The Federal Reserve Bank of New York and Bangladesh’s central bank have agreed to withdraw additional payment security measures put in place after one of the world’s biggest cyber heists, the theft of $81 million from Bangladesh Bank’s account at the Fed, two sources said.
The decision comes after SWIFT, the global financial messaging platform, promised in May to strengthen security on software tools used by its clients and to develop new tools that would spot a compromised account and raise a red flag when a payment instruction deviates from normal patterns.
The decision was taken at a meeting in New York this week between officials from Bangladesh Bank, the New York Fed and SWIFT, said a source close to Bangladesh Bank who has direct knowledge of the matter. They have agreed on a tentative timeline to withdraw the additional security measures but the source declined to give details.
“(The New York Fed and Bangladesh Bank) want to use (only) SWIFT for secure communication,” said the source, declining to be named as he was not authorized to brief the media. “We are talking about normalizing our communication channels as soon as possible.”
The New York Fed and SWIFT could not immediately be reached for comment.
In early February, hackers used stolen Bangladesh Bank credentials to send three dozen SWIFT messages to transfer nearly $1 billion from its Fed account, eventually managing to route $81 million to a bank in the Philippines. Most of the money was laundered through casinos in Manila and remains missing.
Following the heist Bangladesh Bank initiated a new protocol under which the Fed could only clear any SWIFT request from Dhaka after a voice authentication. Fed officials had to call one of two or three Bangladesh Bank officials whose voice samples were shared with the Fed.
A senior Bangladesh Bank official in Dhaka, who declined to be named, said more time was needed “to improve the system” before moving back to a SWIFT-only transfer mechanism.
Both sources said the New York Fed wanted to do away with the additional measure as it delayed genuine transfer instructions. SWIFT has told Bangladesh Bank its system was secure and that the Asian bank needed to tighten its own defenses to prevent criminals from hacking into their computer systems.
Bangladesh Bank spokesman Subhankar Saha said he was not aware of the agreement and would comment only after the bank’s delegation came back from the United States.
The bank said in a statement on Wednesday that its officials discussed with the New York Fed and SWIFT “certain technical details” of the heist to enhance their understanding of how the fraud occurred and “steps that have been and will be taken to remediate the event.”
The Bangladeshi delegation also requested the New York Fed to put more pressure on the Philippines’ Rizal Commercial Banking Corp (RCBC), to recover the rest of the stolen money, said the source close to Bangladesh Bank. The funds were routed to four accounts at the bank before they disappeared into casinos in the city.
The New York Fed in June wrote to the Philippines’ central bank, prodding it to help Bangladesh Bank retrieve the money. Bangladesh Bank officials believe the nudge from the Fed was one of the reasons the Philippines central bank this month slapped a record fine of 1 billion pesos ($21 million) on RCBC in connection with the heist.