The recent news of the fraudulent transfer of the Bangladesh Bank's (BB) US Dollar Reserve to as yet unidentified beneficiaries has ignited a governance firestorm inside the country, while showcasing the vulnerabilities of a digital world, and the strengths and weaknesses of the international funds transfer architecture. This commentary seeks to discern the key aspects of forensic investigation and financial prevention.
Funds Transfer Architecture
To pay another party from its Federal Reserve Bank of New York (FRBNY) accounts, BB's authorised officers, using their electronic signature/pass codes, send an electronic advice to Deutsche Bank (correspondent bank of BB in New York), using the Belgium-based secure messaging network, the Society for Worldwide Interbank Financial Telecommunication (SWIFT). It seems that Deutsche Bank and the FRBNY were initially executing the transfer requests without manual due diligence (identification, reconciliation and confirmation). This means that Deutsche Bank's automated system mechanically and instantaneously relayed BB's payment/debit requests to the FRBNY using the Fedwire Funds Services (owned and operated by the Federal Reserve Banks). Since the payees are private individuals/NGOs, the payment order was also routed to the Clearing House Interbank Payments System (CHIPS), a clearance and settlement system for large value international transactions of public and private counterparties, owned and operated by some large banks in the US. CHIPS then automatically credited the funds of the banks of the payees (Rizal Commercial Banking Corporation or RCBC, Philippines, and Pan Asia Banking Corporation, Sri Lanka; possibly through their correspondent banks), and debited that of FRBNY (in turn debiting BB's account).
Pan Asia Banking Corporation officials in Sri Lanka became suspicious of the unusually large transfer and immediately brought this to the attention of Deutsche Bank. Reportedly, Deutsche Bank officials also noted a spelling error in the NGO payee name of Sri Lanka, possibly upon verification request from Pan Asia. The alarm bells then went off everywhere, including the FRBNY and BB.
The crucial part of the transfer architecture compromised in the heist was the SWIFT messaging system, either remotely by external and unrelated hackers based in Bangladesh or elsewhere, or physically at the BB site. In either case, there may be BB insiders involved as collaborators. Investigating the CCTV shutdown at both the BB and RCBC sites during the February 4-5 timeframe, as reported in some media, is thus important; if the report is factual, then the prospect of BB and RCBC insiders as collaborators will be high. Even without a CCTV shutdown, the investigation should explore whether any BB and RCBC officials, with access to or intimate knowledge of SWIFT authorisation codes, met physically or communicated via phone or internet in the recent past. By itself, this requires a multi-country and multi-department investigation.
Judiciously, BB Governor Dr. Atiur Rahman engaged the Washington DC area consulting firm, World Informatix, which in turn has recruited the famed cyber intelligence firm FireEye. However, this effort needs to be immediately augmented by and coordinated with international law enforcement and intelligence agencies. Further, all Bangladesh Bank officials, not just those of a department, should be immediately barred from leaving the country for now.
A complicating factor is that the sets of hackers and ultimate financial beneficiaries of the heist may be disjoint. The latter may have simply paid the hackers for hacking without the hackers knowing their purpose and identities. This seems like a real possibility, given the elaborate and sequential transfer of funds involving the casinos in the Philippines. If not stopped, the Sri Lankan scheme might have involved the casinos there too. It seems that the choice of this unlikely duo of countries, the Philippines and Sri Lanka, could have been driven by the money whitening opportunity at the casinos, with the stricter alternatives in Macau, Malaysia and Singapore being avoided. Sophisticated choices of this type in various aspects of the globe-spanning fraud operation hint at very wealthy and resourceful ultimate beneficiaries, ominously raising the possibility of financing for extremist/rebel organisations or geopolitical covert operations. Coincidentally, maritime Bangladesh is located in a triangular fashion with the island nations of the Philippines and Sri Lanka on the south-western and south-eastern shipping routes respectively, both dotted by rebel movements and terrorism.
Notwithstanding Dr. Atiur Rahman's leadership in improving risk management at domestic banks, one area that remains visibly weak is that of operational risk relating to failure of operations, most notably failure to prevent internal and external fraud. Risk management in this context requires, among other things, control of the physical environment (sites and technical infrastructure) and the financial environment (rules and policies for executing financial activities like funds transfer, trading, accounting, etc.). As recommended by IT experts, there is clearly plenty more to do in securing the technical infrastructure. If not already in place, it will be highly desirable, as per the norms of today's banking world, to institute electronic card access to BB sites for all BB staff with restricted access to sensitive areas such as funds transfer messaging zones.
The control of the financial environment is much more complex and challenging, since too restrictive an environment may reduce the flexibility to react promptly, and hurt efficiency by increasing the time and cost of executions. For example, manual due diligence in payment advice verification is safer but would be quite inefficient for all, especially smaller payments. With this tradeoff in mind, best practices around the world use some common controls that include the size of a single transfer, number and size of total transfer to a single payee, number and size of total daily transfer requests to all payees in aggregate, daily size and number of transfers authorised by a single officer, restrictions on transfers to specific geographic destinations, daily reconciliation and reconfirmation of transactions, etc. A severe event may still occur, albeit with a low probability. As such, a best practice is to allocate risk capital to manage and withstand such losses.
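As an added illustration (not part of the original commentary, and not any bank's actual system), the following Python example applies the controls listed above to one day's payment requests, releasing those within limits automatically and holding the rest for manual due diligence. The limit values, the placeholder country code XX, the officer and payee names, and the sample requests are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ref: str
    officer: str   # authorising officer
    payee: str
    country: str   # destination country code
    amount: int    # USD

# Hypothetical daily limits; real values would come from the bank's risk policy.
LIMITS = {
    "single_amount": 5_000_000,
    "payee_count": 2, "payee_total": 8_000_000,
    "officer_count": 3, "officer_total": 10_000_000,
    "day_count": 5, "day_total": 20_000_000,
}
RESTRICTED_DESTINATIONS = {"XX"}  # placeholder code, not a real country

def screen_day(transfers, limits=LIMITS, restricted=RESTRICTED_DESTINATIONS):
    """Return {ref: [breached controls]}. An empty list means auto-release;
    anything else is held for manual review. Every request counts toward the
    running totals, so a burst of requests is itself what trips the limits."""
    count, total = defaultdict(int), defaultdict(int)
    decisions = {}
    for t in transfers:
        reasons = []
        if t.amount > limits["single_amount"]:
            reasons.append("single_amount")
        if t.country in restricted:
            reasons.append("restricted_destination")
        for k in (("payee", t.payee), ("officer", t.officer), ("day", "all")):
            count[k] += 1
            total[k] += t.amount
            if count[k] > limits[k[0] + "_count"]:
                reasons.append(k[0] + "_count")
            if total[k] > limits[k[0] + "_total"]:
                reasons.append(k[0] + "_total")
        decisions[t.ref] = reasons
    return decisions

# Constructed sample requests for one day.
SAMPLE_DAY = [
    Transfer("T1", "officer_a", "Supplier One", "US", 1_000_000),
    Transfer("T2", "officer_a", "Supplier One", "US", 2_000_000),
    Transfer("T3", "officer_a", "Supplier One", "US", 500_000),
    Transfer("T4", "officer_b", "Foundation Q", "XX", 6_000_000),
    Transfer("T5", "officer_a", "Vendor Two", "US", 4_000_000),
]
```
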
Further, the internal BB financial controls in Bangladesh need to be complemented and synchronised with similar controls, whenever possible, at the end of the global partners in the architecture, importantly the FRBNY and Deutsche Bank. If such controls are already in place, they need to be revisited now following the seismic heist.
To conclude, going forward, bolstering operational risk management at BB will be of paramount importance since any further security breach could immutably tarnish the country's banking and cybersecurity image. Instead of unproductive public feuds over the lag in information sharing by BB and making drastic personnel changes in a hasty manner, the country is better off speedily identifying the intercontinental network of perpetrators and their ulterior motive, for once without bureaucratic or political intervention.
The writer is Professor of Practice, Finance Dept. at McGill University, Canada.