An Ecuadorian bank and Wells Fargo have reached an out-of-court settlement over a 2015 cyber heist, providing a possible precedent for the Bangladesh central bank’s planned suit to recover $66 million still lost in one of the world’s biggest such cases.
A suit by Ecuador’s Banco del Austro against Wells Fargo & Co was quietly settled in February, less than a month before a trial date was set, and the U.S. district court in Manhattan sealed all discussions, according to court documents. No other major media has reported the settlement.
Wells Fargo did not comment on the settlement, and a representative for Banco del Austro could not be immediately reached.
Banco had sought to hold Wells responsible for authorizing the fraudulent transfer of $12 million from its account in 2015.
Hackers breached Bangladesh Bank’s systems in early 2016 and tricked the Federal Reserve Bank of New York into sending as much as $81 million to accounts at Rizal Commercial Banking Corp (RCBC) in the Philippines. The accounts were held in fake names and most of the money disappeared into casinos in Manila.
Some of the funds were recovered but about $66 million remains untraced.
No one has been criminally charged for the heist despite an international investigation and two years of finger-pointing among Bangladesh, Philippines, the Fed and the SWIFT communication network that was used. Bangladesh Bank has threatened to sue Manila-based RCBC, and any legal fallout could set a precedent amid a rash of electronic heists at financial institutions around the world. “This is a tricky issue. We can’t reveal our strategy. But yes we are reviewing each and every case, including the Ecuador one,” Bangladesh Bank’s deputy governor Abu Hena Mohd. Razee Hassan said in a recent interview.
While Bangladesh has not taken any legal action, bankers and lawyers saw the cyber-heist suit by Banco against Wells Fargo as a test for any options available to Bangladesh.
They said the settlement could signal that Wells compensated Banco in some way, a possibly encouraging sign for Bangladesh Bank, But it could still struggle to get a hearing in the United States and prove that Manila-based RCBC had a contractual obligation to freeze the stolen funds.
“There are an awful lot of reasons for people to settle (and) there are all sorts of laws that may or may not apply,” said Peter Jaffe, a senior associate at Washington-based law firm Freshfields Bruckhaus Deringer LLP. “RCBC was not the one that was hacked. Someone may think that RCBC should have done something different when it saw money coming through its accounts, but that is not really a cyber security issue at that point,” Jaffe said. “I don’t think you would necessarily look to cyber security law (or U.S. commercial code) to determine … obligations and rights.”