Slow Finality

Slow finality in the traditional banking system means there is a delay between when transactions are approved and when money moves. This is a story about the unreasonable effectiveness of slow finality, and the laws that make it thus. Here I look at two recent cyber bank heists, one of which was stopped by slow finality, and one of which was not. I then look at the laws around banks' obligations to stop fraudulent transfers, and conclude there is very strong regulatory pressure for banks to stop fraudulent wire transfers, and banks are good at it.


The 2016 Bangladesh Bank robbery (BBR) and 2015–2016 SWIFT banking hacks (SBH) both involve valid-but-malicious SWIFT money transfer requests. In the BBR, slow finality prevented most of the money from being stolen; in the SBH, slow finality was unsuccessful and the malicious transfers were not detected before finalizing.

I won't say much about the BBR as it is the less interesting of the two; for the most part it is a success story of slow finality. Hackers sent malicious money transfers from a bank, they were noticed before they finalized, and were stopped. On a blockchain, this would be as if someone stole your private key but was unable to steal your money. It's really cool.

The SBH are a different story. In that case the hackers were careful to cover their tracks, and a malicious SWIFT transfer request from the Ecuadorian Banco del Austro (BDA) to Wells Fargo was processed. Despite the transfer request appearing valid, and Wells Fargo following SWIFT procedure, Wells Fargo was later sued by BDA, which claimed that these security procedures were insufficient.

Wells Fargo's request to dismiss was denied, and two years later BDA and Wells Fargo reached a private settlement. There are a lot of reasons that a private settlement could have happened, but here's the vibe I get: it would have been, monetarily, positive expected value for Wells Fargo to fight the lawsuit, but the strictness and vagueness of US regulation around slow finality meant a low-probability loss would have set a strict (read, expensive) judicial construction of the regulation.

The Law

In the US, responsibility for fraudulent wire transfers is governed by Article 4A of the Uniform Commercial Code (UCC), which establishes that banks must:

  1. Have reasonable security procedures.
  2. Execute those procedures in good faith.

In the SBH, Wells Fargo's security procedures were to comply with SWIFT transfer requests. Wells Fargo argues that SWIFT has good security procedures and that it therefore satisfies the Article 4A requirements by executing them in good faith.

On the other hand, BDA argues that SWIFT alone is insufficient procedure and that Wells Fargo had sent them some (seemingly non-legally binding) communication indicating they had a process in addition to the one laid out by SWIFT.

Banco del Austro argues also that a July 31, 2014 communication from Wells Fargo in which the bank described its "financial crimes risk management program" incorporated additional safety measures into the agreed-upon security procedure.
Banco del Austro's contractual arguments fail as a matter of law. The Agreement, which constitutes the "entire agreement and understanding with respect to the matters addressed," requires only that Wells Fargo adhere to the SWIFT authentication procedures when processing orders received via SWIFT.

So there seems to be some consensus in the court that complying with SWIFT security procedures is the name of the game.

Analysis

Putting threads together, here's the story:

The law around wire transfers is that you must, in good faith, comply with the SWIFT security procedures. In the SBH Wells Fargo did exactly that, and executed transfers that took money from BDA and gave it to hackers. When BDA sued, Wells Fargo chose to privately settle instead of going to court.

My two takeaways are:

  1. Slow finality is highly effective.
  2. Banks are legally obligated to have highly effective slow finality.

Another interesting fact in favor of how powerful Article 4A is comes from this quote from Reuters:

Wells Fargo refunded to BDA $958,700 out of the $1,486,230 it transferred to an account.

Lacking legal action, and knowing how tenuous the case for legal action was, most of the lost funds were returned voluntarily! The entire lawsuit is around the $0.5M that was not. Such is the unreasonable effectiveness of slow finality, and the laws that make it thus.

For more on this, see banks and defi.