• Tuesday, May 21, 2019
  • Last Update : 06:44 pm

The Bangladesh Bank heist and beyond

  • Published at 11:48 pm February 3rd, 2019
Web_bangladesh-bank
Not as secure as it could be Mohammad Ponir Hossain

How can we avoid another Bangladesh Bank heist from occurring?

Last week Bangladesh Bank sued Philippine Bank RCBC and some of its staff for the reserve heist in 2016 in a US court. I have seen media people asking the Governor of Bangladesh Bank “Why so late? Why has the local investigation report not been released yet? Should we sue Federal Reserve (Fed) too?”

In order to get the money back, we should also sue Fed?I was most bewildered.

Thank God senses prevailed with the Bangladesh Bank and they didn’t press charges for the money lost, rather requested for the Fed’s help and guidance in every possible way to get back the remaining part of the lost $81 million.

I wish and pray for Bangladesh Bank to get back the money which was illegally remitted out of the country, allegedly, by hackers, to the utter belief of most of the treasury and dealing room experienced people -- due to process failure at the central bank’s end.

Did this kind of hacking happen in other parts of the world? Yes, of course. The question has been raised, why so much of hue and cry for Bangladesh Bank money? The honourable governor himself has raised this question.

We all know our governor, unlike his predecessor, is respected and despised for not being too media friendly or not wanting to see his photograph every day on the front page or business pages of every newspaper or electronic media.

Reports say that the hackers identified some serious disconnects in the treasury management and outward remittance control process followed in the Bangladesh Bank dealing room, and wanted to just take away approximately $1bn out of the very high reserve built by our previous.

Again, thank God, they were only able to take $101m out of our state coffers. Thanks to the inward remittance and client payment control mechanism followed in SriLanka, $20m was sent back to Bangladesh Bank.

The ministry of finance formed an investigation committee chaired by a distinguished former governor -- a computer science professor from BUET and an additional secretary at the ministry of finance. Since they didn’t have any direct treasury dealing room, fund transfer,dealing room audit, or control background, they must have talked to treasury experts, experts with regular fund transfer under SWIFT mechanism knowledge, or performed counter party deal settlement background in preparing their findings.

But who, what and which is at fault?

In our audit days -- after any severe audit failures, we had to run an “accountability audit” to find out what process, which delivery platform, or which persons are accountable. It can’t be always one person or a few people, it could be due to the absence of the standard “process guide” on how to process and control an outward fund transfer.

In the “dealing room” culture -- off-time transactions, holiday transactions, out-of-market transactions, dealing limit, daylight limit, open position, squaring up are well-known connotations, and befitting control measures including “cyber security assurance” are always being taken in every large dealing rooms, not to talk about central bank only. 

We have already hoped and prayed for Bangladesh Bank to get back its lost money through the legal suit registered with the US court, at the same time we wanted Bangladesh Bank to make sure that a proper process guideline could be put up around all treasury dealing room activities, funds transfer, maintaining the firewall between all treasury front office and back office, including ensuring better access control.

We can also hope for the government to be a little more careful about who should be put up for investigations regarding financial crimes, and what credentials or background or training do they need to investigate into large or cross-border financial crimes. Most of the emerging market regulators are putting “forensic audit,” mostly coming from “big four” with befitting credentials to independently investigate into financial or personal scams. A former boss or junior investigating into a senior or junior’s alleged activities are likely to be influenced by favours or disfavours.

Only a befitting process guide to ensure appropriate transaction processing, delegation of authority, proper maker-checker practice, and regular monitoring of the transactions trail and a“right person for the right job”attitude can help us avoid any further loss  of state funds.


Mamun Rashid is a leading banker and was engaged in treasury audits across the globe while working for three major global banks.