The Governor and Company of the Bank of Ireland gets €1.66m fine
The Central Bank of Ireland has announced the imposition of a €1.66 million fine on the Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB).
The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014. Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds. BOIPB immediately reimbursed the client.
During a Full Risk Assessment of BOIPB in 2015, the Central Bank discovered a reference to the incident in an operational incident log. BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the incident.
The Central Bank’s investigation identified serious deficiencies in respect of third party payments, including:
- Inadequate systems and controls to minimise the risk of loss from fraud;
- Inadequate governance, oversight and ongoing review of the systems and control environment;
- Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements;
- Lack of compliance monitoring.
BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation. For a period of 19 months, BOIPB failed to disclose to the Central Bank an internal report, commissioned following the incident, which identified ongoing systemic control failings in the processing of third party payments. During that same period, in its responses to the investigation, BOIPB strenuously denied to the Central Bank that any such failings existed. BOIPB’s conduct materially added to the time it took to investigate this case.
Remediation in relation to third party payment processes took place in February 2016, 17 months after the incident, and then only following the Central Bank’s intervention. In August 2016, the Central Bank determined that a Risk Mitigation Programme (RMP) relating to third party payment processes was completed.
This is the second time the Central Bank has imposed a sanction on a firm where a client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings.