What you need to know about this story:

  • Confidential banking reports expose how questionable transactions happen right under the noses of financial institutions and authorities worldwide.
  • The money remittance firms implicated in the Bangladesh Bank heist had been sending huge amounts of money from unknown customers to unverifiable entities for a few years before the theft. The amounts are too big to be left unnoticed by banks and regulators.
  • Lack of resources, a largely cash-based economy, a thriving casino and gaming industry and a strict bank secrecy law make the Philippines an attractive venue for financial crime.
  • Suspicious transactions related to online sexual exploitation of children and drug trafficking are on the rise during the Covid-19 pandemic.

Filipino remittance firms were investigated in the aftermath of the 2016 cyber-heist that siphoned off $81 million from the central bank of Bangladesh. Documents now show that a few years before the daring theft, these remittance firms had moved millions of U.S. dollars in “suspicious” transactions, raising the question as to why they were not stopped in their tracks much earlier.

A cache of secret bank reports shows that Philrem Service Corp. (Philrem) and Werquick Inc. sent more than $1 billion of what were deemed “suspicious” wires from 2012 to 2016, mostly using their accounts in BDO Unibank Inc. (BDO), Rizal Commercial Banking Corp. (RCBC), and Metropolitan Trust Bank Co. (Metrobank).

These activities were flagged in Suspicious Activity Reports (SARs) submitted by various U.S. banks to the U.S. Treasury Department’s Financial Crimes Enforcement Network or FinCEN. Because the U.S. dollar is the world’s currency, sending money from one country to another requires conversion to U.S. dollars.

This means that funds have to pass through a bank operating in the U.S. These U.S. banks must file SARs with FinCEN if they see suspect activity. FinCEN is the U.S. financial intelligence unit similar to the Anti-Money Laundering Council (AMLC) of the Philippines. (See sidebar: What is a SAR?)

The SARs were shown to PCIJ by BuzzFeed News and the International Consortium of Investigative Journalists, which led more than 400 reporters in 88 countries to investigate trillions in banking secrets. Information contained in these reports is not necessarily evidence of wrongdoing or criminality, but the reports have been closely examined to identify transactions and relationships that inform news stories in the public interest.

The cross-border investigation exposes the secret world of international banking. Journalists across the globe found that the world's biggest banks fail to stop suspicious activities, allowing anonymous actors to go unchecked while millions of dollars in taxpayers’ money get looted.

Since the FinCEN files cover activities involving Filipino parties mostly from 2012 to early 2016, the reports can be seen as a precursor to the 2016 Bangladesh Bank heist. The SARs indicate how vulnerable the Philippine financial system had been to money laundering, as funds apparently could be moved without naming or verifying the source and beneficiary or specifying the purpose of the transfers.

The AMLC could not disclose whether it had investigated the remittance firms prior to the heist, but it maintained that anti-money laundering rules and regulations covering money service businesses (MSBs) such as Philrem and Werquick had been in place since 2011. 

The Bangko Sentral ng Pilipinas (BSP), which oversees banks and non-banking financial institutions, issued Circular No. 706 in 2011 to include MSBs as “covered institutions” or “covered persons.” Covered institutions or persons refer to banks, offshore banking units, quasi-banks, trust entities, non-stock savings and loan associations, pawnshops, foreign exchange dealers, money changers, remittance agents, electronic money issuers and other financial institutions that are subject to BSP supervision and/or regulation.

These covered institutions, AMLC said, “were and are still required to comply with anti-money laundering (AML) and counter-terrorism financing (CTF) obligations,” which include customer identification, recordkeeping, and reporting of covered and suspicious transactions.

MSBs and banks have always had the primary responsibility of complying with AML and CTF obligations under the law. The firms involved in the heist, AMLC said, “failed to comply with these requirements, such as customer due diligence, recordkeeping, and covered and suspicious transaction reporting and, in turn, were vulnerable to be used as conduits for money laundering and terrorism financing activities.”

Philrem & Werquick

Philrem, the remittance company linked to the $81-million transfer of stolen funds from the Bangladesh central bank, is a big subject in the FinCEN files. It appears in at least six SARs, joining the ranks of Dubai gold trader Kaloti and billionaire Roman Abramovich who are both subjects of multiple reports. 

Werquick, a money service business owned by Philrem’s Salud R. Bautista, is the subject of two SARs.

