The Future of Payments

Unintended Consequences? 80 BANKING PERSPECTIVES QUARTER 4 2018 A ALAINA GIMBERT AND ROB HUNTER WROTE an excellent piece in Banking Perspectives earlier this year about how fraud in the Central Bank of Bangladesh affects SWIFT’s recent Customer Security Programme (CSP). 1 CSP represents SWIFT’s response to an emerging threat to the security of the ecosystem that surrounds the funds transfer network, which connects the world’s 11,000 financial institutions. This network is critical global infrastructure and must be failsafe. Because this infrastructure is important, I am picking up where Gimbert and Hunter left off and will address new and important developments. This article will relate some of the late-breaking details of the Bangladesh case, review some developments regarding SWIFT’s security program, address how the CSP is affected by the statutory law governing funds transfers in the United States, and assess what I believe is a possible unintended consequence of CSP as it is affected by U.S. law: derisking. UPDATE: THE BANGLADESH CASE New information about the Bangladesh case arrived in the form of headline news. The United States Department of Justice published a criminal complaint, United States v. Park Jin Hyok , 2 whose content immediately became headline news, including a story on the front page of The New York Times . 3 The publicity is easy to understand because the details seem to be drawn from a John Grisham novel. In this criminal complaint, the Department of Justice laid out in unusual and meticulous detail a pattern of facts showing that state actors from North Korea had perpetrated the fraud on the Central Bank of Bangladesh and also had been involved in the malicious attack on computer systems around the world with the WannaCry virus, as well as the “hack” of Sony, which caused that company (and its officers and employees) significant financial harm. Before discussing the fraud on the Bank of Bangladesh, let’s take a brief look at the other two cyberattacks referenced in the criminal complaint. The WannaCry virus was more specifically a ransomware cryptoworm that was used to attack unpatched versions of the Microsoft Windows operating system in May 2017. To its credit, Microsoft had developed a patch to prevent such an attack, but many computer systems in many organizations had not been patched. WannaCry is estimated to have adversely affected more than 200,000 computers in 150 countries when it was first unleashed. 4 It had a particularly pernicious impact on the National Health Service (NHS) in England and Scotland, causing the NHS to turn away noncritical patients and, in certain cases, ambulances with patients needing urgent care. The “hack” on the computer systems of Sony occurred in November 2014. Sony was about to release a new film, The Interview , which was a comedy about a fictional plot to assassinate Kim Jong-un, the North Korean leader. 5 The perpetrators of the Sony hack used a variant of the Shamoon viper malware to attack successfully Sony’s systems, and then to reveal personal information about Sony’s employees and their families, unreleased Sony films, and other corporate information, causing the company to shut down its systems. This hack, like the cyberworm used against the NHS, caused material financial losses and also a loss of personal safety and security. The diverse nature of these attacks, the reckless way that attacks were perpetrated with a conscious disregard for the destructive impact on potential victims, and their borderless reach are all characteristics that warrant attention. The fraud committed against the Bank of Bangladesh is different than these other cyberattacks because this one seems clearly directed at obtaining money. It is also worth noting that, in early 2016, the state actors from North Korea perpetrated a wire fraud against an instrumentality of a sovereign state, Bangladesh. Applying historical precedent, this could be regarded as a classic causa bella under the principles of international law, in that it represents a direct attack on the economy