The Federal Reserve Bank of New York, in its first extensive remarks on cybersecurity following the theft of $81 million from accounts it held for the central bank of Bangladesh, said the incident is a "wake-up call" for the global financial system and the Fed is taking the issue "very seriously."
However, a senior New York Federal Reserve official said in an interview with CNBC that the central bank has no authority to inspect or oversee the cybersecurity precautions at foreign central banks that keep their assets at the New York Fed. That means there can be varying cybersecurity risk levels around the world for transactions between global central banks and the New York Fed.
The New York Fed stands at the center of the globalized, dollar-denominated world, maintaining as many as 250 accounts for central banks that contain approximately $3 trillion in assets. One of the reasons those funds are concentrated in New York is that the United States is seen as among the safest places in the world for central bankers looking to protect assets. At the same time, that massive pool of money represents a rich and tempting target for international thieves and their growing attempts at cybertheft.
The amounts involved are staggering: The Federal Reserve official told CNBC, for what appears to be the first time, that as much as $80 billion is electronically wired into or out of international accounts at the New York Fed on an average day.
"I'm surprised it hasn't happened before," said a former senior New York Fed official who left the bank several years ago, referring to cyberthefts from the Fed.
Current and former Fed officials in this story spoke to CNBC on condition of anonymity.
In February, cybercriminals attempted to transfer $951 million from the account of the Bangladesh Central Bank at the New York Fed. Of that amount, $81 million was sent to accounts in the Philippines and then onto casinos there. The remaining transfers were blocked before the money could be sent from the New York Fed. It is unclear where the missing money is now, or who stole it. One technique that may have been used in the heist is inserting malware into the system involving SWIFT electronic messages that are used in international finance to authorize the transfer of money between financial institutions.
The Society for Worldwide Interbank Financial Telecommunications, which is itself operated by a financial cooperative based in Brussels, said in a statement Tuesday that it "is aware of a malware that aims to reduce financial institutions' abilities to evidence fraudulent transactions on their local systems." SWIFT also said that the Bangladesh hack is not the only time thieves have attempted to break into an international financial institution's software. "There are other instances in which customers' internal vulnerabilities have been exploited," SWIFT said. The cooperative said it made a mandatory software update available to its customers this week.
The New York Fed has repeatedly emphasized that its own computers were not compromised in the Bangladesh case. However, it appears that the overall process for transferring money out of accounts at the New York Fed was compromised.
At the New York Fed, the official declined to say what measures, if any, the institution has taken to tighten security in the wake of the attack. "We can't comment on specific security procedures and internal processes for obvious security reasons," he said.
The official added that security by end users of electronic systems and the bank is "critical to the stability of the global financial system."
Still, the official acknowledged the Fed has no ability to control cybersecurity procedures at the roughly 250 foreign central banks around the world that have accounts at the Fed. "Every user of authenticated financial messaging traffic is ultimately responsible for its own systems," the official said. Pressed on whether the Fed should take a more aggressive role in the cybersecurity of its foreign counterparts, the official said: "I guess I'm struggling a little bit to understand in what context we would be involved."
"For example," the official said, "why would the Bank of England have any right to come into the Fed and look at the end security of our systems?"
In a 2014 operating circular issued to institutions seeking electronic connections to the Federal Reserve, the Fed wrote that those institutions should comply with security measures "required" by a reserve bank, but each one should also "exercise its own independent judgments about security and additional steps or procedures needed to prevent fraud, unauthorized access or other unauthorized use of an Electronic Connection."
That raises the question of just who is responsible for covering the loss when money is stolen from Fed accounts. In the same circular, the Fed spelled out what it considers its own liability. "The Reserve Banks are not liable for loss or damage resulting from a problem beyond their reasonable control," the Fed wrote. That includes "malware received from or introduced by any entity other than a Reserve Bank."
It's unclear whether there have been any other previous heists from accounts at the Fed. Asked whether there have been other hacking attempts to fraudulently transfer assets out of a Fed account, the official said: "I am not aware of attempts in the central bank context." CNBC then asked whether there had been hacking attempts in a non central-bank context — that is, in the accounts the Federal Reserve maintains for private banks. A Federal Reserve spokesperson declined to answer and said simply: "Check with the private banks."
The public would not necessarily know if even large amounts of money have ever been stolen from accounts at the New York Fed. The Fed says it is not bound by any disclosure requirements to report thefts. "I am not aware of any laws or regulations that require public disclosure, certainly by the Fed," the official said.
CNBC contacted a number of large banks to ask if they would have to disclose a cyberheist from their accounts at the Fed. One bank said it would not have to make any public disclosure of such a heist, so long as the amount stolen was not material to the bank. The private bank would have to file what's known as a "suspicious activity report" of illicit hacking to the U.S. Treasury, but those documents are not released to the public.
A former federal law enforcement official said public disclosure of thefts from the New York Fed would improve security, and keeping incidents hidden could make matters worse. "If it's under the table and nobody sees it, I think that does a disservice because I think the problem continues to grow and fester unchecked," he said. He explained that law enforcement would sometimes like thefts to be kept confidential during investigations to avoid tipping off thieves as to how much investigators know.
But generally, he said both the big banks and the New York Fed are averse to disclosing cybertheft: "They don't want people to lose confidence in the integrity of the system, that's why."
Historically, there is one incident on the public record in which accounts at the New York Fed were tapped by a fraudster. In the 1980s, thieves used apparently bogus Telex messages to route money into private accounts. In that case, the central bank account victimized was not that of Bangladesh, but Uganda.