Cases related to the cyber-heist that exposed the vulnerability of the country’s financial system remain pending. Who got sued and who got cleared?
By Nancy C. Carvajal, Rex David Morales and Angelica Carballo Pago
Philippine Center for Investigative Journalism
It was the stuff of Hollywood suspense.
One weekend in early February 2016, the central bank of impoverished Bangladesh found $81,001,662.12 missing from its account with the Federal Reserve Bank of New York.
The stolen funds found their way into a major Philippine bank, converted into pesos by remittance companies, and disappeared in Manila’s smoky casinos.
More than four years later, only $15 million has been recovered and only one person, Maia Deguito, the manager of the Jupiter Street, Makati branch of Rizal Commercial Banking Corp. (RCBC), has been convicted.
Executives of one of the remittance companies implicated in the heist, Philrem Service Corp. or Philrem, the subject of a number of Suspicious Activity Reports filed with U.S. financial authorities, were only recently indicted for money laundering.
Prosecutors, however, cleared casino junket operators Kam Sin Wong, president of Eastern Hawaii Leisure Co., and Weikang Xu, for lack of evidence.
No one was looking
The timing of the cyber-heist was elaborate. No one was looking — Bangladesh Bank was shut down for the weekend and it was Chinese New Year in Manila.
Hackers were said to have deployed malware and sent fraudulent requests to the Federal Reserve Bank of New York using the SWIFT (Society for Worldwide Interbank Financial Telecommunication) accounts of Bangladesh Bank employees, asking central bank funds to be transferred to bank accounts in different Asian countries, including the Philippines, where the money was laundered.
The transactions, worth over $1 billion, were eventually halted, but not before $101 million were successfully transferred, of which $81 million went to the Philippines.
The funds were transferred into four accounts at the Jupiter Street branch of RCBC, a mid-sized lender. The accounts, under the names of Alfred Santos Vergara, Michael Francisco Cruz, Enrico Teodoro Vasquez and Jessie Lagrosas, were all fictitious accounts, according to the Department of Justice (DOJ).
The accounts were opened in May 2015, a year before the heist, and remained dormant until the transfer in 2016. The Vergara, Cruz, Vasquez, and Lagrosas accounts received $19.9 million, $6 million, $25 million and $30 million, respectively.
On the day of the transfer, an account was opened for “William Go DBA Centurytex Trading,” and received $22.73 million from the Lagrosas account.
The money was converted into pesos by Philrem and other remittance companies, and distributed to the bank accounts of Weikang Xu, Eastern Hawaii Leisure Co., operator of Midas Hotel and Casino, and Bloomberry Resorts and Hotels Inc., which holds the gaming license of Solaire Resorts and Casino.
Deguito, the RCBC branch manager, was found guilty of eight counts of money laundering on Jan. 10, 2019.
Also in March 2016, the Anti-Money Laundering Council (AMLC) filed a complaint against casino junket operators Kam Sin Wong and Weikang Xu, alleging that they should have flagged the funds transferred to their accounts as suspicious or stolen. The cases were dismissed by DOJ, citing lack of proof.
“Although a substantial portion of the money … ended up with respondents Kam Sin Wong and Weikang Xu, there is not enough evidence to establish that they had knowledge of the nature of the subject funds,” the DOJ resolution obtained by the Philippine Center for Investigative Journalism (PCIJ) stated.
Wong returned $4.6 million and P450 million in cash to authorities and testified before the Senate that he did not know the money remitted through Philrem came from illegal sources. He claimed that it was casino debt paid by a client.
Go denied ownership of the RCBC account and claimed his signature in the bank application forms was forged.
The cyber-heist led to the resignation of RCBC President and CEO Lorenzo Tan in 2016, after he was cleared of any involvement in the heist by an RCBC internal investigation.
In 2019, the DOJ filed money-laundering charges against RCBC executives Raul Victor Tan, Romualdo Agarrado, Brigitte Capiña, Ismael Reyes and Angela Ruth Torres for failing to stop the transactions.
Bangladesh Bank continues to run after those involved in the heist. In March 2020, a federal court in New York dismissed the charges filed by Bangladesh Bank against RCBC, Wong’s Eastern Hawaii Leisure Co. Ltd., Centurytex Trading and Philrem. The bank appealed to the U.S. Circuit Court of Appeals in April.
In June, Bangladesh Bank filed new cases against 17 companies from the Philippines allegedly involved in the heist, including Bloomberry Resorts and Hotels Inc., which said it would “defend itself against the baseless charges.”
Charges vs Philrem execs revived
Philrem executives Michael and Salud Bautista were also accused of money laundering by the DOJ’s anti-money laundering task force in April 2017, but the charges were dropped five months later on the basis of the finding that they submitted a suspicious transaction report (STR).
In a resolution promulgated on Dec. 12, 2019 and released to the media in January 2020, the DOJ changed course and ordered the filing of charges against spouses Michael and Salud Bautista, owners of Philrem, and compliance officer Anthony Pelejo.
“Since Philrem Service Corporation is a covered institution under Republic Act No. 9160, as amended, its responsible officers are and should be charged with full knowledge of the corporation’s legal obligations. That the suspicious transaction report said so little despite what the law very clearly required, betrays an attempt on the part of the corporation’s responsible officers to conceal what is, in truth, a very irregular, if not downright illegal transaction,” the DOJ said.
The public got a glimpse of Philrem’s lucrative operations in public hearings conducted by the Senate Blue Ribbon Committee in the 16th Congress, chaired by Sen. Teofisto Guingona III.
At the beginning of the probe, Philrem treasurer Salud Bautista claimed the company could have earned only P500 from the transactions involving the stolen money, as the remittance charge for overseas Filipino workers, who composed the bulk of their clients, was only P50 per transaction.
Upon the prodding of Sen. Sergio Osmeña III, Philrem admitted it had earned a little over P10 million or roughly $209,000, which, it said, would be returned to the Bangladesh government.
On June 1, 2016, the Bangko Sentral ng Pilipinas (BSP) revoked the permits of three remittance and foreign exchange dealers — Philrem, Werquick Inc. and Peso Remittance Express, Inc.
An anti-fraud investigator who was part of the National Bureau of Investigation team that conducted a separate investigation on the cyber-heist told PCIJ, “the Philrem business is so lucrative, that it is unlikely that the firm will cease its operations.”
May 2015 – More than a year before the heist, U.S. dollar bank accounts under the names of Alfred Santos Vergara, Michael Francisco Cruz, Enrico Teodoro Vasquez, and Jessie Lagrosas are opened at RCBC Jupiter Street Branch, and left dormant.
4 February 2016 – An unauthorized user issues 35 Bangladesh Bank SWIFT payment instructions to the Federal Reserve Bank of New York involving $951 million.
5 February 2016 – At midnight, $81 million worth of funds from the central bank of Bangladesh are transferred to four different accounts in RCBC Jupiter Street Branch through its account in the Federal Reserve Bank of New York, using SWIFT identifications.
The money is transferred to the fictitious Vergara, Cruz, Vasquez and Lagrosas accounts.
An account for “William Go DBA Centurytex Trading” is opened on the same day and receives $22.73 million, which was withdrawn from the Lagrosas account.
8 February 2016 – At about 5:00 p.m., top RCBC officials were alerted by the AMLC about the fraudulent transfers after being informed by Bangladesh Bank.
9 February 2016 – RCBC freezes the Vergara, Cruz, Vasquez, Lagrosas and the Go-Centurytex accounts. It was too late, as over-the-counter withdrawals were made on the accounts hours after the stolen funds were credited and even after the bank ordered a freeze, a bank employee later told a Senate inquiry.
A total of $58.1 million is withdrawn over the counter from the four fictitious accounts, with $42.9 million deposited to the account of Go and Centurytex, by way of three cash deposit slips signed by Deguito. This brings to $65.7 million the amount deposited to this account.
