By Bianca Cuaresma, Mia Mallari & Rea Cu
THE plot to rob $1 billion from Bangladesh central bank’s accounts at the Federal Reserve Bank of New York (FRBNY) has implicated a Philippine bank and casinos in a story shaping up to be one of the biggest documented cases of money laundering in the country.
The case highlights the threat from global hackers mounting cyberattacks and using real bank codes to make orders seem genuine. This case proves that, despite efforts by banks to fortify their defenses against cyber criminals, hackers have also upgraded their skills to breach servers by using both technical expertise and insider contacts in targeted financial institutions.
In this case, unknown hackers breached the computer systems of Bangladesh Bank (BB) and transferred $81 million from its account at the FRBNY to the Rizal Commercial Banking Corp. (RCBC). The money ultimately found its way to Philippine casinos.
Secure banking system
How this happened is still murky as we go to press. The New York Fed has said its systems were not breached. For its international money transfers, the New York Fed uses the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system, a messaging network used by banks and other financial institutions to securely and quickly send money-transfer instructions. Brussels-based SWIFT, a cooperative owned by some 3,000 global financial institutions, securely sends payment instructions between institutions’ accounts using codes.
According to its web site, every order should come from the SWIFT system of the member-bank. As compliance, SWIFT will call the member-bank to confirm the payment instruction. On the BB fund heist, SWIFT said in a statement in early March that it is suspected that hackers accessed the SWIFT system in BB to transfer funds from the account with the FRBNY.
The $81-million stolen money from BB was first transferred to correspondent banks, as BB does not have an account at RCBC. Dollar remittances to the Philippines have to pass through US correspondent banks. In this case, the money passed through Wells Fargo Mellon Bank, Citibank and Bank of New York. From these banks, the $81 million did not enter directly to the branch of RCBC on Jupiter Street, Makati City, as the money has to pass through the bank’s Settlement Division, which is part of RCBC’s head office. From here, it was credited to RCBC’s branch on Jupiter on February 6.
The attackers, who stole the credentials needed to authorize payment transfers, actually asked the FRBNY to make three dozen massive money transfers. Four of these asked that money be transferred to accounts in the Philippines, totaling about $80 million.
However, a fifth request for $20 million, to be sent to an apparently fictitious Sri Lankan nonprofit group, was flagged as suspicious by a routing bank, because of a typographical error—the criminals misspelled the recipient’s name “Shalika Foundation” as “Shalika Fundation.” Fortunately, the Bangladesh central bank was able to stop that transaction and recover the full amount of $20 million.
The Panama Papers
As the Senate investigation on the Bangladesh central bank cyber heist continues, money-laundering news refuse to die down. Discussions continue to center on policy loopholes that are costing the financial industry billions of dollars in lost transactions.
Recently, the financial world was rocked by one of the biggest leaks in history—the Panama Papers. These consist of 11.5 million files from the database of the world’s fourth-biggest offshore law firm, Mossack Fonseca. The records were obtained from an anonymous source by the German newspaper Süddeutsche Zeitung, which shared them with the International Consortium of Investigative Journalists (ICIJ). The ICIJ, in turn, shared them with a large network of international partners, including BBC and The Guardian.
On its web site, the ICIJ said the leaked data cover 38 years of transactions, from 1977 to 2015. The documents reveal the offshore holdings of 140 politicians and public officials from around the world, including current and former world leaders. Major global banks were also mentioned.
While the preliminary leak was still partial, the ICIJ vowed to disclose the entire list in mid-May. “It allows a never-before-seen view inside the offshore world—providing a day-to-day, decade-by-decade look at how dark money flows through the global financial system, breeding crime and stripping national treasuries of tax revenues,” the ICIJ said.
How the Philippines got involved
Meanwhile, pundits say the ongoing Senate investigations on the $81-million cyber heist from the Bangladesh central bank and how the money was coursed through a local bank before it found its way to Philippine casinos will surely give the country a bad reputation.
