Date: 2020-07-28

Bank of Ireland has been fined €1.66 million by the Central Bank for failing to alert An Garda Síochána and financial regulators when it was caught out six years ago by a fraudster, who managed to get the lender to transfer more than €100,000 from a client’s account.

The bank’s former Bank of Ireland Private Banking Ltd (BOIPB) unit made two payments totalling €106,430 from a client’s personal current account to a UK bank account in September 2014, after a cyber-fraudster hacked into the individual’s e-mail and sought the money transfers.

The bank released confidential account details without asking security questions of the fraudster or calling the client to double-check the request by using a phone number on its database, the Central Bank said in a statement on Tuesday.

The client notified BOIPB of the fraud at the end of that month after receiving an e-mail from the bank referring to recent communications, of which the person was unaware. BOIPB immediately reimbursed the client.

However, the bank did not report the cyber-fraud to An Garda Síochána and only referred it to the Central Bank a year later on foot of a request from financial supervisors after they discovered a reference to it in a so-called operational incident log among routine regulatory filings. BOIPB was absorbed into Bank of Ireland’s Irish retail banking unit in 2017 under an internal reorganisation.

Safeguards failure

“BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice,” said Seána Cunningham, the Central Bank’s director of enforcement and anti-money laundering. “BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter. Reporting illegal activity is essential in the fight against financial crime.”

Ms Cunningham added: “The Central Bank expects pro-active engagement from regulated entities - that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”

The Central Bank said that BOIPB’s level of cooperation during the investigation “was far below what is expected”.

“BOIPB failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request. It also provided information to the Central Bank that was imprecise and vague. The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged,” it said, adding that the bank did not take remedial action quickly enough after the cyber-fraud incident.

Strengthened controls

Bank of Ireland said in a statement that it “regrets” the approach to the investigation. “All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities,” it said. “The Bank has learnt lessons from this incident and has taken a range of actions arising from the issue. Policies, processes and controls have been strengthened to ensure customers are protected.”

The company said that BOIPB’s full integration into Bank of Ireland Group in 2017 has served to “further enhance” the protection of customers.

The fine brings to €105 million the financial penalties imposed by the Central Bank on regulated firms since 2006 under its administrative sanctions procedure.