In Mexico, bankers may make fraud your problem
Customers who saw their Internet accounts fraudulently drained say they lost every cent.
By DAVID ADAMS and GINA MANFREDO
Published June 17, 2006
MEXICO CITY — One morning last July Alejandro Sanchez got a worried phone call from the branch manager at his bank.
There had been some unusual activity on his account.
“She asked if I had made some transfers,” said Sanchez, 46. “She told me not to worry and she would call me back.”
A few hours later somber bank officials showed up at his office to advise him that his company accounts, totaling almost $300,000, had been temporarily blocked for security reasons. Sanchez says he was assured it was all “a misunderstanding.”
It wasn’t until a week later that the bank told him he had been a victim of Internet fraud. All his money was gone.
But the bank still insisted he shouldn’t worry. “They said it was being investigated and I would get my money back,” said Sanchez, a father of three and the Mexico representative for a large North Carolina electrical engineering firm, Reliance Electric.
But almost a year later Sanchez hasn’t seen a cent. And his bank — Spanish-owned BBVA Bancomer and Latin America’s second-largest financial institution — says he won’t get any.
Such is the fate, it seems, of Mexican victims of online bank fraud. Whereas banks in the United States and Europe guarantee the security of client accounts, in Mexico the rules are reversed.
“The banks simply deny any responsibility,” said Enrique Arias, director of financial analysis for the National Commission for the Protection and Defense of Financial Service Users, CONDUSEF. “Unfortunately there is a lack of regulation and clients have little recourse.”
In recent months dozens of cases have appeared in the Mexican press and on an Internet Web site decrying online fraud. Banking authorities admit there is a problem, with losses in the millions of dollars. But so far little is being done to address it, or to help victims retrieve their funds.
“It’s a case of benign neglect,” said Tom Cash, a business intelligence expert with Kroll, a U.S. risk consultancy company that has advised a number of banks in Mexico. “Absent a customer backlash, they are going to continue looking at it with indifference.”
Customers are now beginning to speak out, as well as file a number of lawsuits against two foreign-owned banks, Santander Serfin and BBVA Bancomer.
One victim, Jose Luis Rojo y Arabi, a gruff former Mexican police commander, is organizing a group of complainants in a class-action lawsuit seeking to have the banks thrown out of Mexico.
“We are not going to win,” said Rojo y Arabi, who heads a private security firm specializing in rooting out corruption. “But we are going to kick up such a storm of bad publicity that everyone is going to get their money back.”
He is seething after someone fraudulently withdrew about $25,000 from his BBVA Bancomer accounts over two days in February. The bank insinuated his company’s long-serving accountant was responsible. After she passed a lie detector test, Royo y Arabi is convinced the fraud was carried out hackers in cahoots with bank staff.
“The bank doesn’t seem to care,” he said. “They behave like they are at the beach, happy as clams.”
Ivan Forcada, a 30-year-old self-employed civil engineer, lost almost $5,000 from his account at BBVA Bancomer and can’t afford attorney fees.
Forcada was saving up to buy a car when he discovered four fraudulent transfers, including $300 cash drawn on his bank credit card. The bank turned down his claim and recently wrote him a letter informing him that he now owes $400 interest on the credit card debt. He says he has also been threatened with a lien on his house if he doesn’t pay.
“They treat you as if you are the one committing fraud, or else as a careless idiot for not looking after your password,” he said. “But it’s their internal controls that failed.”
Forcada and others say a lack of regulation in Mexico has left the Internet banking system hopelessly vulnerable to fraud, while banks make millions promoting it to their clients as a fail-safe and convenient way to handle money.
The truth, they say, is that some — though not all — Mexican banks have failed to invest sufficiently in proper security systems and fire walls since online banking was introduced in that country about six years ago. Banks also rely on sloppy employment practices, including outsourcing many jobs to temporary employees over whom they exercise little control.
Arias, 36, a former bank auditor, says banks typically hide behind bank secrecy laws to avoid divulging information that might incriminate their staff. When staff members are caught, banks reportedly prefer not to prosecute in return for at least partial recovery of the stolen funds. Analysts say banks seek to limit damage to their reputations, which could undermine public confidence and cause a run on the bank’s assets.
But critics say that policy may prove counterproductive in the long run if not enough is done to bring fraud under control. For example, banks are eager to sign up anyone who comes in the door, but fail to check the personal information of new clients, creating a hackers paradise, Arias said.
Online banking is expanding rapidly in Mexico, proving lucrative for the banks. In 2005, transactions via Internet tripled from 13.3-million to 42-million, according to the Bank of Mexico.
Officially, Mexican police acknowledge only $2-million in reported cases of online bank fraud. But CONDUSEF estimates the figure to be as high as $600-million, affecting as many as one in 3,000 accounts.
The largest known case involves $1.2-million being contested in court, involving Banamex, a U.S.-owned bank, and a stock market trading company, according to local media reports.
“In Mexico, nothing happens,” said Cristina Ramirez, a former top bank executive at Chase Manhattan, who saw $100,000 disappear from her account the day after Christmas. “It comes out in the press and no one pays any interest. People here are used to getting (cheated) and not being able to defend themselves.”
Analysts say the worst offenders are the big Spanish banks, Santander and BBVA, which have busily gobbled up banks in this hemisphere in recent years. They recently began moving into the U.S. market. BBVA last week announced a major acquisition in Texas, making it that state’s fourth-largest bank.
Citibank subsidiary Banamex has also been hit hard by fraud, but in most cases the bank accepted responsibility and reimbursed clients. Other smaller Mexican banks have also adopted rigorous security and reportedly have a far lower rate of fraud. One bank, Ixe, even installs special security devices on home computers to protect users.
Santander declined requests for an interview. In a written response to questions, BBVA said it does offer fraud guarantee to its clients, as well as special antifraud services, including a system whereby a client can request that he be advised by cellular text messaging of any transaction over a certain amount.
But the bank denied it was at fault, instead asserting that online fraud targeted “the weakest link in the chain: the client.”
In most cases the victims were long-time bank customers, with “preferred client” status. Typically the fraud took place either at the weekend or after hours. The fraudulent transfers were also wildly at variance with the clients’ normal account activity, but the banks took no action to intervene.
Alejandro Sanchez said it wasn’t until 40 days after the fraud on his accounts that BBVA Bancomer informed him that his money could not be retrieved.
“I nearly fell off my chair,” he said.
BBVA Bancomer gave Sanchez a letter saying that the missing money had been transferred by use of his confidential password, which the bank said was “the exclusive knowledge of the account holder.”
It went on: “We regret to inform you that the operations were carried out without the responsibility of the (banking) institution.”
The bank later contacted him to say it had recovered about $50,000. But the bank refused to give it to him until he sign a letter waiving any legal claim against the banks over the outstanding amount.
“I told them to go to hell,” he said.
Meanwhile, Mexican authorities are studying bank reform. A new bank law approved by Congress in March was six years in the making. But analysts say it is already out of date and doesn’t tackle bank secrecy issues.
While the law does force banks to give up information about the destination of fraudulent transfers, Arias says it does not go far enough.
For instance, banks are not required to provide the names of staff who handled accounts hit by fraud, or the times they had access.
On the positive side, banks must now warn clients about the risks of online banking, as well as updating their security systems.
The new rules “will make the use of Internet banking in Mexico one of the safest in the world,” said Carlos Marmolejo, a spokesman for the Banking Commission.
But Sanchez and the other victims aren’t holding their breath. All have either switched banks or stopped accessing their accounts online.
“They expect us to deposit our money and our faith in banks,” he said. “But the way things are, we might be better off going back to the days when we kept our money under the mattress.”
Times Latin America correspondent David Adams can be contacted at email@example.com. Gina Manfredo is a freelance reporter based in Mexico City.