Alaina Gimbert and Rob Hunter wrote an excellent piece in Banking Perspectives earlier this year about how fraud in the Central Bank of Bangladesh affects SWIFT’s recent Customer Security Programme (CSP). CSP represents SWIFT’s response to an emerging threat to the security of the ecosystem that surrounds the funds transfer network, which connects the world’s 11,000 financial institutions. This network is critical global infrastructure and must be failsafe.
Because this infrastructure is important, I am picking up where Gimbert and Hunter left off and will address new and important developments. This article will relate some of the late-breaking details of the Bangladesh case, review some developments regarding SWIFT’s security program, address how the CSP is affected by the statutory law governing funds transfers in the United States, and assess what I believe is a possible unintended consequence of CSP as it is affected by U.S. law: derisking.
Update: The Bangladesh Case
New information about the Bangladesh case arrived in the form of headline news. The United States Department of Justice published a criminal complaint, United States v. Park Jin Hyok, whose content immediately became headline news, including a story on the front page of The New York Times. The publicity is easy to understand because the details seem to be drawn from a John Grisham novel.
In this criminal complaint, the Department of Justice laid out in unusual and meticulous detail a pattern of facts showing that state actors from North Korea had perpetrated the fraud on the Central Bank of Bangladesh and also had been involved in the malicious attack on computer systems around the world with the WannaCry virus, as well as the “hack” of Sony, which caused that company (and its officers and employees) significant financial harm.
Before discussing the fraud on the Bank of Bangladesh, let’s take a brief look at the other two cyberattacks referenced in the criminal complaint. The WannaCry virus was more specifically a ransomware cryptoworm that was used to attack unpatched versions of the Microsoft Windows operating system in May 2017. To its credit, Microsoft had developed a patch to prevent such an attack, but many computer systems in many organizations had not been patched. WannaCry is estimated to have adversely affected more than 200,000 computers in 150 countries when it was first unleashed. It had a particularly pernicious impact on the National Health Service (NHS) in England and Scotland, causing the NHS to turn away noncritical patients and, in certain cases, ambulances with patients needing urgent care.
The “hack” on the computer systems of Sony occurred in November 2014. Sony was about to release a new film, The Interview, which was a comedy about a fictional plot to assassinate Kim Jong-un, the North Korean leader. The perpetrators of the Sony hack used a variant of the Shamoon wiper malware to attack Sony’s systems successfully, and then to reveal personal information about Sony’s employees and their families, unreleased Sony films, and other corporate information, causing the company to shut down its systems. This hack, like the cyberworm used against the NHS, caused material financial losses and also a loss of personal safety and security.
The diverse nature of these attacks, the reckless way in which the attacks were perpetrated with a conscious disregard for the destructive impact on potential victims, and their borderless reach are all characteristics that warrant attention. The fraud committed against the Bank of Bangladesh is different from these other cyberattacks because this one seems clearly directed at obtaining money. It is also worth noting that, in early 2016, the state actors from North Korea perpetrated a wire fraud against an instrumentality of a sovereign state, Bangladesh. Applying historical precedent, this could be regarded as a classic casus belli under the principles of international law, in that it represents a direct attack on the economy of a sovereign state, which by itself is noteworthy. During World War II, Adolf Hitler initiated a secret plan to counterfeit the U.S. dollar and British pound, a similar kind of economic warfare. But, putting the international law implications aside, the criminal complaint also revealed new details about the fraud that are material to what SWIFT is trying to accomplish – that is, hardening the global banking system’s defenses to cyberattacks.
At the very beginning of the complaint, the Department of Justice announces what the cyberattack represents: “a wide ranging, multiyear conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of [North Korea].” The complaint then reveals the involvement of these North Korean actors in the “fraudulent transfer of $81 million from Bangladesh Bank” and drops another startling fact: that these actors “engaged in computer intrusions and cyberheists at many more financial services victims in the United States, and in the other countries … with attempted losses well over $1 billion.”
Unlike the objective of these North Korean state actors regarding Sony, where the motive was to retaliate for the perceived attack against their leader, who was ostensibly sullied by Sony’s film, here the cyberattack on financial institutions was simpler in its objective. It was, according to the complaint, to further “the goal of stealing money from banks.” Upon reflection, it is not a complete surprise that North Korea, one of the poorest nations on earth, would have state actors become cyberthieves in an effort to level the playing field.
The criminal complaint continues to describe the methodology used to steal money from banks. In the scheme described, a North Korean actor creates a spearphishing message that is designed to have social engineering consequences in the targeted financial institution, and to cause a person within the target financial institution to respond in a manner that opens the door of the financial institution’s computer system to the perpetrators. As the complaint frames it, the response of the person who succumbs to the phishing is a response that “grants access to the bank’s computer network.”
Once the malefactors have gotten into the financial institution’s general computer network, they work their way through the internal network to the “SWIFT communication system,” exploiting the absence of a firewall between the institution’s general computer system and its SWIFT interface. In other cases, where the malefactors encountered a firewall, the “firewall was modified to allow inbound access using a specific port, and then shortly afterward malware used that port to begin accepting commands.” Then, through the use of the inserted malware, the state actors cause the financial institution to send fraudulent SWIFT messages, achieving the overall objective of stealing money from the victimized financial institutions. But the nefarious scheme did not stop with theft.
It continued with the additional steps needed to perfect a cover-up. The state actors inserted malware that worked to destroy the audit trail that would enable the victim financial institutions to detect that they had sent fraudulent payment orders over the SWIFT network. In the words of the criminal complaint, the malware enabled the malefactors “to conceal their activities and cover their tracks.”
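The cover-up step described above, in which malware destroyed the audit trail of the payment orders that had been sent, is the kind of failure a tamper-evident log is designed to expose. The following Python program is an added illustration written for this article; it is not code from SWIFT, from the complaint, or from any bank. It records each outgoing payment order as an entry chained to its predecessor by a SHA-256 hash, so that an entry that is later rewritten, deleted or reordered no longer verifies. The record fields, references and beneficiary names are constructed for the example, and the `expected_head` value stands in for a copy of the latest hash that a defender would keep off the host (for instance on a separate monitoring system), since without it the deletion of the most recent entries cannot be detected.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash "before" the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the trail, starting at 0
    order: dict       # the recorded payment order (constructed fields)
    prev_hash: str    # entry_hash of the previous entry, or GENESIS
    entry_hash: str   # SHA-256 over seq, order and prev_hash


def _digest(seq: int, order: dict, prev_hash: str) -> str:
    # Canonical JSON so that the same record always hashes the same way.
    payload = json.dumps({"seq": seq, "order": order, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def head(self) -> str:
        """Hash of the latest entry; a defender keeps a copy of this off the host."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, order: dict) -> AuditEntry:
        prev = self.head()
        seq = len(self.entries)
        entry = AuditEntry(seq, order, prev, _digest(seq, order, prev))
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, position). On failure, position is the first entry that does
        not verify, or len(entries) when entries are missing from the tail."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries):
            if e.seq != expected_seq or e.prev_hash != prev:
                return False, expected_seq          # deleted or reordered entry
            if _digest(e.seq, e.order, e.prev_hash) != e.entry_hash:
                return False, expected_seq          # record edited in place
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)         # tail entries removed
        return True, None


def build_sample_trail() -> AuditTrail:
    """Three constructed payment orders, as the sending bank would record them."""
    trail = AuditTrail()
    for ref, beneficiary, amount in [("REF-001", "BENEF-A", 1_000_000),
                                     ("REF-002", "BENEF-B", 2_500_000),
                                     ("REF-003", "BENEF-C", 750_000)]:
        trail.append({"ref": ref, "beneficiary": beneficiary, "amount_usd": amount})
    return trail


def demo(kind: str) -> Tuple[bool, Optional[int]]:
    """Apply one simulated tampering action to a fresh trail and verify it
    against the head hash that was saved before the tampering."""
    trail = build_sample_trail()
    saved_head = trail.head()
    if kind == "delete_middle":
        del trail.entries[1]
    elif kind == "edit_in_place":
        e = trail.entries[1]
        changed = dict(e.order, beneficiary="REDIRECTED-ACCT")
        trail.entries[1] = AuditEntry(e.seq, changed, e.prev_hash, e.entry_hash)
    elif kind == "edit_and_rehash":
        e = trail.entries[1]
        changed = dict(e.order, beneficiary="REDIRECTED-ACCT")
        trail.entries[1] = AuditEntry(e.seq, changed, e.prev_hash,
                                      _digest(e.seq, changed, e.prev_hash))
    elif kind == "delete_tail":
        trail.entries.pop()
    return trail.verify(expected_head=saved_head)


if __name__ == "__main__":
    for kind in ("none", "delete_middle", "edit_in_place", "edit_and_rehash", "delete_tail"):
        print(f"{kind:16s} -> {demo(kind)}")
```

The point of the `expected_head` check is the caveat that matters in practice: a hash chain on its own proves internal consistency, not completeness, so the latest hash (or the entry count) has to be copied somewhere the compromised host cannot reach, and that copy is what the verification is anchored to.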
The complaint reveals that the North Korean actors “were successful in gaining access to multiple other banks in multiple countries.” It proceeds to name Vietnam, the Philippines, and countries in Africa and Southeast Asia. Judging by a list of victimized financial institutions, they appear to be predominantly located in emerging markets. The Bank of Bangladesh also is situated in an emerging market country. It is now obvious that the state actors were very successful in raising hundreds of millions of dollars of ill-gotten gains, gains that might be used to finance future operations.
The facts described above appear in the form of a sworn criminal complaint executed by an agent of the Federal Bureau of Investigation. In making the complaint public, and notably in revealing specific details of its case, the Department of Justice most probably was not expecting that North Korea would make the named defendants available for trial in the United States. Assuming that this was not the governmental objective, that leaves the likely objective of the government being to provide normally secret details so that the financial industry could better prepare to guard itself against what represents a clear and present danger.
SWIFT’S CUSTOMER SECURITY PROGRAMME
To its credit, SWIFT responded to the Bank of Bangladesh fraud, and other similar frauds that came to light in early 2016, in a deliberate and thoughtful manner, well before the details set out in the criminal complaint were publicly known. The response was SWIFT’s Customer Security Programme, which is carefully crafted to enhance the security of the ecosystem connecting financial institutions that are transferring funds among each other using instructions sent via the SWIFT network. As Gimbert and Hunter pointed out in their article, the program has three basic components: improved information sharing, enhanced tools to combat fraud, and a new customer security controls framework. Before examining some of the framework’s details, there is an important component of SWIFT value-transfer messages that the reader must understand.
In a typical funds transfer – it doesn’t matter whether the transfer is denominated in the U.S. dollar, the euro, or the yen – one bank will send a payment order to another bank, asking it to transfer bank credit to a third party, called a “beneficiary.” In this relationship between banks, the bank sending the payment order typically is described as the respondent bank, and the bank receiving the payment order (and acting upon it) typically is described as the correspondent bank.
SWIFT is the premier telecommunications service for communicating internationally this kind of value message. On the SWIFT network, not every correspondent bank will be amenable to receive payment instructions from every other respondent bank. Remember that there are 11,000 banks on the SWIFT network. To enable a correspondent bank to be selective regarding the respondent banks that the correspondent bank wishes to do business with, SWIFT introduced what is characterized as its “Relationship Management Application” (RMA). As SWIFT explains, RMA “enables financial institutions to define which counterparties can send them [value transfer] messages.” Further, SWIFT has also introduced something called “RMA Plus,” which enables a correspondent to be even more particular and to select the types of value transfer messages that the correspondent will receive from a particular respondent (e.g., only letters of credit).
RMA and RMA Plus have a direct relationship with the CSP because the ability for a correspondent bank to be selective gives the correspondent bank leverage over a respondent bank. If a correspondent bank, for example, is not satisfied that a respondent bank is taking the needed precautions to protect the funds transfer ecosystem against payment fraud and cyberattack, then the correspondent bank can take unilateral action and, effectively, cut the respondent bank off from sending a value transfer message to the correspondent bank over the SWIFT network. And, from certain objective indicators, it would appear that some correspondent banks are using this leverage and cutting off respondent banks. SWIFT explains that, by using RMA, “many institutions are rationalizing their correspondent banking relationships in order to remove higher risk correspondents and to help reduce the risk of fraudulent transactions.” If correspondent banks as a group take parallel action against a specific respondent bank or group of respondent banks, then those respondent banks will find themselves unable to send or receive payment messages. For an individual respondent bank, or for a class of such banks, this is potentially franchise ending.
There are two components to the new customer controls. The first is the specific controls designed to enhance security. There are seven: (1) Restrict internet access and protect critical systems from the general information technology; (2) reduce attack surface and vulnerabilities; (3) physically secure the environment; (4) prevent compromise of credentials; (5) manage identities and segregate privileges; (6) detect anomalous activity with respect to systems and transactional records; and (7) plan for incident response and information sharing.
An analysis of each one of the mandatory controls is beyond the scope of this article. There are, however, several observations about the controls and how they relate to what happened with respect to the cyberattack by North Korea. The first control, for example, involves protecting the general computer systems within a financial institution, and also the critical systems (i.e., SWIFT) that might be penetrated in the event that the general computer system is compromised. This control has obvious relevance to the facts of the Bangladesh case, where phishing was used to get access to the general computer environment, and where there was no firewall to protect the SWIFT application. Another control is to detect anomalous activity. In the Bangladesh case, some of the fraudulent transfers were paid to beneficiaries with which a central bank would not ordinarily do business. A control like the one envisioned by SWIFT would have detected the suspicious transfers in the Bangladesh case and presumably would have stopped the fraud before it reached $81 million.
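The anomalous-activity control just described, applied to transactional records, can be made concrete with a screening rule set that holds an outgoing payment order for review when it does not fit the sending bank’s own history. The following Python program is an added example for this article, not SWIFT’s code or any bank’s implementation. It builds a baseline from constructed historical orders (the beneficiaries the bank has actually paid and the largest amount it has sent) and then screens a constructed batch of new orders for three signals: a beneficiary the bank has never paid, an amount above the historical maximum, and a burst of orders within a short window. The beneficiary identifiers, amounts, timestamps and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class PaymentOrder:
    ref: str              # constructed transaction reference
    sent_at: datetime
    beneficiary: str      # constructed beneficiary identifier
    amount_usd: int


@dataclass(frozen=True)
class Baseline:
    beneficiaries: FrozenSet[str]   # everyone this bank has paid before
    max_amount_usd: int             # largest single order in the history


def build_baseline(history: List[PaymentOrder]) -> Baseline:
    return Baseline(frozenset(o.beneficiary for o in history),
                    max(o.amount_usd for o in history))


def screen(order: PaymentOrder, baseline: Baseline, recent: List[PaymentOrder],
           burst_limit: int = 3, burst_window: timedelta = timedelta(minutes=15)) -> List[str]:
    """Return the reasons (possibly none) for holding this order for review."""
    reasons = []
    if order.beneficiary not in baseline.beneficiaries:
        reasons.append("unknown beneficiary")
    if order.amount_usd > baseline.max_amount_usd:
        reasons.append("amount above historical maximum")
    window_start = order.sent_at - burst_window
    in_window = [o for o in recent if window_start <= o.sent_at <= order.sent_at]
    if len(in_window) + 1 > burst_limit:      # +1 counts the order being screened
        minutes = int(burst_window.total_seconds() // 60)
        reasons.append(f"more than {burst_limit} orders within {minutes} minutes")
    return reasons


# Constructed history: a few routine orders to three known beneficiaries.
_T0 = datetime(2016, 1, 4, 10, 0)
HISTORY = [
    PaymentOrder("HIST-1", _T0, "BENEF-A", 3_000_000),
    PaymentOrder("HIST-2", _T0 + timedelta(days=3), "BENEF-B", 5_000_000),
    PaymentOrder("HIST-3", _T0 + timedelta(days=9), "BENEF-C", 1_200_000),
    PaymentOrder("HIST-4", _T0 + timedelta(days=14), "BENEF-A", 4_000_000),
]

# Constructed new batch: one routine order, one to a never-seen beneficiary
# for far more than the bank has ever sent, then two more in quick succession.
_T1 = datetime(2016, 2, 1, 23, 0)
NEW_BATCH = [
    PaymentOrder("N1", _T1, "BENEF-A", 1_000_000),
    PaymentOrder("N2", _T1 + timedelta(minutes=2), "BENEF-UNKNOWN", 20_000_000),
    PaymentOrder("N3", _T1 + timedelta(minutes=5), "BENEF-B", 2_000_000),
    PaymentOrder("N4", _T1 + timedelta(minutes=8), "BENEF-C", 500_000),
]


def run_screening(history: List[PaymentOrder] = HISTORY,
                  batch: List[PaymentOrder] = NEW_BATCH) -> Dict[str, List[str]]:
    """Screen a batch in order; every order, held or not, counts toward the burst."""
    baseline = build_baseline(history)
    recent: List[PaymentOrder] = []
    results: Dict[str, List[str]] = {}
    for order in batch:
        results[order.ref] = screen(order, baseline, recent)
        recent.append(order)
    return results


if __name__ == "__main__":
    for ref, reasons in run_screening().items():
        print(ref, "HOLD" if reasons else "release", reasons)
```

Held orders are still appended to `recent`, so a run of suspicious orders counts toward the burst rule even when each individual order is stopped; the burst rule is there because a batch of orders pushed out in a short period, outside the bank’s normal rhythm, is itself a signal a reviewer would want raised independently of the beneficiary and amount checks.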
The second component of SWIFT’s CSP is attestation. SWIFT expects that financial institutions that are connected on the network will attest to their compliance with the mandatory controls and make the results available upon request to any correspondent bank that makes an inquiry. Note that a dialogue between the correspondent bank and a respondent bank regarding the attestation could be brought into focus by the threat represented by RMA. If a correspondent bank became uncomfortable that a given respondent bank was taking the needed action to secure the funds transfer ecosystem, or its SWIFT connection, then it could simply configure RMA such that the respondent bank could no longer send value-transferring payment orders to the correspondent bank. This is precisely how the incentives are intended to work – the attestation is designed to be supported by the discipline of counterparty management. If a correspondent bank believes that its respondent bank is a weak link in the ecosystem, then it is expected to take the necessary action to push the respondent bank toward reform.
This is not to say that counterparty discipline is the only tool for fostering compliance. SWIFT has also reminded financial institutions that it reserves the right to inform the home country supervisors of a noncompliant financial institution that the financial institution has not attested. Presumably, any prudential supervisor hearing that an institution within its jurisdiction has not taken minimal steps to secure itself from cyberattack would respond appropriately. Further, as of January 1, 2019, SWIFT is reserving the right to notify host country supervisors of financial institutions that have failed to timely reattest, or that have not confirmed full compliance with the mandatory controls. In 2019, SWIFT plans to make a report available to messaging counterparties to look up those users of the network who have not attested and are noncompliant. Together, these represent progressive steps designed and intended to enhance the security of the ecosystem by giving an incentive to all network participants to work toward ensuring there are no weak links.
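The mechanism described in the preceding paragraphs, in which RMA and RMA Plus authorizations are tightened in response to attestation results, can be modeled as a small policy engine. The following Python program is an added example for this article; it is not SWIFT’s RMA implementation or any correspondent bank’s policy. The correspondent’s RMA table maps each respondent to the message types it may send (the full set standing for plain RMA, a subset for RMA Plus granularity). A hypothetical rationalization policy, chosen here for illustration, leaves compliant respondents untouched, removes the value-transfer type for respondents that have not attested so that only letters of credit get through, and revokes authorization entirely for respondents that attested as noncompliant. The respondent names, the attestation results and the two message-type labels are constructed for the example and stand in for real SWIFT message categories.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Set, Tuple


class Attestation(Enum):
    COMPLIANT = "compliant"          # attested full compliance with the mandatory controls
    NONCOMPLIANT = "noncompliant"    # attested, but not fully compliant
    NOT_ATTESTED = "not_attested"    # no attestation on file

# Constructed labels standing in for SWIFT message categories.
VALUE_TRANSFER = "customer_credit_transfer"
LETTER_OF_CREDIT = "letter_of_credit"
ALL_TYPES = frozenset({VALUE_TRANSFER, LETTER_OF_CREDIT})


@dataclass
class RmaTable:
    """Correspondent's authorizations: respondent -> message types it may send."""
    allowed: Dict[str, Set[str]] = field(default_factory=dict)

    def admits(self, respondent: str, msg_type: str) -> Tuple[bool, str]:
        """Decide whether an inbound message from `respondent` is accepted."""
        if respondent not in self.allowed:
            return False, "no RMA authorization"
        if msg_type not in self.allowed[respondent]:
            return False, "message type not authorized (RMA Plus)"
        return True, "authorized"


def rationalize(table: RmaTable, attestations: Dict[str, Attestation]) -> RmaTable:
    """Hypothetical policy: derive a new RMA table from attestation results."""
    new = RmaTable()
    for respondent, types in table.allowed.items():
        status = attestations.get(respondent, Attestation.NOT_ATTESTED)
        if status is Attestation.COMPLIANT:
            new.allowed[respondent] = set(types)
        elif status is Attestation.NOT_ATTESTED:
            remaining = set(types) - {VALUE_TRANSFER}   # keep documentary traffic only
            if remaining:
                new.allowed[respondent] = remaining
        # NONCOMPLIANT: the respondent is left out, i.e. authorization is revoked
    return new


# Constructed starting table: three plain-RMA respondents, one already on RMA Plus.
TABLE = RmaTable({
    "RESP-ALPHA": set(ALL_TYPES),
    "RESP-BRAVO": set(ALL_TYPES),
    "RESP-CHARLIE": {LETTER_OF_CREDIT},
    "RESP-DELTA": set(ALL_TYPES),
})

# Constructed attestation results as the correspondent learned them.
ATTESTATIONS = {
    "RESP-ALPHA": Attestation.COMPLIANT,
    "RESP-BRAVO": Attestation.NOT_ATTESTED,
    "RESP-CHARLIE": Attestation.NOT_ATTESTED,
    "RESP-DELTA": Attestation.NONCOMPLIANT,
}


def run_example():
    """Return (before, after): admission decisions for every respondent and type."""
    after_table = rationalize(TABLE, ATTESTATIONS)
    before, after = {}, {}
    for respondent in TABLE.allowed:
        for msg_type in sorted(ALL_TYPES):
            before[(respondent, msg_type)] = TABLE.admits(respondent, msg_type)
            after[(respondent, msg_type)] = after_table.admits(respondent, msg_type)
    return before, after


if __name__ == "__main__":
    before, after = run_example()
    for key in before:
        print(key, "before:", before[key], "after:", after[key])
```

The choice to keep letters of credit open for respondents that have merely not attested, while revoking noncompliant respondents outright, is one possible policy and is the kind of decision the article says correspondent banks are now making; the program is only meant to show that the attestation result, not the RMA table by itself, is the input that drives the leverage described above.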
The controls and RMA work together to enable a correspondent bank (and the community of correspondent banks) to use individual and collective power over any respondent bank that has not complied with CSP to enhance the security of the network. This is the overall design, and it was created to operate in precisely this fashion throughout the world. In the United States, unlike the rest of the world, there is a statutory infrastructure that backstops the rules governing funds transfers. This statute is Article 4A of the Uniform Commercial Code (UCC). In my view, there are specific provisions of UCC that work to give incentives to further correspondent banks to push their respondent banks to take necessary precautions.
IMPLICATIONS OF ARTICLE 4A OF THE UCC
A payment order to effect a funds transfer, which is sent by a respondent to a correspondent bank situated in the United States, will typically be sent through the SWIFT system and governed by Article 4A of UCC. Let us envision a payment order that was sent by a financial institution located in an emerging market country that had been infiltrated by a malefactor like the North Korean malefactor charged in the criminal complaint. This payment order will not be authorized by the respondent bank because it has been designed by the perpetrator to move funds not to an intended beneficiary but to a confederate of the malefactor.
Yet, even though the payment is not authorized by the sending respondent bank, the respondent bank might nonetheless be held responsible for the payment order by operation of law, and more specifically by operation of certain provisions of Article 4A. If the correspondent bank verified the payment order in accordance with a “security procedure” that is commercially reasonable and the product of an agreement between the respondent bank and the correspondent bank, and the correspondent bank is able to prove such compliance (which is ordinarily not difficult – the correspondent bank shows that its equipment “authenticated” that the message was issued by specific equipment at the respondent bank), then the respondent bank will be liable for the unauthorized order to the correspondent bank, provided that the correspondent bank has acted in “good faith.”
These particular statutory rules place the correspondent bank in the position where, if it follows the agreed-upon security procedure, it is not liable for the unauthorized payment. This is the design of Article 4A – it encourages commercially reasonable security procedures through the use of liability rules. However, there are two important details that might disrupt this generalized allocation of fraud loss to the respondent bank. The first relates to the security procedure itself. It must be “commercially reasonable.” Article 4A provides that commercial reasonableness is a question to be decided by a judge, who shall consider a number of factors, including “the circumstances of the customer known to the bank.” Because of the way in which the new SWIFT CSP functions, it will likely enable the correspondent bank to know the circumstances of its respondent bank in far more detail than the correspondent bank had known before SWIFT’s attestation program.
Let’s hypothesize that a correspondent bank learns through the attestation process that a respondent bank is not complying with SWIFT’s mandatory security controls. By way of illustration, perhaps the respondent discloses that it does not have a firewall protecting the SWIFT application from its general computer network. This is a circumstance of the respondent bank that is now known to the correspondent bank. Can the correspondent bank continue with business as usual? More specifically, can the correspondent bank continue to offer a security procedure that depends on SWIFT verification knowing that the respondent bank may be a victim of a fraud like the one documented in the criminal complaint?
One might argue that these facts cry out for some kind of compensating control, to offset the obvious weakness pointed up in the attestation. Is it the correspondent bank’s responsibility to be its respondent bank’s keeper? Perhaps not, but doesn’t the correspondent bank have a larger role with respect to the ecosystem and in hardening the weak links that threaten the ecosystem? Arguments can be made on either side of this question.
Another question arises with respect to the correspondent bank’s “good faith.” Under New York law, “good faith” means “honesty in fact and the observance of reasonable commercial standards of fair dealing.” If, in the example being considered, the correspondent bank continues to process funds transfers from a respondent in a business-as-usual manner while knowing the respondent has not implemented SWIFT’s mandatory controls, is it assuming the risk of fraudulent transfers? If it continues processing (rather than configuring RMA such that the respondent cannot continue to place the correspondent bank in the position of an enabler), is it acting in good faith? Suppose that other, similarly situated correspondent banks are taking that action and excluding a respondent bank that is noncompliant. Does this influence the legal analysis?
I’m asking these questions to illustrate how the statutory infrastructure in the United States might affect decision-making regarding SWIFT’s CSP. In their article, Gimbert and Hunter asked whether the SWIFT CSP might “trigger a new form of derisking.” This point is drawn into sharper relief by the details in the criminal complaint and by an awareness of the amplifying effects of Article 4A.
Regarding risk management generally, a correspondent bank can take five different approaches to this emerging funds transfer risk. It can: (1) avoid or prevent the risk, (2) reduce the risk, (3) share the risk, (4) transfer the risk, or (5) accept the risk. This is elementary risk management. More specifically, a correspondent bank may elect to avoid the risk relating to a noncompliant respondent bank or to cease taking that risk if it has already commenced doing so. This is where RMA and RMA Plus factor into the analysis. SWIFT has created a tool that the correspondent bank can readily use to avoid the risk relating to the noncompliant respondent bank.
A NEW ERA OF DERISKING?
As the criminal complaint makes clear, the funds transfer frauds attributable to state actors have been aimed largely at emerging market countries, where security practices tend to be at the trailing edge. At the same time, many correspondent banks tend to be located in industrialized countries, which are also the countries associated with reserve currencies like the U.S. dollar, the euro, and the yen. Because the premier reserve currency is the U.S. dollar, many correspondent banks have the United States as their home country, and Article 4A frequently provides the legal infrastructure for wholesale credit transfers made by these correspondent banks.
Many of these correspondent banks may decide that their best option is to completely avoid the risk of a noncompliant respondent bank and take direct action against such a respondent bank. If the noncompliance is indicative of the state of security practices in a particular emerging market country, then many respondent banks in that jurisdiction may experience the same reaction. The result will be a derisking that affects the entire country and the country’s ability to access certain financial markets.
What are the alternatives? One possibility is for a correspondent bank to assist respondent banks in complying with the SWIFT mandatory security controls and to help them in upgrading the controls so that they can attest to compliance. But if a correspondent bank lends such aid, does it face the same potential liability as the biblical Good Samaritan? In this story (at least its law school variation), the Good Samaritan rescuer is liable if its rescue attempt happens to be negligent (notwithstanding good intentions). The moral is that if you should decide to attempt a rescue, you need to do it using ordinary care or not do it at all.
Applying this lesson to a correspondent bank’s decision to assist a respondent bank in upgrading its funds transfer security, a correspondent bank might decide it does not wish to place itself in such a sensitive position. A correspondent bank taking on such a noble role would likely find that the talent it was devoting to the cause of aiding the respondent bank was increasing its costs. At the same time, the prospective profitability of the funds transfer business flowing from any given respondent bank tends to be quite small. When a cost/benefit analysis is done, the conclusion often is that this kind of assistance is not good business, and that does not account for the possibility that, if the security controls fail, the correspondent bank will be blamed. From a business perspective, this type of undertaking would not be seen as being in the best interests of the correspondent bank’s shareholders.
Some also question whether SWIFT should foster better network security by network rules that could be administered by SWIFT or agents working for SWIFT. This would lift the burden from the correspondent banking community and place it on the communications service provider. Instead of pressure for compliance being provided by a counterparty, the pressure would be applied by the service provider. The residual risk is that if the security fails, the service provider may be blamed. It is perhaps understandable that SWIFT’s CSP places the disciplinary responsibility largely on the correspondent banks, with the clear objective that such pressure will foster better security procedures in the respondent bank community.
For now, the jury is still out whether SWIFT’s CSP will lead to a new round of derisking. It is not, of course, inevitable. Any particular respondent could adopt the controls needed to comply fully with SWIFT’s CSP. The necessary tools are available. But as the criminal complaint reveals, there should be no doubt about the need to harden the security of systems that make global funds transfers. And, in the United States, Article 4A will have, in my view, an amplifying effect.