Philrem executives are embroiled in several cases related to the heist, including those filed by the AMLC, the Bureau of Internal Revenue, and the Bangladesh central bank. The BSP revoked the firms’ registrations in 2016. (See sidebar: What went before: Bangladesh Bank Heist)

From the more than 2,100 SARs included in the FinCEN files, a total of 27 SARs, filed between 2010 and 2016, refer to Filipino individuals and companies as originators and beneficiaries of “suspicious” wires. These PDF reports contain narratives of more than 1,700 transactions worth at least $644 million. All figures used in this story are estimates as they do not include transactions cited in prior SARs. The PCIJ also does not have the spreadsheet attachments on file. The actual amounts could be higher.

Infographic by Alexandra Paredes/PCIJ

Of the total $644 million, 70 percent of the transactions were made by Philrem ($335 million) and Werquick ($124.1 million). The narratives in the SARs point to much larger figures though, with one report citing amounts reaching up to $1.6 billion. The breakdown of this amount is not fully available, however. PCIJ is only able to examine wires with transfer details.

The FinCEN files include five unique SARs pertaining to Philrem alone, one referring to Werquick only, and one dedicated to both Philrem and Werquick. The seven SARs were filed between 2013 and 2016, covering transactions that took place from 2012 to 2016. The majority of the transactions ran into the millions of dollars; the lowest amount was $29,250 while the highest was $94.5 million involving 64 wire transfers.

The SARs were filed by the Bank of New York Mellon (BNYM), one of the oldest and largest banks in the U.S. It maintains correspondent banking relationships with Philippine banks to enable them to transact in U.S. dollars.

The biggest amount was reported in the SAR dated April 12, 2016, where BNYM scanned for wires from November 2012 to March 2016 and found 5,001 “suspicious” transfers worth $1.03 billion involving Philrem and Werquick. The report took note of Philrem’s involvement in the Bangladesh Bank heist that happened two months prior, in February 2016. BNYM included Werquick as it learned from news reports that it is also owned by Salud R. Bautista. 

The seven SARs that flagged Philrem’s and Werquick’s activities cited several reasons:

  • “The true ordering customers are not disclosed in the wire details;”
  • “The source of funds and the purpose of the transaction cannot be ascertained;”
  • “Some of the counterparties appear to be shell-like or unverifiable entities;”
  • “Many of the wires were sent in large, round-dollar (and occasionally repetitive) amounts;”
  • “Many were sent between the same counterparties within a short period of time;” and 
  • “The wires were sent from the Philippines, a high-risk jurisdiction for money laundering and other financial crimes.”

PCIJ sent a request for comment to Philrem owners Salud and Michael Bautista and its compliance officer Anthony A. Pelejo through their lawyers. The parties have not officially responded to PCIJ’s queries, but one of their lawyers indicated that his clients were not inclined to comment considering the ongoing case.

Two key observations emerge consistently across all seven SARs. 

First, Philrem and Werquick as known money remitters were sending wires on behalf of “unknown third parties,” which meant that the “source of funds and the purpose of the transaction cannot be ascertained.”

PCIJ’s analysis of Philrem’s and Werquick’s transactions showed that $235.2 million or more than half of the estimated total $459 million worth of transfers were sent without information on who actually sent the money. The actual senders meanwhile were identified in the wires worth a total of $229.6 million. 

Second, the two companies, according to BNYM, were also sending wires to shell-like companies. Shell entities can be created and used for legitimate purposes, but BNYM itself noted in many of its reports that these types of companies are a concern for money laundering and other financial crimes given that “they are easy to form, inexpensive to operate, and are structured in a manner designed to conceal the transactional details of the entities.”

“The use of shell entities provides an opportunity for foreign or domestic entities to move money by means of wire transfers, whether directly or through a correspondent banking relationship, without the entity owners having to disclose their true identities or the nature or purpose of transactions,” BNYM said.

In the SAR filed on May 8, 2015, for instance, BNYM reported that over 32 percent of the funds sent by Philrem, or approximately $319 million, from Jan. 1, 2013 to March 20, 2015, did not identify a true remitting customer. BNYM also found that nearly 48 percent of the $319 million in funds was credited to numerous shell-like entities that have accounts with three banks in Hong Kong. These shell-like entities were also receiving wires in similar large, round-dollar, and/or repetitive/trending amounts, BNYM noted.

Infographic by Alexandra Paredes/PCIJ

Why report suspicious activities?

Stephen Cutler, director of tech firm Guide Meridian and former legal attaché of the Federal Bureau of Investigation to Manila, said the main reason financial institutions must know money transfer details, such as names and identifiers of senders and receivers, and the reason for the transaction, is to reduce the risks of abuse of the system by criminals or terrorists. 

