Money hacked from Federal Reserve: BB should move carefully--II

Nironjan Roy concluding his two-part article | Tuesday, 15 March 2016


In the North American financial market, single-transaction caps and limit controls are used as effective tools to mitigate the risk associated with fraudulent activities. Whether there was any cap on a single transaction, and whether there was any requirement for supplemental documents, is not known to us because these are very confidential terms and conditions stipulated under the service-level agreement between Bangladesh Bank and the Federal Reserve Bank. However, if such conditions are not in place, the issue will have to be taken up with the Federal Reserve Bank to establish these control parameters. We have to keep in mind that the single-transaction cap and limit control are evidently two strong control parameters used in the modern financial industry.
Historically, the Federal Reserve Bank has had very strong supervisory oversight and compliance requirements, which are meticulously followed while processing fund transfer requests. Under Fedwire Fund Service, different officers have separate and exclusive responsibilities for processing, verifying and releasing a request. Moreover, they have to go through several screening processes involving money laundering, sanctioned countries and high-risk countries' clearance. So breaching all these standard procedures at different levels to carry out fraudulent activities in the Federal Reserve system is very difficult. Although payment through Fedwire Fund Service is known as irrevocable, the Fed has the right to call back or reverse the entries if detected within a reasonable time. It may be mentioned here that money from the Bangladesh Bank account has been hacked and transferred to Sri Lanka and the Philippines, which are rated as high-risk countries, for which the Federal Reserve Bank was supposed to follow one additional step of compliance prior to executing those fund transfer requests. While preparing the investigation report and prior to lodging a formal complaint with the Federal Reserve Bank, all of these factors need to be taken into consideration.
SWIFT IS THE MOST SECURED FINANCIAL MESSAGING SYSTEM: SWIFT (Society for Worldwide Interbank Financial Telecommunication) is recognised as the safest and most secured means of transmitting messages among financial institutions. More than 11,000 financial institutions from about 200 countries and territories around the world use this system. This is a secured codified message transmitting system used all over the world by banks and financial institutions to communicate among themselves. It is used to transmit fund transfer messages, and transactions worth billions of dollars are carried out through SWIFT messages. Not only fund transactions but also the issuing of financial instruments, including commercial LCs and standby LCs, is carried out through SWIFT messages. SWIFT is the technology of directly sending messages from institution to institution, where only the SWIFT members have access. Only the financial institutions or banks which are members of SWIFT and have established a SWIFT environment have access to SWIFT's messaging services. There are many ways of connecting to the SWIFT environment, but direct connection through permanently leased lines and SWIFT's cloud service (Lite2) are very common. In the SWIFT environment, every user is provided with a strict ID and password at different levels, preferably at entering level, verification level and authorisation level. The originating message is entered by the respective entering-level officer using a user ID and password, then reviewed by the verifying officer and finally released by the authorisation officer. The level of verification and authorisation varies from officer to officer depending upon the delegation. Messages sent by banks and financial institutions are always authenticated using SWIFT's specialised security and identification technology, and encryption is added as soon as the message released from the member's platform enters the SWIFT environment.
Messages remain well secured and protected in the SWIFT environment throughout the transmission process, while passing through the operating centres where the messages are processed, until they are safely delivered to the receiver. This is not a plain and straightforward message; rather, there are selective codes where the required information of the message is inserted, and these are delivered by decoding at the receiver's end. Passing a SWIFT message through hacking will require the involvement of at least three officers with valid IDs and passwords at the originating SWIFT environment, and the involvement of people working in SWIFT technology and administration who are responsible for processing, encrypting, decoding and finally delivering the message. Involving so many people in different environments for fraudulent activities is not only difficult but also absurd, and therefore SWIFT is still believed to be the world's safest and most secured means of financial correspondence. Hacking of this system has not been heard of yet, and the hacking of Bangladesh Bank money from the Federal Reserve may probably be the first incident of breaking the SWIFT system.
Nevertheless, if it is proved that hacking has taken place in transmitting SWIFT messages, this will cause serious concern not only for Bangladesh but also for the international financial industry. So the matter, along with all facts and proof, will have to be submitted to the SWIFT authorities for immediate action. In the alleged hacking, the IDs and passwords of Bangladesh Bank's officers might have been used in transmitting these fund transfer messages; otherwise it is very unlikely that the messages would have been successfully delivered at the receiving end, i.e., the Federal Reserve.
RECONCILIATION HAS A KEY ROLE TO PLAY: Reconciliation is another effective tool to detect any fraudulent activity or any unauthorised transaction. Every bank and even every department should maintain a very strong and efficient reconciliation department. Bangladesh Bank is not an exception to that. The Bangladesh Bank reserve has reached close to thirty billion US dollars, which is obviously retained in the accounts of many international banks and central banks as well. Of course, the lion's share of the foreign exchange reserve is maintained with the Federal Reserve Bank in the US. Transactions in the form of either debit or credit regularly take place in these accounts. So a very strong and effective reconciliation department is required to match each and every valid transaction with the corresponding entries being passed through these accounts. It was the prime responsibility of the reconciliation department of the Bangladesh Bank to detect this fund transfer transaction on the following day, when the officers responsible for this department could not match the alleged debit entries with the corresponding SWIFT message. They should have immediately reported the matter to the competent authorities and could even have lodged a complaint with the Federal Reserve, which could have either called back the funds transferred or reversed the entries on the following day. It would then have been easily possible to prevent subsequent transfers and thus minimise the losses. In this context, our country is in a preferential time zone because we are about eleven/twelve hours ahead. Resultantly, when the North American financial market closes, our market opens even prior to the running of EoD (end of day). So any mistake or unauthorised transaction can be taken up with the North American institution before it opens on the following day and, as a result, it will get adequate time to take corrective measures. This is common practice in the international financial market.
Wrongly or fraudulently passed entries can be reversed, or funds can be called back by the remitter, if detected within one or two days. This kind of action is commonly evident from the statement of a NOSTRO account [a bank account held in a foreign country by a domestic bank, denominated in the currency of that country]. If our commercial banks very carefully review the statements of their NOSTRO accounts, they will notice some credit entries followed by corresponding debit entries or vice versa, and this happens either because entries were passed by mistake or because fraudulent activities were detected.
A strong and efficient reconciliation department is very important not only for Bangladesh Bank but also for commercial banks. A strong and effective reconciliation department ensures peace of mind for the authorities. Bangladesh Bank's reconciliation department must be independent and completely separate from the SWIFT department and the processing department as well. There will be a distinct demarcation between the reconciliation department and the processing as well as SWIFT departments, which will be ensured through a separate reporting line. This department will have authorised access to log on to the online statement of the Federal Reserve Bank account or any other account being maintained with other banks or financial institutions. When a SWIFT message concerning any incoming or outgoing fund transfer is passed or received, duplicate copies will be electronically passed on to the reconciliation department, where responsible officers will match each and every account transaction with the corresponding SWIFT message, and higher authority's validation thereon will be required. Any mismatch, un-reconciled item or unauthorised entry in the account, i.e., a transaction without a valid SWIFT message, will have to be immediately referred to the higher authority, and the required instruction will be sent out to the respective banks or financial institutions. A secured mode of communication, preferably a SWIFT message or a telephone with a voice recording device, can be used to lodge an official complaint. It may be mentioned here that in the organisations of developed countries telephone communication is treated as an authentic and valid mode of correspondence because every call and conversation is recorded with date and time.
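The matching step described above, together with the single-transaction cap from the opening paragraph, can be sketched as follows. This is an added example, not code from the article or from any bank; the record layout, the shared reference used for matching, the cap value and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Message:            # duplicate copy of a released outgoing payment message
    ref: str
    amount: Decimal

@dataclass(frozen=True)
class Entry:              # one line of the correspondent (NOSTRO) statement
    ref: str
    amount: Decimal
    side: str             # "D" = debit, "C" = credit

def reconcile(messages, entries, cap=None):
    """Return (reference, finding) pairs that must be escalated."""
    by_ref = {m.ref: m for m in messages}
    debited, findings = set(), []
    for e in entries:
        if e.side != "D":
            continue                      # credits are matched separately
        msg = by_ref.get(e.ref)
        if msg is None:
            findings.append((e.ref, "debit without released message"))
        elif e.ref in debited:
            findings.append((e.ref, "duplicate debit"))
        elif e.amount != msg.amount:
            findings.append((e.ref, "amount differs from message"))
        if cap is not None and e.amount > cap:
            findings.append((e.ref, "exceeds single-transaction cap"))
        debited.add(e.ref)
    # Messages the bank released that the correspondent has not yet debited.
    for ref in sorted(by_ref.keys() - debited):
        findings.append((ref, "message released but not yet debited"))
    return findings

# Constructed sample data (hypothetical references and amounts).
MESSAGES = [Message("BB-0001", Decimal("1000000.00")),
            Message("BB-0002", Decimal("250000.00")),
            Message("BB-0003", Decimal("75000.00"))]
STATEMENT = [Entry("BB-0001", Decimal("1000000.00"), "D"),
             Entry("BB-0002", Decimal("260000.00"), "D"),
             Entry("ZZ-9001", Decimal("20000000.00"), "D"),
             Entry("BB-0001", Decimal("1000000.00"), "D"),
             Entry("IN-0007", Decimal("500000.00"), "C")]

if __name__ == "__main__":
    for ref, finding in reconcile(MESSAGES, STATEMENT, cap=Decimal("5000000")):
        print(f"{ref}: {finding}")
```

Run against the previous day's statement before the correspondent's market reopens, any non-empty result is the list of items to refer to the higher authority.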
The Bangladesh Bank is facing a very serious financial crisis. This is an unprecedented financial defalcation involving the world's most trusted foreign currency custodian, the Federal Reserve Bank. Therefore, unearthing the truth as well as remedial measures thereof is important not only for Bangladesh but also for the world financial market. Two prime responsibilities now lie with Bangladesh Bank: one is to recover the stolen money, while the other is to thoroughly investigate and prepare the reports with facts, figures, evidence and timing. In the investigation report, the responsibility, negligence of duty and accountability will have to be clearly ascertained. A formal complaint, along with a report based on the findings of the investigation, will have to be lodged with all the parties concerned, including SWIFT headquarters, the Federal Reserve Bank, FSB, BIS and the FIUs of the countries concerned. At the same time, loopholes and weaknesses in the system of Bangladesh Bank will have to be removed. A more stringent control mechanism, including a strong and efficient reconciliation department, will have to be established.
In the developed countries, whenever any mishap occurs, two simultaneous measures are taken: fixing the present problem and developing the system so as to prevent recurrence of such mistakes. This practice is hardly followed in our country, because one incident takes place creating a hue and cry but is eclipsed by another, bigger incident. Now the time has come for Bangladesh Bank to revisit its control mechanism and take appropriate measures to strengthen its control parameters.
This incident has become a very sensitive issue. Our country's financial interest and the Federal Reserve's image and integrity are equally involved in this alleged financial scam. The Bangladesh Bank should therefore move very carefully so that the stolen money is recovered and good relations with the Federal Reserve are also maintained.
Nironjan Roy, CPA, CMA is a Toronto-based banker.