New York Fed Stands By Its Fund-Transfer Procedures in Letter
The Federal Reserve Bank of New York defended fund-transfer procedures that have come under scrutiny after the theft of tens of millions of dollars from Bangladesh’s account at the New York Fed, in a letter released by a lawmaker Friday.
Thomas Baxter, the head lawyer and executive vice president at the New York Fed, was responding in an April 14 letter to enquiries from Rep. Carolyn B. Maloney (D., N.Y.), who asked the Fed for information about its procedures for recalling transfers that turn out to be fraudulent.
She asked the Fed for the details following a cyberattack on Bangladesh’s account in February, in which thieves made off with $81 million that still hasn’t been traced. The New York Fed repeatedly has said its own systems weren’t compromised.
In the letter, Mr. Baxter said the Fed’s procedures, unlike Swift authentication protocols, are for preventing dollars from being transferred to individuals or firms that have been placed under sanctions and “are not designed to protect our customers from an unauthorized transfer.” The Society for Worldwide Interbank Financial Telecommunication, known as Swift, is a cooperative that runs the international messaging system between banks.
The New York Fed screens payment instructions automatically and selects some for manual review. The manual review can happen either before or after the payment is executed.
A timeline pieced together by the Journal, citing people familiar with the events, showed that the New York Fed flagged a dozen orders as suspicious hours after they arrived and repeatedly tried to reach officials in Bangladesh. But when they didn’t answer, it then waited over the weekend before trying to stop payment on another five transfers it already had authorized.
Mr. Baxter confirmed that “several” instructions in a batch of 30 orders were flagged for sanctions compliance review.
“Consistent with our procedures, and in part as a result of determining that there was potentially suspicious activity with respect to the pending payments [on Feb. 4], on the next day, Feb. 5, the New York Fed reviewed all transactional activity in the Bangladesh account from Feb. 4 that had been executed before the potentially suspicious activity was detected,” Mr. Baxter said.
“Based on this review, on Feb. 5 we again contacted the central bank of Bangladesh, this time with additional inquiries about the purpose of certain payments that had been executed the prior day.”
The congresswoman in a statement said that the New York Fed’s letter provided key information, but she remained concerned there were critical security gaps in the international payments system. She said she would push the New York Fed to expedite its review of its own security procedures to avoid a repeat incident.
The release of the April letter from the New York Fed came on the same day Sen. Sherrod Brown (D. Ohio), the ranking Democrat on the Senate Banking Committee, said breaches such as the one in Bangladesh were a worrying sign for the global payments system.
A New York Fed spokeswoman had no additional comment. In the letter, Mr. Baxter said: “The Federal Reserve is continually assessing its own internal control environment as security threats evolve, and we expect other central banks and commercial banks to do the same.”
A second attack besides the one in Bangladesh was disclosed late Thursday by Swift, which it said involved an unnamed commercial bank. On Friday, computer security researchers at BAE Systems said a bank in Vietnam had been targeted with malicious software. The BAE researchers didn’t specify the Bangladesh attack, but they linked their report back to their earlier findings on the Bangladesh breach. It isn’t clear if the bank BAE referred to in Vietnam was the same bank Swift referred to.
Swift declined to comment on the report.
Swift said Thursday it had found evidence of a “few” additional incidents at customers of its payments messaging system, and had recently notified customers about a “small number of recent cases of fraud at customer firms.”
Bangladesh’s central bank has been trading accusations with Swift over who is responsible for the theft of the $81 million from the bank’s account at the New York Fed.