Even simple questions, with documentation for the answers, he said, would deter criminal activity such as online sexual exploitation of children, drug trafficking, arms trafficking and corruption. Keeping such information, he said, would also provide law enforcement agencies with lead information on people who move money from illegal sources. (See related story: Sextortion: Dirty sources, dirty money)

“This information is critical in order to reduce the risk of criminal exploitation of our financial system,” Cutler said in an email interview.

A United Nations Office on Drugs and Crime report estimated that in 2009, proceeds generated from drug trafficking and organized crimes amounted to 3.6 percent of the global gross domestic product, with 2.7 percent or $1.6 trillion being laundered.

In the Philippines, a 2018 AMLC study that assessed the country’s exposure to external threats based on suspicious transaction reports showed that illicit funds from environmental crimes, illegal trafficking of persons, kidnapping for ransom, and terrorism have entered the country. Illicit funds from smuggling have also originated from the country, while proceeds from other predicate offenses circulated within the country’s financial system.

AMLC in a July 2020 forum reported a big uptick in suspicious transactions when the Covid-19 pandemic and the ensuing quarantines began. From March 1 to April 24, 2020, the number of suspicious transactions related to violations of the Anti-Child Pornography Act of 2009 ballooned by 11,380 percent from the same period in 2019. The number of suspicious transactions involving drug trafficking and other related offenses also increased – by 189 percent compared to the same period last year.

What the rules say

To prevent their systems from being used for criminal activity, financial authorities worldwide require banks and money remitters to set up AML and CTF programs. “Know-your-customer” (KYC) policies are included in these programs to allow institutions to identify and verify customer identity and the source of funds.

The Implementing Rules and Regulations (IRR) of Republic Act No. 9160 or the Anti-Money Laundering Act (AMLA) likewise recognize the risk associated with dealing with wire or fund transfers, where according to the law, a bank may unknowingly transmit proceeds of unlawful activities or funds intended to finance terrorist activities.

Finance professionals interviewed by PCIJ on background said that banking with money service businesses is considered high-risk for money laundering because the “true customers and intentions” can be hidden by using money remitters as a conduit of a predicate crime.

Sought for comment, the AMLC said it was unable to, while the BSP said it was not privy to the SARs submitted to FinCEN.

PCIJ wanted to verify whether money remitters were required to provide the banks with details of their own customer or the actual sender of the money.

When asked about bank requirements for money remitters that transfer money on behalf of their customers during the period covered in the SARs, as well as the current process, AMLC said the requirements on fund or wire transfers have generally been consistent since 2012. 

Under the 2012, 2016, and 2018 IRRs of the AMLA, covered institutions must establish policies and procedures designed to prevent them from being used to transfer proceeds of unlawful activities or funds intended to finance terrorism. They must obtain information such as “name of the originator, name of the beneficiary, and account number of the originator and beneficiary, or in its absence, a unique transaction reference number.”

Moreover, AMLC said that since 2012, the IRRs of the AMLA have mandated refusal to accept fund transfer instructions under certain circumstances, such as:

  • wire/fund transfer from a non-customer originator, unless it has conducted the necessary customer due diligence to establish the true and full identity and existence of said originator; or
  • transfer to non-customer beneficiary, unless the intermediary bank has conducted customer due diligence to establish the true and full identity and existence of such beneficiary; or
  • for high-risk customers, where additional information cannot be obtained, or any information or document provided is false or falsified, or the result of the validation process is unsatisfactory.

BSP meanwhile cited Circular No. 706 in 2011, which put in place customer identification requirements for compliance by banks and non-bank financial institutions. The same circular sets the following customer identification requirements for fund/wire transfers:

  • the beneficiary institution must conduct customer due diligence to establish the true and full identity and existence of a non-customer beneficiary before accepting instructions to pay out fund transfers to said beneficiary;
  • the originating institution must conduct customer due diligence to establish the true and full identity and existence of a non-customer originator before accepting instructions to fund/wire transfer from him/her;
  • in cross-border transfers, the beneficiary institution must conduct enhanced due diligence on the beneficiary and originator if the latter is a high-risk customer; and
  • cross-border and domestic fund/wire transfers amounting to P50,000.00 or more or its equivalent must include the following originator information through the payment chain: i) name; ii) address or national identity number or date and place of birth; and iii) account number or unique reference number.

