Bank of Ireland fined €1.66m for cyber breach and failure to notify the central bank

July 30, 2020

The Bank of Ireland has been fined €1.66m ($1.95m) by the Central Bank of Ireland for misleading the institution about a security breach back in 2014.

The regulatory slap on the hand originated from the cyber fraud incident that occurred in September 2014. The incident involved a criminal impersonating a client, convincing the bank to make two payments to a third party account totalling €106,430 ($125,126).

One of the payment from the client’s personal account and one from the Bank of Ireland’s own funds. The client was reimbursed when the fraud was discovered.

However, the bank failed to report the incident to the authorities.

Instead, the central bank first learned about the incident during a risk assessment of bank in 2015, when the central bank discovered a reference to the incident in an operational incident log.

It was only after that discovery that the bank finally alerted the police.

During its investigation the central bank found serious deficiencies in respect of third party payments such as failure to set up proper systems and controls to minimise the risk of loss from fraud, inadequate governance, lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements, and a lack of compliance monitoring.

The central bank argued that the bank’s failure to be open and transparent had the effect of misleading the central bank in the course of the investigation, having neglected to disclose the a report detailing its own systematic failures for19 months following the incident.

To make matters worse, the Bank of Ireland kept denying that there were any such failings.

The bank was also sanctioned for only plugging the holes in its systems in 2016.

Seána Cunningham, director of enforcement and anti-money laundering at the central bank, said, “The central bank has a clear expectation that firms are alert to the real and increasing risks from cyber fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.”

Initially, the central bank said that the appropriate fine would be €2.37m (2.78m), but that was reduced by 30% in accordance with the settlement discount scheme provided for in the central bank’s administrative sanctions procedure.