As you may recall, Agrobank stated that it was investigating an internal system incident but did not specify what the incident was about. A report now claims that the incident appears to be a coordinated attempt to siphon funds from the bank using hundreds of accounts, with suspected losses of up to RM165.75 million.
According to The Edge Malaysia, sources familiar with the investigation records allege that 718 accounts across 19 financial institutions, including banks and e-wallets, were involved. In an email response to the news outlet regarding the accuracy of the figures, namely the 718 accounts and RM165.75 million, Bank Negara Malaysia (BNM) said that “the affected institution has been working closely with BNM, law enforcement agencies and experts to investigate the matter, establish the root causes and recover lost funds.”
“Investigations so far reveal that no customer funds have been impacted, no customer data has been compromised, [and] all financial services, including mobile and internet banking, continue to operate normally,” BNM added. The statutory body also stated that the incident was isolated, posed “no imminent threat to the financial system”, and that both the banking and payment systems have been operating normally since it was first reported.
Industry sources said that Agrobank has its own internal payment system, which connects to the real-time retail payments platform (RRP). Payments Network Malaysia Sdn Bhd (PayNet) manages the RRP, an e-payment infrastructure.
“This system sends payment instructions, such as credit or debit [request], to PayNet to be channelled into other banks,” one of The Edge Malaysia’s sources said. “Each message includes the sender’s account information, the recipient’s account, the transaction amount and the verification code”.
Bank Negara owns 35.5% of PayNet, while a consortium of 11 Malaysian financial institutions holds the remaining shares. The central bank also stated that it will continue to monitor Agrobank’s response and corrective actions, ensuring that the safeguards in place are sufficient to protect the integrity of the broader financial system.
As per The Edge Malaysia’s report, some sources claim the bank was the victim of hacking, while others suggest that it fell for a scam or experienced a failure involving a third-party service provider. However, at the time of writing, the exact cause is still unknown.
Agrobank replied to The Edge Malaysia earlier in the month, stating that it can’t give a specific figure “while the ongoing internal assessment is still in progress”. The bank explained that the matter involves internal technical processes and is currently under comprehensive review as part of its standard governance procedures.
“In addition to the measures already communicated on Nov 13, we have begun strengthening our system monitoring capabilities, enhancing internal controls and engaging external system experts to conduct comprehensive audits,” Agrobank added. “It would be premature to assign accountability before the internal review is completed. Any necessary action will be taken in accordance with our governance and regulatory requirements.”
(Source: The Edge Malaysia)
