RCBC turns table on Bangladesh Bank

MANILA, Philippines — Listed Rizal Commercial Banking Corp. (RCBC) yesterday turned the tables on Bangladesh Bank, saying the negligence of the foreign bank led to the $81 million cyber heist in February last year.

George dela Cuesta, first senior vice president and head of legal affairs at RCBC, said Bangladesh Bank should stop covering up the incident and should divulge its own findings as reports say the theft was an inside job.

“Bangladesh Bank should stop making RCBC its scapegoat,” he said.

Dela Cuesta pointed out RCBC revealed everything it legally could to the Senate and to the Bangko Sentral ng Pilipinas (BSP).

“Bangladesh Bank, however, has concealed everything it could. The contrast is telling,” he added.

Hackers stole $81 million from the funds of Bangladesh Bank at the Federal Reserve Bank of New York which found its way to the Philippines. RCBC was used as a conduit where the stolen funds were deposited and withdrawn through the use of fictitious accounts.

The funds were laundered through several casinos as these were previously not covered by the Anti Money Laundering Act (AMLA). President Duterte signed Republic Act 10927 last July to include casinos under the AMLA.

The legal counsel said at least from five reports – SWIFT; FireEye, an international cyber security outfit; Bangladesh’s own finance minister; its government-appointed panel; and a Bangladeshi expert – they point to a conclusion that somebody inside Bangladesh Bank had made the heist possible.

It was also reported the Bangladesh Bank had no firewall to protect its system and used second-hand $10 switches, making itself vulnerable to hackers.

Bangladesh Bank has reportedly terminated its contract with FireEye.

“Bangladesh police investigated some Bangladesh Bank people but only for negligence. Up to now, we do not know if anybody has been taken to court,” Dela Cuesta said.

According to Dela Cuesta, Bangladesh Bank must be compelled to disclose its findings that are crucial to the global fight against cybercrime.

Instead of sharing the results of investigation, RCBC said the statement made by Bangladesh Finance Minister Abdul Maal Muhith that he wanted to “wipe out” RCBC from the world was “extremely irresponsible”.

Bangladesh Bank wants RCBC to return the stolen money.

“If it was stolen by your own people, why ask us? We are actually a victim of Bangladesh Bank’s negligence,” Dela Cuesta said.

RCBC said it received the funds in February last year in good faith because these were cleared and authenticated by the New York Fed and SWIFT, whose secure communications system is used by banks all over the world for their transactions.

Furthermore, global banks Citibank, New York Mellon, and Wells Fargo remitted the funds to RCBC.

“These organizations are among the most sophisticated in the world and their remittances are accepted as a matter of course”, Dela Cuesta said.

Bangladesh Bank belatedly requested RCBC to freeze the funds to be frozen using ordinary email message, not the equivalent of a Code Red message banks use to raise an alarm.

“This resulted in their message being bunched with thousands of ordinary messages RCBC receives from all other banks all over the world each day. Had they sent a Code Red, we would have caught it,” he said.