SWIFT has told its bank customers that they are responsible for securing computers used to send messages over its global network, which was used to steal some $81 million from a Bangladesh central bank account at the New York Fed in February.
The theft marked one of the biggest-ever cyber heists.
“SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks," the bank-owned cooperative said in a letter to users dated May 3 that advised them to review security protocols.
"As a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environments," the letter said. "We urge you to take all precautions."
Reuters reviewed the contents of the letter on Wednesday. A person familiar with its contents said it was the first time SWIFT had sent such a letter since the Brussels-based group was founded in 1973.
The letter's details first were reported this week by financial news sites The Banker and Payments Cards and Mobile.
Former SWIFT staffers say the group has always told clients they are responsible for securing their points of access to the SWIFT system. They added that SWIFT does not guarantee that criminals will not gain access to clients’ SWIFT keys, encryption devices that are used to identify legitimate users.
A SWIFT spokeswoman told Reuters on Wednesday that SWIFT registers and authenticates its customers, issuing them encryption tools including digital signatures, and provides them with public key infrastructure (PKI) certificates that identify authorized users of the network.
“Customers are responsible for all messages signed with their certificates and, of course, for protecting their certificates and ensuring only duly authorized operators can use them to sign messages," she said. "SWIFT is not, and cannot be, responsible for messages that are created fraudulently within customer firms.”
The funds stolen in the February attack had been held for Bangladesh Bank at the Federal Reserve Bank of New York before fraudulent orders arrived requesting a transfer to Bangladesh. A New York Fed official said each central bank that holds an account at the U.S. central bank has agreed that the New York Fed can rely on the SWIFT messaging protocols to verify the account owner has sent requests for payments.
This agreement, the official said, is binding under U.S. payments law for “authorized and verified payment orders.”
The rapid fulfillment of payment instructions received via SWIFT messages with valid credentials, is the central purpose of the system, former SWIFT employees and payments industry experts said.
This appears to be Fed’s legal basis for its claim that it did nothing wrong, and it could figure into any lawsuit brought by Bangladesh Bank to reclaim funds.
The New York Fed official told Reuters there were legal incentives for banks to use authentication protocols like SWIFT, and for customers "to safeguard confidential information pertaining to authentication procedures and access to transmitting facilities.”