We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.

Strictly necessary cookies

Cookie name Duration Cookie purpose
ASP.NET_SessionId Session This cookie holds the current session id (OPPassessment only)
.ASPXANONYMOUS 2 Months Authentication to the site
LSI 1 Year To remember cookie preference for Law Society websites (www.lawsociety.ie, www.legalvacancies.ie, www.gazette.ie)
FTGServer 1 Hour Website content ( /CSS , /JS, /img )
_ga 2 Years Google Analytics
_gat Session Google Analytics
_git 1 Day Google Analytics
AptifyCSRFCookie Session Aptify CSRF Cookie
CSRFDefenseInDepthToken Session Aptify defence cookie
EB5Cookie Session Aptify eb5 login cookie

Functional cookies

Cookie name Duration Cookie purpose
Zendesk Local Storage Online Support
platform.twitter.com Local Storage Integrated Twitter feed

Marketing cookies

Cookie name Duration Cookie purpose
fr 3 Months Facebook Advertising - Used for Facebook Marketing
_fbp 3 months Used for facebook Marketing
Central Bank fines Bank of Ireland €2,370,000 for MiFID breaches
Central Bank Governor Gabriel Makhlouf Pic: RollingNews.ie

28 Jul 2020 / regulation Print

Central Bank fines Bank of Ireland €2,370,000

The Central Bank of Ireland has reprimanded and fined the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (MiFID).

The offences were committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB).  BOI has admitted the breaches, which vary in length from one to ten years.

The Central Bank fine amounts to €2,370,000, reduced by 30% in a settlement discount scheme.

The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014.

Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third-party account totalling €106,430, one from a client’s personal current account, the other from BOIPB’s own funds.

BOIPB immediately reimbursed the client.

Risk assessment

During a full risk assessment of BOIPB in 2015, the Central Bank discovered a reference to the incident in an operational log.

BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank, over one year after the incident.

The Central Bank’s investigation found serious deficiencies in respect of third party payments, including:

  • inadequate systems and controls to minimise the risk of loss from fraud,
  • inadequate governance, oversight and ongoing review of the systems and control environment,
  • lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements,
  • lack of compliance monitoring.

BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation. 

Failed to disclose

BOIPB failed to disclose an internal report on the incident, to the Central Bank for 19 months.

The internal report identified ongoing systemic control failings in the processing of third party payments.

During that same period, BOIPB “strenuously denied the existence of any such failings in response to the investigation”, the Central Bank says.

BOIPB’s conduct materially added to the time it took to investigate this case, it continues. 

Clear expectation

Central Bank’s director of enforcement and anti-money laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.”

The Central Bank said it expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.



Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland