LONDON (Reuters) - The chief executive of secure messaging system SWIFT said the theft of $81 million (£56.15 million) from Bangladesh’s central bank, by criminals sending fraudulent payment instructions via SWIFT, would force the organization to shrink and review its strategy.
Gottfried Leibbrandt told Reuters he would be forced to scale back some of SWIFT’s operations to help pay for new security initiatives it plans. But he denied the Belgium-based co-operative should have taken these measures sooner.
“Hindsight is always a wonderful thing,” he said in an interview at SWIFT’s London offices.
“You can always say ‘should they have done it before?’, but sometimes it takes these types of events,” he added.
In February, thieves hacked into Bank Bangladesh’s interface with SWIFT’s network — a fund-transfer pipeline that is the backbone of international finance.
They sent payment instructions to the Federal Reserve Bank of New York, telling it to transfer $951 million from Bank Bangladesh’s account to accounts in the Philippines. Most of the transactions were blocked but four went through, amounting to $81 million that remains missing.
Industry officials say it was long understood that the biggest weakness in the SWIFT system was users’ access points to the core network, since not all banks had strict security practices for safeguarding the keys to their SWIFT terminals.
However, Leibbrandt, a former management consultant with McKinsey who joined SWIFT in 2005 and has been CEO for four years, said that before February he had been unaware of any attempts to hack into a bank’s SWIFT terminal. Consequently, he concentrated SWIFT’s security activities on its own infrastructure.
After the Bangladesh theft, other banks came forward and revealed they had been victims of attacks. SWIFT discovered, by examining inquiries to its customer support department, that other banks had also likely been compromised.
The incidents have changed industry perceptions about how trustworthy SWIFT messages really are.
Last week, SWIFT unveiled measures to tighten up security throughout the broader system, including adding additional authentication factors to the software it sells users and the possible development of a service that would allow it to spot suspicious payment instructions sent across its network.
Some critics said SWIFT and the banks that own it should have acted earlier.
“With the evolution of cyber criminality over the last 10 years, why hasn’t SWIFT and the community done more?” said Leonard Schrank, who was SWIFT chief executive from 1992 to 2007.
“These are things that could have been done years ago,” he added.
Leibbrandt rejected such criticism. He said while he was under pressure to make the programme a success, he was confident that hacking of clients’ SWIFT architecture could be turned “into a nuisance rather than a potentially threatening situation”.
He said the planned measures would require investment. This may mean that SWIFT’s user banks may not continue to enjoy falling costs for sending messages.
It also means that SWIFT itself would shrink.
“We need to take a look at what we are doing. We cannot carry on with everything we did before and do this on top, that wouldn’t be credible,” the CEO said.
He said SWIFT would pull back from “a few areas” but declined to name any candidates.
“There are no holds barred in solving this problem, so as far as I am concerned, nothing is off the table.”
Some former SWIFT executives say that wouldn’t be a bad thing because the company has become involved in providing too many services.
For the past decade, revenue from non-core activities such as consulting and training has risen sharply and in 2014, the most recent year for which data is available, the core messaging service generated less than half of SWIFT’s total revenues for the first time.
John Doyle, who previously ran SWIFT’s North American business, said the unit which sells interfaces with the core network to banks could be spun off.
“They are going to be looking at things that don’t really add value to the core (messaging) service,” he said.
Reporting by Tom Bergin; editing by Stuart Grudgings