Hours before the Federal Reserve Bank of New York approved four 
fraudulent requests to send $81 million from a Bangladesh Bank account 
to cyber thieves, the Fed branch blocked those same requests because 
they lacked information required to transfer money, according to two 
people with direct knowledge of the matter.
On the day of the theft in February, the New York Fed initially 
rejected 35 requests to transfer funds to various overseas accounts, a 
New York Fed official and a senior Bangladesh Bank official told 
Reuters. The Fed's decision to later fulfill a handful of resubmitted 
requests raises questions about whether it missed red flags.
The New York arm of the U.S. central bank initially denied the 
transfer requests because they lacked proper formatting for the SWIFT 
messaging system, the network banks use for international financial 
transfers, the two officials said.
The Bangladesh Bank official said they lacked the names of 
correspondent banks, which typically receive wired funds. The Fed 
rejected the requests, which came from hackers who had broken into the 
SWIFT network through Bangladesh Bank systems.
Later in the day, however, the cyber thieves resubmitted those 35 
requests. On the second try, the messages had the proper formatting, the
New York Fed official said. The requests had been authenticated by
SWIFT, the first line of defense against fraudulent wire transfers.
Despite the technical compliance, the New York Fed rejected 30 of the
requests a second time. But the Fed did approve five requests - for a
total of $101 million. Later, one of those five transfers - a $20 
million request - was reversed because of a misspelling.
The New York Fed has said it blocked the 30 resubmitted requests 
because they were flagged for economic sanctions review. Only afterward 
were they deemed potentially fraudulent.
The Bangladesh Bank official and another source close to the bank 
said the New York Fed should have rejected all the requests on both the 
first and second attempts.
The source close to the bank, who also had direct knowledge of the 
matter, said anomalies in the four transfers that ultimately went 
through should have raised questions at the New York Fed. They were paid
to individual recipients, a rarity for Bangladesh's central bank, and
the false names on the four approved withdrawals also appeared on some 
of the 30 resubmitted requests rejected by the bank, said the source 
close to the Bangladesh Bank.
"Of course, we asked the Fed why the repetition of the names did not create red flags," the source said.
"They are saying they rejected 35 badly submitted ones," the source 
said. But when the requests were re-submitted, they "paid 5 of them and 
stopped 30. Why? They can give no answer."
Bangladesh Bank and SWIFT declined to comment. The New York Fed has 
said there were no problems with its procedures for approving SWIFT fund
transfers, and declined to comment on whether it missed any warning
signs.
The cyber theft from Bangladesh's central bank - and recent 
disclosures of other similar fraud attempts - have brought scrutiny on 
the SWIFT messaging system. SWIFT is a cooperative of global banks 
formally known as the Society for Worldwide Interbank Financial 
Telecommunication, and its transaction system was used as a conduit for 
one of the largest cyber bank heists in history.
In the United States, a congressional committee has launched a probe 
into the New York Fed's role in the bank heist. The Bangladeshi central 
bank might seek compensation for the funds from the Federal Reserve, and
Bangladesh Bank police have said that recent installation of a new
SWIFT settlement system at the bank last fall may have provided thieves 
an opportunity to gain access to the bank's SWIFT servers.
RED FLAGS?
The New York Fed's reviews of payment requests that come over the 
SWIFT system are focused chiefly on guarding against money laundering 
and transfers to people and entities that are under U.S. government 
sanctions, Fed officials have said. But requests often also are 
temporarily halted to fix typos and other formatting problems.
The Fed branch has said its clients, including Bangladesh Bank, and 
SWIFT have primary responsibility for preventing unauthorized transfers.
Fed employees queried Bangladesh Bank about the purpose of the 
payments requested on Feb. 4 and again on Feb. 5, according to a letter 
to congresswoman Carolyn Maloney (D-NY) by New York Fed General Counsel 
Thomas Baxter.
The four transfers totaling $81 million went to accounts in the 
Philippines. The money wound up with casinos and casino agents and 
remains missing. An attempt to transfer $20 million to a foundation in 
Sri Lanka was reversed because the word "foundation" was misspelled.
The source close to Bangladesh Bank said questions about the 
anomalies in the approved requests were discussed at a meeting in Basel 
last month between New York Fed President William Dudley, Bangladesh 
Bank Governor Fazle Kabir and representatives from SWIFT.
Rep. Maloney and Tom Carper, the top Democrat on the Senate Homeland 
Security Committee, both have made inquiries to the New York Fed.
The House Science Committee informed the New York Fed in a letter 
this week that it is launching a probe into its handling of the transfer
requests. The committee plans to examine the New York Fed's response to
the heist, the oversight of SWIFT, and whether additional measures are
needed to address vulnerabilities to cyber attacks.
SWIFT, which has come under scrutiny after the Bangladesh Bank heist 
and cyber attacks in at least three other cases, plans a new program to 
improve security and also wants banks to "drastically" improve 
information sharing. (Additional reporting by Tom Bergin in London; 
Editing by Raju Gopalakrishnan and David Greising)