Bank of Ireland fined €1.6m for cyber security breaches

The Central Bank of Ireland has reprimanded and fined the Bank of Ireland for five breaches of the MiFID regulations committed by its former subsidiary Bank of Ireland Private Banking.

The central bank determined the appropriate fine to be €2.37 million, which has been reduced by 30 per cent to €1.6 million for early payment.

The investigation arose from a cyber fraud incident that occurred in September 2014. Acting on instructions from a fraudster impersonating a client, Bank of Ireland Private Banking made two payments to a third party account totalling €106,430 - one from a client’s personal current account, the other from its own funds.

It immediately reimbursed the client but did not report the cyber fraud to the police, doing so only at the request of the central bank, over a year after the incident.

The Central Bank of Ireland found serious deficiencies in respect of third party payments, including: inadequate systems and controls to minimise the risk of loss from fraud; inadequate governance, oversight and ongoing review of the systems and control environment; and a lack of staff training or compliance monitoring.

Bank of Ireland Private Banking's failure to be open and transparent had the effect of misleading the course of the investigation: for a period of 19 months it failed to disclose internal reports commissioned following the incident, which identified ongoing systemic control failings in the processing of third party payments.

Remediation in relation to third party payment processes took place in February 2016, 17 months after the incident, and then only following the central bank’s intervention. In August 2016, the Central Bank of Ireland determined that a Risk Mitigation Programme relating to third party payment processes was completed.

The central bank’s director of enforcement and anti-money laundering Seána Cunningham said: “We have a clear expectation that firms are alert to the real and increasing risks from cyber fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.

“This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security.”
