How NY Fed fum­bled over Bangladesh Bank cy­ber-heist

The Pak Banker - - COMPANIES/BOSS -

Jupiter. That sin­gle word, by a stroke of luck, helped stop the Fed­eral Re­serve Bank of New York from pay­ing nearly $1 bil­lion to the cy­ber-crim­i­nals be­hind a no­to­ri­ous bank heist ear­lier this year, ac­cord­ing to sources fa­mil­iar with the in­ci­dent. When hack­ers broke into the com­put­ers of Bangladesh's cen­tral bank in Fe­bru­ary and sent fake pay­ment or­ders, the Fed was tricked into pay­ing out $101 mil­lion. But the losses could have been much higher had the name Jupiter not formed part of the ad­dress of a Philip­pines bank where the hack­ers sought to send hun­dreds of mil­lions of dol­lars more. By chance, Jupiter was also the name of an oil tanker and a ship­ping com­pany un­der United States' sanc­tions against Iran. That sanc­tions list­ing trig­gered con­cerns at the New York Fed and spurred it to scru­ti­nise the fake pay­ment or­ders more closely, a Reuters ex­am­i­na­tion of the in­ci­dent has found.

It was a "to­tal fluke" that the New York Fed did not pay out the $951 mil­lion re­quested by the hack­ers, said a per­son fa­mil­iar with the Fed's han­dling of the mat­ter. There is no sug­ges­tion the oil tanker or ship­ping com­pany was in­volved in the heist.

The Reuters ex­am­i­na­tion has also found that the pay­ment or­ders sent by the hack­ers were ex­cep­tional in sev­eral ways. They were in­cor­rectly for­mat­ted at first; they were mainly to in­di­vid­u­als; and they were very dif­fer­ent from the usual run of pay­ment re­quests from Bangladesh Bank. Yet it was the word Jupiter that set the loud­est alarm bells ring­ing at the New York Fed. Even then it ap­peared to re­act slowly. By the time the fraud was dis­cov­ered, the New York branch of the U.S. cen­tral bank had ap­proved five of the pay­ments. It took $101 mil­lion from Bangladesh Bank and paid it to ac­counts in Sri Lanka and the Philip­pines - in­clud­ing $81 mil­lion to four ac­counts in the names of in­di­vid­u­als. Most of that $81 mil­lion re­mains lost.

It was among the most au­da­cious cy­ber-heists ever to emerge - shin­ing a light on wor­ry­ing weak­nesses in the global fi­nan­cial sys­tem and into a lit­tle-known cor­ner of the U.S. Fed­eral Re­serve: its Cen­tral Bank and In­ter­na­tional Ac­count Ser­vices unit (CBIAS), which one for­mer em­ployee de­scribed as a "bank within a bank." In­ter­views with in­ves­ti­ga­tors, lawyers and cur­rent and for­mer cen­tral bank of­fi­cials in sev­eral coun­tries, as well as a Reuters re­view of pay­ment mes­sages, emails and other doc­u­ments, show dis­ar­ray and bungling at all the fi­nan­cial in­sti­tu­tions in­volved. But the most strik­ing is the in­er­tia and clum­si­ness at the New York Fed, the most pow­er­ful of the U.S. cen­tral bank's 12 re­gional units and a main­stay of global fi­nance.

The heist re­vealed that the New York Fed lacked a sys­tem for spot­ting po­ten­tial fraud in real time - even though such sys­tems are used else­where - in­stead re­ly­ing at times on check­ing pay­ments after they were made, usu­ally for prob­lems such as vi­o­lat­ing U.S. sanc­tions.

Months of bit­ter fin­ger-point­ing over who is to blame for the fi­asco have dam­aged the sen­si­tive diplo­macy of correspondent bank­ing, where big West­ern in­sti­tu­tions are en­trusted with safe­guard­ing the trea­sures of smaller economies.

Newspapers in English

Newspapers from Pakistan

© PressReader. All rights reserved.