The Central Bank fine amounts to €2,370,000, reduced by 30% in a settlement discount scheme.
The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014.
Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third-party account totalling €106,430, one from a client’s personal current account, the other from BOIPB’s own funds.
BOIPB immediately reimbursed the client.
During a full risk assessment of BOIPB in 2015, the Central Bank discovered a reference to the incident in an operational log.
BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank, over one year after the incident.
The Central Bank’s investigation found serious deficiencies in respect of third-party payments, including:
- inadequate systems and controls to minimise the risk of loss from fraud,
- inadequate governance, oversight and ongoing review of the systems and control environment,
- lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements,
- lack of compliance monitoring.
BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation.
Failed to disclose
BOIPB failed to disclose an internal report on the incident to the Central Bank for 19 months.
The internal report identified ongoing systemic control failings in the processing of third-party payments.
During that same period, BOIPB “strenuously denied the existence of any such failings in response to the investigation”, the Central Bank says.
BOIPB’s conduct materially added to the time it took to investigate this case, it continues.
The Central Bank’s director of enforcement and anti-money laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.”
The Central Bank said it expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.