July 29, 2020

Ireland’s Central Bank fines Bank of Ireland for cyber-fraud breaches

On July 27, 2020, the Central Bank of Ireland fined the Bank of Ireland (BOI) €1.66 million ($1.9 million) for five regulatory breaches committed by former subsidiary Bank of Ireland Private Banking Limited (BOIPB), and for the bank’s efforts to mislead the Central Bank during the course of its investigation. BOI admitted the breaches, which took place between 2007 and 2018. The Central Bank reduced its original fine of €2.37 million by thirty percent in accordance with settlement guidelines, and confirmed that the investigation is now closed.

The Central Bank initiated its investigation after learning of a cyber-fraud incident in 2014 from a bank client, who reported that the bank made two payments to a third party account totaling €106,430 after a cyber-fraudster hacked the client’s email account.  One payment was made from the client’s personal account, and another was made from BOIPB’s funds due to insufficient funds in the client account.  After the funds were stolen, the BOIPB immediately reimbursed the client, but failed to report the incident to An Garda Síochána until the Central Bank intervened, over a year after the incident. 

The Central Bank’s investigation uncovered serious deficiencies in BOIPB’s third-party payments procedures, including a lack of systems and internal controls to minimize the risk of loss through fraud, a culture of inadequate governance and oversight by management, and a lack of staff training, in addition to BOIPB’s failure to report the 2014 cyber-fraud breach.

The Central Bank also reported being misled by BOIPB because of the bank’s 19-month delay in disclosing an internal report it had commissioned after the 2014 incident, a report that identified procedural shortcomings in the bank’s third-party payments. The BOIPB reportedly denied the existence of any deficiencies until the report was disclosed, which extended the time it took to complete the investigation. The bank also took an excessive amount of time to fully remediate its deficiencies after the incident, reportedly taking 17 months to implement corrective measures, and doing so only after the Central Bank’s intervention.

Central Bank Press Release