THE CENTRAL BANK of Ireland has fined Bank of Ireland €1,660,000 after an investigation found “serious deficiencies in respect of third party payments”.
Bank of Ireland has been fined for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007.
The breaches, which varied between one and 10 years, were committed by the bank’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB).
The investigation was sparked by a cyber fraud incident in 2014, which Bank of Ireland did not report to the gardaí until requested to do so a year later by the Central Bank. It involved two payments made by BOIPB to a third party account to the value of €106,430.
One of the payments was made from a client’s personal current account, and the other was made from BOIPB’s own funds. The payments were requested by a fraudster impersonating a client who had hacked the client’s email account.
The Central Bank found a reference to the incident in an operational incident log during a full risk assessment in 2015. It has ruled that Bank of Ireland had inadequate systems and controls to minimise the risk of loss from fraud and that its governance, oversight and review of systems and control environment were also inadequate.
Additionally, the investigation found that Bank of Ireland had a lack of staff training and that fulfilling instructions from clients were given priority over security and regulatory requirements, as well as a lack of compliance monitoring.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said that BOIPB’s “failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud”.
In a statement, Bank of Ireland said that it “regrets the circumstances of this incident and the weaknesses in internal controls and procedures that it highlighted”.
It says it has apologised to the customer involved and fully reimbursed them.
The Central Bank determined that an appropriate fine was €2,370,000 but this was reduced by 30% in line with its settlement discount scheme. It said that BOIPB’s conduct during the investigation misled the Central Bank and made the investigation take longer than it might have otherwise.
According to the ruling, BOIPB took 19 months to disclose an internal report to the Central Bank which pointed to systemic control failings in how third party payments were processed and that BOIPB denied the existence of such failings during the same period.
Additionally, the Central Bank said that it took an “excessive amount of time” for BOIPB to remediate the deficiencies.
“That risk crystallised twice. BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter. Reporting illegal activity is essential in the fight against financial crime,” Cunningham said.
“The Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”
In its statement, Bank of Ireland said that it “regrets the approach to this investigation”.
“All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities.”
Bank of Ireland said that it had strengthened its policies, processes and controls following the incident, and enhanced training for staff on fraud prevention and customer protection.
BOIPB merged into the Bank of Ireland in September 2017 and is now a business unit in the bank’s retail division under the same name.
To embed this post, copy the code below on your site
have your say