According to two individuals with direct knowledge of the matter, hours before four fraudulent requests for transferring $81 million from a Bangladesh bank account were approved by the Federal Reserve Bank of New York, the same requests had been blocked by the Fed branch as they were found lacking in information that was needed for making the money transfer. In February, on the day of the theft, about 35 requests for transferring funds to numerous overseas accounts had been initially rejected by the New York Fed. Therefore, the later decision of the Fed for fulfilling a number of the resubmitted requests raises questions about whether some red flags were missed.
The requests cyber-threat transfers had been denied by the US central bank’s New York branch because they were not in the proper format for the SWIFT formatting system, which is the network used by banks for making international financial transfers. As per the official of the Bangladesh Bank, the transfer requests lacked the names of correspondent banks that typically get the wired funds. The requests were rejected by the Fed, which had come from hackers who had broken into the SWIFT network via the Bangladesh Bank systems. However, the cyber-thieves submitted those 35 requests again later in the day.
The messages boasted the proper format on the second try as per the New York official. SWIFT had authenticated the requests, which is the first line of defense used against any fraudulent wire transfers. Even though they complied technically, 30 of the requests were once again rejected by the New York Fed, but they chose to approve five requests, which totaled about $101 million. Later on, one of those five transfers that was for $20 million was reversed because there was a spelling error. It was stated by the New York Fed that the 30 requests had been blocked as they were flagged for an economic sanctions review.
They were termed as fraudulent requests later on. A source close to the bank and an official for the Bangladesh Bank said that all requests should have been rejected by the New York Fed on both the first and second try. The source with direct knowledge of the issue and who is close to the bank said that the four transfers had some anomalies that should have raised questions immediately at the New York Fed. The source said that individual recipients were paid in the transfers, which was a deviation of pattern for Bangladesh’s central bank.
Moreover, the false names used on the four approved requests were also on some of the 30 requests that had been rejected by the bank, which should have alerted them definitely. SWIFT and Bangladesh Bank didn’t comment on the matter. The New York Fed didn’t say anything on whether it missed any red flags and added that procedures for approving SWIFT transfers had had no problems. The SWIFT messaging system has come under heavy criticism due to this cyber theft from the Bangladesh bank and disclosures about other similar attempts of fraud.