Maloney Presses New York Fed for Answers on $81 million Bangladesh Central Bank Heist

Mar 22, 2016
Press Release

WASHINGTON, DC. – Today, Congresswoman Carolyn B. Maloney (NY-12) sent a letter to Federal Reserve Bank of New York President William Dudley pressing him for answers on the New York Fed’s actions in the recent heist of $81 million from the Bangladesh central bank’s account at the New York Fed. Rep. Maloney is the Ranking Member of the House Financial Services Subcommittee on Capital Markets and GSEs, as well as a senior member of the House Oversight and Government Reform Committee. A copy of Rep. Maloney's letter can be found here.

“This brazen heist from the Bangladesh central bank’s account at the New York Fed threatens to undermine the confidence that foreign central banks have in the Federal Reserve, and in the safety and soundness of international monetary transactions,” Rep. Maloney said. “We need a thorough investigation to determine how these criminals were able to manipulate the system so that banks and financial institutions can institute standards that will prevent hackers and cyber criminals from siphoning money out of accounts like those held at the New York Fed again.”

Specifically, Rep. Maloney’s letter questioned why the New York Fed blocked 30 of the 35 fraudulent transfer orders, but did not block the first 5 transfer orders. The congresswoman also questioned why the New York Fed requested reconfirmation from Bangladesh Bank for all 35 transfer orders, but did not wait until it received reconfirmation before executing the first 5 orders. Rep. Maloney requested a confidential briefing from New York Fed staff to get answers to lingering questions, including:

  • Is it appropriate to rely solely on authentication from SWIFT for outgoing payments from the accounts of foreign central banks? Are additional authentication protocols necessary to prevent this kind of cyber theft in the future?
  • Why did the New York Fed block the last 30 transfer orders, but not the first 5 orders? What was it about the last 30 transfer orders that raised the New York Fed’s suspicions?
  • Press reports indicate that the New York Fed requested reconfirmation from Bangladesh Bank of all 35 transfer orders, but executed the first 5 transfer orders without receiving any reconfirmation.[1] Why did the New York Fed request reconfirmation from Bangladesh Bank, but not wait until it received reconfirmation before executing the first 5 transfer orders? What is the New York Fed’s policy regarding reconfirmations of large transfers from the accounts of foreign central banks, and was that policy followed in this case?
  • Why did the New York Fed not question the apparent misspelling in the $20 million transfer order to the Sri Lankan account, as a correspondent bank did?

The full text of Maloney's letter is below.

 

Dear President Dudley,

I am writing with regard to the recent theft of roughly $81 million from the Bangladesh central bank’s account at the New York Fed. This incident highlights a number of issues that warrant careful attention.

According to press reports, on February 4, 2016, cyber criminals sent 35 orders, via the SWIFT financial messaging system, to transfer roughly $951 million out of Bangladesh Bank’s account at the New York Fed to a series of private accounts in other countries.[1] The New York Fed executed 5 of these orders, transferring a total of $101 million to four private accounts in the Philippines and one to the account of a non-governmental organization in Sri Lanka. The New York Fed did not carry out the remaining 30 transfer orders, totaling $850 million, and instead sought reconfirmation from Bangladesh Bank.[2] Fortunately, the $20 million transfer to the Sri Lankan account was halted when a correspondent bank questioned a misspelling in the transfer instructions. However, four transfers to private accounts in the Philippines, totaling $81 million, were successfully executed, and the criminals appear to have laundered the money through local Philippine casinos.[3]

As you know, the New York Fed’s Markets Group provides banking services to approximately 250 foreign central banks and other foreign official institutions.[4] Foreign central banks establish accounts at the New York Fed in order to accommodate international monetary transactions, settle their U.S. dollar obligations, and hold their foreign reserves. Through these accounts, the New York Fed provides foreign central banks with payments services that allow them to send and receive U.S. dollars through the Fedwire Funds Service. Providing foreign central banks with safe, reliable access to U.S. markets and to Fedwire supports the U.S. dollar’s role as the world’s principal reserve currency.[5]

According to the New York Fed, “For outgoing payments, [foreign official account holders] send us payment instructions by authenticated SWIFT, and we execute payments through Fedwire®.”[6] In the case of the transfers from Bangladesh Bank’s account, the New York Fed has stated that, “The payment instructions in question were fully authenticated by the SWIFT messaging system in accordance with standard authentication protocols.”[7] Nevertheless, several questions remain:

  • Is it appropriate to rely solely on authentication from SWIFT for outgoing payments from the accounts of foreign central banks? Are additional authentication protocols necessary to prevent this kind of cyber theft in the future?
  • Why did the New York Fed block the last 30 transfer orders, but not the first 5 orders? What was it about the last 30 transfer orders that raised the New York Fed’s suspicions?
  • Press reports indicate that the New York Fed requested reconfirmation from Bangladesh Bank of all 35 transfer orders, but executed the first 5 transfer orders without receiving any reconfirmation.[8] Why did the New York Fed request reconfirmation from Bangladesh Bank, but not wait until it received reconfirmation before executing the first 5 transfer orders? What is the New York Fed’s policy regarding reconfirmations of large transfers from the accounts of foreign central banks, and was that policy followed in this case?
  • Why did the New York Fed not question the apparent misspelling in the $20 million transfer order to the Sri Lankan account, as a correspondent bank did?

In order to better understand these important issues, while also protecting the confidentiality of Bangladesh Bank and other foreign central banks with accounts at the New York Fed, I respectfully request a confidential briefing from the appropriate staff at the New York Fed. If you have any questions about this request, please contact Ben Harney on my staff at (202) 225-7944.

 

###

 

 

[1] See Mallet and Chilkoti, “How Cyber Criminals Targeted Almost $1bn in Bangladesh Bank Heist.”

[1] See e.g., Victor Mallet and Avantika Chilkoti, “How Cyber Criminals Targeted Almost $1bn in Bangladesh Bank Heist,” Financial Times (March 18, 2016); Syed Zain Al-Mahmood and Cris Larano, “From the Fed to the Philippines: Bangladesh’s Stolen-Money Trail,” Wall Street Journal (March 18, 2016).

[2] Id.

[3] Id. (“In previous [Philippine] Senate testimony, Julia Bacay-Abad, executive director of the Anti-Money Laundering Council, said the money apparently had been used to buy gambling chips. The council’s investigation ended at the casino’s doors, however. Gambling facilities aren’t covered by the Philippines’ Anti-Money Laundering Law.”).

[4] See New York Fed, Services for Central Banks and International Institutions, available at: https://www.newyorkfed.org/aboutthefed/fedpoint/fed20 (last accessed March 20, 2016).

[5] See New York Fed, Providing Banking Services to Central Banks and Relevance to Monetary Policy Implementation, at 9 (September 2015), available at: https://www.newyorkfed.org/medialibrary/media/banking/international/09.29.2015-cbias-1.30pm.pdf (last accessed March 20, 2016).

[6] See New York Fed, Services for Central Banks and International Institutions.

[7] New York Fed, Statement on Media Reports About Bangladesh (March 9, 2016), available at: https://www.newyorkfed.org/newsevents/statements/2016/0311-2016 (last accessed March 20, 2016).

[8] See Mallet and Chilkoti, “How Cyber Criminals Targeted Almost $1bn in Bangladesh Bank Heist.”