The Biggest Fintech Fails of 2016


April 14, 2017
The Biggest Fintech Fails of 2016

Scandals, frauds, bankruptcies and wipe-outs are nothing unusual in the financial world. They accompanied the industry since it was born, and 2016 was no different. Last year there were a couple of failures that cost billions of dollars and could lead to serious problems in the whole global economy.

Deutsche Bank

One of the world’s largest banks faced a real danger of insolvency when struggling for a lower penalty imposed by the U.S. Department of Justice. The DOJ wanted to fine Deutsche Bank with an astronomic amount of 15 billion US dollars for misselling of residential mortgage-backed securities (RMBS) in the run-up to the financial crisis of 2008.

The dragging negotiations with the DOJ led to nervous market reactions: since the beginning of 2016, the bank’s stock price dropped by half at the end of September, causing its market capitalization to be as low as the proposed fine. The bank would definitely fail and the effect of such wipe-out would be disastrous for the European economy.

Fortunately, the day before Christmas the DOJ and Deutsche Bank finalized a settlement and the fine was reduced to 4.2 billion USD.

The bank was also fined with almost half a billion USD for transactions in Russia, which were used for money laundering and offshoring.

Topping this up, there was a “stress test” conducted yearly by the Federal Reserve on the U.S. lenders, and Deutsche Bank failed it again–the second consecutive year. The findings from the Fed report were so disturbing that even the International Monetary Fund issued a warning.

And for the consumers, Deutsche Bank encountered three IT glitches within a couple of months–and those were irritating for clients who couldn’t withdraw their money from ATMs, pay with cards or get the right information on their deposits and debits in the DB’s online banking platform .

Bangladesh Bank


This was a serious deal: a hefty $81 million was stolen from the bank through fraudulent SWIFT transfers in just one February weekend. Most of this money vanished in the air–in the Philippine air, to be precise since the target accounts were kept by Rizal Commercial Banking Corporation based in the Philippines.

One could think it was a really bold move to steal such a huge amount and hope to get away with it. In fact, the perpetrators were even more courageous and reached for tenfold more of the money: using SWIFT credentials of Bangladesh Central Bank employees, the hackers managed to send more than three dozen fraudulent money transfer requests worth $951 million to the Federal Reserve Bank of New York. If all of these requests were fulfilled, the Bangladesh Bank’s funds would have been transferred to bank accounts in the Philippines, Sri Lanka and other parts of Asia.

Fortunately for the central bank of Bangladesh, most of the transfers worth $851 million were halted by the NY banking system as suspicious. But five requests were given a green light: $20 million was sent to Sri Lanka and $81 million to the Philippines. In the end, Bangladesh Bank lost about $63 million.

These February events revealed weaknesses in the SWIFT system, which is an essential platform in modern banking as it not only provides a fast and reliable method of transferring money among banks throughout the world but also helps prevent money laundering and supporting terrorist organizations and bloody regimes. As with almost everything in terms of security , the whole SWIFT system is as strong as the weakest member bank. When hackers managed to exploit vulnerabilities in Bangladesh Bank’s security firewalls, they could conduct a criminal operation involving banks around the globe and steal enormous amounts of money.



Forex Capital Markets, or FXCM, one of the biggest Forex broker in the U.S., was thrown out of its home country this February as a result of the settlement with the U.S. Commodity Futures Trading Commission (CFTC). The company agreed to pay a $7 million penalty, withdraw its CFTC registration, and not to re-register in the future, which means it will not be allowed to operate in the United States. The same day the settlement was announced, the self-regulatory organization for the U.S. futures industry, the National Futures Association (NFA), barred FXCM from its membership.

The reason for this ban dates back to previous years of FXCM’s operations. The firm was supposed to act as a broker–at least it promised its customers to do so–by taking prices from a number of major banks and allowing clients to trade the best price at any given time. In this system called direct market access (DMA), FXCM would get a commission on every trade, while the banks take the risk on the trades.

But according to the CFTC findings, FXCM simply lied to its retail clients and was, in fact, using a market maker system more commonly used by FX brokers: a company closely related to the broker acted as the market maker for its trades. This means FXCM was the counterparty to every trade and would profit only when its customers lost money and would lose money whenever its customers profited.

The company sold its U.S. customer base to a rival FX broker and currently operates outside the country under new name and management.

Polish Financial Supervision Authority

KNF Poland

The national regulator in Poland was in the spotlight during the first days of this February, when it turned out its website was hijacked and used as the source of malware infection. But it wasn’t a typical attack on every user of the website: it was precisely targeted to visitors from selected institutions, mostly banks, visiting a specific page of the site.

The attack was discovered this year, but it began last October when hackers exploited a server vulnerability and injected a malicious code into a JavaScript library embedded in one of PFSA’s subpages. This code checked every visitor’s IP address against the list of targets, and when there was a match, a user was redirected to a site trying to attack the user’s browser by exploiting vulnerabilities in Silverlight and Flash plugins.

If the attack was successful, the user’s system got infected with a trojan. The malware would then communicate with its master servers and execute their orders by stealing user data, encrypting them and sending them back to hackers.

Fortunately, nothing bad happened and there were no damages–neither in data leak nor in stolen money. Security teams from banks responded quickly and eliminated the threat. Nevertheless, the idea and the mechanism of the attack could make it very effective.

Financial institutions are not superheroes immune to events that oppress other industries. They deal with the same issues and sometimes they fail. Let’s hope “sometimes” will from now on happen less often than in the past.