There are many different types of risk that an entity may face. However, I confess I had rarely thought about a day of the week as a risk until I read a story in the Wall Street Journal (WSJ), by Syed Zain Al-Mahmood and Cris Larano, entitled “From the Fed to the Philippines: Bangladesh’s Stolen-Money Trail”. Their article detailed the initial investigations into the fraudulent transfer of money from the account of the Central Bank of Bangladesh at the Federal Reserve Bank of New York (the Fed).
The theft occurred in early February but was not publicly reported until early March. On Friday, February 5, the Fed began to receive requests for wire transfers purportedly from the central bank of Bangladesh. Some $101 million was wired out from the Fed on that Friday, but there were requests for an additional $950 million to go out as well. In Bangladesh, the weekend is Friday and Saturday. It turned out that the Fed had sent out 35 separate requests asking the Bangladesh central bank to confirm that the initial requests to transfer the money were legitimate. However, “The computer terminal that connected Bangladesh’s central-bank computers to the secure interbank messaging system known as Swift was “unresponsive” on Feb. 6, the morning after the theft, a senior official working at the bank’s secure server room said in the police report seen by The Wall Street Journal.” Moreover, “According to the report, Zubair Bin Huda, the senior official in charge of the glass-walled server room – known as the “Dealing Room” – was concerned when a printer connected to the terminal couldn’t print out the interbank messages received during the night.”
It was not until the Bangladesh workweek began on Sunday that Bangladesh central bank employees hooked up a backup server and printed out the 35 messages from the Fed. At that point they were able to stop the fraudulent transfers, averting the transfer of the remaining $950 million that had been requested, but $101 million had already been transferred out. The Bangladesh central bank then “sent urgent messages to the Philippines central bank on Feb. 8 asking it to freeze four accounts” where the money had been sent, but by then it was too late.
Of the $101 million, “$20 million [went] to Sri Lanka … to the account of a newly formed nongovernmental organization, according to the officials in Dhaka. The Sri Lankan bank handling the account reported the unusual transaction to the country’s central bank and authorities reversed the transfer.” Unfortunately, the remaining $81 million was wired to a bank in the Philippines. On Monday, February 8 (the first day of the workweek in the Philippines), “Senior Bangladeshi officials sent urgent messages to the Philippines central bank on Feb. 8 asking it to freeze four accounts at the RCBC where $81 million had flowed”.
An executive at Rizal Commercial Banking Corp (RCBC), Romualdo Agarrado, testified at a Philippine Senate hearing that the bank did receive the requests from Bangladesh, on February 9, and did issue stop orders internally, but one bank manager “Maia Santos Deguito ignored it. Instead, she moved the money to a foreign-currency account opened Feb. 5 under the name of Centurytex Trading, a local brokerage firm owned by businessman William Go, Mr. Agarrado testified.”
From there the money was then washed out through casinos in the Philippines. In an article in the Financial Times (FT), entitled “Philippines eyes reform in wake of $81m heist”, Avantika Chilkoti reported, “$50m was passed on to two casino groups and another $31m delivered in cash to a “junket agent” organizing trips for gamblers.” The Philippines, with one of the most porous anti-money laundering (AML) regimes around, has completely exempted the country’s casinos from its even more paltry laws.
This was clearly a very sophisticated crime, with many moving parts. However, the basic timing is something that companies need to consider as a risk going forward. Have you thought about treating a request to make a payment late on a Friday as suspicious? What about a suspicious payment request on a Thursday? Did you consider the weekend days of the country to which the payments were being wired? Did you send a request for confirmation, as the Fed did, 35 times?
What if there was no response, as was the case with the central bank of Bangladesh? Does that mean the bank was incompetent? How about a potential inside job that took the primary server down so the individual requests for confirmation could not be printed out? Or maybe they are all simply out at the beach for the weekend?
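The timing questions above can be turned into a pre-release check. The sketch below is an added example, not code from the article or from any bank: it holds an unconfirmed payment request while the originating institution is on its weekend and reports how long it will be before anyone there can answer a confirmation request. The country codes, fixed UTC offsets, 09:00 reopening time and the sample requests are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Weekend days as Python weekday numbers (Monday=0 ... Sunday=6).
# Bangladesh (Friday/Saturday) is from the article; US is Saturday/Sunday.
WEEKEND = {"BD": {4, 5}, "US": {5, 6}}
UTC_OFFSET_HOURS = {"BD": 6, "US": -5}  # assumption: fixed offsets, no DST
OPENING_HOUR = 9                         # assumption: offices reopen 09:00 local

def hours_until_reachable(received_utc, country):
    """Hours until staff at the originator can answer a confirmation request."""
    tz = timezone(timedelta(hours=UTC_OFFSET_HOURS[country]))
    local = received_utc.astimezone(tz)
    if local.weekday() not in WEEKEND[country]:
        return 0.0  # simplification: any working day counts as reachable
    day = local
    while day.weekday() in WEEKEND[country]:
        day += timedelta(days=1)
    reopen = day.replace(hour=OPENING_HOUR, minute=0, second=0, microsecond=0)
    return (reopen - local).total_seconds() / 3600

def assess(request):
    """Return (decision, reason) for one payment request."""
    if request["confirmed"]:
        return "release", "originator confirmed the instruction"
    gap = hours_until_reachable(request["received_utc"], request["originator"])
    if gap == 0:
        return "callback", "originator is at work; confirm before release"
    return "hold", f"originator on weekend; earliest confirmation in {gap:.0f}h"

# Constructed sample requests; only the 5 February 2016 date is from the article.
SAMPLE = [
    {"id": "A", "originator": "BD", "confirmed": False,   # Friday evening in Dhaka
     "received_utc": datetime(2016, 2, 5, 15, 0, tzinfo=timezone.utc)},
    {"id": "B", "originator": "BD", "confirmed": False,   # Wednesday afternoon
     "received_utc": datetime(2016, 2, 3, 10, 0, tzinfo=timezone.utc)},
    {"id": "C", "originator": "BD", "confirmed": True,    # already confirmed
     "received_utc": datetime(2016, 2, 5, 15, 0, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["id"], *assess(r))
```

A production version would also account for public holidays and office hours; the point here is that silence from the originator during its weekend is treated as a reason to hold, not as consent.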
The reason you need to continually evaluate risk is that the risks change. Risks change because the bad guys change their approaches to getting your money. Whether those bad guys are within your organization or without, you need to evolve your risk assessments and risk management as new risks arise.
© Thomas R. Fox, 2016