DESPITE changes in the past two decades where technology transformed the efficiency, speed, and complexity of financial instruments driving the financial sector, it appears that CIMB is continuously plagued by hiccups in its IT systems.

Much has already been written and said about this issue. The public is both surprised and shocked by what they hear and read regarding this latest incident.

CIMB has now admitted that a processing error related to a specific third party financial remittance service resulted in an unspecified number of customers’ accounts being credited twice with a duplicate amount, and that the money that was credited was drawn from the bank’s own account and not the sender’s. The bank has refused to confirm the number of accounts involved but unverified reports quoted a figure of 11,000.

This is not the result of a processing error or a few bad actors. It does not mean that everyone is at fault here. It is the result of human mistakes, misjudgments, and misdeeds that resulted in several systemic failures over the last few years for which the customers of the bank had paid dearly. Specific firms and individuals had acted irresponsibly.

CIMB was ill-prepared for this latest incident and its inconsistent response added to the uncertainty and panic of their customers. To the public, there appears to be a breakdown in accountability and ethics.

The integrity of our financial markets and the public’s trust in those markets are essential to the economic wellbeing of our nation. The soundness and the sustained prosperity of the financial system and our economy rely on fair dealing, responsibility, and transparency.

While we expect businesses and individuals to pursue profits, we expect that they produce products and services of quality and conduct themselves well.

We witness an erosion of standards of responsibility and ethics that stretched from base level to the highest level. This resulted in significant financial consequences and damage to the trust of investors, businesses, and the public in the CIMB group.

The vulnerabilities that created the potential for this latest incident were years in the making. This incident was the result of human inaction i.e. senior management’s ignorance of the terms and risks of the bank, not a software gone haywire.

The bank’s board and senior management ignored warnings and failed to question, understand, and manage evolving risks within a system essential to the wellbeing of the bank.

Many may have expressed the view that this latest incident could not have been foreseen or avoided. But warning signs were there. The tragedy was that they were ignored and discounted. There was pervasive permissiveness where little meaningful action was taken to address the warning signs in a timely manner.

CIMB’s history of failures over the years:

1. December 17, 2018 – Though CIMB denies it, the bank suffered a security breach on its CIMB Clicks application. On Sept 4, 2019, the bank acknowledged and assured their customers that their data remained intact despite the technical issues that affected some of its systems.

2. April 9, 2020 – The bank publicly reassured their customers that their data remained secured while concurrently denied any suspicious activity on its platforms after a viral WhatsApp message claimed Zoom was to blamed for the direct debit issue that had affected some customers. The bank went on to confirm that the direct debit transactions were legitimate purchases made by customers for online services.

3. September 2, 2020 – A system outage resulted in customers unable to make online credit card transactions. On Sept 14, 2021, several of the bank’s online and offline services such as CIMB Clicks mobile app, ATMs, cash deposit machines (CDM’s), as well as in-store card payments (debit and credit) saw interruption throughout the day.

4. February 9, 2021 – CIMB Clicks app became unavailable due to technical issues.

5. October 28, 2021 – Technical issues disrupted the bank’s market-making activities on all structured warrants on the KLCI.

6. December 30, 2021 – Operations in Singapore were not spared as the banking service there was reported to be down for 3 whole days.

All these incidents were avoidable only if the “sentries” had been at their posts. Every time an incident happened, the standard response from CIMB would be them stating that they operate within strict security guidelines and adherence to all regulatory, legal, compliance, and risk requirements.

The public do place special responsibility with the existing bank regulators and those entrusted to run the regulatory agencies with protecting our financial system. Individuals such as the CEO and the senior management sought and accepted positions of significant responsibility and obligation at the bank. Tone at the top does matter, and in this instance, the people that were let down was the public. No one said “No”, resulting in a series of failures leading to customers of the bank having to suffer and pay for the bank’s callousness.

Existing bank regulators and regulating agencies not only failed to safeguard the bank’s customers, they “willfully” ignored the mounting dangers. The public do not accept the view that regulators lack the power to protect the financial system. They had ample power in many areas but they chose not to use it.

Shareholders complained, with justification, of executives who pocketed staggering paychecks while delivering mediocre results. In CIMB’s 2020 Annual Report, where it detailed components of employee remuneration, the approach the bank took for the fixed component of each employee’s remuneration was determined based on skills, competencies, responsibilities and performance of the employee, taking into consideration market competitive levels. For each employee, performance was tracked through KPIs in a balanced scorecard, which included amongst others, measures on customer experience, risk management and process controls.

According to said Annual Report, the Group CEO was paid an annual emolument of RM2.4 mil before other perks.

In this instance, does too big to fail mean too big to manage for CIMB? It would be of no surprise for the bank regulators and other regulating agencies if their examination revealed instances of governance breakdowns and irresponsibility on the part of CIMB.

It is clear that CIMB Bank has failed to live up to its responsibility. Even though the internal investigation and those conducted by the banking regulators might conclude that CIMB have lived up to their legal obligations, the public and the customers of the bank believe that it is best for all parties that those responsible for the series of incidents resign. As for the CEO, he has to take full responsibility for the things that took place in the bank and it should be clear to him that resigning would be the right thing to do.

It is clear that there are profound lapses in regulatory oversight and despite the series of incidents over the last 4 years, the bank is still ill prepared.

The greatest tragedy would be to accept the refrain that no one could have seen this coming and thus nothing could have been done. If the banking regulators accept this notion, it will happen again.

As of June 2021, approximately 780,000 Malaysians are out of work, cannot find full-time work, or have given up looking for work. Numbers do not disclose how many families have lost their homes to foreclosure and may have slipped into the foreclosure process or are seriously behind on their mortgage payments. EPF accounts and life savings are already depleted pursuant to Covid. The flood in December 2021 compounded their misery wiping away the household wealth of thousands of families.

Many people who abided by all the pandemic regulations now find themselves out of work and uncertain about their future prospects. The impacts of this Covid and flood crisis are likely to be felt for a generation. And the nation faces no easy path to renewed economic strength.

Businesses, large and small, are feeling the sting of an impending recession. There is much anger about what has transpired, and justifiably so. – February 10, 2022.

* FLK reads the Malaysian Insight.

* This is the opinion of the writer or publication and does not necessarily represent the views of The Malaysian Insight. Article may be edited for brevity and clarity.