Our Litigator of the Week is Sidley Austin's Tai-Heng Cheng, who got his client off the hook in connection with a larger-than-life case involving a bold cyberheist.

In 2016, hackers stole $100 million of Bangladesh Bank's funds from New York Federal Reserve. To this day, the culprits have not been caught, though North Korean hackers are suspected. But Bangladesh Bank has been keen to hold someone responsible, and set its sights on Cheng's client, Manila-based Rizal Commercial Banking Corp. where some of the stolen funds were briefly deposited, alleging RICO and other violations.

 Cheng, who is the global co-head of Sidley's international arbitration practice, convinced U.S. District Judge Lorna Schofield in the Southern District of New York to dismiss the case. He discussed how he did it with Lit Daily.

Lit Daily: This case sounds like it should be the plot of a movie. Set the stage for us. What happened?

Tai-Heng Cheng: In February 2016, North Korean hackers carried out a brazen cyberheist to empty out the U.S. dollar foreign reserves of Bangladesh that were held by the New York Federal Reserve. They broke into the central bank of Bangladesh's computer system and sent SWIFT codes to the New York Fed to transfer Bangladesh's funds to banks outside the U.S.  

All in, they succeeded in moving around $100 million in funds out of the NY Fed. They reportedly aimed to steal $1 billion. The majority of the funds appear to have found their way to casinos in the Philippines and were never recovered. 

Unfortunately, many questions remain unanswered. Four years after the heist, Bangladesh has refused to release the report of its criminal investigation, which it has delayed over 70 times even though a Bangladesh magistrate has repeatedly set deadlines for the Bangladesh police to submit its report to court. We do not know if the Bangladesh police has investigated its government officials to see if they had a role in stealing from their own foreign reserves, and what they found out in their investigation. 

 

What was at stake for your client?

When the funds were diverted out of the New York Fed, some of them were deposited in RCBC bank in the Philippines briefly, before being withdrawn by the criminals and their accomplices. 

Since 2016, RCBC has proactively taken measures to further strengthen its systems. It participated in a Senate inquiry in the Philippines, paid fines, and made improvements to its cybersecurity. The courts in its own country, the Philippines, are actively overseeing cases about the incident.

In this context, the U.S. lawsuit seemed like an attempt by Bangladesh Bank to re-litigate issues that had already been fully considered or which were still under active review in Philippines courts and agencies. The flurry of media reports quoting Bangladesh Bank right after they filed a lawsuit appeared to me to confirm this was a public relations ploy designed to distract from questions about the negligence or responsibility of its own government officials for permitting cyber hackers to steal Bangladesh's foreign reserves.  

It was important for RCBC to put a stop to the U.S. lawsuit and not be scapegoated. 

 

When and how did you get involved?

RCBC's Philippines counsel, Thea Daep from the V&A Law firm, found me shortly after the U.S. lawsuit was filed. I was actually on a brief vacation in Rajasthan around that time and remember some intense calls from the gardens of my hotel, with peacocks roaming around as I scrambled to learn the facts of what happened. The contrast was quite stark! 

As with any complex international litigation, support among law firms in different countries is crucial. Thea and her team have been terrific throughout this process. 

 

Who was opposing counsel and what were their primary allegations?

Opposing counsel was Cozen O'Connor.  As I read their papers, their main argument was that RCBC and certain of its employees were part of a RICO enterprise with the hackers, and that the U.S. court in New York was the proper forum since funds were removed from the New York Fed. 

 

Who were the members of your team and what individual contributions did they bring to the representation?

The principal team members were my partner Melissa Colon-Bosolet, and associate Ariel Atlas. We were supported by legal assistants Amira Kingori and Arnold Foda. With my global responsibilities at Sidley, I am often overseas, so I was very grateful that the day-to-day management was in Melissa's safe hands.  

Ariel wrote first drafts of all the briefs and needed only light editing.  I am lucky to have such strong attorneys at Sidley. I'm also proud that the majority of this team are women, from partners to legal assistants, and we are diverse in terms of race, ethnicity and sexual orientation. 

 

You were present when senior Bangladesh Bank officials were served in the Philippines. What was that like? 

I believed that Bangladesh Bank filed the U.S. lawsuit as a public relations exercise to play to the electorate in Bangladesh. Right after filing the lawsuit, it made statements to the international press that seemed to be to be factually inaccurate and defamatory.  

RCBC bank and one of its employees who felt defamed could not take that lying down. So they filed a lawsuit in the Philippines against Bangladesh Bank. In the Philippines legal system, like in the U.S., a defendant needs to be served to get the case going.  

After Bangladesh Bank got all the media attention it wanted from filing the lawsuit, it approached us to try to settle the case. It's a bit odd to offer to settle right after filing a major lawsuit, which appeared to confirm the lawsuit was all about publicity.  

When they came to the Philippines for settlement discussions, before the talks began, a sheriff served the Bangladesh bank officials at the meeting room in the hotel. The lawyers and Bangladesh Bank were obviously unhappy about this and kept complaining to the U.S. court later on, even though the Philippine service was of course irrelevant to the jurisdictional arguments before the court. 

This whole incident reminded me of the time when students at Yale Law School served Slobodan Milosevic with a lawsuit for his genocide by handing him the complaint in person when he landed at an airport in the United States.  Things we learn in law school do come in handy, even decades later! 

 

What was your overall theme or message in litigating the case?

A key theme for RCBC was this lawsuit falsely attempted to turn a victim, RCBC, into a villain. Why would RCBC participate in an enterprise that would hurt its own business and reputation when the heist inevitably became public? It simply made no sense.

The cyberheist involved the New York Federal Reserve—which made it tricky to show that the US federal court lacked jurisdiction. How did you counter the RICO argument?

We tried to show the court that there was no RICO case because the heist was a single incident, not a pattern of racketeering. This point was crucial in persuading the court that the RICO claim was not adequately pled, destroying federal jurisdiction.  

It's important to convey key points early and often, so I made this argument at the first opportunity, which was the initial procedural conference with the court.  Counsel for the casino defendants, who prepared the motion to dismiss brief on jurisdiction, repeated this argument in consultation with us. Coordinating with co-defendants was another important aspect in achieving this early complete victory. 

 

How did you persuade the court not to exercise its jurisdiction over state law claims in its discretion?

This was challenging as well. I think it was important to reassure the court that there was a respected peer court in the Philippines seized of the same dispute, and that the Philippines court had access to U.S. documents and evidence. For this reason, we filed a forum non conveniens motion, even though the odds of winning that were uncertain. But the motion gave us a vehicle to tell the court about the Philippines proceeding and how it was being properly conducted.  

It also allowed us to draw the court's attention to the fact that a RCBC employee who is a plaintiff in the Philippines case against Bangladesh Bank was able to obtain third party discovery from a U.S. correspondent bank through which the stolen funds were transmitted, using 28 U.S.C. Section 1782. Whether we won or lost the motion was secondary to getting these facts before the court so that the court could take this into consideration when deciding whether or not to exercise supplemental jurisdiction. 

 

Was staying discovery a critical consideration? How were you able to achieve that goal?

Staying discovery for defendants is often important.  A lot of time could pass before motions to dismiss are decided. It seemed totally unfair for RCBC to have to spend legal fees and management bandwidth on U.S. discovery when the case didn't even belong in a U.S. court. 

The court was persuaded to stay discovery pending its decision on motions to dismiss at the first procedural conference.  In my oral argument, I emphasized that the RICO claim was implausible. Without it, there was no federal jurisdiction, which would preclude discovery. The court accepted that there were enough concerns about the RICO claim and federal jurisdiction that it stayed discovery.   

 

This case has been closely watched worldwide by banks, casinos and government and private cybersecurity experts. What's the takeaway?

That the threat of global cyber hacking is very real. To address this global issue, everyone should take a hard look at their own processes, and strengthen international cooperation, rather than play the blame game. 

 

Have you ever had a case like this before? What will you remember most?

Most of my cases are high stakes international disputes. But the cyberheist aspect of this case makes it unique.  A moment I will never forget is when I first met the chairman of RCBC in Manila. She ordered lunch for me and then looked me in the eye, and said, "You better win this." I'm glad we didn't let her down.