New York Fed initially blocked transfers in $81 million bank heist

The New York Federal Reserve originally blocked, then later approved, four fraudulent requests that led to the theft of $81 million from the Bangladesh central bank’s account, Reuters reports.

The New York Fed originally received 35 requests for money transfers on the day of the February theft, all of which it rejected because the requests were not properly formatted, according to a bank official.

{mosads}But later in the day, the cyber thieves re-submitted the requests with the correct formatting. The requests were authenticated by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), an international network used by banks to exchange information about financial transfers.

On that try, the New York Fed approved five requests for $101 million. One request for a $20 million transfer was later rejected because of a spelling mistake.

The Fed blocked the 30 rejected requests because they were flagged for economic sanctions review and were only later deemed fraudulent.

A Bangladesh Bank official told Reuters the Fed should have rejected all of the requests on both tries.

“Of course, we asked the Fed why the repetition of the names did not create red flags,” a separate source close to the Bangladesh Bank told Reuters.

“They are saying they rejected 35 badly submitted ones,” the source said. But when the fraudulent requests were re-submitted, the New York Fed “paid five of them and stopped 30. Why? They can give no answer.”

The New York Fed declined to comment on whether it missed any red flags. It has said there were no problems with its procedures in approving the SWIFT requests.

The Bangladesh Bank has already hinted that it believes at least some of the blame for the theft rests with the New York Fed.

“We view this as a major lapse on the part of FRB NY,” the bank said in an internal report of the incident, which indicated that the bank was considering litigation against the Fed branch.

The report comes as the New York bank continues to draw scrutiny on Capitol Hill. 

The House Science Committee has launched an investigation into the New York Fed, requesting a briefing by the New York Fed on the status of its investigation and “all documents or communications related to any review conducted by the NY Fed of its own information technology.”

The query comes on the heels of a report indicating that the Federal Reserve was breached more than 50 times between 2011 and 2015.

The Fed’s cybersecurity team logged 310 incident reports during the four-year span, 140 of which were classified as hacking attempts.

Out of those 310 incidents, the Fed identified 51 incidents of “information disclosure” — a broad classification that includes access by hackers or emails sent by Fed employees to the wrong recipient.

But the 140 reports represent only a portion of all cyber attacks on the Fed. They include only incidents affecting the Washington, D.C.-based Board of Governors — a federal agency subject to Freedom of Information Act requests.

Excluded are the Fed’s 12 privately owned regional banks, of which the New York Fed is one.