Section 923 of the Manual of Regulations for Banks (MORB) also outlines the respective obligations of originating, intermediary and beneficiary financial institutions in the wire/fund transfer chain. The rules emphasize the need for both originating and receiving financial institutions to verify the identity of originators and beneficiaries.

SAR findings

In the SARs, it appears that Philrem and Werquick were able to send millions in U.S. dollars without identifying or verifying the source of the funds, the true beneficiary, or the purpose of the transactions.

According to the SAR filed on Dec. 13, 2013, BNYM had directed BDO as early as November 2011 that any wires sent by order of Philrem must include originating customer information. But the same practice apparently continued for years. In the succeeding SARs filed on June 24, 2014, Sept. 10, 2014, and May 8, 2015, Philrem apparently was allowed to transfer money without information about the actual originators of the money. Data extracted from the SARs showed that at least $82.3 million worth of the wires with no known originator were sent by Philrem using its BDO account. Two wires, worth $700,000 and $38,223 respectively, were meanwhile transferred by Werquick through BDO, again with no details on where the money came from.

Documents showed that RCBC and Metrobank have also facilitated transactions in which the identity of the actual sender was unknown or the funds were transferred to shell-like entities. At least $94.3 million was transferred via RCBC while $25 million passed through Metrobank, according to PCIJ’s data analysis.

In one of the SARs, a company whose identity could not be verified via online research received a total of P206.25 million in four wires from Philrem between February 2014 and March 2016. BDO and Metrobank were used to transfer money to the company’s bank account in Hong Kong.

BNYM flagged the wires because “they were often sent only a few days apart, and all were sent in large, round-dollar amounts, with most in the amount of $1,000,000, $1,500,000, or $2,000,000.” BNYM also could not find information on the company in the LexisNexis research database or through any internet research, suggesting it is a shell company. PCIJ’s own search in the company registries of Hong Kong, Singapore and the Philippines did not turn up results either.

BNYM noted that Philrem primarily banked with BDO, but it also held accounts with Metrobank and United Coconut Planters Bank (UCPB). Werquick meanwhile was recorded to have sent wires through BDO and RCBC.

One of the SARs mentions UCPB as one of Philrem’s banks, but PCIJ did not find details of transactions made through this bank in narrative reports. The document stated that UCPB as well as BDO had responded to BNYM’s KYC requests on Philrem.

Bank responses

PCIJ sent requests for comment to BDO, RCBC, Metrobank, UCPB, and BNYM to understand the nuance and context of the SAR findings. All five banks were provided with details extracted from the SARs and questions about information included in this report.

BDO said it could not address PCIJ’s questions specific to the transactions because of legal limitations. PCIJ wanted to know why it appeared that some of Philrem’s and Werquick’s transactions were facilitated without identifying the true sender, purpose, as well as verifying the receiver of the wires. 

Federico Tancongco, BDO chief compliance officer, said the Philippines has one of the most restrictive regimes when it comes to laws on confidentiality of deposits and assets in the possession of banks, referring to Republic Act No. 1405 on peso-denominated bank deposits (Bank Secrecy Law), Republic Act No. 6426 on foreign currency deposits (Foreign Currency Deposit Act of the Philippines), and Republic Act No. 8791 on clients’ assets (The General Banking Law of 2000). The lawyer also cited restrictions on the disclosure of covered transaction reports and suspicious transaction reports that banks must submit to the AMLC.

Tancongco said BDO observed and implemented protocols prescribed by the BSP in dealing with MSBs. The banks, he said, routinely investigated transactions that raised suspicion or irregularity. Clients, he added, were required to provide justification or explanation for transactions that were unusual or outside of their economic profile or expected activities based on their declared businesses and sources of revenue.

When assessing transactions, Tancongco said BDO was “necessarily limited to documents submitted to the bank.”

On questions pertaining to the bank’s KYC and KYCC (know-your-customer’s-customer) procedures, Tancongco talked about the onboarding process or account opening, wherein the bank requires information to establish the true identity of the client. BDO, he said, also performed due diligence and validated the information and documents provided by clients. For MSBs in particular, Tancongco said BDO also reviewed and assessed their AML and CTF programs, and checked whether they were licensed and accredited by regulators.

After account opening, BDO also performed “continuing account and transaction monitoring to assess if the relationship is to be maintained,” Tancongco said. These protocols include, among others, periodic review and updating of the client’s information and expanded transactional due diligence.

