
BB heist: Risk management with internal controls approach

Dilwar H. Choudhury and Javed Ikbal | Thursday, 24 March 2016


Since Bangladesh Bank's 'illegal' fund transfer came to light and became public knowledge, controversy, recrimination, tempers and emotions have flown so high that people digressed from the real issues at stake. To our mind the real issues are: a) why and how this happened; b) how to prevent, or reduce, future occurrences.
The first issue has a very wide scope. While the investigation is under way, we do not have sufficient information to answer the HOW from a technical perspective, but we can examine this incident from an administrative and policy perspective, and the answer is clear: it comes down to the existence or absence of an internal control system within this organisation, and the practice or absence of audit and accountability.
As an analytical hypothesis we may assume that Bangladesh Bank (BB) has very slack internal control practices, and test that hypothesis against available evidence.
Let us start with one indisputable fact: US$101 million has left Bangladesh Bank through unauthorised funds transfers.
Conclusion from that fact: sufficient safeguards, or internal controls, did not exist at Bangladesh Bank. If such controls existed, even a technical compromise such as malware or virus or a complicit insider's actions would not have resulted in the funds actually being transferred.
The second issue, whether it can happen again in Bangladesh Bank, depends on how forceful the internal control mechanism within this organisation has been and, looking ahead, how far the bank is willing to make it more robust. Having said that, in the world of finance risk is never eliminated; it can only be controlled and mitigated.
What is internal control then, which draws so much significance? Internal control is no jargon. It is widely practised worldwide: by financial institutions, corporate bodies, government organisations, the military, project managers, airline pilots and any other orderly managed entity. Internal control is the stringent, constant and consistent application of certain process guidelines adopted within the organisation as the "Standard Operating Procedure" (SOP). Simply speaking, internal control is the continuous process of overseeing whether the SOP is being followed on a day-to-day, transaction-by-transaction basis. Bangladesh Bank in that sense has a very wide-ranging internal control responsibility. So the question is: can there be slackness within the central bank which regulates fifty-odd banks in Bangladesh?
SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a core financial services infrastructure. Because it guarantees resilience and must be secure, SWIFT is under constant scrutiny to remain available and to keep providing that security. It meets its security obligations and promises through clearly understood and closely audited internal controls and security practices. Before delving into the issues, we will describe SWIFT for non-bankers.
Think of SWIFT as a very secure messaging system. Thanks to technical safeguards whose explanation is beyond the scope of this article, when Bank A sends a SWIFT message to Bank B, both parties can be sure of the following: the message indeed came from Bank A, it was indeed received by Bank B, and it was not altered or tampered with in the middle by some attacker. The messages, formally known as "advices", have to follow a specific format or syntax.
Before the Internet, before modern networking, similar advices were sent via telexes or telegrams. There were no similar safeguards at that time: it was easy for a telex operator to send a fake telex and cause a bank transfer if he had the requisite information. One of the reasons SWIFT was born was to prevent these types of fraud. If the criminals do not have access to a SWIFT terminal/computer, they cannot send SWIFT messages.
SWIFT has stated that its core network was not compromised to send the messages, and BB has not disputed this. Therefore, we may conclude that the endpoint in BB was compromised.
The question is, HOW? Was it one or more insiders, as various persons on social media are claiming? Or is it a virus/malware, as the preliminary report suggests? Or, a combination thereof?
FAILURE OF INTERNAL CONTROLS: Regardless of the exact answer, we may presume that a lack of strict, valid and regularly tested internal controls resulted in this massive failure.
Computer networks are protected with a specialised device called a "firewall". Just as the walls of your house protect its contents from what is outside (rain, heat, thieves), a firewall protects the contents of the network from the bad elements outside: hackers, viruses, etc.
Various reports have stated that the SWIFT software was installed on the same computer that was running the Real-time Gross Settlement (RTGS) system that the 56 banks in Bangladesh are supposed to use, or that the SWIFT computer and the RTGS computer shared the same network.
If the reports are correct, this was a very basic control failure. We understand that three banks were connected to the RTGS. But in theory, all 56 banks could have been connected, and that would mean there would be 56 different doors on the firewall for attackers to come in. In that case, instead of worrying about the security of only its own network, BB now has to worry about the security of all the other banks that could touch the SWIFT system through the RTGS network.
The media has also reported the existence of USB (Universal Serial Bus) slots on the computers. Ever since Edward Snowden removed highly confidential US defence and espionage information from the NSA (National Security Agency), it is standard practice in the USA even in the commercial sector to block access to USB drives. If the most sensitive computers at BB had functioning USB slots, this was a catastrophic control failure.
The above are two obvious ways in which a virus or malware could have entered the SWIFT computers. We do not yet know whether there were updated anti-virus/anti-malware programs or other technical safeguards on those computers. If there were none, that would also be a control failure.
Those points address the technical part of the HOW question. How about the people part? An undisputed fact is that the fund transfer instructions were sent after the end of the workday in Bangladesh. If there were CCTV (closed-circuit television) footage showing the SWIFT computers during that period, it could conclusively prove whether or not a person was working on the computers. If the computer room was not under surveillance, that is a control failure.
We have heard from various sources that between three and eight staff members were authorised at various levels to send SWIFT messages and to approve transactions depending on the amount. Why, then, is there controversy about internal collusion with the criminals? If there were footage showing all of the authorised persons leaving the building (at the lift, or at the lobby) before the first suspect SWIFT message was sent, that would eliminate them as suspects who could have personally sent those messages. No such footage has been mentioned, and the cloud of suspicion still hangs over the BB employees. Conclusion: such footage does not exist, pointing to another control failure.
Using electronic access cards to enter and exit the treasury/wire room where the SWIFT computers are located could also have exonerated the innocent or pointed the finger at the guilty party, because every access/exit event would have been logged with a timestamp. Alas, no such logs exist!
Here are some critical controls that could have prevented this, or mitigated it to the point of finding the guilty party:
1. Robust technical controls: rigidly maintained and updated firewalls, updated anti-virus and anti-malware products, blocking of USB drives, and lastly, isolated SWIFT computers that were not connected to anything else, nor shared for any other task.
2. Robust administrative controls: video surveillance of critical areas including the treasury room, logged exit and entry of the treasury room, segregation of duty where the log and video monitoring were handled by an independent body, and segregation of duty for sending and authorising SWIFT messages.
Lastly, one more comment about an additional technical control. Banks these days use intelligence and behavioural analysis software that assists in one of the basic tenets of banking: KYC (know your customer). If out of nowhere large amounts are being disbursed to parties who have never received funds from the bank, the intelligence software would flag it and raise alarms. The functioning of such intelligence and behavioural analysis software should be independent of the treasury department, ensuring that multiple people from multiple departments would have to be part of any conspiracy. Any exception in the functioning of the software should also raise an alarm. More on such exceptions later.
Control failures take various forms. Granting a loan to a borrower without sufficient credit-worthiness is a control failure. Not pursuing a loan defaulter to the fullest extent of the law is a control failure. As custodians of the bank depositor's money, it is the moral, ethical and legal duty of bankers and their higher-ups to implement, adhere to, and execute such controls.
"TOO-BIG-TO-FAIL" OR "TOO-POWERFUL-TO-COMMIT-MISTAKES": Within the very context of Bangladesh Bank's presumed internal control culture we may indulge in something very fascinating. You might have heard or read the phrases "Too-Big-to-Fail" or "Too-Powerful-to-Commit-Mistakes". These concepts are a kind of moral hazard. The phrases were widely used during the subprime mortgage crisis in the USA to describe the tendency of people working in big and powerful organisations to make erratic decisions defying standard operating procedures. Professionals describe moral hazard as the tendency to do something irrational, the cost and consequences of which are borne by someone else. Those who made subprime decisions got away with impunity and financial rewards while the cost was paid by the taxpayers of the USA.
A specific case in point is the estimated written-off loss of Sonali Bank of Tk 17 billion or 1700 crore (equivalent to US$220 million) in the Hall-Mark case. The total amount of that scam was Tk 40 billion (4000 crore), and compared to that, the Tk 8.0 billion (800 crore) stolen from BB is only 20 per cent. When the scam first came to light the amount was ridiculed as peanuts. After all, Sonali Bank was too-big-to-fail. Though Hall-Mark was clearly a scam and thus a criminal offence, the bank authority was asked to file a civil case in the Artho Rin Adalat. In legal disputes, if you choose the wrong forum you have already lost half the battle before it has begun. Hall-Mark is no exception.
The BASIC Bank scam presents a more dismal picture. No appropriate legal measure was initiated in this case. This bank was not too big. But the people who covered up the crime were Too-Powerful-to-Commit-Mistakes. Bangladesh's banking sector losses in the Hall-Mark, BASIC Bank and Bismillah Group scams in the recent past add up to more than US$1.7 billion. In comparison Bangladesh Bank's $100 million is indeed peanuts.
In the recent past Bangladesh Bank imposed a fine of Tk. 1.0 million (10 lakh) on Farmer's Bank and then condoned this under changed circumstances. Erring managing director of Agrani Bank could not be tamed by Bangladesh Bank due to his powerful links. Depositors' money at stake in these two cases far exceeds $100 million, yet things are not as seriously viewed as the Bangladesh Bank debacle. Undeniably, the pattern of moral hazard in our country's financial sector is diverse and paradoxical.
CRITICAL LEGS UPON WHICH GOOD GOVERNANCE AND RISK-MANAGEMENT STAND: Standard Operating Procedures, Internal Controls, Auditors and Exception Reporting are intricately linked. Think of them as the critical legs upon which good governance and risk-management stand.
Let us illustrate this with an example. Standard Operating Procedures are the road upon which a car is supposed to travel. If the car goes off the road, an accident might happen. Internal controls are the traffic rules that govern how a car is supposed to travel on the road: what speed, what equipment, what signals, which side of the road, when to stop, when to go. The board of directors, and the auditors, both internal and external, reporting to the board, are the traffic police who enforce those rules. But since we cannot predict every occurrence in life, there will be exceptions: the car might get a punctured tyre and have to stop by the side of the road. Then we have to notify the police so they can ensure the safety and security of everyone and prevent accidents.
This is illustrated by a real-world example. In 1986, a system administrator at a research lab was asked by his boss to look into a 75-cent accounting discrepancy. At that time, computers were new, and usage was charged to users. Imagine this: less than a dollar. Spending more than 10 minutes on the investigation would have cost more than that dollar. But the employee was tenacious. He unravelled the mystery, and found that hackers working for the Soviet Union were breaking into US military computers through the research lab. Interested readers may read more about this here: http://bit.ly/1Lz21hM.
On Friday, February 05, 2016 a BB official visited the SWIFT computers per the SOP to look at overnight instructions. He found that there were no printouts on the printer, contrary to expectations. A team then tried to solve the printing problem, and later discovered a software problem. Valuable time was spent chasing this problem.
We do not treat the possibility of a brick falling on our finger, and the possibility of a brick falling on our head, with the same seriousness. This is the heart of risk management: each asset has a value. The higher the risk, the higher the possible impact. The issue with the SWIFT terminals and printers should have been treated as a major emergency. But as a proper risk analysis was never conducted, the officials did not grasp the importance of what the exceptions were telling them, and treated them as routine instead of escalating them properly.
Exception reporting is a type of report that identifies all events which are considered outside the normal and acceptable range of activities. This did not happen after the printer failure, and all evidence indicates that when the actual fraud/theft was discovered, that process failed again.
Much fury is centring on the delay in reporting the incident. The outgoing governor in his farewell press conference claimed that Bangladesh Bank reported the incident as per protocol. But he did not elaborate on to whom the matter was reported.
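To make the behavioural flagging and exception reporting described above concrete, here is an added illustration written for this article; it is not software from Bangladesh Bank, SWIFT or the authors. It runs a small rule set over constructed payment records: a payee never paid before, a large amount, and an after-hours send each produce a reason, and the monitoring software being down is itself reported as an exception. The business-hours window, the large-value threshold and the payee history are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed records standing in for outgoing SWIFT payment advices;
# not real Bangladesh Bank data.
@dataclass
class Transfer:
    ref: str
    sent_at: datetime      # local time at the sending bank
    beneficiary: str
    amount_usd: float

# Assumed policy values for this example; a real bank sets its own.
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)
LARGE_AMOUNT_USD = 5_000_000

def flag_exceptions(transfers, known_beneficiaries, monitor_healthy=True):
    """Return (ref, reason) pairs for everything outside the normal range."""
    alerts = []
    # Per the article's last rule, the monitoring software not working is
    # itself an exception to report, not a routine IT ticket.
    if not monitor_healthy:
        alerts.append(("SYSTEM", "behavioural monitoring not functioning"))
    for t in transfers:
        reasons = []
        if t.beneficiary not in known_beneficiaries:
            reasons.append("beneficiary never paid before")
        if t.amount_usd >= LARGE_AMOUNT_USD:
            reasons.append(f"amount {t.amount_usd:,.0f} reaches large-value threshold")
        if not BUSINESS_START <= t.sent_at.time() <= BUSINESS_END:
            reasons.append("sent outside business hours")
        if reasons:
            alerts.append((t.ref, "; ".join(reasons)))
    # This list should go to a unit independent of the treasury department.
    return alerts

# Constructed sample: one routine payment, one that trips every rule,
# and one large but otherwise normal payment. Dates are illustrative.
KNOWN_BENEFICIARIES = {"Bank A", "Bank B"}
SAMPLE_TRANSFERS = [
    Transfer("T1", datetime(2016, 2, 4, 11, 30), "Bank A", 250_000),
    Transfer("T2", datetime(2016, 2, 4, 22, 15), "New Payee Co", 20_000_000),
    Transfer("T3", datetime(2016, 2, 4, 14, 0), "Bank B", 9_000_000),
]

def demo():
    # Run the rules over the sample with the monitor reported as down.
    return flag_exceptions(SAMPLE_TRANSFERS, KNOWN_BENEFICIARIES, monitor_healthy=False)
```

Calling `demo()` yields three alerts: the system exception, T2 with all three reasons, and T3 for its amount alone; the routine payment T1 produces none.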
We conclude this article with this observation: we can never anticipate all possible threats and risks, nor can we eliminate all of those that we know about. Our job, as banking and security professionals, is to evaluate risks, and then reduce or mitigate them to an acceptable level using available resources. We should report in advance those that are not fully mitigated to the Board so that it may be aware. We should follow Standard Operating Procedures, establish robust internal controls, and report any exceptions to the proper internal or external authorities. Only then can we be sure to have properly executed our fiduciary duty.
Dilwar H Choudhury is a retired banker with major exposure to operational banking, risk management, legal and compliance; Javed Ikbal has extensive professional experience with the security of federal institutions and banks in the USA and of the SWIFT network, as well as wide-ranging experience in financial services infrastructure protection against banking malware and organised cybercrime.