Although Philippine authorities have no clear picture yet of where the stolen money ended up, here’s a timeline of what was made public so far:
- May 15, 2015. Four dollar bank accounts were opened under the names of Enrico Teodoro Vasquez, Alfred Santos Vergara, Michael Francisco Cruz and Jessie Christopher Lagrosas in the Jupiter, Makati City, branch of RCBC. With identical initial deposits of $500, the fake accounts remained idle until February 4, 2016.
- February 4, 2016. Hackers broke into BB’s account with the FRBNY, ordering 35 transfers worth $951 million, of which $81 million was ordered transferred to RCBC Jupiter branch.
The FRBNY did not execute 30 of the 35 transfers due to “lack of details.” The remaining five transfers, worth $101 million, could not be blocked, but $20 million has been salvaged. That’s how $81 million in stolen money found its way to the four fake RCBC bank accounts.
According to reports, $6 million was deposited to Cruz’s account, $19.99 million to Vergara, $25 million to Vasquez and the bulk, or $30 million, to Lagrosas. The money was then consolidated and deposited in a dollar account of William So Go of DBA Centurytex Trading.
- February 5 to 13. From William So Go’s account, the alleged stolen money was transferred to money-transfer company PhilRem Services Corp. PhilRem converted into pesos some of the $81 million, and delivered the money in cash tranches to a registered casino junket operator, and to two casino operators.
- February 8. BB sent a “stop-payment” order to RCBC. It was not executed, because February 8 is a Chinese New Year nonworking holiday in the Philippines.
- February 9. RCBC received a SWIFT code from BB requesting for a refund or putting payment on hold if the funds had been transferred, or freeze them for proper investigation. Despite the stop-payment order, RCBC Jupiter branch allowed withdrawals from the accounts, amounting to $58.15 million.
- February 16. BB Governor Atiur Rahman told Bangko Sentral ng Pilipinas (BSP) Governor Amando M. Tetangco Jr. that SWIFT code MT103 on February 4, which ordered the inward remittance to the Philippines of $81 million, “is fraudulent.” Rahman then asked Tetangco to help them recover the stolen $81 million from their account with the FRBNY.
- February 19. The Anti-Money Laundering Council (AMLC) started its investigation on RCBC and the account holders.
- February 23. William So Go said RCBC Jupiter Branch Manager Maia Santos-Deguito asked him to meet her at Fort Bonifacio in Taguig City, which made the businessman “suspicious.” Go said Deguito revealed to him that she opened fictitious dollar and peso bank accounts for Centurytex at RCBC
Jupiter without his knowledge. - March 1. The Court of Appeals, acting on AMLC’s request to freeze 44 bank accounts allegedly involved in the bank heist, started freezing for six months the accounts of Cruz, Lagrosas, Vergara, Vasquez, So Go, Centurytex Trading, Kam Sin Wong and other related accounts.
- March 12. Deguito and her husband were off-loaded from a Philippine Airlines Flight 432 to Tokyo on orders of the immigration bureau.
- March 15. The Senate Blue Ribbon Committee started its investigation on the BB fund heist. The BB governor resigned, while three of his subordinates were fired.
- March 17. On the resumption of the Senate Blue Ribbon Committee probe, RCBC discloses that Go’s signatures in his supposed Jupiter accounts were forged.
Part of loot returned
Wong, meanwhile, through his lawyers, earlier this month returned P38.28 million to the AMLC.
AMLC Executive Director Julia Bacay-Abad said P38.28 million in cash arrived at the AMLC office, and was immediately counted with the assistance of the BSP cash department, which confirmed the amount.
The funds surrendered represented the funds abandoned by Gao Shu Hua in Eastern Hawaii Leisure Co. Ltd. and/or Midas Casino.
The returned funds were the second installment from Wong’s side, following the $4.63 million returned to AMLC also earlier this month.
The return of the funds, according to Wong’s legal counsel, is a “token of utmost sincerity and effort to cooperate and retrieve the funds” involved in the current AMLC cases. A third tranche of return is in the offing.
RCBC actions
RCBC has announced earlier the termination of the top 2 officials of the bank’s Jupiter branch for falsification of documents and breach of policies in light of the alleged money-laundering involvement.
In a statement, RCBC said Deguito and Assistant Manager Angela Torres were relieved of their respective positions for violating bank policies and procedures and falsification of commercial documents.
“Other branch and bank officials are expected to be meted out various sanctions, ranging from termination to suspension, in the coming days, when the internal investigation is expected to be completed,” the bank said in a statement.
The bank also said Deguito’s and Torres’s breaches facilitated the alleged laundering of $81 million of remittance that is now being investigated by the Senate and other government agencies.
RCBC has also vowed to strengthen internal operations, after being muddled in the recent $81-million cross-border heist, with cash allegedly being stolen from Bangladesh finding its way to the Philippine banking system through RCBC. The bank said it has taken “immediate steps” to improve its operational processes.
Among these steps include the reduction of its straight-through-processing threshold amount for both inward and outward remittances.
Greater focus is said to be given on unusual transactions, which will be escalated to the group head through separate and “frequent” operation reports.
The BSP, aside from participating in the Senate hearings, issued a separate memorandum, ordering banks to take “extra caution” and “vigilance” in their transactions with foreign-exchange dealers, money changers and remittance agents, following the allegations of cross-border money-laundering involvement of one of the local banks.
The memorandum issued this month said financial institutions shall perform “enhanced due diligence” upon onboarding and during transaction monitoring as consistent with regulations and the banks’ procedures, as provided under its Money Laundering and Terrorist Financing Prevention Program.
The central bank said that when dealing with remittance agents as remittance partners of a tie-up, or if the accounts are being used to facilitate their business, the banks have the “ultimate responsibility” to conduct appropriate due diligence necessary to ensure that they will not be used as a channel for money-laundering and terrorist-financing activities.
Policy recommendations
With this controversial case, the government and private agencies believe it is time to review laws and policies in place to prevent further damage from money laundering.
Finance Undersecretary Gil S. Beltran said that, although the local banking system remains strong, there is a clamor to tighten the rules following the incident.
Among the more salient laws to be amended include the lifting of the country’s bank-secrecy law.
The law on the secrecy of bank deposits states that all deposits of whatever nature with banks or banking institutions in the Philippines, including investments in bonds issued by the government of the Philippines, its political subdivisions and its instrumentalities, are hereby considered as absolutely confidential in nature and may not be examined, inquired or looked into by any person, government official, bureau or office.
Exceptions are only provided by the law in cases of presentation of written permission of the depositor, or in cases of impeachment, or upon order of a competent court in cases of bribery or dereliction of duty of public officials, or in cases where the money deposited or invested is the subject matter of the litigation.
The BSP governor and the finance secretary, as well as the AMLC executive director, have all expressed views on the amendment of this law.
“We have to update the law because when the case reaches the AMLC, it is already in the investigation state, so the incident has already happened. We need some kind of preventive measures. Right now, the prevention of this particular illegal activity is being hampered by the very strict bank-deposit secrecy law,” Tetangco said.
“So for us to be able to, let’s say, track the flow of funds, we need an extra authority. Because once the banks go to bank deposit, the trail turns cold, and we cannot look into it from an examination point of view,” he added.
The central bank chief also chairs the AMLC.
The AMLC’s Abad backed Tetangco’s proposal, but admitted it will be an “uphill battle to lift the bank-secrecy law.”
The Department of Finance also said it has long been vocal against the “highly restrictive” provisions protecting money launderers and tax evaders behind the veil of bank secrecy and, thus, supports relaxing it under certain circumstances.
“The DOF, likewise, supports the inclusion of casinos and real-estate dealers on the list of covered institutions for transactional reporting. The DOF believes that the power to suspend transactions ought to be granted to the Anti-Money Laundering Council, and the Bangko Sentral ng Pilipinas be given supervisory authority over remittance companies,” the DoF said.
“We ought to strengthen the regulatory regimes that govern our money flows. We need a long-term legal remedy by way of an amendment to AMLA [Anti-Money Laundering Act],” it added.
The bank-secrecy law was enacted in 1955 to “give encouragement to the people to deposit their money in banking institutions, and to discourage private hoarding so that the same may be properly used by banks in authorized loans to assist in the economic development of the country.”
