The lost Bangladesh Bank $101m from reserve


When hackers tried to steal nearly $1 billion from Bangladesh bank, the Federal Reserve Bank of New York failed to spot warning signs and nearly let all the money go. This is what Krishna N. Das and Jonathan Spicer said in an investigative report at Reuters, an international news agency.  The report says, “Jupiter. That single word, by a stroke of luck, helped stop the Federal Reserve Bank of New York from paying nearly $1 billion to the cyber-criminals behind a notorious bank heist earlier this year, according to sources familiar with the incident. But the Fed was tricked into paying out $101 million”. But the losses could have been much higher had the name Jupiter not formed part of the address of a Philippines bank where the hackers sought to send hundreds of millions of dollars more. By chance, Jupiter was also the name of an oil tanker and a shipping company under United States’ sanctions against Iran.

Currently, the amount of Foreign Exchange Reserves in Bangladesh is $290 million.  Compared to its reserve the amount of hacked money is very less. But the image of the country is shaken through this incident. However, in the investigations it is proved that Bangladesh Bank is not liable for the heist.

Quite unfortunately following the bank heist, former Bangladesh Bank Governor Atiur Rahman resigned amidst criticism just months before his normal retirement at beginning of August. As Governor of the Central Bank of Bangladesh, he took many laudable steps in developing the country’s economy by developing programs such as a women entrepreneur’s loan, a loan for landless farmer and special programs around Green Finance. The former governor also worked to automate and digitize the banking sector of Bangladesh.

Following the Bangladesh Bank reserve heist two Deputy Governors- Najnin Sultana and Abul Kashem were sacked after Dr Atiur Rahman’s resignation, though none of those were assigned in their post. The media and people criticized the heist and some consider it as ‘Theft’ following the past records -in the banking sector.  On 2 August , Krishna N. Das, Jonathan Spicer and Sirajul Kadir in a report to Reuters said that a team of Bangladesh Bank have been staying in Manila to recover $63 million. It also said that on February 4 and 5, the hackers were trying to steal $1 billion from the Federal Reserve Bank of New York but they succeeded to transfer $81, $18 million from them has been recovered till now.

The report has found that the payment orders sent by the hackers were exceptional in several ways. They were incorrectly formatted at first; they were mainly to individuals; and they were very different from the usual run of payment requests from Bangladesh Bank. Yet it was the word Jupiter that set the loudest alarm bells ringing at the New York Fed. Even then NY Fed appeared to react slowly. By the time the fraud was discovered, the New York branch of the US central bank had approved five of the payments that  took $101 million from Bangladesh Bank reserve and paid it to accounts in Sri Lanka and the Philippines – including $81 million to four accounts in the names of individuals.

The Bangladesh Bank has claimed Rizal Commercial Banking Corp (RCBC)’s responsibility for this heist, however, the bank authority denied the accusation. The president of the RCBC Lorenzo Tan resigned amidst criticism following the heist but he claimed his innocence in this regard.  He said “As shown by RCBC’s own investigation, the allegations of my involvement in the current money-laundering issue are unfounded and baseless. I resigned to give the board a free hand in directing the course of the bank’s future.”  He added “Despite having been cleared of any wrongdoing, as president and CEO of RCBC, I take full moral responsibility for this sad incident in the history of the bank. With a heavy heart, I feel the time has come for me to move on and provide my services elsewhere.”

In the reports published by Reuters it is also found that the RCBC bank officials had asked how the money is coming in Jupitar branch and how were they transferring the same legally? For this they also stopped transaction temporarily.
What is evident, according to investigative reports by cyber-security company FireEye seen by Reuters, is that someone obtained the computer credentials of a SWIFT operator at Bangladesh Bank, installed six types of malware on the bank’s systems and began probing them in January. The hackers did a series of test runs, logging into the system briefly several times between January 24 and February 2. One day they left monitoring software running on the bank’s SWIFT system; on another they deleted files from a database.

On February 4, the hackers began sending fraudulent payment orders via SWIFT and sent SWIFT message to transfer of $20 million from the central bank of Bangladesh to an account in Sri Lanka. Over the next four hours, 34 more orders arrived asking the US central bank to move a total of nearly $1 billion from the account it holds for Bangladesh Bank.  First, all 35 of the messages lacked the names of “correspondent banks” – the necessary next step in the payment chain that stopped the immediate transaction. However, among the all requests the bank approved only five messages that took $101 million from the reserve to Philippines and Srilanka.

The reporters of the Reuters have interviewed investigators, lawyers and current and former central bank officials in several countries, as well as its review of payment messages, emails and other documents that show indiscipline and bungling at all the financial institutions involved. But the most striking is the inertia and clumsiness at the New York Fed, the most powerful of the US central bank’s 12 regional units and a mainstay of global finance.

We do not know when will get back the hacked money. Even getting back the image that has been lost through the BB cyber heist incident is more difficult. There are couples of researches and investigations done in the country about the heist.  We should pay heed to those and work on the lackings that we have. We also need to ensure that our lacking and self-motif might not harm our beloved country’s economy.  We know there are many  exchanges of opinion about Central Bank’s limitations- how finance ministry will control it, what would be arena of autonomy. But we should not put the Bangladesh Bank cyber heist into the above debate. If we say the Bangladesh Bank is also responsible equally in this cyber heist, we ourselves havemade our case weak. However, it is already clear who were behind the heist?-Federal Reserve of New York and Rizal Commercial Banking Corp (RCBC)! It is high time to take this matter under serious consideration.