceptance of one
(1) valid ID for the conduct of financial transactions, listing for this purpose a wide variety of
acceptable IDs and the utilization of the covered institution's own technology to take the photo of
their customers in case the ID presented is non-photo-bearing such as TIN, barangay and DSWD
certification; and c) the third-party reliance is likewise introduced in the UARR to avoid duplication
of customer identification processes so that covered institutions may refocus their resources to
better serve and address the needs of customers. This principle allows a covered institution such as
a Bank to rely on the KYC conducted by another covered institution.
UARR further provides that any violations of existing provisions thereof shall constitute a major
violation, that may subject the bank, its directors, officers and staff to enforcement actions such as
monetary and non-monetary penalties. The enforcement actions shall be imposed on the basis
of the overall assessment of a covered institution's AML compliance system, and if found to be
grossly inadequate, such may be considered as unsafe and unsound banking practice that may
warrant initiation of prompt corrective action.

3. Adoption of AML Risk Rating System (ARRS)


A necessary consequence of a risk-based approach to supervision is the development of a risk-focused examination process that is complemented by the adoption of an AML Risk Rating System
(ARRS) approved under MB Resolution No. 362 dated 2 March 2012 and disseminated to all BSP
covered institutions under Memorandum to All Banks No. 2012-017 dated 4 April 2012.
ARRS is an internal rating system to be used by BSP to understand whether the risk management
policies and practices as well as internal controls of Banks and NBFIs to prevent money laundering
and terrorist financing are in place, well disseminated and effectively implemented. ARRS is an
effective supervisory tool that undertakes to ensure that all covered institutions as defined under
Circular No. 706 are assessed in a comprehensive and uniform manner, and that supervisory
attention is appropriately focused on entities exhibiting inefficiencies in Board of Directors and
Senior Management oversight and monitoring, inadequacies in their AML framework, weaknesses in
internal controls and audit and defective implementation of internal policies and procedures.
Under the ARRS, each covered institution is assigned a Numerical and Adjectival Composite Rating
(4 as the highest - sound; 3 - adequately sound; 2 - vulnerable; and 1 as the lowest - grossly
inadequate) based on the assessment of the following four (4) components:
1. Component I - Efficient Board of Directors (BOD) and Senior Management (SM) Oversight
(Management);
2. Component II - Sound AML policies and procedures embodied in a Money Laundering and Terrorist
Financing Prevention Program duly approved by the Board of Directors (MLPP);
3. Component III - Robust internal controls and audit (Controls and Audit); and
4. Component IV - Effective implementation (Implementation).
Evaluation of the four (4) components takes into consideration the covered institution's responses to
various questions that are designed to comprehend its business operations as well as its risk profile.
The responses will be assessed and on-site examination will confirm their veracity and accuracy.
Based on the evaluation of the existence or non-existence of each of the above components,
BSP covered institutions are assigned a Numerical and Adjectival Component Rating that also ranges
from 4 as the highest and 1 as the lowest. After considering the four components, enforcement
actions proportional to the Composite Rating are recommended to ensure that BSP covered
institutions take necessary measures to improve their risk management policies and practices.

4. Proactive issuance of AML Regulations on Ongoing Basis since 2000


Aside from AML Circulars, BSP also issues on an ongoing basis Circular-Letters since 2000 to
disseminate resolutions adopted by the AMLC covering updates of guidelines on reporting of
suspicious transactions or identifying suspected individuals or organizations (local and international)
known to be involved in money laundering and other illegal activities, particularly those included in
the United Nations Sanctions List.
In addition, BSP has issued several media releases and other public advisories to disseminate
certain suspicious or illegal activities to make the public fully aware of them.
