I’ve been following with interest the startling news of how BDO depositors suddenly lost money due to an alleged hack of the bank’s online banking system -- and how that behemoth of a bank dealt with it. Despite an offer to return all the money supposedly lost by around 700 clients, BDO’s stance left a sickish, sourish taste in the mouth. Somewhat like when one’s experiencing acidity.
As has been noted in social media as well as the press, just the opening contractual framework in which the victims found themselves left much to be desired. Imagine a disclaimer of liability clause that excused the bank from all loss or damage from use of the online banking services offered by the bank -- even where the client didn’t participate in the fraud or the theft!
After years of negotiating contracts trying to dump all the burdens on the opposing side, I know the clause would be hard to sell to any counter-party. Automatically, the other party is going to ask “well, what if you caused the loss? All those losses aren’t going to be all laid at my feet, right? Right?” Call this the “own-fault” exception.
Which is the same question we should be asking BDO. What if the loss was caused by it? A client wouldn’t necessarily have participated in a fraudulent scheme dreamed up by a rogue bank employee. And yet, with this clause, the bank could wash its hands of the responsibility, smile, and deny a refund. Oh, that’s an iron-clad contractual way out all right. As the bank says -- it finds ways!
And no. This is not a standard clause, even if BDO says otherwise. I mean, what other bank has this distinctly one-sided clause in its terms and conditions? (Let’s see if BDO will drag other banking institutions into this mess so we can all judge them together.)
Even the Bangko Sentral has called out BDO over this unfair clause. Deputy governor Chuchi Fonacier said BDO’s contract of adhesion runs afoul of the BSP’s Consumer Protection Framework, which requires banks to treat customers fairly. And this clause certainly isn’t fair.
And what’s even more galling is that BDO required the victims of the alleged hacking to come to the branch and “submit documentation” so the refunds can be processed. If it’s online banking, and you’ve detected a supposed hacking, wouldn’t it be within your powers to trace all those transactions that occurred through the hacking?
(We’re going with the media story that it’s a hacking, although given that the bank didn’t report the matter to the National Privacy Commission on time, there’s a fishy possibility it wasn’t. We are still waiting for the NPC to tell us the results of its investigation into the “data breach” and why the mandatory reporting wasn’t made. Maybe there is no breach?)
In any case, here’s the bank that knows its depositors suffered losses “without their participation”. Why the need for clients to show up at the bank physically, especially in these times with the pandemic raging? Why give them that hassle (at the very least), which could actually be life-endangering at most?
What if the clients were unaware of the loss? How could they then comply with this requirement to show up, line up, and sign all those prepared papers (like an instant waiver)? BDO could then pretend there was no loss, and not have to refund? How convenient.
This necessitates a review by the authorities of the treatment given by giant banks to poor, disempowered clients. The ones who are in no position to negotiate and have no choice but to swallow whatever is thrust upon them when they wish to avail of convenient services. The BSP would do well to go beyond a mere telling-off. Intense scrutiny should be the next step, and if needed, reform.