Standard Chartered: How Altering SWIFT Messages Doesn't Pay
While Standard Chartered tries to quickly settle a case on illegally siphoning billions of dollars in payments from Iranian banks through its New York office, message experts are surmising just how the bank technically relied on electronic messages to do the dirty deed for nearly a decade.
An order by the New York State Department of Financial Services demanding the British bank explain at a hearing on Wednesday why its New York banking license shouldn't be revoked indicates that Standard Chartered's London office altered part of the message masking Iranian banks as the source. While the order suggests that the bank's London office masked the data fields identifying the senders of the messages as being Iranian banks, technically speaking that's not exactly what might have occurred happened, according to some data management specialists who contacted www.iss-mag.com on Monday. Iran is on a US sanctions list so US banks cannot do business with any firms in that country.
SWIFT message types refer to standardized messages which are electronically transmitted over a network operated by SWIFT, a La Hulpe, Belgium headquartered global messaging network used by over 10,000 financial firms. A payment message indicates how much money should be transferred from one bank to another at whose instruction and whose benefit. Although the sender of a SWIFT message indicating a payment would be made might actually be an Iranian bank, in SWIFT-speak the sender would have been Standard Chartered's London office. The receiver of the message would likely have been Standard Chartered's New York office. What Standard Chartered payment operations executives in London likely did was change a separate data field requesting the identity of the ordering bank or customer -- an Iranian bank --to read as "Unknown." SWIFT declined to comment for this article.
"The sender and the receiver are indicated in BIC codes in the two headers of the payment message which physically define the start and end points of the message," explains Fiona Hamilton, vice president of operations for Volante Technologies in Europe, the Middle East and Africa. "One can't use a different logical terminal identifier -- which is what BIC codes are in headers-- because the message wouldn't make sense from a network routing perspective." The New York and London-based Volante specializes in software transforming SWIFT messages into proprietary message types and vice-versa. BIC codes are the IDs issued by SWIFT to identify a financial institution.
The data fields for the ordering bank and the beneficiary bank -- the bank ultimately receiving the payment -- are part of the body of the SWIFT payment message which can be changed before the message is transmitted through its network. "All SWIFT can do is validate that they are syntactically and semantically correct according to the specification," says Hamilton.
In layman's terms: if the information in the ordering bank and beneficiary bank data fields comply with SWIFT's rules for how the fields can be populated, the message can automatically be transmitted through the SWIFT's network. The ordering party or customer field could even be populated with the phrase "Unknown." Even if a bank's software designed to flag suspect fund transfers does spit out the messages with "Unknown" as potentially suspicious, unless an investigations specialist actually researches what is remiss, the payment will be processed. It will not be stopped because there is no instruction requesting that it be stopped.
Standard Chartered has been charged with hiding $250 billion in transactions tied to Iran -- a country clearly listed on a U.S. government sanctions list. That's the list of foreign governments, corporations and individuals which US firms cannot do business with. The DFS has characterized Standard Chartered as a "rogue" institution based on plenty of emails it has retrieved indicating that senior ranking executives in its London office did not prevent the bank from engaging in illegal wire transfers Iranian banks to other banks; nor did those officials heed warnings from its London office.
Standard Chartered, which earned some hefty fees as the go-between for nearly a decade, has downplayed the severity of the wrongdoing. It alleges only $14 million in payments may have violated US laws because the DFS "incorrectly" interpreted US regulations. Still it appears willing to negotiate some sort of penalty rather than lose its New York banking license and be cut off from the US bank market. Faced with similar accusations, Barclays Bank; Credit Suisse; Lloyds Banking Group; JP Morgan Chase; and ING Bank have previously agreed to settlements totaling $2 billion into how those banks processed money or assets tied to sanctioned countries.
Legal experts say that the DFS has a low burden of proof; it can just argue that Standard Chartered's poor recordkeeping practices indicate it contributed to a lack of safety and soundness in the US banking system. Standard Chartered, on the other hand, must prove a regulator's findings were "arbitrary and capricious" to overturn any decision.
Written by Chris Kentouris, Editor-in-chief (Chris can be contacted through Chris.Kentouris@hotmail.com)