|
 On the day of the theft in February, the New York Fed initially
rejected 35 requests to transfer funds to various overseas accounts,
a New York Fed official and a senior Bangladesh Bank official told
Reuters. The Fed’s decision to later fulfill a handful of
resubmitted requests raises questions about whether it missed red
flags.
The New York arm of the U.S. central bank initially denied the
transfer requests because they lacked proper formatting for the
SWIFT messaging system, the network banks use for international
financial transfers, the two officials said.
The Bangladesh Bank official said they lacked the names of
correspondent banks, which typically receive wired funds. The Fed
rejected the requests, which came from hackers who had broken into
the SWIFT network through Bangladesh Bank systems.
Later in the day, however, the cyber thieves resubmitted those 35
requests. On the second try, the messages had the proper formatting,
the New York Fed official said. The requests had been authenticated
by SWIFT, the first line of defense against fraudulent wire
transfers.
Despite the technical compliance, the New York Fed rejected 30 of
the requests a second time. But the Fed did approve five requests –
for a total of $101 million. Later, one of those five transfers - a
$20 million request - was reversed because of a misspelling.
The New York Fed has said it blocked the 30 resubmitted requests
because they were flagged for economic sanctions review. Only
afterward were they deemed potentially fraudulent.
The Bangladesh Bank official and another source close to the bank
said the New York Fed should have rejected all the requests on both
the first and second attempts.
The source close to the bank, who also had direct knowledge of the
matter, said anomalies in the four transfers that ultimately went
through should have raised questions at the New York Fed. They were
paid to individual recipients, a rarity for Bangladesh's central
bank, and the false names on the four approved withdrawals also
appeared on some of the 30 resubmitted requests rejected by the
bank, said the source close to the Bangladesh Bank.
"Of course, we asked the Fed why the repetition of the names did not
create red flags," the source said.
"They are saying they rejected 35 badly submitted ones," the source
said. But when the requests were re-submitted, they "paid 5 of them
and stopped 30. Why? They can give no answer."
Bangladesh Bank and SWIFT declined to comment. The New York Fed has
said there were no problems with its procedures for approving SWIFT
fund transfers, and declined to comment on whether it missed any
warning signs.
The cyber theft from Bangladesh’s central bank - and recent
disclosures of other similar fraud attempts - have brought scrutiny
on the SWIFT messaging system. SWIFT is a cooperative of global
banks formally known as the Society for Worldwide Interbank
Financial Telecommunication, and its transaction system was used as
a conduit for one of the largest cyber bank heists in history.
In the United States, a congressional committee has launched a probe
into the New York Fed's role in the bank heist. The Bangladeshi
central bank might seek compensation for the funds from the Federal
Reserve, and Bangladesh Bank police have said that recent
installation of a new SWIFT settlement system at the bank last fall
may have provided thieves an opportunity to gain access to the
bank’s SWIFT servers.
[to top of second column] |
RED FLAGS?
The New York Fed's reviews of payment requests that come over the SWIFT system
are focused chiefly on guarding against money laundering and transfers to people
and entities that are under U.S. government sanctions, Fed officials have said.
But requests often also are temporarily halted to fix typos and other formatting
problems.
The Fed branch has said its clients, including Bangladesh Bank, and SWIFT have
primary responsibility for preventing unauthorized transfers.
Fed employees queried Bangladesh Bank about the purpose of the payments
requested on Feb. 4 and again on Feb. 5, according to a letter to congresswoman
Carolyn Maloney (D-NY) by New York Fed General Counsel Thomas Baxter.
The four transfers totaling $81 million went to accounts in the Philippines. The
money wound up with casinos and casino agents and remains missing. An attempt to
transfer $20 million to a foundation in Sri Lanka was reversed because the word
“foundation” was misspelled.
The source close to Bangladesh Bank said questions about the anomalies in the
approved requests were discussed at a meeting in Basel last month between New
York Fed President William Dudley, Bangladesh Bank Governor Fazle Kabir and
representatives from SWIFT.
Rep. Maloney and Tom Carper, the top Democrat on the Senate Homeland Security
Committee, both have made inquiries to the New York Fed.
The House Science Committee informed the New York Fed in a letter this week that
it is launching a probe into its handling of the transfer requests. The
committee plans to examine the New York Fed’s response to the heist, the
oversight of SWIFT, and whether additional measures are needed to address
vulnerabilities to cyber attacks.
SWIFT, which has come under scrutiny after the Bangladesh Bank heist and cyber
attacks in at least three other cases, plans a new program to improve security
and also wants banks to "drastically" improve information sharing.
(Additional reporting by Tom Bergin in London; Editing by Raju Gopalakrishnan
and David Greising)
[© 2016 Thomson Reuters. All rights
reserved.] Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
 |
