Rizal Commercial Banking Corp. on Tuesday lambasted Bangladesh Bank for its alleged refusal to divulge findings on last year’s $81-million cyber heist.
Unidentified hackers stole $81 million from Bangladesh Bank’s account at the New York Fed in February 2017, using fraudulent orders on the Swift payments system. The dirty money entered the Philippine financial system through a Jupiter, Makati branch of RCBC and later on laundered by a number of individuals in local casinos.
RCBC insisted that the incident was an “inside job” and the central bank of Bangladesh was engaging in a “massive coverup by maligning RCBC.”
RCBC said in a statement Bangladesh Bank should be compelled to disclose its findings which would be crucial to the global fight against cybercrime.
It said while Bangladesh Bank was asked to share the results of the investigation, the latter was coming out with empty sound bites like “wiping out RCBC” which, coming from a Bangladeshi finance minister, was “extremely irresponsible”.
“At least from five reports”•Swift; FireEye, an international cyber security outfit; Bangladesh’s own finance minister; its government-appointed panel; and a Bangladeshi expert”•point to a conclusion that somebody inside BB would have made the heist possible,” RCBC said.
RCBC said it was also reported that Bangladesh Bank had no firewall to protect its system and used second-hand $10 switches, making itself vulnerable to hackers. In January, it said hackers also did trial runs but apparently Bangladesh Bank did nothing to protect its system.
RCBC also mentioned reports that Bangladesh Bank terminated its contract with FireEye. It said the Bangladeshi expert who came out with a similar finding disappeared. He was found days later already out of his wits.
“Bangladesh police investigated some BB people but only for negligence. Up to now, we do not know if anybody has been taken to court,” it said.
“BB should stop making RCBC its scapegoat. RCBC has revealed everything it legally could to the Senate and to the Bangko Sentral ng Pilipinas; BB, however, has concealed everything it could. The contrast is telling,” it said.
On Bangladesh Bank’s statement that it wanted RCBC to return the stolen money, RCBC replied: “If it was stolen by your own people, why ask us? We are actually a victim of BB’s negligence.”
RCBC said it received the funds in February last year in good faith because they were cleared and authenticated by the New York Fed and Swift, whose secure communications system was used by banks all over the world for their transactions.
Three global banks”•Citibank, New York Mellon and Wells Fargo”•remitted the funds to RCBC.
“These organizations are among the most sophisticated in the world and their remittances are accepted as a matter of course,” RCBC said.
It said Bangladesh Bank belatedly requested the funds to be frozen using ordinary email message, not the equivalent of a Code Red message banks used to raise an alarm.
“This resulted in their message being bunched with thousands of ordinary messages RCBC receives from all other banks all over the world each day. Had they sent a Code Red, we would have caught it,” RCBC said, adding that Bangladesh Bank did not reach out to RCBC in any other way.
Bangladesh Bank was able to retrieve only about $15 million, mostly from a Manila junket operator.
Earlier reports said Bangladesh Bank had asked the Federal Reserve Bank of New York to join a lawsuit it plans to file against RCBC for its role in the heist.
Reports said the Fed had yet to respond formally, but there was no indication it would join the suit.
The Bangko Sentral ng Pilipinas fined RCBC a record P1 billion ($20 million) last year for its failure to prevent the movement of the dirty money.