Bangladesh Bank Heist: How Secure Is the Banking System? – By Md. Hasanuzzaman
Bangladesh was deeply shocked by the news of the theft of $101 million (nearly 800 crore taka) from its central bank's foreign currency account with the Federal Reserve Bank of New York. Almost the entire amount was transferred online to the Philippines banking system, and a small portion of it to Sri Lanka, by suspected Chinese hackers on February 5. The incident took place at a time when Bangladesh’s banking system was trying to recover from recent ATM and credit card fraud.
Bangladesh Bank has around $28 billion in foreign currency reserve. Nearly one third of the reserve is in the form of liquid assets with the Federal Reserve Bank in the United States and the Bank of England. The rest is invested in bonds and gold.
According to BB officials, hackers stole the money from a BB account with the Federal Reserve Bank of New York on Feb. 5. Soon after the BB came to know about the hacking, it started working on the issue secretly. But the issue came to the fore after Inquirer.net, a leading news website in the Philippines, revealed that the funds laundered were those of a financial institution in Bangladesh.
Bangladesh’s government has publicly blamed the New York Fed for not spotting the suspicious transactions earlier. Bangladesh’s Finance Minister Abul Maal Abdul Muhith said it might launch legal action against the US body to help recover the money. The New York Fed said its system had not been breached by the hackers. It said in a statement that “to date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised.” The Federal Reserve Bank’s New York branch holds accounts for over 250 foreign banks, governments, and large financial institutions due to the bank’s high-end security measures.
If what the Federal Reserve has said holds true, in that there was no detected breach of their systems, “this means that there is also the real possibility of an inside job, with someone from inside Bangladesh’s central bank aiding the hackers.”
Hackers attempted to steal $1 billion from the Bangladesh central bank’s account with the Federal Reserve Bank of New York sometime between February 4 and 5, when Bangladesh Bank’s offices were closed. The perpetrators managed to compromise Bangladesh Bank’s system and gained access to the bank’s credentials for payment transfers, which they used to send about three dozen requests to the Federal Reserve Bank to transfer funds to Sri Lanka and the Philippines. An $850-870 million transfer was prevented by the banking system, but four requests by the hackers were granted; $81 million was transferred to the Philippines, entering the Southeast Asian country’s banking system on February 5, 2016. This money was later transferred to Hong Kong. Another request to transfer $20 million to Sri Lanka was granted.
The $20 million sent to Sri Lanka was intended by the hackers to be transferred to Shalika Foundation, a Sri Lanka-based nonprofit organization. The hackers misspelled “foundation” in their request to transfer the funds, spelling the word as “fandation”. This spelling error aroused the suspicion of Deutsche Bank, a routing bank, which put a halt to the transaction in question after seeking clarification from Bangladesh Bank. Shalika Foundation was not found in the list of registered Sri Lankan nonprofit organizations.
Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by Bangladesh Bank.
Under the system, to pay another party from its Federal Reserve Bank of New York (FRBNY) accounts, BB’s authorised officers, using their electronic signatures/pass codes, send an electronic advice to Deutsche Bank (BB’s correspondent bank in New York) over the Belgium-based secure messaging network of the Society for Worldwide Interbank Financial Telecommunication (SWIFT). It seems that Deutsche Bank and the FRBNY initially executed the transfer requests without manual due diligence (identification, reconciliation and confirmation). This means that Deutsche Bank’s automated system mechanically and instantaneously relayed BB’s payment/debit requests to the FRBNY using the Fedwire Funds Service (owned and operated by the Federal Reserve Banks). Since the payees were private individuals/NGOs, the payment orders were also routed to the Clearing House Interbank Payments System (CHIPS), a clearance and settlement system for large-value international transactions of public and private counterparties, owned and operated by some large banks in the US. CHIPS then automatically credited the funds to the payees’ banks (Rizal Commercial Banking Corporation or RCBC, Philippines, and Pan Asia Banking Corporation, Sri Lanka; possibly through their correspondent banks), and debited the FRBNY (which in turn debited BB’s account).
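The warning signs in this account (orders sent while the bank was closed, about three dozen requests at once, large payments to private payees, an unregistered nonprofit and the “fandation” misspelling) can be written as hold-for-review rules that run before an order is relayed. This is an added example, not code from any bank or network named in the article; the thresholds, registry contents, weekend days and field names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from difflib import SequenceMatcher

# All values below are constructed assumptions for this example.
ORG_WORDS = {"foundation", "corporation", "association", "limited"}
REGISTERED_NONPROFITS = {"example relief trust"}   # stand-in registry
CLOSED_WEEKDAYS = {4, 5}        # assumed Friday/Saturday weekend at the originator
BATCH_LIMIT = 10                # orders in one batch before a hold
PRIVATE_PAYEE_LIMIT_USD = 5_000_000


@dataclass
class Order:
    beneficiary: str
    amount_usd: int
    sent_at: datetime           # originator's local time
    payee_type: str             # "bank", "government", "individual" or "ngo"


def misspelled_org_word(name: str) -> bool:
    """True if a word is close to, but not exactly, a common organisation term."""
    for word in name.lower().split():
        if word in ORG_WORDS:
            continue
        if any(SequenceMatcher(None, word, t).ratio() >= 0.8 for t in ORG_WORDS):
            return True
    return False


def hold_reasons(order: Order, batch_size: int) -> list[str]:
    """Reasons to hold an order for manual confirmation; empty means relay it."""
    reasons = []
    if order.sent_at.weekday() in CLOSED_WEEKDAYS:
        reasons.append("sent while originator is closed")
    if batch_size > BATCH_LIMIT:
        reasons.append("unusually large batch of orders")
    private = order.payee_type in ("individual", "ngo")
    if private and order.amount_usd > PRIVATE_PAYEE_LIMIT_USD:
        reasons.append("large payment to a private payee")
    if order.payee_type == "ngo" and order.beneficiary.lower() not in REGISTERED_NONPROFITS:
        reasons.append("nonprofit not found in registry")
    if misspelled_org_word(order.beneficiary):
        reasons.append("beneficiary name looks misspelled")
    return reasons


# Constructed orders: one shaped like the Sri Lanka request, one routine.
suspect = Order("Shalika Fandation", 20_000_000, datetime(2016, 2, 5, 9, 0), "ngo")
routine = Order("Example Reserve Bank", 2_000_000, datetime(2016, 2, 3, 11, 0), "bank")
```

Any non-empty result means the order waits for a person to confirm it with the originator through a separate channel instead of being relayed automatically.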
The money transferred to the Philippines was deposited in five separate accounts with the Rizal Commercial Banking Corporation (RCBC), later found to have been opened under fictitious identities. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to the RCBC and consolidated into an account of a Chinese-Filipino businessperson. The conversion was made from February 5 to 13, 2016. The four U.S. dollar accounts involved had been opened with the RCBC on May 15, 2015, and remained untouched until February 4, 2016.
On February 8, 2016, during the Chinese New Year, Bangladesh Bank informed RCBC through SWIFT to stop the payment, refund the funds and “freeze and put the funds on hold.” Chinese New Year is a non-working holiday in the Philippines, and a SWIFT message from Bangladesh Bank containing similar information was received by RCBC a day later. By this time, a withdrawal amounting to about $58.15 million had already been processed by RCBC’s Jupiter Street Branch.
The Governor of Bangladesh Bank requested the assistance of Bangko Sentral ng Pilipinas on February 16 in recovering its $81 million, saying that the SWIFT payment instructions issued in favor of RCBC were fraudulent.
Investigators in the Philippines found that computer hackers stole around $100 million, which was brought into the country’s banking system. It was sold to a black market foreign exchange broker, transferred to at least three large local casinos, sold back to the money broker and moved out to overseas accounts, all in a few days. The National Bureau of Investigation (NBI) of the Philippines launched an investigation and looked into a Chinese-Filipino who allegedly played a key role in the laundering of the illicit funds. The NBI is coordinating with relevant government agencies including the Anti-Money Laundering Council (AMLC). The AMLC started its investigation on February 19, 2016 into bank accounts linked to a junket operator. The AMLC has filed a money laundering complaint before the Department of Justice against an RCBC branch manager and 5 unknown persons with fictitious names in connection with the case. A Philippine Senate hearing was held on March 15, 2016, led by Senator Teofisto Guingona III, head of the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money Laundering Act. A closed-door hearing was later held on March 17. PAGCOR has also launched its own investigation.
During the televised hearing, Romualdo Agarrado, the bank branch’s customer service manager, testified that on Feb. 5, when the funds were transmitted to the accounts, he saw a bank messenger and another bank officer load 20 million pesos ($428,000) in a paper bag into the car of the bank’s branch manager, Maia Santos-Deguito. He said she drove off with the money.
Officials allege the money was withdrawn from a bogus account set up under the name of a local businessman, William So Go, who denies any involvement in the transfers. Agarrado also accused Deguito of offering him a 5 million pesos ($107,000) bribe and of ignoring his Feb. 9 recommendation to heed an email from the bank’s head office ordering a recall of the funds.
The bank’s internal investigation showed Deguito helped to set up an account under Go’s name, with a forged signature, said Macel Fernandez-Estavillo, a director and in charge of legal affairs at the Rizal Commercial Banking Corp. The stolen funds are thought to have been consolidated into that account, converted into pesos and sent through a remittance company to two casinos and to a person named Weikang Xu, according to the Philippine Anti-Money Laundering Council executive director, Julia Bacay Abad. Xu runs casino junkets, said Silverio Benny J. Tan, corporate secretary of Bloomberry Resorts Corp., which runs Solaire Resorts and Casinos – one of the companies that allegedly received the funds.
Many details of the case remain murky, such as who was behind the heist and how the hackers breached the Bangladesh Bank’s cyber security. No arrests have been announced so far, though Deguito faces a criminal complaint that could result in charges against her.
Security of Banking System
According to a report published by Bloomberg, hackers who stole $101 million from Bangladesh’s central bank stalked its computer systems for almost two weeks beforehand. Prepared for Bangladesh Bank by cyber security firms FireEye Inc. and World Informatix, the assessment offers a tantalizing glimpse into how cyber criminals can use banks’ own systems against them. The cyber companies say the thieves deployed malware on servers housed at the central bank to make payments seem genuine. Security researchers from FireEye’s Mandiant have been assisting investigators in Dhaka in the wake of the worst cyber attack faced by Bangladesh.
The detectives believe special malware was installed in Bangladesh Bank’s computer system several weeks prior to the attack and that the hackers watched how money is transferred from its account at the Federal Reserve, reports Reuters. The nature of the malware is still unknown, but the “malicious software likely included spying programs that let the group learn how money was processed, sent and received”.
In a sophisticated and coordinated cyber attack, the criminals, posing as Bangladeshi central bank officials, sent dozens of secure messages to the New York Fed, which transferred funds belonging to Bangladesh from the Fed to bank accounts in the Philippines and Sri Lanka. The hackers introduced malicious code, known as malware, into Bangladesh Bank’s server, which allowed them to process and authorize the transactions, according to an interim report from FireEye Inc., the Silicon Valley-based cyber security firm that Bangladesh Bank hired to probe the Feb. 5 theft.
Brussels-based Society for Worldwide Interbank Financial Telecommunication, a cooperative owned by some 3,000 global financial institutions and known as SWIFT, said Monday that it would ask customers to review their internal security in light of the breach of Bangladesh’s central bank. SWIFT is a member-owned cooperative that provides international codes to facilitate payments between banks globally.
FireEye investigators have warned Bangladeshi officials that dozens of computers at the central bank may have been breached by hackers leading up to the attack.
The Federal Bureau of Investigation last week joined the hunt for the perpetrators. Bangladeshi police officials met with an FBI team in Dhaka. The U.S. Embassy in Dhaka said the U.S. “stands ready to assist the Government of Bangladesh with its investigation.”
The Philippines is now in danger of being returned to the “gray list” of the Paris-based anti-money-laundering watchdog, the Financial Action Task Force (FATF). Securities and Exchange Commission Chair Teresita Herbosa warned earlier that the Philippines could be demoted to the FATF “gray list” of noncompliant countries because of local legal constraints on the monitoring of casinos, which in other parts of the world are tightly regulated. The Philippines is one of the very few countries that exclude casinos from the purview of their laws against money laundering.
The Philippines’ Anti-Money Laundering Act of 2001 (AMLA) has been amended four times to expand the list of predicate crimes and institutions covered by the law, in response to the FATF threat to put the country on its “blacklist” of countries being used as money-laundering havens. Despite Congress being told by the Anti-Money Laundering Council (AMLC) in 2013 that casinos are known conduits of money laundering (anyone can claim they earned money through gambling), casinos were still excluded from the list. The amended AMLA just added money changers, dealers of jewelry and precious metals, real estate companies and preneed firms to the list of entities required to report suspicious transactions to the AMLC for purposes of catching money launderers and terror financiers. Previously,
The Bangladesh Bank heist highlights a potential pitfall in global anti-money laundering efforts, which in the case of the Philippines have focused more on vanquishing terrorist financing than on preventing misuse of the financial system by banks and casinos.
The BB Governor has done the only moral thing to do: resign. He has taken the rap on himself. But that is only one aspect of the issue. The matter has generated several questions, and people need credible answers to them. It is not only the money involved in the defalcation; there are questions of national security linked with the fraud. The sooner the investigations are over, the sooner, hopefully, we should be able to identify the local cohorts who have helped in the theft, and the sooner we can plug the loopholes in the system.
Control of the financial environment is much more complex and challenging, since too restrictive an environment may reduce the flexibility to react promptly, and hurt efficiency by increasing the time and cost of execution. Further, BB’s internal financial controls in Bangladesh need to be complemented and synchronised with similar controls, wherever possible, at the end of the global partners in the architecture, importantly the FRBNY and Deutsche Bank. If such controls are already in place, they need to be revisited now, following the seismic heist.
Md. Hasanuzzaman is a journalist and international affairs analyst.