On 27 July 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB). BOI has admitted the breaches, which vary in length from one to ten years.
In line with its published Sanctions Guidance, the Central Bank has determined the appropriate fine to be €2,370,000, which has been reduced by 30% in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure.
The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014 (the Incident). Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds. BOIPB immediately reimbursed the client. During a Full Risk Assessment of BOIPB in 2015, the Central Bank discovered a reference to the Incident in an operational incident log.
BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the Incident.
The Central Bank’s investigation found serious deficiencies in respect of third party payments, including:
- Inadequate systems and controls to minimise the risk of loss from fraud
- Inadequate governance, oversight and ongoing review of the systems and control environment
- Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
- Lack of compliance monitoring
BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation. BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments. During that same period, BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation. BOIPB’s conduct materially added to the time it took to investigate this case.
This is one of two aggravating factors in this case, the other being the excessive amount of time it took BOIPB to fully remediate the relevant deficiencies. Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the Central Bank’s intervention. In August 2016, the Central Bank determined that a Risk Mitigation Programme (RMP) relating to third party payment processes was completed.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.
This is the second time the Central Bank has imposed a sanction on a firm where a client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings. BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice. BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter. Reporting illegal activity is essential in the fight against financial crime.
This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security. The Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.
The Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”
As published by the Central Bank of Ireland