It has been four years since a band of hackers broke into this Bangladesh Bank’s account with the New York Fed with the intent to pull off what would have been the biggest cyber heist in history.
Thanks to stroke of good fortune, the hackers made way with less than one-tenth the sum — and Bangladesh is no closer to seeing that money back four years on as there has been little tangible progress in the legal battle at home and abroad.
Not just that, there has not been any lasting solution to prevent a repeat of the incident that left the central bank $81 million short — and would have left it with a $951 million-size hole in its books.
The central bank is working under a temporary arrangement for four years that is costing additional time and money.
Under the makeshift system since 2016, the BB sends payment instructions to the New York Fed through the SWIFT system and follows it up with an email. After receiving the email, the New York Fed calls the BB to double-check whether it has sent the payment instruction or not.
Until the three-tier security system is ensured, the Fed does not carry out any fund transfer instructions. And this arrangement is for Bangladesh only.
Not just that, the Fed transfers funds for only two days a week now, down from four days initially.
As a result, the BB processes international payments with the help of a foreign bank on other days, resulting in an additional cost.
In 2017, the SWIFT, the Fed and the Bangladesh University of Engineering and Technology (BUET) designed a permanent payment instructions system for the BB. The system is secure, said a central banker.
The SWIFT sent the design in June 2016 and it was reviewed by the BUET. The Fed also examined the design.
Accordingly, the central bank purchased necessary software and hardware by the end of 2017 to make the system up and running.
But they have not been installed yet as SWIFT officials keep pushing back their Bangladesh visit fearing they will face legal actions in the hacking case filed with the Criminal Investigation Department.
Until December last year, no SWIFT official visited Bangladesh fearing that they might face legal actions in the hacking case filed with the CID.
The government high-ups assured that they would not face any sort of hassle or questioning from the law agencies. Convinced, a team of the SWIFT met with the BB governor in Dhaka on December 19 last year.
A SWIFT team will visit Bangladesh in order to install the hardware and a third party will audit its effectiveness. Once the SWIFT and the Fed give their green light in favour of the new system, it will be put in place.
The team that visited Bangladesh in December proposed two more initiatives that would make the payment instructions more secure.
One of them is Global Payment Initiative (GPI), which SWIFT is calling the new standard in global payments.
Another is payment control service (PCS). In case of any irregularities during the transaction such as higher-than-usual fund size or uncommon transaction timeframe, the channel can block the transaction and notify the bank.
A team from the SWIFT has to come to install the system. It has sent a list of the officials to Bangladesh, but the date for their visit could not be known.
Once the SWIFT installs the system, the BB would float a tender for a third-party audit of it. If the SWIFT and the Fed vet the audit report, the system will be fully up and running.
“If the officials of the SWIFT cooperate with the BB, we would be able to move to the new system within three to four months,” Debdulal Roy, executive director of the BB, told The Daily Star.
The delay has been largely caused by the time being taken by the SWIFT officials, he said.
In November last year, a team from the Fed also visited the country.
NEW SECURITY SYSTEM IN CENTRAL BANK
Although the BB has not taken any measure in line with the recommendations made by the Farashuddin-led probe committee, the central bank and the government have taken high-level security measures to safeguard the BB’s IT infrastructure.
A censor has been installed at the BB in association with the Computer Incident Response Team (CIRT), the national body under the ICT ministry, Roy said.
The CIRT now monitors the activities of every computer of the BB and reports to the central bank every month.
It reports every suspicious activity, he said, adding that some 4,000 BB officials have been given training on IT and cyber security.
The IT management and the security system of the dealing room that manages the SWIFT messaging with the New York Fed are being handled separately, Roy said.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions.
BB CASE IN NEW YORK
On February 1 last year, the BB filed a case with the United States District Court for the Southern District of New York against the Philippines’ Rizal Commercial Banking Corporation (RCBC) and others, including several top executives, for their involvement in a “massive and multi-year conspiracy” to steal its money.
The court heard the statements from both Bangladesh and the Philippines in the last week of December last year.
“We are awaiting the court verdict on whether it would accept the case or not,” Abu Hena Mohd Razee Hassan, head of the Bangladesh Financial Intelligence Unit, told The Daily Star.
LEGAL PROCEEDING IN MANILA
The Philippines has filed 12 cases against the RCBC.
The Department of Justice has ordered the filing of charges for four counts of money laundering against the owners of local remittance firm Philrem Service Corp. in connection with the heist, reported the Inquirer of the Philippines on January 9.
In a 23-page resolution dated December 12, 2019, Justice Undersecretary Adrian Ferdinand Sugay reversed an earlier department ruling dismissing the charges against the remittance firm’s owners.
He said Philrem, a covered institution under the Anti-Money Laundering Act, failed to report to the Anti Money Laundering Council (AMLC) the series of suspicious transactions that paved the way to conceal the money stolen from the BB almost four years ago.
Last year, the Makati Regional Trial Court Branch 149 found former RCBC branch manager Maia Deguito guilty of eight counts of money laundering in connection with the heist and sentenced her to a jail term ranging from 32 to 56 years. The case is currently on appeal, the Inquirer said.
Since 1973, the BB has held its international reserves in a custodial account in New York City with the New York Fed. This account enables the central bank to participate in the international financial system.
The BB conducts approximately 85 per cent of its international transactions in the US dollars, and it does so through its custodial account at the New York Fed.
On average, the BB holds more than a $1 billion balance in the account, according to the document filed with the US court.
The BB chose the New York Fed for its account because of the New York Fed’s central role in the worldwide financial system.
It provides banking and financial services to about 250 other foreign central banks, governments and official international institutions, such as the International Monetary Fund.
INVESTIGATION IN BANGLADESH
Mostafa Kamal, special superintendent of organised crime of CID, told The Daily Star that their investigation is being delayed as their vital counterparts in Philippines are not providing information they sought earlier.
“We have almost completed our investigation here and are waiting for information from other countries including the Philippines. We will submit charge sheet in the case within three to four months of receiving those information,” he told The Daily Star recently.
A CID official involved in the investigation said they are waiting for information from the Philippines, China and Sri Lanka. As much as 90 per cent of the information lies with Philippines.
Apart from communicating through the formal channel, the officials said they are trying to gather information through Bangladesh embassy staff in the respective countries.