Bangladesh's central bank has suggested the Federal Reserve Bank of New York had a "major lapse" in allowing hackers to transfer $101 million in transactions that it later flagged as suspicious, according to an internal document seen by Bloomberg.
The document, dated March 13, sheds new light on Bangladesh Bank's interpretation of a cyber heist in which hackers tried to steal nearly $1 billion last month. It outlines the strategy for recouping the stolen cash, including possible legal measures, and doesn't appear to include input from anyone outside the central bank.
It also shows the New York Fed and Bangladesh put in place greater security measures on transfers immediately after the theft.
In early February, the Federal Reserve Bank of New York blocked 30 transactions from Bangladesh's account valued at $850 million because of a lack of beneficiary details, according to the Bangladesh Bank document. However, the New York Fed allowed another five transactions to go through "which they subsequently flagged for due diligence review," it says.
"We view this as a major lapse on the part of FRB NY," the document says, referring to the New York Fed. Bangladesh is engaging legal counsel in New York City "to establish precise grounds of initiating lawsuit claiming recompense," it says.
New York Fed spokeswoman Andrea Priest said they aren't commenting beyond a statement earlier this month. The instructions to make the payments from the account of Bangladesh's central bank followed standard protocols and were authenticated by the SWIFT message system used by financial institutions, a Fed spokeswoman said on March 8.
Subhankar Saha, spokesman for Bangladesh Bank, said he won't comment on any internal document or any part of the investigation.
Investigators are still trying to determine the masterminds of the heist. Earlier this month Bangladesh Finance Minister Abul Maal Abdul Muhith said the Fed was responsible for the stolen funds.
About $81 million ended up in the Philippines and most has disappeared. Philippine authorities have accused a branch manager at Rizal Commercial Banking Corp. of laundering money, a charge she has denied. Another $20 million sent to Sri Lanka was returned by Pan Asian Banking Corp. after it spotted a spelling error in the beneficiary's name and flagged that to Bangladesh authorities.
The suspect transfers were made on Thursday, Feb. 4. Bangladesh's central bank -- with limited staffing on the Friday-Saturday weekend -- didn't detect the fraud until two days later, in part because of a printer error. It also received two SWIFT messages from the New York Fed dated Feb. 4 "mentioning about 'doubtful' Payment Instructions," according to the document.
On Feb. 6, a Saturday, Bangladesh Bank immediately contacted SWIFT about the issue and was advised to "cordon off" the local server while damage assessments were carried out, according to the document. Bank officials also called the New York Fed on a phone number that appeared on its website, but couldn't connect with anyone, it said. Central bank officials sent four e-mails and a fax to the New York Fed to try and get them to stop payment, it said.
Two days later, when the SWIFT system was back up and running, Bangladesh Bank sent messages to stop payment on all the suspect transactions, according to the document. The New York Fed responded on Feb. 9 outlining the steps they took and setting up a conference call it said.
The New York Fed "also insisted upon a security clearance protocol to be signed to smoothen future operations" that was executed on Feb. 15, the document said. The agreement between the two banks "put in place a multi-tiered payment authentication system."
The Philippines on Tuesday filed a money laundering complaint at the Department of Justice against two more people allegedly involved in the heist. A nine-page complaint filed by the Anti-Money Laundering Council named respondents Kim Wong and Weikang Xu. Both couldn't be reached to comment on the allegations.
Wong, president and general manager of Eastern Hawaii Leisure Co. Ltd., received 1 billion pesos ($21.6 million) from local remittance company Philrem Service Corp. from Feb. 10 to Feb. 11, the agency said, citing its investigation. Philrem also transferred $30.6 million to Chinese national Xu from Feb. 5 to Feb. 13, according to the complaint, citing the company's testimony at the Senate hearing.
Eastern Hawaii couldn't be contacted. Victor Fernandez, Wong's lawyer, told Philippine Senate investigators on March 17 his client is in Singapore for medical treatment and will be back on the 28th to answer the charges. Xu didn't attend two previous hearings despite receiving an invitation.
The Bangladesh central bank document also sheds light on how banks responded to the "stop payment" SWIFT messages that Bangladesh Bank sent on Feb. 8 to try and halt the illicit transfers. Wells Fargo & Co. responded on the same day, while Bank of New York Mellon Corp. wrote back the next day and said it was unable to locate the transaction in question, according to the document. Citigroup Inc. didn't respond to four messages, according to the document.
Richele Messick, a spokeswoman at Wells Fargo, declined to comment, as did Kevin Heine, a spokesman for BNY Mellon, and Jennifer Lowney, a Citigroup spokeswoman.
SWIFT is a member-owned cooperative that provides international codes to facilitate payments between banks globally. It can't comment on the investigation, according to Charlie Booth from Brunswick Group, a corporate advisory firm that represents SWIFT.
"We reiterate that the SWIFT network itself was not breached," Booth said in an e-mail. Separately, he wrote: "Our priority at this time is to encourage customers to review and, where necessary, to reinforce their local operating environments."