We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Leah Farrell
The Banks

Bank of Ireland fined €24.5 million for IT failures that had potential 'serious' customer impact

The failures could have led to customers being denied access to basic banking services.

BANK OF IRELAND (BOI) has accepted a €24.5 million fine from the Central Bank of Ireland over a number of deficiencies in its IT systems that could have led to customers being denied access to basic banking services.

It’s the largest penalty the regulator has ever handed out related to IT systems failures at a regulated company, dwarfing the €3.5 million sanction Ulster Bank was forced to pay in 2014 following a major system outage.

Although no such outage occurred within the timeframe of BOI’s failings, the breaches could have had “a very serious impact on customers”, said Séana Cunningham, The Central Bank’s Director of Enforcement and Anti-Money Laundering, in a statement this morning. 

The duration of BOI’s breaches — which occurred over an 11-year period between 2008 and 2019 — coupled with their potential widespread impact on customers and the overall financial system contributed to the Central Bank’s decision to fine BOI the maximum amount allowed under Irish law.

The fine was originally set at €35 million but was reduced by 30% to €24.5 million because BOI accepted the findings of the investigation.

In a statement, BOI said it “fully acknowledges” and “sincerely apologises” for the breaches, “which should not have arisen” in the first place.

“To comprehensively address these breaches the Bank has invested heavily in IT service continuity, completing an extensive Groupwide programme of work between 2015 and 2019,” a spokesperson said.

“This has included technology investment such as infrastructure and network upgrades and enhanced testing, planning and internal procedures. Following the actions taken, Bank of Ireland has robust IT service continuity processes in place and continues to invest heavily in this area as technological requirements evolve.

“The Bank co-operated fully, proactively and voluntarily with the CBI during this investigation.”

Continuity framework

An investigation by the Central Bank found failings in each of BOI’s three lines of defence — internal IT control systems designed to ensure continuity of service in the event of a major outage or disruption.

BOI has admitted to five separate contraventions of European banking regulations, including: 

  1. Failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
  2. Failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to senior management
  3. Failure to properly engage and oversee the management of third-party IT service providers with respect to IT service continuity.

The bank was “repeatedly” warned about the deficiencies in its systems by third parties between 2008 and 2015, Cunningham said.

However, BOI only began to take steps to address the issues in 2015.

“Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving,” Cunningham said.

“The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations.

“The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.

The Central Bank’s investigation began in 2018 after a 2015 internal BOI audit raised concerns about deficiencies within the bank’s IT contingency systems.

A report was sent to the European Central Bank — BOI’s overarching supervisor — which concluded that further investigation by the Irish Central Bank was required.

The regulator’s probe uncovered deficiencies in the bank’s systems over “a prolonged period”, the Central Bank said.

This is “particularly serious” given that BOI’s reliance on IT — due to the rise of online banking — was “growing year on year, in common with the sector”.

BOI began a major overhaul of its IT systems in 2016, dubbed Project Omega.

But the initiative — which had an initial price-tag of €500 million has faced significant cost overruns, more than doubling in price to €1.4 billion in 2018.

Last year, BOI concluded that certain aspects of its digital transformation had “not matured sufficiently”, according to a note in the bank’s 2020 annual report.

As a consequence, BOI had to write off €136 million of the money spent on this process.

Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel