NY Fed responds, defends its role

The Federal Reserve Bank of New York has rejected claims that it had executed five payment orders without receiving reconfirmation it had sought from Bangladesh Bank, costing the central bank of Bangladesh $81 million in reserve heist.

The press reports that suggested the Fed requested reconfirmation from the BB for payments but did not wait for the responses are incorrect, the Fed said yesterday.

"We do not have a policy of 'reconfirming' payment instructions from central banks unless there is a fatal formatting error or a manual review, either prior to or after payment execution, gives us a reason to inquire about the nature or purpose of an instruction," the Fed said.

The Fed's reply came nearly two months after US Congresswoman Carolyn B Maloney raised questions about the New York Fed's actions regarding the $101-million heist from the BB account.

Of the sum, the payment of the $20 million that was channeled to Sri Lanka was stopped after suspicion arose and was later returned to the BB account. The rest $81m went to various accounts in the Philippines.

The BB expects to get back a portion of the money. 

BB Lawyer Ajmalul Hossain earlier told The Daily Star that the Fed was negligent in not taking appropriate action in respect of the fraudulent payment instructions that were received.

“The Fed requested information from Bangladesh Bank after they had actually made the payments. If the Fed made a query about some doubtful transactions, we think it was incumbent upon the Fed to at least send a message to the beneficiaries' bank to hold those payments and not make payments on instructions of the beneficiaries,” he told The Daily Star in mid-April.

The Fed replied only to the queries raised by the Congresswoman.

It, however, did not say anything about why it did not stop payments of the funds from its system even though the Fed had suspected something wrong in the orders. Nor did it take any step to ask the banks in Sri Lanka and the Philippines to stop payments to the private beneficiaries.

The funds were not released to the hackers until February 9, five days after the Fed raised red flags and started sending out queries.

In its reply, the Fed said every payment that is executed by the New York Fed on behalf of its central bank account-holders results in an advice being issued to the account-holder, indicating that its instructions have been carried out.

"The advice is sent immediately after the payment is executed. It is the responsibility of the account-holder to review such notices," it said.

On February 4, cyber criminals sent 35 orders via the SWIFT financial messaging system to transfer roughly $951 million from the BB account with the Fed to a number of private accounts in other countries.

The Fed executed five of the orders, transferring a total of $101 million to four private accounts in the Philippines and one to the account of a non-governmental organisation in Sri Lanka.

The Fed didn't carry out the remaining 30 transfer orders, involving $850 million, and instead sought reconfirmation from the BB.

Replying to the US Congresswoman's query that why the Fed blocked the last 30 transfer orders, but not the first 5 orders, the Fed said, "On February 4, the New York Fed contacted the central bank of Bangladesh to inquire about the purpose of certain pending payments that had not yet been executed.

“Consistent with our procedures and in part as a result of determining that there was potentially suspicious activity with respect to the pending payments, on the next day, February 5, the New York Fed reviewed all transactional activity in the Bangladesh account from February 4 that had been executed before the potentially suspicious activity was detected.

“Based on this review, on February 5 we again contacted the central bank of Bangladesh, this time with additional inquiries about the purpose of certain payments that had been executed the prior day."

It also said when the Fed received an authenticated payment instruction via SWIFT, there are additional processing steps that must take place before the Fed acts on the instruction.

Unlike the SWIFT authentication protocols, these steps are not designed to protect our customers from an unauthorised transfer. Rather, the New York Fed performs diligence to protect itself from unwittingly transferring dollars to a sanctioned jurisdiction or person.

"Automated systems screen the payment instructions for sanctions compliance and also to ensure the instructions are properly formatted. If an instruction fails one of these automated screens, a New York Fed employee will manually review the payment instruction for the cause of the failure."

The Fed said the vast majority of authenticated instructions received from foreign official account holders are not flagged for manual review by the automated systems.

On the afternoon of February 4, the Fed said, after certain earlier payments had been screened and cleared for execution, several instructions submitted in a batch of 30 were flagged for sanctions compliance review.

"These instructions were nagged close in time to each other. As a result of the manual review or the group of nagged messages, the New York Fed determined that the activity in question was potentially suspicious and the payment instructions should not be executed without additional inquiry to the central bank, including an inquiry as to the intended purpose of the payments."

In response to the reply, Maloney, the Ranking Member of the House Financial Services Subcommittee on Capital Markets, said, “While the New York Fed's response to my initial inquiry provides key information about the Bangladesh Bank incident, I remain concerned that there are critical security gaps in the international payment system.

“I will be urging the New York Fed to expedite its review of its security protocols to ensure that this kind of brazen cyber heist doesn't happen again. We must ensure the safety and soundness of international monetary transactions.”

Maloney sent the letter to the Fed president on March 22.

The New York Fed provides banking services to about 250 central banks and other foreign official institutions. Foreign central banks establish accounts at the New York Fed in order to accommodate international monetary transactions, settle their US dollar obligations, and hold their foreign reserves.