Tancongco commented: “While the regulators and the banks work together and invest in automated systems to adopt a robust framework to detect attempts at money laundering and terrorist financing, the perpetrators are also relentless in evolving their tactics and sophistication. Thus no one can guarantee that all attempts can be detected and stopped in time.”

Thea Daep, RCBC’s external counsel and spokesperson, said the bank was “constrained by existing laws, rules and regulations, to decline” PCIJ’s request for comment. The lawyer said cases involving some RCBC officers or employees, both former and current, and/or the bank itself were ongoing, which prevented the bank from making public comments or disclosures. Like Philrem, RCBC is also implicated in the Bangladesh Bank heist.

Estela S. Calderon, head of Metrobank’s Corporate Affairs Division, said the bank was unable to participate in PCIJ’s inquiry.

UCPB has not responded to PCIJ’s letter.

PCIJ also wrote to BNYM to understand why, like Filipino banks, it also facilitated transactions involving the subjects despite multiple SARs and red flags found. BNYM has not responded to PCIJ as of this writing.

PCIJ was unable to ascertain any action that the five banks may have taken related to Philrem’s and Werquick’s activities during the period covered in the SARs, given confidentiality rules.

Actions vs fraud

Apart from the wires with no details about the originating source, BNYM also reported transactions involving fraudulent accounts and actions taken by some of these banks. 

For instance, on May 27, 2014, Philrem sent one wire in the amount of $140,383.43 through BDO for credit to a Dubai-based bank for the ultimate benefit of a company that dealt with marine services.

On May 30, 2014, BDO requested a return of funds, “due to fraudulent account.”

On June 5, 2014, the funds were returned.

In another SAR, which was submitted on March 31, 2014, BNYM reported one suspected fraudulent wire involving Werquick.

BNYM noted that on Feb. 24, 2014, Werquick sent one wire in the amount of $29,250 through RCBC for credit to a China-based bank for the ultimate benefit of an unverifiable party.

On Feb. 25, 2014, the beneficiary bank said it was unable to proceed with the payment due to issues with the wire details concerning the beneficiary. 

On March 3, 2014, RCBC attempted to make a clarification but the payment did not push through. RCBC then cancelled the wire, stating that it was the result of a hacked email. At the time of the report, BNYM said the funds had yet to be returned as the beneficiary refused to refund the transfer.

Because of this incident, BNYM conducted a scan for additional wire activity involving Werquick. The scan found 1,527 wires made between Nov. 28, 2013 and Feb. 28, 2014, totaling $106.4 million. At least nine transactions worth $26.5 million were identified to have been facilitated by RCBC.

As in the prior SARs, BNYM reported that many of the wires appear suspicious for numerous reasons, including: “(1) limited, if any, ordering customer information provided on many of the wire transfers thus masking the true identity of the ordering customer; (2) repetitive, large round-dollar transactions within short period of time for which a legitimate business purpose cannot be established; (3) wires sent by or for the ultimate benefit of shell-like entities; and (4) concerns regarding the source and/or ultimate destination of funds.”

Sending wires

PCIJ spoke with seven banking and finance professionals to understand bank practices. None of the interviewees were employed in any of the banks included in the report.

The banking professionals who spoke to PCIJ on background said it all starts with the opening of an account. Sending wires requires a customer to have an account with the bank, which then subjects the customer to KYC procedures by gathering information to establish the customer’s identity and source of funds.

When sending wires, the premise is that the client, who already holds an account with the bank, has already been subjected to due diligence procedures. The bank will also obtain relevant information such as names of the sender and recipient and country of destination to check for sanctions. The bank screens transactions to vet if the information provided has a hit in any “blacklist.” The level of transaction screening on wires depends on the amount of money being transferred. A bigger amount may require additional probing.

When conducting sanction screening, the bank aims to “scrub” the names of the sender and receiver against a list of sanctioned individuals or entities. This list includes the names of individuals related to any predicate crime (i.e., terrorism, drug trafficking, cartels, etc.) and politically exposed persons (PEPs), countries sanctioned by the U.S., E.U. and other high-risk transactions (i.e., transactions that may be linked to materials used in creating ammunitions or war-related items).

If the information has an “initial hit,” the transaction will be put on hold for further investigation depending on the turnaround time set by the bank's policies. This may take as long as one week in some banks.

Additionally, customers need to establish the purpose of remittance especially if it involves a huge amount. Documents are needed to support the purpose.

Banking relationship

Sources knowledgeable of banking procedures also explained that dealing with MSBs such as remittance firms was considered high-risk because the “true customers and intentions” could be hidden by using the MSB as a conduit of a predicate crime. This is why banks have to continually assess these MSBs on how they conduct business.

Remittance officers interviewed recently by PCIJ said that identifying originating customers or the ultimate beneficial owners in wire transfers depended on the arrangement between the bank and the money remittance firm. Strict banks would require a list of who the actual remitters were, but the requirement ultimately depended on the relationship of the bank with the remittance firm, which is the bank’s client.

Cutler said it used to be possible to send money without identifying the true sender if it was sent in "batches" or "bundles" labeled as coming from the remitter. 

In practice, banks did not necessarily do the same KYC on the customers of an MSB because there was supposed to be an established relationship between the bank and the MSB. “The expectation is that during the onboarding of the MSB, the bank has done due diligence on the capabilities of the MSB to do KYC,” a bank professional said.

Relationship, ultimately, is key. Banks depend on the established years of relationship with their customers. It is assumed that once the bank has an existing relationship with another bank or a non-bank financial institution, the former relies on the latter's KYC policy for the latter's customers. The bank will subject its customer's customer to name screening only if there is a hit.

If the money remitter has high regard for or good control of AML and CTF risks based on the bank's assessment, the banks may be less stringent in investigating the credibility of the transactions and customers of the money remitter. If they entertain money remitters with acceptable risks (medium to high), the expectation is the bank has more stringent controls and conducts KYCC. Money remitters with very high AML and CTF risks should not be allowed to do business with the bank.

To assess the AML and CTF risks of a prospective bank customer or reassess the same risks of current customers, banks formulate their own criteria to determine the risks prevalent on the customer and whether they will accept, continue or not continue the relationship.

Due diligence

BSP explained that banks are required to apply customer due diligence for MSB-clients, based on their assessment of the risk profile of the MSB. This is referred to as risk-based customer due diligence, which means that a high-risk customer will warrant enhanced due diligence, while those posing normal or low risk will only require average and simplified or reduced due diligence, respectively.

Owing to the nature of the activities of an MSB, banks are required to have a risk management framework for dealing with their MSB-clients, such as analyzing their business models, reviewing their AML and CTF program and controls and monitoring of their transactions, among others.

BSP clarified that AML and CTF regulations are principles-based and requirements are applied on a risk-based approach. Each institution is given discretion to adopt its AML and CTF policies, procedures and controls based on its own risk and context.

“These were not crafted to provide one-size-fits-all set of rules because the ML/TF (money laundering and terrorist financing) risks that each bank, NBFI (non-bank financial institution) and MSB faces differ based on various factors, which may include asset size, business model, products and services offered, customer profile, delivery channels, and geographic location, among others,” the central bank said.

BSP also clarified that risk-based customer due diligence procedures are not equivalent to KYCC or conducting KYC on the customers of their customers. It is not a requirement for banks, the BSP said. Citing a Financial Action Task Force (FATF) 2015 statement, BSP said that the FATF standards did not require a KYCC approach to conducting customer due diligence. 

Regulations governing due diligence on MSBs are also provided in Section 923 of the MORB wherein covered persons, like banks, need to require MSBs to submit proof of registration with the BSP. MSB customers are also required to use company accounts for their remitting, foreign exchange dealing and money changing business.

More common before

Graham Barrow, a UK money laundering expert, said sending wires with no details about the source used to be a problem. The sheer number of banks fined for putting "stripped" wire payments (sender's details removed) through the U.S. system to avoid the Office of Foreign Assets Control filters showed how it was once commonplace.

But the advent of very large fines and more intrusive regulation has meant that, over the past few years, banks have become more careful. Still, there could be a large number of transactions with missing vital information or suspicious characteristics, which have, up to now, gone unnoticed.

Barrow has worked for a number of global and local banks, including HSBC and Deutsche Bank, to uncover gaps in compliance with anti-money laundering regulations.

What Barrow found concerning was the number of SARs filed by BNYM over a number of years as it was indicative of a system that tended to find problems after the fact.

“Because of confidentiality rules, the public will not hear about corrective actions,” he said.

STR, the PH SAR

The Anti-Money Laundering Act, as amended, requires covered institutions to file covered transaction reports (CTRs) for transactions exceeding P500,000. Suspicious transaction reports or STRs, the counterpart of SARs in the U.S., must also be filed if the transaction has no justified purpose; the client is not properly identified; the amount involved is not commensurate with the capacity of the client; or the transaction is in any way related to an unlawful activity or any money laundering activity or offense, among others.

Philrem’s owners, the spouses Salud and Michael Bautista, as well as its compliance officer Anthony A. Pelejo are facing money laundering charges for failing to report a CTR and a substantial STR in connection with the 2016 Bangladesh Bank heist.

PCIJ asked whether BSP and AMLC have investigated or looked into Philrem and Werquick prior to the Bangladesh Bank heist as the FinCEN files suggested that the two firms were among the entities with multiple SARs.

The AMLC said it “may not disclose such information due to its confidentiality.”

The BSP meanwhile said it had no access to SARs or any information that foreign financial intelligence units might provide to the AMLC.

While the U.S. and the Philippines may have different thresholds pertaining to the reporting of suspicious activities, the amounts flagged by BNYM were too large to be left unnoticed by the banks and the AMLC.

For example, in 2014 alone, BNYM flagged $143.68 million worth of transactions for Philrem. AMLC’s annual report put the value of STRs recorded by AMLC in 2014 from all covered institutions at $29.16 million, or P1.3 billion using the conversion $1.00=P44.70.

The CTRs and STRs that need to be filed with the AMLC are confidential. PCIJ asked AMLC to indicate whether BDO, RCBC and Metrobank had filed such reports on Philrem and Werquick, or whether Philrem and Werquick had filed them on their clients.

The AMLC again said that it could not disclose such information due to its confidentiality.

PCIJ also asked BSP if it had encountered cases wherein the banks mentioned in the FinCEN reports did not verify the sender and receiver of wire transfers.

The BSP did not provide details, but it clarified that banks are given discretion to adopt their AML and CTF policies, procedures and controls based on their own risk assessments and business context. In determining the risk profile of originators and beneficiaries, banks may adopt measures prescribed in the MORB or add their own to satisfy their risk appetite in dealing with clients.

Post-heist measures

The Bangladesh Bank heist triggered the issuance of new financial regulations.

Casinos became covered persons under the ambit of the AMLC. Before the heist, casinos were not required to conduct KYC of their customers or report suspicious and covered transactions to the AMLC. 

AMLC likewise reorganized and created a compliance and supervision group, which is in charge of enforcing AML rules and regulations. The Financial Intelligence Analysis Group, which handles STRs and CTRs, now has 30 to 40 staff compared with just nine back in 2017. 

AMLC also adopted an “inverted triangle” approach to supervision. At the top, the AMLC is in one corner and the supervising authorities, such as the BSP, are in the other. The AMLC supposedly ensures that supervising authorities comply with their duties over covered persons on AML and CTF matters. At the bottom of the “inverted triangle” are the covered institutions, who are primarily responsible for AML and CTF compliance.

Independent of AMLC, BSP conducts risk-based supervisory activities, which comprise both offsite supervision and onsite examinations on both banks and MSBs, among other BSP-supervised financial institutions. 

In 2017, the BSP issued Circular No. 942, an updated framework aimed at enhancing the central bank’s oversight over the operations of MSBs. BSP implements the “network approach” in MSB supervision, wherein an entity that operates an MSB, especially a remittance business, shall be held responsible for monitoring the operations of its remittance network in terms of their compliance with relevant rules. 

Westpac, Wirecard, what’s next?

The Philippines continues to attract financial crime with its involvement in scandals like the Westpac money-laundering and child exploitation breaches in 2019, the Wirecard fraud in June 2020, and more recently, the cybertheft of P167 million from state-owned UCPB.

Barrow, the U.K. money laundering expert, explained that one of the major differences between the bank heist and most money-laundering schemes was that the former was the result of a hack, so it was a type of activity not seen before. This made it difficult for the banks to take pre-emptive action. The heist prompted all major banks to look again at their systems and controls.

“It is a sad fact (but true) that it often takes a large and newsworthy event like this for banks to understand the potential loopholes in their systems and how they can be exploited,” Barrow said. “The criminals, on the other hand, spend all of their time looking for them and often corrupt or bribe bank employees to help.”

Barrow said the Philippines would likely continue to attract financial crime for a number of reasons. It has a well-developed regional financial services sector, but the local regulator may not be seen to be very assertive or punitive in dealing with transgressions. Put alongside a still largely cash-based economy and a thriving casino and gaming industry, the Philippines is an attractive venue for criminals to use as a throughput destination, meaning the money will be washed here but will flow elsewhere.

For Cutler, Philippine laws and regulations were adequate. Fraud and money laundering still happen even in countries with robust laws like Germany in the case of Wirecard and Australia in the case of Westpac.

