RCBC Scandal: The Bangladesh Bank Cyber Heist


One of the oldest and most established commercial banks in the Philippines became embroiled in a controversial transnational banking heist in 2016. Unidentified hackers tried to illegally transfer close to USD 1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank to different banks. The hackers were able to transfer USD 101 million to various banks. From this amount, investigators were able to trace USD 81 million to Rizal Commercial Banking Corporation or RCBC.

Background of the Bangladesh Bank Cyber Heist

In February 2016, hackers issued 35 unauthorized instructions via the SWIFT global payment network in an attempt to illegally transfer close to USD 1 billion from a Federal Reserve Bank of New York account belonging to Bangladesh Bank.

Only five of the 35 instructions were successful. However, the hackers were still able to transfer USD 101 million to other banks in other countries. Investigators were able to trace USD 20 million to Sri Lanka and the remaining USD 81 million to the Philippines.

Take note that the Bangladesh Bank is the central bank of Bangladesh. It has maintained an account with the Federal Reserve Bank of New York as part of its function in managing the international reserves of its country.

The incident has been dubbed the Bangladesh Bank Robbery or the Bangladesh Bank Cyber Heist of 2016. It highlighted the threat of cyber attacks to governments and private institutions, most notably national and commercial financial institutions.

Involvement of Rizal Commercial Banking Corporation

A report by the Philippine Daily Inquirer or PDI revealed that the USD 81 million transferred to the Philippines landed in five separate accounts with RCBC in its Jupiter Street branch in Makati. Once under these accounts, the funds were transferred to Philrem Service Corporation, a foreign exchange broker, to be converted into Philippine pesos.

The converted funds amounting to close to PhP 3.7 billion were consolidated and went back to RCBC under the bank account of a Filipino-Chinese businessperson named William Go. The PDI explained further that the money was converted later into casino chips through three casino establishments: Solaire Resort and Casino, City of Dreams, and Midas Hotel and Casino. These chips were subsequently converted back to cash and remitted to accounts in Hong Kong.

An official from RCBC told media reporters that they filed a suspicious transaction report with the Anti-Money Laundering Council or AMLC once they became aware of the transactions. This particular report alerted financial regulators.

However, investigators scrutinized the degree of accountability of RCBC. For starters, investigations revealed that the five RCBC bank accounts were under fake identities. Branch manager Maia Santos Deguito was under fire for failing to verify the legitimacy of the five ID documents presented to her, as well as for allowing the creation of the corresponding accounts.

Deguito issued a statement alleging that the top management of RCBC was aware of the transactions at every stage. The same PDI report noted that her representative showed documents to substantiate the allegation.

The RCBC management quickly denied the allegation. It launched its own internal investigation in cooperation with the AMLC and Bangko Sentral ng Pilipinas. The Senate of the Philippines also launched its probe while the Philippine Amusement and Gaming Corporation investigated the involved casino establishments.

Note that Go also hit back at RCBC and Deguito. Apart from denying any link to the Bangladesh Bank Cyber Heist, specifically to the money laundered in the Philippines, his affidavit sent to the National Bureau of Investigation mentioned that Deguito contacted him and disclosed that she opened bank accounts without his knowledge.

Results of the Investigations and Charges Against Deguito

Investigations revealed further that Deguito opened four accounts in May 2015 under the names of Enrico Vasquez, Alfred Vergara, Michael Cruz, and Jessie Christopher Lagrosas, each containing a USD 500 deposit. These accounts remained untouched until 4 February 2016. Note that Deguito also opened an account for Go in that same year.

Both the Senate and financial regulators of the Philippines described the entire incident as the biggest case of bank robbery and money laundering in history.

Deguito was charged in 2018 by the Department of Justice or DOJ. However, the same department cleared casino boss Kim Wong and junket operator Weikang Xu. Note that Wong returned at least USD 15 million of the money that landed in casino accounts. The DOJ also cleared Philrem Service Corporation.

On 10 January 2019, the Makati Regional Trial Court Branch 149 held Deguito guilty of eight counts of money laundering. Judge Cesar Untalan specifically sentenced her to four to seven years in prison for each of the eight counts. The court also ordered Deguito to pay a fine of USD 109 million.

The Impacts of the Bangladesh Bank Cyber Heist Controversy

Aside from the fact that the entire Bangladesh Bank Cyber Heist revitalized concern over cybersecurity, and the risk of cyber attacks to government and private institutions, the involvement of RCBC, local financial institutions, and local casino establishments raised more specific concerns.

The incident demonstrated the weakness of the anti-money laundering laws of the Philippines. Note that lawmakers excluded casinos from the roster of organizations required to report to the AMLC regarding suspicious transactions.

Due to the shortcomings of existing laws and the lapses of involved parties, the country barely escaped the blacklist maintained and enforced by the Financial Action Task Force on Money Laundering.

On 14 June 2017, President Rodrigo Duterte signed Republic Act No. 10927, which amended Republic Act No. 9160 or the Anti-Money Laundering Act of 2001. The new law brought casinos under its coverage, thus placing these establishments under the regulation of the AMLC and requiring them to report suspicious transactions.


  • Dela Paz, C. 2016, 11 March. “Ex-S&R Owner to Sue RCBC Manager Over Heist.” Rappler.
  • Lucas, D. L. 2016, 29 February. “$100-M Laundering via PH Banks, Casinos, Probed.” The Philippine Daily Inquirer.
  • Lucas, D. L. 2016, 9 March. “PH Blocks $870M Stolen From Bangladesh.” The Philippine Daily Inquirer.