The Central Bank of Ireland has reprimanded and fined the Bank of Ireland for five breaches of the MiFID regulations committed by its former subsidiary Bank of Ireland Private Banking.
The central bank determined the appropriate fine to be €2.37 million, which has been reduced by 30 per cent to €1.6 million for early payment.
The investigation arose from a cyber fraud incident that occurred in September 2014. Acting on instructions from a fraudster impersonating a client, Bank of Ireland Private Banking made two payments to a third party account totalling €106,430 - one from a client’s personal current account, the other from its own funds.
It immediately reimbursed the client, but had not reported the cyber fraud to the police, and only did so at the request of the central bank over a year after the Incident.
The Central Bank of Ireland found serious deficiencies in respect of third party payments, including: inadequate systems and controls to minimise the risk of loss from fraud; inadequate governance, oversight and ongoing review of the systems and control environment; and a lack of staff training or compliance monitoring.
Bank of Ireland Private Banking's failure to be open and transparent had the effect of misleading the course of the investigation - failing for a period of 19 months to disclose internal reports commissioned following the incident, which identified ongoing systemic control failings in the processing of third party payments.
Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the central bank’s intervention. In August 2016, the Central Bank of Ireland determined that a Risk Mitigation Programme relating to third party payment processes was completed.
The central bank’s director of enforcement and anti-money laundering Seána Cunningham said: “We have a clear expectation that firms are alert to the real and increasing risks from cyber fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.
"This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security."
Recent Stories