Also, $13 million is deposited to an RCBC account of Abba Currency Exchange, Inc., which transferred the same amount to the Philrem RCBC Pasig account on Feb. 11.
Another $15.2 million is credited to the account of Philrem in RCBC Greenhills. On Feb. 5, 9 and 10, $52.7 million worth of funds are transferred to the Greenhills account. A total of $80.9 million is received by Philrem through various accounts and sources.
05-13 February 2016 – The accounts of Weikang Xu, Eastern Hawaii Leisure Co. and Bloomberry Resorts and Hotels Inc. receive money converted into pesos from remittance company Philrem.
17 February 2016 – The AMLC compliance officer reports the account of Go and Centurytex to have been used for suspicious transactions.
Go supposedly ordered Philrem to remit the total amount of $80.9 million to recipients including Bloomberry Hotel and Resorts Inc. ($29 million) and Eastern Hawaii Leisure Co. Ltd. ($21.2 million) owned by Wong.
Philrem delivers $18 million and P600 million pesos in cash to Weikang Xu in one of the casinos on Roxas Boulevard.
19 February 2016 – Accounts of and related to Weikang Xu, Solaire and Eastern Hawaii Leisure Co. are investigated by the AMLC.
15 March 2016 – The AMLC files money-laundering charges against Deguito and the holders of the four fictitious RCBC accounts before the DOJ.
22 March 2016 – Junket operators Kam Sin Wong and Weikang Xu are charged by the AMLC.
5 August 2016 – The BSP slaps RCBC with a record P1-billion fine after a probe into the heist.
November 2016 – Six employees, including the former treasurer of RCBC, are named by the AMLC in a money laundering complaint filed with the DOJ. The investigation takes three years, and on May 22, 2019, the DOJ charges bank executives Raul Victor Tan, Romualdo Agarrado, Brigitte Capiña, Ismael Reyes and Angela Ruth Torres. Nestor Pineda, a sales director, was cleared.
24 August 2017 – Philrem executives Michael and Salud Bautista, as well as Kam Sin Wong and Weikang Xu, are cleared of money laundering complaints by the DOJ. Philrem was found to have complied with the rules by filing suspicious transaction reports with the AMLC. Only Maia Deguito, RCBC Jupiter Street branch manager, and the four fictitious RCBC account holders are brought to court.
December 2017 – RCBC accuses Bangladesh Central Bank of a coverup for refusing to divulge the findings of an internal investigation.
10 January 2019 – Deguito is found guilty by the Makati Regional Trial Court of eight counts of money laundering, with each count punishable by four to seven years in prison. She was also asked to pay $109 million in fines.
28 January 2019 – Deguito appeals the court ruling.
31 January 2019 – The Bangladesh central bank files charges against RCBC and some of its officers before a US court in New York. RCBC claims it was a “political stunt.”
12 December 2019 – The DOJ reverses its 2017 resolution and charges the Philrem owners with four counts of money laundering.
06 March 2020 – RCBC files a defamation case against Bangladesh Bank in the Makati City Regional Trial Court, which RCBC says is meant to counter the central bank’s “political stunts.”
23 March 2020 – The money laundering case filed by the Bangladesh Bank in 2019 against RCBC, Eastern Hawaii Leisure Co. Ltd., Centurytex Trading and Philrem is dismissed by the New York court.
June 2020 – Bangladesh Bank files new charges against 17 Philippine-based companies, including RCBC and Bloomberry Resorts and Hotels Inc., which operates the Solaire casino. The charges include conversion, theft, misappropriation, aiding and abetting, conspiracy to commit fraud, trespass against chattels, and unjust enrichment. –PCIJ, September 2020
- SWIFT or the Society for Worldwide Interbank Financial Telecommunications is a global cooperative that operates the financial communication network of member banks around the world.
- Of the $101 million that was stolen from the Bangladesh Central Bank, $20 million was sent to Pan Asia Bank in Sri Lanka. The amount has been recovered.
- Junket operators work with casinos to help them attract wealthy, VIP customers.