Bangladesh Bank’s inefficiency, neglect led to reserve heist
Unprotected security systems and irresponsible officials made Bangladesh Bank vulnerable to pilferage of the central bank’s foreign reserves. Linking the SWIFT server to the local network simply made things easier, and within six months the secret password was used to extract 81 million dollars (Tk 8.1 billion) from the bank’s reserves.
This cyber heist took place around three and a half years ago, on the night of 4 February 2016. Bangladesh Bank discovered the theft the next day, but kept it under covers for another 24 days. In fact, it was on the 33rd day after the heist that the central bank officially informed the finance minister about the matter.
Once the matter came out into the open, an inquiry committee was formed on 15 March that year, headed by former governor of Bangladesh Bank, Mohammad Farashuddin. On that day the bank filed a case with the Motijheel police station. The next day the case was handed over to the police’s Criminal Investigation Department (CID).
The Farashuddin committee began work on 20 March and presented its inquiry report to the finance minister at the time, AMA Muhith, on 30 May that year. However, till date the government has not made public the findings of that report. Nor has CID submitted any charge sheet in the case.
The people remain in the dark about who was behind stealing their hard earned money from the central bank. Neither has it been revealed whether any Bangladeshi was directly or indirectly involved in the scam or whether anyone’s irresponsibility or neglect opened the doors to the theft. No one was punished and some even were promoted.
Around three years after the incident, Bangladesh Bank filed a case with the New York Southern District Court in the US on 31 January this year, accusing 20 persons and institutions. It still has not been decided whether the case will be conducted in New York or not.
In the meantime, a special senate committee hearing was held in this regard in the Philippines and a case was filed. A bank official there has been sentenced to a lengthy prison term.
Ironically, Bangladesh has made no visible effort to retrieve its stolen funds and this has not been recovered as yet. There seem little expectations that the money will ever be retrieved.
The main report of the Farashuddin committee comprised 27 pages. Other members of the committee were professor Mohammed Kaikobad and financial institutions division secretary at the time, Gokul Chand Das. Over the past three and a half years, the inquiry report has been discussed and debated over by various quarters, but it has never seen the light of day. As a result, its observations have not been taken into cognizance and its recommendations have not been followed.
AMA Muhith, as finance minister at the time, had taken initiative for certain emergency measures upon receiving the inquiry report. On 1 June 2016 he issued a letter to various quarters within the government, highlighting the weaknesses in the central bank’s transaction security. He called for immediate measures to address these weaknesses, including taking measures against certain employees of the bank who were named in the report. He also wanted to make a statement in the parliament about the matter, but that never happened.
Speaking to Prothom Alo on the overall issue on Monday, the inquiry committee head Farashuddin said, the government appointed an inquiry committee to look into the matter. The committee submitted its report. Now only the government can make an official statement about the issue.
How the heist happened
Banks worldwide use the Society for Worldwide Interbank Financial Telecommunications (SWIFT) for transactions among each other. Bangladesh has eight officials responsible for financial transactions through SWIFT. These transactions are conducted in a back-office of Bangladesh Bank’s accounts and budgeting department. This space is heavily secured.
The inquiry committee describes the events of 4 February 2016 night. One of the officials authorised to send the transaction messages is assistant director Sheikh Reazuddin. At 7:15 that night, before logging out of the system, he issued order to the Federal Reserve Bank of New York (New York Fed) to transfer 319.70 million US dollars, using 18 messages as per the regulations. The money was to be invested in the currency market. After sending the message, Sheikh Reazuddin left the office at 8:03 at night.
It was a Thursday. After he left office, his user ID and password was used to send 35 messages to the New York Fed from 8:36 pm till 3:59am, issuing directives to transfer 951 million US dollars. The directives stated that 81 million dollars was to be transferred to accounts of certain persons with the Philippines Rizal Commercial Banking Corporation (RCBC). And 20 million dollars was to be sent to Salikha Foundation prevented the money from being transferred to Sri Lanka.
Of the 35 messages sent, money was transferred from the New York Fed in response to 4. The Fed had suspicions about 30 of the messages and one was stopped due to the misspelling. They sent a reply message to Bangladesh, though Bangladesh only came to know of this two days later as no one was there on Thursday night, no one bothered on Friday and so it was only on Saturday that Bangladesh Bank came to know about the mater. But, only on 9 February the funds in the Philippines bank were removed.
It is so far the largest central bank heist anywhere in the world. Those involved in the robbery did their homework well. They coordinated their dealings with the weekly holidays of Bangladesh and Philippines as well as the Chinese New Year. The report said that Bangladesh bank lacked the sense to perceive that anyone could take advantage of this long holiday. It said that the criminals took full advantage of the Bangladesh Bank’s sloppiness.
How BB came to know
Even though Friday is a holiday, the back-office is opened for some time to conduct transactions. At 8:45 Friday morning, joint director of the accounts and budgeting division Zubair Bin Huda came to the office, followed by joint director Mizanur Rahman Bhuiyan, assistant directors Sheikh Reazuddin and Rafiq Ahmed Majumdar. The latter three left office at 12:32 in the afternoon.
