The Bank of Ireland has been fined €1.7m for failures in management of third party payments and obstructing the central bank’s investigation of fraud.
The penalty stemmed from two fraudulent payments totalling €106,430 made in September 2014, when a criminal hacked the email account of one of the bank’s clients and impersonated the individual to send the money.
The money was sent to a corporate bank account at a UK bank.
Although the Bank of Ireland immediately reimbursed the customer, the fraud was only the beginning of the credit institution’s woes.
The bank did not initially report the incident to the police. It only did so a year later, and then at the behest of the central bank after the authority found a reference to the fraud in the bank’s operational incident log during a routine assessment.
This delay was the first of a litany of shortcomings uncovered by the central bank, including inadequate systems and controls, inadequate governance, oversight and ongoing review of the systems and control environment, as well as lack of compliance monitoring.
Added to this was the fact that the Bank of Ireland had commissioned an internal report which identified “ongoing systemic control failings in the processing of third-party payments” — a report which it failed to disclose to the central bank for 19 months during its investigation.
“During that same period, [the Bank of Ireland] strenuously denied the existence of any such failings to the Central Bank in response to the investigation,” the central bank said, which “materially added to the time it took to investigate this case”.
Staff at the Bank of Ireland breached a number of the institution’s own policies and procedures when processing the fraudulent payment.
Staff failed to ask security questions when taking payment instructions over the phone, did not have a second staff member call back to verify the request, used a phone number supplied by the fraudster over email instead of the one on the bank’s records, and released confidential information over email.
“The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly,” Seána Cunningham, director of enforcement and anti-money laundering at the central bank, said in a statement.
The central bank identified a number of red flags which should have alerted the Bank of Ireland.
These included the fact that the fraudster used the phrase “Ireland Account” when referring to the current account and signed off one email with a name that was not that of the client being impersonated.
The request to make two large payments to an account in a jurisdiction where the client did not live, the second of which exceeded the balance of the client’s account, should also have rung alarm bells.
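The skipped controls and the red flags listed above can be expressed as a screening step that runs before a third-party payment instruction is released. The following is an added illustration, not code from the article or from the bank; the client record, phone numbers, balance and the split of the two amounts are constructed, and the check names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class ClientRecord:
    name: str
    phone_on_file: str          # the only number a verification call-back may use
    residence_country: str
    known_account_labels: tuple # how the client normally refers to their accounts
    balance: float

@dataclass
class PaymentInstruction:
    signoff_name: str           # name the requester signed the email with
    callback_number: str        # number the requester asked to be called on
    account_reference: str      # how the requester referred to the account
    beneficiary_country: str
    amount: float
    security_questions_passed: bool
    second_staff_callback_done: bool  # call-back to the number on file by a second staff member

def screen_instruction(client, instr, already_paid=0.0):
    """Return the control failures and red flags found for one instruction."""
    flags = []
    if not instr.security_questions_passed:
        flags.append("NO_SECURITY_QUESTIONS")
    if not instr.second_staff_callback_done:
        flags.append("NO_SECOND_STAFF_CALLBACK")
    if instr.callback_number != client.phone_on_file:
        flags.append("CALLBACK_NUMBER_NOT_ON_FILE")
    if instr.signoff_name.strip().lower() != client.name.lower():
        flags.append("SIGNOFF_NAME_MISMATCH")
    if instr.account_reference not in client.known_account_labels:
        flags.append("UNUSUAL_ACCOUNT_REFERENCE")
    if instr.beneficiary_country != client.residence_country:
        flags.append("BENEFICIARY_JURISDICTION_MISMATCH")
    if already_paid + instr.amount > client.balance:   # running total, not just this payment
        flags.append("EXCEEDS_BALANCE")
    return flags

def screen_batch(client, instructions):
    """Screen a sequence of instructions, tracking the running total against the balance."""
    results, paid = [], 0.0
    for instr in instructions:
        results.append(screen_instruction(client, instr, paid))
        paid += instr.amount
    return results

# Constructed sample: an Ireland-resident client and two emailed instructions resembling
# the case above; the second payment pushes the running total past the balance.
CLIENT = ClientRecord("Client Name", "+353-1-000-0000", "IE", ("current account",), 60000.0)
INSTRUCTIONS = [
    PaymentInstruction("Client Name", "+44-20-0000-0000", "Ireland Account", "GB", 50000.0, False, False),
    PaymentInstruction("Someone Else", "+44-20-0000-0000", "Ireland Account", "GB", 56430.0, False, False),
]
```

Any non-empty flag list should block release until a second staff member has called the number on file and the flags are resolved.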
The central bank issued an initial penalty of €2,370,000, but this was reduced by 30 percent as part of an early settlement discount.
This is the second penalty that the central bank has imposed for regulatory failures leading to cyber fraud. The first was a €443,000 fine against Appian Asset Management in 2018.
“Bank of Ireland regrets the circumstances of this incident and the weaknesses in internal controls and procedures that it highlighted,” the bank said in a statement.
“Bank of Ireland also regrets the approach to this investigation. All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities.”
As published by Vixio PaymentsCompliance