13 Oct 2016
In this exclusive Of Counsel piece, Julie Copeland and Mirella A. de Rose of Lewis Baach pllc consider two recent events which highlight the importance of real-time monitoring of suspicious transactions.
We have written recently about the need for financial institutions, even in light of the increasingly complex anti-money laundering regulatory environment, to focus on the fundamentals of compliance (Going Back to the ABC’s of Compliance). Two recent events in the AML world highlight the risks of ignoring these basic principles.
In January of this year, Wells Fargo Bank (Wells) – which currently has other unrelated problems – was sued by Ecuadorean Banco Del Austro, S.A. (Austro) for, among other things, failing to catch suspicious transactions in Austro’s correspondent account with Wells. The action, filed in Manhattan state court and subsequently removed to federal court, alleges that during a week and a half period in January 2015, Wells processed twelve unauthorized transfers totaling over $12 million out of Austro’s account. The transactions were allegedly perpetrated by hackers who obtained Austro’s SWIFT codes, illegally accessed Austro’s computer system, logged onto the SWIFT network and requested the transfers. Austro cited the following red flags that it claimed should have alerted Wells to the suspicious nature of the transactions: i) the transactions were performed at odd times of day, always after regular business hours and sometimes after midnight; ii) the transactions involved transfers in unusual amounts with cents on the dollar for an institutional account where large round dollar amounts are the norm; iii) the transactions were unusually frequent (12 in nine days); iv) the beneficiaries were in “unusual geographic locations” (ten out of the twelve transfers were to beneficiaries located in Hong Kong and Dubai); and v) the same beneficiary received funds from multiple originators.
A month after Wells was sued, in February of this year, the Federal Reserve Bank of New York – which as the most powerful regional branch of the U.S. central bank processes transactions for most of the central banks of the world – effected unauthorized transactions from the account of the central bank of Bangladesh. As with Austro, hackers used stolen Bangladesh central bank credentials to infiltrate the bank’s computer system and send SWIFT messages requesting transfers totaling almost $1 billion out of the central bank’s account. Out of the $1 billion requested, $81 million in unauthorized transactions were processed.
The transactions in the New York Fed case – which is still under review by multiple law enforcement and regulatory agencies – bear striking resemblances to those detailed in the Wells complaint, the merits of which have similarly yet to be resolved: i) the payment requests were to individuals rather than institutions; ii) 34 orders arrived in four hours requesting nearly $1 billion in transfers out of the account; and iii) the slew of payment requests were inconsistent with transactions previously processed on behalf of the central bank of Bangladesh. Over the eight months leading to January 2016, the Bangladesh central bank issued 295 payment requests to the Fed, averaging fewer than two per working day and, according to news sources, none of these had been to individuals.
Suffice it to say that although liability remains disputed in respect of both matters, there appear to have been numerous red flags in each that should have alerted staff to abnormalities in the requested transfers. Patterns of transactions that are not consistent with previous account history are indicative of potentially suspicious activity. Central banks do not normally send funds to individuals as opposed to companies or institutions. In the Wells case, the plaintiffs allege that the same beneficiary received funds from multiple originators, a classic red flag for money laundering. In the Federal Reserve matter, the sheer volume of transfer requests was so out of whack with prior activity that it should have prompted actions to determine the validity of the request sooner than it did.
Both of these matters underscore significant cybersecurity concerns, but perhaps more importantly, they emphasize fundamental weaknesses in the systems of two major financial institutions for real-time monitoring of suspicious transactions. Financial institutions need to do more than put a system in place to identify red flags; that system needs to identify them in time to prevent fraudulent transactions from being processed. The Wells and New York Fed cases demonstrate that this seemingly obvious guidance can often be overlooked – at great financial and reputational cost to the parties involved.
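As an added illustration (not part of the original article, and not either institution's system), the red flags described above can be written as screening rules that run before a payment is released rather than after. The thresholds, field names and sample payment requests are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; in practice these come from the account's own history.
BUSINESS_HOURS = range(8, 18)       # hours treated as normal for this account
USUAL_COUNTRIES = {"US", "EC"}      # beneficiary countries seen historically
WINDOW, MAX_IN_WINDOW = timedelta(hours=24), 2
HOLD_AT = 2                         # number of red flags that stops release

class Screener:
    def __init__(self):
        self.recent = defaultdict(deque)     # account -> recent request times
        self.originators = defaultdict(set)  # beneficiary -> originators seen

    def screen(self, p):
        """Score one payment request before it is released."""
        flags = []
        if p["time"].hour not in BUSINESS_HOURS:
            flags.append("after_hours")
        if p["cents"] % 100:                 # institutional norm: round dollars
            flags.append("amount_with_cents")
        if p["country"] not in USUAL_COUNTRIES:
            flags.append("unusual_geography")
        if p["bene_type"] == "individual":
            flags.append("individual_beneficiary")
        times = self.recent[p["account"]]
        times.append(p["time"])
        while p["time"] - times[0] > WINDOW:  # keep only requests in the window
            times.popleft()
        if len(times) > MAX_IN_WINDOW:
            flags.append("unusual_frequency")
        seen = self.originators[p["beneficiary"]]
        seen.add(p["originator"])
        if len(seen) > 1:                     # same beneficiary, several originators
            flags.append("multi_originator_beneficiary")
        return ("HOLD" if len(flags) >= HOLD_AT else "RELEASE"), flags

FIELDS = ("time", "account", "originator", "beneficiary", "country", "bene_type", "cents")
# Constructed sample requests, not data from either case.
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (datetime(2015, 1, 12, 10, 30), "CORR-1", "Orig A", "Supplier Ltd", "US", "institution", 50_000_000),
    (datetime(2015, 1, 13, 23, 40), "CORR-1", "Orig B", "Bene X", "HK", "individual", 123_456_789),
    (datetime(2015, 1, 14, 0, 15), "CORR-1", "Orig C", "Bene X", "AE", "institution", 90_000_000),
    (datetime(2015, 1, 14, 0, 40), "CORR-1", "Orig B", "Bene Y", "AE", "institution", 75_000_000),
]]

def run(sample):
    screener = Screener()
    return [screener.screen(p) for p in sample]

if __name__ == "__main__":
    for p, (decision, flags) in zip(SAMPLE, run(SAMPLE)):
        print(p["time"], decision, flags)
```

A held payment here is a prompt to confirm the request with the account holder through a separate channel; the point is that the decision is made before funds move.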