Once a SWIFT message is sent, a copy of the message is printed automatically. However, general manager of the accounts and budgeting division, Badrul Huq Khan, told the inquiry committee that the four officials could not open the printer for the printout of the messages, but failed to inform the authorities of the matter. They claimed that the printer often gave trouble, though they could not specify when it last malfunctioned. The inquiry committee commented that these officials did not bother to stay back and take further time to arrange a manual printout of the SWIFT messages.
The inquiry report said that the general manager Badrul Huq Khan came to office on Saturday morning at 10:27, and 47 minutes later Zubair Bin Huda informed him about the printer problem. At 12:15 in the afternoon alternative measures were taken for the printouts and 199 messages were received from New York Fed. However, it was not possible to enter the SWIFT system through the browser, with ‘error message’ being repeated. That was why the message could not be read.
Attempts were then made to contact the New York Fed over telephone, but it was closed at the time. Then at 1:31pm, e-mails and faxes were sent to New York Fed to hold up any payment and also to return any finds that had been transferred. The printer was still out of order. At 2:54pm SWIFT was approached for emergency assistance. At their advice the SWIFT server was disconnected from the local network and then the printer began functioning again. It was then that Bangladesh bank first came to know about the funds being stolen from the reserves.
After the entire Friday day and entire night passed, at 3:30 Saturday afternoon Badrul Huq Khan first informed the central bank’s deputy governor (DG-1) Md Abul Kasem about the reserve funds being pilfered. Kasem then spoke to the bank’s governor Atiur Rahman. After that, Abdul Kasem told Badrul Huq Khan that the governor had ordered strict secrecy to be maintained about the matter.
How the grounds were prepared
The Farashuddin report said that since 1995 the SWIFT transactions had been conducted without any hitch. But then an order from Bangladesh Bank made the security vulnerable, following which the heist took place.
The decision was for any sort of interbank transaction directives to be immediately conducted through the Real Time Gross Settlement (RTGS). This RTGS connection with SWIFT was launched with great fanfare after which the problems began.
In March 2015, president of the SWIFT User Association of Bangladesh, Anis A Khan, proposed the RTGS link with SWIFT. SWIFT advocated this too. It was finally approved and implemented.
The inquiry report said that a risky Local Area Network (LAN) was set up with about 5,000 computers of Bangladesh Bank and initially with Mutual Trust Bank, BRAC Bank and Citibank NA. Surprisingly, though the matter had to go through scrutiny of the planning commission, the central bank’s executive committee and the board of directors, not a single question was raised about how necessary this connection actually was, its technological justification and whether there could be any sort of security beach during transactions.
SWIFT under suspicion too
The Farashuddin committee also expressed its suspicions concerning SWIFT’s activities. The report said that SWIFT’s experts had created RTGS connection with SWIFT in their own manner, not handing over the new user instructions to anyone of Bangladesh Bank. There were technical problems at the very outset for which they had to revamp the system. They had also stated that the SWIFT server Hardware Security Module (HSM) card should never be disconnected. The card keeps the SWIFT server live round the clock. If the card had been disconnected, no way could the money have been transferred on 4 February. The inquiry report expressed surprise at the silence and irresponsibility of the Bangladesh Bank governor and others in this regard.
When Prothom Alo sent an email to SWIFT for their comments, they sent back a counter mail, asking if the inquiry report had been published. When they were informed that the report had not been published, SWIFT made no further response.
Who is to blame?
The inquiry committee has not been able to confirm if anyone within Bangladesh was directly or indirectly involved in the scam. But they commented about the glaring unprofessionalism was evident in the foreign exchange reserve management, the hasty use of technology bypassing the control structure and, while in the back-office, listening to music, organising a birthday party, chatting, chatting on Facebook and playing computer games. This was blatant inefficiency and negligence of protecting public resources. This unprofessionalism of the central bank officials made it very easy for the cyber criminals to hack the system with their malware.
The present situation
The Farashuddin inquiry report has been shelved into deep freeze quite some time back. Bangladesh Bank has taken no action whatsoever. CID has come up with no report, the central bank has not taken any measures to look into the matter either.
Former additional secretary Mohammed Firoz Miah spoke to Prothom Alo about two types of measures to be taken against any employee of the government, or any semi-government or autonomous corporation who faces criminal charges. One is judicial action and the other, departmental action. Anyone facing judicial measures will also have to face departmental action. If there are specific charges, even if there are no judicial measures, departmental measures must be taken.
None of the Farashuddin committee’s recommendations have been implemented, not even about taking departmental action.
Former governor of Bangladesh Bank Salahuddin Ahmed, speaking to Prothom Alo on Monday, said that the reserve funds are no one’s personal property. It was wrong to keep the matter secret. Had the Philippines bank been contacted in time, the funds would have been recovered by now. He said in such cases immediate administrative and legal action must be taken. This would reduce fraudulence and irregularities. As no measures are taken, fraudulence is on the rise.