The Central Bank has handed Bank of Ireland (BoI) a €24.5 million fine, as well as a reprimand, after finding deficiencies in how the bank dealt with potential disruption to its IT systems over several years.
The regulator said that the bank had failed to have a robust framework in place to ensure continuity of service for its customers in the event of a significant IT disruption.
“These IT service-continuity deficiencies were repeatedly identified from 2008 onwards but, due to internal control failings, only started to be appropriately recognised and addressed in 2015,” the Central Bank said.
It added that the steps taken by BoI to address the deficiencies were completed by 2019.
The regulator began the investigation in 2018 after a referral from the European Central Bank (ECB).
The ECB had received an internal BoI investigation into the failings that was commissioned after concerns were raised by an internal audit in 2015.
BoI has admitted to several breaches of EU rules governing financial institutions between 2008 and 2019. These include:
“Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems,” said Seána Cunningham, the Central Bank’s director of enforcement and anti-money-laundering.
“It is vital that firms have a framework in place so that they can ensure continuity of critical IT services, and minimise the impact of any significant disruption,” she added.
Cunningham stated that the extent and duration of BoI’s breaches were “particularly serious”, given the nature of the services the bank provides, and how pivotal IT is to the entirety of its business operations.
“Had BoI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system,” she said.
The regulator had decided on a fine of €35 million, but this was reduced by 30%, in line with rules that provide for a discount for settlements.