Bank of Ireland fined €1.6m for funding fraudster
Bank of Ireland was reprimanded for five regulatory breaches, resulting in over €100,000 being transferred to a fraudster who hacked a client's email account in 2014.
Bank of Ireland has been fined €1.66m by the Central Bank for five regulatory breaches committed six years ago, which allowed a cyber-fraud incident in which €106,430 of the bank's and the victim's funds was transferred to the fraudster.
In September 2014, the fraudster hacked into the victim's email account and impersonated a client of Bank of Ireland's former subsidiary, Bank of Ireland Private Banking Limited (BOIPB). The fraudster deceived the bank into transferring a total of €106,430 (£96,450.00) in two separate payments into a UK bank account.
Bank of Ireland Private Banking disclosed the victim's confidential account information to the scammer without asking any security questions. The bank then failed to follow its own confirmation procedures and did not contact the client to verify the payment request using the contact details already held on file.
Bank of Ireland immediately reimbursed the victim for the stolen amount, but did not report the crime to either the police or the Central Bank.
A year later
In a statement on Tuesday, Central Bank said that the bank had failed to notify An Garda Síochána (the Irish police) until after Central Bank itself discovered the incident a year later.
The cyber-fraud was discovered during a full risk assessment of BOIPB in 2015 where Central Bank uncovered a reference to the incident in an operational incident log.
Central Bank then demanded full details of the incident from Bank of Ireland and ordered the crime be reported to An Garda Síochána.
In a statement, Bank of Ireland admitted: “All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities.”
“BOIPB's failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice. BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter,” said Central Bank director of enforcement and anti-money laundering Seána Cunningham.
“Reporting illegal activity is essential in the fight against financial crime,” she added.
Central Bank investigation
Central Bank proceeded to investigate the case and found five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by Bank of Ireland Private Banking Limited:
- Inadequate systems and controls to minimise the risk of loss from fraud
- Inadequate governance, oversight and ongoing review of the systems and control environment
- Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
- Lack of compliance monitoring
The original fine given by Central Bank was €2,370,000, which was then reduced by 30% “in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure”.
Central Bank response
In a press release, Central Bank accused BOIPB of failing to be open and transparent, which misled the Central Bank throughout the investigation.
According to Central Bank, "BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments."
Central Bank added that “BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation” throughout the period, and its poor conduct unnecessarily lengthened the investigation.
Delayed remediation from Bank of Ireland
Central Bank also criticised BOIPB's delay in remediation: BOIPB did not complete the remediation of its third party payment processes until February 2016, a full 17 months after the cyber-fraud took place. The Risk Mitigation Programme (RMP) covering the third party payment processes was completed the following August.
“The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank's investigation were aggravating features in this case,” commented Cunningham.
According to Bank of Ireland, “policies, processes and controls have been strengthened to ensure customers are protected.”
“The bank has significantly enhanced training for all colleagues on fraud prevention and customer protection. The bank's senior management understands the fundamental importance of professional, open and transparent engagement with all regulatory authorities,” it added.
Since 1 September 2017, BOIPB has been integrated as a business unit within the Retail Division of BOI and is no longer a MiFID firm.