Bank of Ireland has been fined €1.66 million by the Central Bank for regulatory breaches, after it transferred more than €100,000 to a fraudster who hacked a client's email account six years ago.
The Central Bank said in a statement on Tuesday that the lender only alerted An Garda Síochána to the incident more than a year afterwards, and did so only at the request of supervisors. The bank also misled the Central Bank during an investigation into the matter, it said.
The investigation stemmed from the former Bank of Ireland Private Banking Ltd making payments totalling €106,430 to a UK bank account from the affected client's personal account and its own funds. It came after a cyber-fraudster hacked into the individual's email and sought the money transfers.
The bank released confidential account details without asking security questions of the fraudster or calling the client to double-check the request by using a phone number on its database.
The client notified the bank of the fraud at the end of that month after receiving an email from the bank referring to recent communications, of which the person was unaware. BOI Private Banking immediately reimbursed the client.
Regulators learned of the incident in 2015 when they spotted a reference to it in a so-called operational incident log among routine regulatory filings. The private banking unit was absorbed into Bank of Ireland’s Irish retail banking unit in 2017 under an internal reorganisation.
The Central Bank said BOI Private Banking’s level of co-operation during the investigation “was far below what is expected” and that that its failure to be open and transparent “had the effect of misleading” the authority.
“BOIPB failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request. It also provided information to the Central Bank that was imprecise and vague. The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged,” it said, adding that the bank had not taken remedial action quickly enough after the cyber-fraud incident.
“BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber fraud. That risk crystallised twice,” said Seána Cunningham, the Central Bank’s director of enforcement and anti-money-laundering.
“BOIPB then failed to report the cyber fraud to An Garda Síochána, which is a serious matter. Reporting illegal activity is essential in the fight against financial crime.”
Ms Cunningham added: “The Central Bank expects proactive engagement from regulated entities. That extends from self-reporting through remediation and full co-operation with the investigation.
“The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”
Bank of Ireland said in a statement that it “regrets” the approach to the investigation. “All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities,” it said.
“The bank has learnt lessons from this incident and has taken a range of actions arising from the issue. Policies, processes and controls have been strengthened to ensure customers are protected.”
The company said BOIPB’s full integration into Bank of Ireland Group in 2017 had served to “further enhance” the protection of customers.
The fine brings to €105 million of financial penalties imposed by the Central Bank on regulated firms since 2006 under its administrative sanctions procedure.