When the Federal Reserve Bank of New York cleared five transactions made by the Bangladesh Bank hackers, the money went in two directions. On Thursday, February 4, the Fed’s system sent $20 million (£15m) to Sri Lanka and $81m (£61m) to the Philippines.
The Sri Lankan transaction contained a small but crucial error: The money was being sent to a bank account in the name of a nonprofit foundation, but the electronic message spelled it “fundation”. That prompted Deutsche Bank, an intermediary in the transaction, and a Sri Lankan bank to contact Bangladesh Bank, which led to the payment being cancelled and the money returned.
That Thursday, over the space of a few minutes, the New York Fed also cleared four transactions to accounts with Rizal Commercial Banking Corp (RCBC) in the Philippines – for $6m (£4.5m), $30m (£23m), $20m (£15m) and $25m (£19m). Each account was in the name of an individual, according to RCBC lawyer Maria Cecilla Estavillo, who testified at a Philippine Senate committee examining the heist. All the names were false.
The accounts were at a branch of RCBC in Jupiter Street, on the edge of Manila’s business district.According to testimony by Estavillo and bank officials, $22.7m was withdrawn from one of the RCBC accounts during the afternoon of Friday, February 5. But the rest of the money stayed in the RCBC.
Over that weekend, Bangladesh Bank was struggling to understand what had happened and to cancel the hackers’ fraudulent payment requests; meanwhile, the Fed had raised concerns over some of the requests but did little more.
Late on Monday, according to Bangladesh Bank sources and the Philippine senate testimony, Bangladesh Bank sent messages via the SWIFT bank messaging system to RCBC asking it to freeze the money that had arrived in the four individuals’ accounts. It was a holiday in the Philippines for Chinese New Year celebrations.
The following morning nearly $58m (£44m) was moved out of those accounts. That evening, RCBC told Bangladesh Bank that it had frozen the four suspect accounts – but that only $68,305 (£51,665) was left in them.
RCBC officials told the Senate committee that the SWIFT messages from Bangladesh Bank had been wrongly formatted and were not marked as urgent, so they had gone into a large pile of unread messages for almost the whole day. Staff had only got to them in the evening, RCBC said.
Under Philippine banking laws, the stolen funds could not be frozen until a criminal case was lodged, even though they were still in the banking system. And over the next few days, most of the $81m disappeared into the country’s casino industry, which is exempted from anti-money laundering laws. Though $18m was recovered, otherwise the trail went cold.
At the Senate hearing, bank officials pinned the blame for the disappearance of the money on the manager of the Jupiter Street branch, accusing her of allowing accounts to be opened under false names. The manager, who was sacked in March, said she had acted on instructions from senior officials and was being made a scapegoat. RCBC and the branch manager declined to comment.
Last month, in an annual report given to shareholders, RCBC said it had begun instituting reforms to prevent such events from happening again.