Following the discovery of the 2016 heist, banks seemed to be relieved that only one bank was caught up. Banks, he noted, tended to blame “rogue” mid-level people for massive fraud, and not senior management. 

“The financial institutions themselves need to take a stronger role in ‘compliance beyond the checkmark’ on an audit sheet,” Cutler said. “There appears to be a culture of ‘apparent compliance’ rather than true compliance.”

Cutler said good oversight should include strong financial Augmented Intelligence (AI) with strong “machine learning” that evolves as the criminal behaviors evolve.

“A single bank is important to watch over its own system, and ensure it is effective. But a single bank won't see what's going on in other banks. BSP and AMLC must do that for systemic protection. It requires AI to help,” he said.

Barrow said a more assertive regulator would be a big step in the right direction: one that ensures local financial institutions don't just have good written policies and procedures but actively put them into practice, remove suspicious customers, file SARs and have agile and responsive monitoring systems.

Good examples could be found in countries like the Netherlands and Denmark, which had fined large banks and where the government, regulators and the banks work together against financial crime, he said.

Former internal revenue commissioner Kim Jacinto-Henares said the Philippines would continue to attract financial crime primarily because of the bank secrecy rules. 

Enacted in 1955, Republic Act No. 1405 or the Bank Secrecy Law was passed to encourage individuals to deposit their money in banks instead of privately hoarding it. The policy of the government at the time was to have money “properly utilized by banks in authorized loans to assist in the economic development of the country.”

But the law, Henares said, made it hard to investigate financial criminal activity.

The one-page law states that all deposits are confidential in nature and may not be examined or inquired into by anyone, even government offices, except with the written permission of the depositor, or if the deposit is the subject of a case or litigation.

Measures that seek to ease bank secrecy restrictions have been filed in the House of Representatives and the Senate. But Henares said lifting the bank secrecy law did not seem “realistic” as it would mean forcing public officials to disclose their bank deposits.

Capacity

The Anti-Money Laundering Council can examine bank accounts pursuant to a court order or if there is probable cause that the deposits are related to certain crimes. But the capacity of the AMLC has long been in question.

Cutler said the BSP and AMLC have “decent policies and goals.” However, inadequate technology and staffing levels of both the BSP and AMLC prevent them from conducting proper oversight and monitoring of the banking and financial system of the Philippines in a globally active context. 

Cutler noted that AMLC is both a regulator and a financial intelligence unit. Unlike financial watchdogs in other jurisdictions, AMLC is a hybrid financial intelligence unit that is able to investigate and prosecute complaints for money laundering.

It has a lot of power, Cutler said, but lack of resources hindered its work.

“AMLC has a massive amount of data flooding into it daily. But how to take this data and make sense of it?” Cutler asked. 

The volume of STRs has also increased. Between 2012 and 2018, for instance, the number of STRs jumped to 491,717 from 17,711.

Despite the significant increase in workload, the number of AMLC staff has not substantially increased (although new people were hired in recent years). This leaves an agency that employs just 146 workers, including 30 to 40 staff in the financial intelligence analysis group, grappling with more than 9,000 reports of suspicious financial activity every week. The council’s total manpower plantilla is 254.

Infographic by Alexandra Paredes/PCIJ

A study that reviewed the quality of STRs submitted to AMLC showed that almost half of the 132,306 reports submitted in 2016 did not have sufficient information that would warrant further analysis and investigation. AMLC recommended reinforcing its Registration and Reporting Guidelines, specifically on how to properly narrate details of circumstances of suspicious transactions.

Asked about how AMLC staff are able to read and act on all STRs received, the council said that not all STRs are processed. Due to the high volume of reports received, the council employs a risk-based prioritization system, which involves generating STR-based alerts, acting as triggers for the AMLC to conduct financial intelligence analysis. STR-triggered analyses are then disseminated as intelligence briefs or information transmittal sheets to law enforcement agencies, foreign financial intelligence units, and other units to support and assist investigations.

Intelligence briefs and information transmittal sheets are among the council’s proactive intelligence reports shared to authorized end-users. It does not wait for any request for information from any government office or law enforcement agency, the AMLC said.

In its latest annual report covering the years 2017 to 2018, the AMLC disclosed that it had filed only 10 money-laundering complaints with the Department of Justice and the Office of the Ombudsman and two cases with the regional trial courts.

--With research and reporting by Angelica Carballo Pago, Stanley Buenafe Gajete, Robert JA Basilio Jr., Rex David Morales and Pia Tuan, PCIJ, September 2020