A vlogger recently shared a horrendous experience of losing hard-earned money from a bank account. Naturally, anyone in that situation would panic and immediately call the bank to investigate. This is where internal bank investigators come in after a report is filed with customer service. The author, who served in this role for five years under a US-based bank with operations in Asia, explains what happens behind the scenes.

BDO, in a statement, clarified that the recent incident posted by one of their depositors was a case of alleged account holder neglect. The bank explained that there was no internal security breach, but there was a password and device registration change along with a triggered One Time Pin (OTP) all on the same day. Since the pandemic, more people have adapted to cashless payments, and the use of online banking has been widely encouraged and accepted.

From 2020 onward, technologies have continued to evolve to prioritize both security and convenience while protecting account holders from cyberattacks and financial institutions from operational losses.

To simplify what happened, when one registers for an online banking account, aside from creating a username and password, most banking apps also bind with the devices registered. What does this mean? It means that the app installed and logged in on a device recognizes the phone’s model and other internal features, including biometric or PIN functions.

This ensures that an account can only be accessed on the registered device, in good faith, under the account holder’s supervision. Another requirement is a registered mobile number where OTPs are sent or generated. For added security, some banks provide a mobile token feature within their apps, allowing customers to generate OTPs even without internet access.

First line of defense

These app and website access features serve as a first layer of protection for account holders, though they remain vulnerable to evolving fraudulent attacks. To ensure accounts stay secure, never click unknown links, never share passwords, and always keep phones and banking apps safe.

The first layer is only part of the security system. Within banks, not all officers have access to transfer funds in and out of accounts.

Access is based on ranking thresholds and security clearances depending on their roles. Every action also leaves a digital footprint. Any click or view can be traced during a historical review to reveal the intention behind accessing an account.

Customers are also assigned internal risk levels. Transfers are not always easy to complete, as factors such as transfer limits, unusual account activity, recent password or device changes, and account holds can trigger alerts to both the account holder and the bank.

For password or device changes, there is often a holding period before transfers can be made, as the app needs to complete binding and embargo hours.

When a customer reports unauthorized transactions, cases are categorized as normal billing disputes, mass card network attacks, or fraud. Billing disputes are usually complaints against merchants or unsatisfactory services.

Mass card network attacks involve associations such as Visa, Mastercard, or AMEX. These are typically carried out by offshore syndicates hacking into Point of Sale (POS) systems or engaging in Bank Identification Number (BIN) fraud, where the first six to eight digits of card numbers are compromised and the Card Verification Value (CVV) bypassed through a system.

In the vlogger’s case, it was classified as fraud, which requires an internal investigation by the bank’s Fraud Management Unit.

The outcome may or may not be favorable to account holders, as each case is reviewed individually. In some instances, if it merits consideration, upper management may approve writing off the customer’s losses.

However, if the incident is determined to be negligence on the part of the account holder, the resolution usually involves filing a police report for an external investigation, with the hope of recovering the funds, or at least part of them.

Protecting accounts from fraud remains a shared responsibility between banks and their clients. Financial institutions continue to enhance security systems with multiple layers of protection, while account holders must stay cautious with personal information and devices. Although recovering lost funds is not always guaranteed, vigilance and prevention provide the strongest shield for safeguarding hard-earned money.