Aside from the notorious bank-secrecy law, the AMLC also bared its preparations to propose to Congress amendments to the law to address deficiencies in the anti-money-laundering laws in the country.
“Just for now, what we will propose to Congress is to amend the law, primarily to include the casino sector in the coverage of the law. Second, probably, strengthen the supervisory authority of the Bangko Sentral ng Pilipinas over the remittance companies,” Abad said.
“Also, include the real-estate brokers and agents in the coverage of the law, because these are the sectors that are vulnerable to money laundering. So these are among the amendments to the law,” she added.
In the Senate hearing this week, RCBC Legal and Regulatory Affairs Head Maria Celia F. Estavillo also bared their intended proposals to the law.
Estavilla said: “Perhaps, the law should be amended to include some withholding power, for the banks, at least to clarify that these banks have holding power when we receive certain messages,” referring to interbank messages.
Looking more closely, the AMLC should be given “more teeth” to curb potential laundering schemes such as these, as they are gaining traction in the local and international scene.
A local banking expert, who requested anonymity, said employees of the AMLC must also be given proper attention.
“First of all, the safeguards and checks are as good as the people and employees implementing them. In this regard, perhaps, banks will need to crack down on training further,” the expert said.
“The sheer volume of remittance agents, pawnshops and money changers makes it very difficult for the BSP to monitor the volume of transactions,” the expert added.
As such, implementing the know-your-customer process on each client that passes through the pawnshops and moneychangers of the Philippines remains an arduous task.
“With the amounts and volume of funds being sent from abroad, this may be something we need to consider. An AMLA with more teeth, stricter licenses for remittance agents and pawnshops, plus a more definitive jurisdiction for compliance, will help ensure that we are not the haven of money laundering being painted by foreign media,” the expert added.
While industry experts believe the local banking industry is still strong and resilient, concerns have been raised with the sector’s reputation, especially in the light of this cross-border bank heist.
French Ambassador to the Philippines Thierry Mathou told the BusinessMirror that, while it still has not come to the point of worry, they are “monitoring very closely” the situation in the Philippines, and solutions “have to be done” to plug loopholes.
Image credits: Jason Arlan Raval/Bangko Sentral ng Pilipinas via AP, AP/Bullit Marquez
3 comments
The hackers did not breach Bangladesh central bank and the NY feds system, they were actually working with those Bangladesh bank officials to rob their central bank. How else could you explain how the hackers got all those hand prints and other biometric information, from 6 different bank officials and placed serially and in proper order needed to activate the transfer requests?
The payment requests were valid, the system wasn’t breached, there was no urgent messages to stop payment, the Central Bank Governor of Bangladesh failed to inform their own authorities of the theft for a month and the Finance Minister of Bangladesh himself said that he is 100% sure that their own bank officials are involved in the crime. This cyber heist is an inside job and home made in Bangladesh.
A cyber heist this big and elaborate needed inside help and that is exactly what this hackers have. Transfers can’t happen unless provided with a hand print and some other biometric information which can only come from officials within the Bangladesh Central Bank. At the time of the heist, Bangladesh claimed that their security systems were malfunctioning, rather convenient don’t you think? What’s more is that they asked to RCBC (which by the way they are not correspondents) to check for fraudulent transactions but sent it through an unauthorized free message format without even marking it URGENT.
Now I’m not saying that this was all Bangladesh. Clearly they had help from those Chinese men and Deguito. They know that laws here and its loopholes, and Deguito, ambitious as she is proved to be a good investment for the real mastermind. She opened fictitious accounts, wired the money and then tried to flee the country.
One has to question the possible complicity of some elements within Bangladesh because it is very difficult to breach the Federal Reserve Bank of New York because it is not a regular bank. The Swift system at banks is very secure, it uses a smart card containing a unique digital key inserted into a special machine, and a complex authentication process. RCBC a reputable bank is just a small part of the puzzle and dragged into this mess.
This cyber heist has already sent tremors around the world among banks and large corporations.
It’s a wake-up call!