The Bank of Ireland (BOI) has been fined €1.66m (£1.49m) and reprimanded for a series of regulatory breaches causing loss to a client, and for misleading the Central Bank in the course of its investigation
The Central Bank said its €2.37m penalty had been reduced by 30% under its settlement discount scheme.
The fine related to five breaches of the MiFID regulations committed by BOI’s former subsidiary, Bank of Ireland Private Banking Ltd (BOIPB). BOI has admitted the breaches, which vary in length from one to ten years and spanned the period from November 2007 to January 2018.
The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014. Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds. BOIPB immediately reimbursed the client.
During a full risk assessment of BOIPB in 2015, the Central Bank discovered a reference to the incident in an operational incident log.
However, BOIPB had not reported the cyber-fraud to the police authorities, and only did so at the Central Bank’s request over a year after the incident occurred.
In addition, the regulator said BOIPB’s failure to be open and transparent had the effect of misleading its team in the course of the investigation.
BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the incident, which identified ongoing systemic control failings in the processing of third party payments.
During that same period, BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation. BOIPB’s conduct materially added to the time it took to investigate the case.
The Central Bank was also critical of the excessive amount of time it took BOIPB to fully remediate the relevant deficiencies. Remediation in relation to third party payment processes took place in February 2016, 17 months after the incident, and then only following the Central Bank’s intervention.
In August 2016, the Central Bank determined that a risk mitigation programme (RMP) relating to third party payment processes was completed.
Seána Cunningham, the Central Bank’s director of enforcement and anti-money laundering, said: ‘The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.
‘BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice.
‘BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter. Reporting illegal activity is essential in the fight against financial crime.
‘This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security. The Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.’
The investigation found that BOIPB staff, in breach of BOIPB’s policies and procedures, had released confidential account details to the fraudster in response to an email request, and failed to ask security questions of the fraudster when taking transfer instructions and responding to requests for account balances over the telephone.
Staff did not use the telephone number held for the client on BOIPB’s database, instead speaking to the fraudster on a telephone number provided in a fraudulent e-mail instruction, and did not have a second staff member complete a call-back to verify the request.
In addition, bank staff failed to note that the fraudster’s emails contained errors and discrepancies, including signing off an email sent from the client’s email account with an entirely different name.
In a statement, Bank of Ireland said it regretted the circumstances of the incident and the weaknesses in internal controls and procedures that it highlighted.
The bank said: ‘As soon as the bank became aware of the issue we ensured that the customer involved was fully reimbursed.
‘BOIPB has been fully integrated into the Bank of Ireland Group in 2017 to further enhance the protection for customers.
‘In addition, the bank has significantly enhanced training for all colleagues on fraud prevention and customer protection. The bank’s senior management understands the fundamental importance of professional, open and transparent engagement with all regulatory authorities.’