Opinion

Codes

FIRST PERSON - Alex Magno - The Philippine Star

There is an interesting article about Bangladesh’s banking system written by Joseph Allchin in the April 12 issue of the International New York Times. The piece is titled “Bangladesh’s other banking scams.”

It turns out that, by conventional banking measures, all three state-owned commercial banks (SOCBs) in Bangladesh are so badly managed that they are subject to all sorts of scams. The hacking of $101 million (of which $81 million ended up in the Philippines) is simply the tip of the iceberg.

The SOCBs in Bangladesh routinely lend out money on the basis of political influence (a phenomenon we call “behest loans” here). These SOCBs have, by the IMF’s description, “extremely high” rates of non-performing loans.

According to the latest data, Bangladesh’s SOCBs have an average of 11% of their loan portfolio as nonperforming. In most other jurisdictions, a 4% nonperforming loan ratio is considered alarming. Among Philippine banks, in an environment of low interest rates, the norm now is to keep nonperforming loan ratios to the vicinity of 2%.

Allchin quotes Fahmida Khatun, research director at the Center for Policy Dialogue at Dhaka, who was once appointed by the caretaker military government to the board of SOCB Janata Bank, to support his observation about how badly run the Bangladeshi banks are. Loans, says Khatun, are typically assessed not on the basis of business potential but “the influence or the connections of the person.”

Not surprisingly, these “behest” loans are the same ones that go sour, leading to the very high nonperforming loan ratio. Even more scandalous, some of the loans that go sour are refinanced by the state-owned banks when the borrower’s political stock improves.

Not only are the loan portfolios badly managed, the administration of the banks needs urgent improvement as well.

For instance, in the case of the $101 million hacking, a computer security firm helping in the investigation notes with alarm the timeline of events surrounding the theft.

It turns out that the hackers hit Bangladesh Bank late on a Thursday. As in most Islamic countries, the weekend in Bangladesh is Friday and Saturday.

When the New York Federal Reserve Bank sent messages concerning the transaction to Bangladesh Bank, there was no one around to receive those messages. The US bank was concerned about the size of the withdrawals and the fact that they were directed to private accounts.

We now know that the $20 million coursed through Sri Lanka was intercepted only because of a misspelling of the intended beneficiary account. That gave Sri Lankan authorities, who work on Fridays, reason to hold the fund transfer.

From the ongoing investigation, we now know that personnel from the Bangladesh Bank did report for work for a few hours on Friday. They, however, did not get the message from New York because Bangladesh Bank’s computer system was down (precisely because of the hacking). The Bangladesh Bank employees simply left it at that.

Whoever opened the RCBC account a year before the actual hacking happened in Dhaka must have been particularly smart – and surely part of the hacking conspiracy. RCBC has no bank-to-bank links with Bangladesh Bank. Therefore the stolen funds had to be coursed through US-based correspondent banks.

The absence of bank-to-bank links between RCBC and Bangladesh Bank worked to the advantage of the syndicate that had to move the funds out of the banks as quickly as possible before countermeasures could be undertaken.

RCBC could have immediately frozen the dirty money flowing through its system had Bangladesh Bank sent “high priority messages.” What they received instead were “vague” and “ambiguous” messages that could not have prevented RCBC from holding on to the suspicious money.

Deposited money belongs to the depositor, after all. Under our laws, it requires a court order to prevent a depositor from accessing his own deposits.

There was a way to stop the money from moving out of RCBC’s vaults, however.

Bangladesh Bank could have used the appropriate codes provided for in the SWIFT system. SWIFT, for Society of Worldwide Interbank Financial Transactions, designates a code – MT192 – to request a cooperating bank to cancel a transaction or stop payment.

There is another message code – MT199 – which is a free-format, high-priority message that could have been used to alert RCBC. The local bank’s records show that while RCBC did receive several MT192 messages and 111 MT199 messages during the critical period after Feb. 5, none of them came from Bangladesh Bank.

What the Bangladesh Bank eventually sent RCBC were MT999 messages. This code is for unauthenticated free-format messages. This message code is considered routine and was not indicative of stop-payment messages.

Without an MT192 message, the RCBC is constrained to allow withdrawal of deposited funds. The Bangladesh Bank showed utter unfamiliarity with the SWIFT coding system for urgent messages.

Feb. 9 and 10 were the critical days when the deposits were received and then hurriedly withdrawn. Bangladesh Bank fully clarified the circumstances of the funds to RCBC only on Feb. 10. By then, a determined group at the bank’s Jupiter branch had quickly disbursed the money.

The hackers were lucky. It might be easy for them to hack Bangladesh Bank, but they had to run through a maze of international bank controls to get the money through.

That was not an easy thing to do. At every step of the way, the existing controls could have stopped the money and impounded the cash.

The hackers planned their way through this maze of controls by setting up dummy accounts way ahead of the heist. They were helped along the way by incompetence in Dhaka and criminal conspiracy in Manila.
