An Ecuadorian bank and Wells Fargo have reached an out-of-court settlement over a 2015 cyber heist, providing a possible precedent for the Bangladesh central bank’s planned suit to recover $66 million still lost in one of the world’s biggest such cases.
A suit by Ecuador’s Banco del Austro against Wells Fargo & Co was quietly settled in February, less than a month before a trial date was set, and the US district court in Manhattan sealed all discussions, according to court documents. No other major media has reported the settlement.
Wells Fargo did not comment on the settlement, and a representative for Banco del Austro could not be immediately reached.
Banco had sought to hold Wells responsible for authorizing the fraudulent transfer of $12 million from its account in 2015.
Hackers breached Bangladesh Bank's systems in early 2016 and tricked the Federal Reserve Bank of New York into sending as much as $81 million to accounts at Rizal Commercial Banking Corp (RCBC) in the Philippines. The accounts were held in fake names and most of the money disappeared into casinos in Manila.
Some of the funds were recovered but about $66 million remains untraced.
No one has been criminally charged for the heist despite an international investigation and two years of finger-pointing among Bangladesh, Philippines, the Fed and the SWIFT communication network that was used. Bangladesh Bank has threatened to sue Manila-based RCBC, and any legal fallout could set a precedent amid a rash of electronic heists at financial institutions around the world.
“This is a tricky issue. We can’t reveal our strategy. But yes we are reviewing each and every case, including the Ecuador one,” Bangladesh Bank’s Deputy Governor Abu Hena Mohd Razee Hassan said in a recent interview.
While Bangladesh has not taken any legal action, bankers and lawyers saw the cyber-heist suit by Banco against Wells Fargo as a test for any options available to Bangladesh.
They said the settlement could signal that Wells compensated Banco in some way, a possibly encouraging sign for Bangladesh Bank, but it could still struggle to get a hearing in the United States and prove that Manila-based RCBC had a contractual obligation to freeze the stolen funds.
“There are an awful lot of reasons for people to settle [and] there are all sorts of laws that may or may not apply,” said Peter Jaffe, a senior associate at Washington-based law firm Freshfields Bruckhaus Deringer LLP.
“RCBC was not the one that was hacked. Someone may think that RCBC should have done something different when it saw money coming through its accounts, but that is not really a cyber security issue at that point,” Jaffe said. “I don’t think you would necessarily look to cyber security law [or US commercial code] to determine ... obligations and rights.”
At issue is the New York Uniform Commercial Code, which says a bank that is tricked by thieves must reimburse the customer, unless it can prove it used a mutually-agreed protocol for verifying the payment messages. The customer could counter that the security protocol was not “commercially reasonable.”
In 2016, the judge rejected an attempt by Wells to dismiss Banco’s allegations because the Manhattan court could not rule that use of SWIFT’s security system alone was enough.
Bangladesh has a correspondent-banking contract with the New York Fed, which has repeatedly stressed that each of its foreign clients has agreed that it can rely on SWIFT protocols. The payment messages it received from the hackers in February 2016 were verified by SWIFT and directed the Fed to send much of the funds to RCBC.
It is unclear what obligation RCBC has to Bangladesh Bank and whether US law would apply.
The Philippine bank said it had received advice from lawyers in the United States that it had “strong and valid” defences against any suit by Bangladesh Bank.
“There is no act attributable to RCBC which caused the loss or the theft from Bangladesh Bank,” it said in a statement on Monday. “We reiterate that RCBC was merely a beneficiary bank, meaning, the payment instructions which are alleged to have been the result of hacking were not executed by it.”
In the immediate wake of the heist, Bangladesh’s central bank had threatened to sue the New York Fed and SWIFT, though relations have since warmed and the pair has committed to help recover the funds. The Fed and SWIFT, which has since strengthened its security protocols, declined to comment on implications of the Banco-Wells settlement.
Financial firms around the world have reviewed defences after a rash of cyber heists involving SWIFT, the latest targeting Malaysia’s central bank.
Bangladesh State Minister for Foreign Affairs Md Shahriar Alam said in a recent interview that the central bank is determined to be reimbursed and that preparations are at a “final stage” for a suit.
“It’s obvious that we will be filing a case,” likely in the United States, he told Reuters while in New York. “There are frustrations in Bangladesh about it. But together we should have done better by now.”