Bank of Ireland fined €24.5m over IT flaws

Central Bank said IT service continuity provision was inadequate

The fine imposed on Bank of Ireland is the second highest ever levied by the Central Bank.

Bank of Ireland has been fined €24.5 million by the Central Bank for failing over the course of more than a decade to have an adequate system in place to ensure continuity of service to customers in the event of a serious IT disruption.

The regulator was asked by the European Central Bank (ECB) to investigate the matter in August 2018, almost a year after an internal Bank of Ireland report identified a number of risk management and internal control failings in respect of Bank of Ireland’s IT service continuity.

That report had been sparked by concerns raised in 2015 by internal audit at the lender on the issue, even though there had been warnings as far back as 2008 about deficiencies in this area.

The fine is the second highest levied by the Central Bank, eclipsed by an almost €38 million penalty imposed on Ulster Bank earlier this year for its role in the industry-wide tracker mortgage scandal. Bank of Ireland remains under investigation in relation to the tracker-mortgage issue.

“From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third-party reports. However, steps to address these deficiencies only commenced in 2015,” said Seána Cunningham, the Central Bank’s director of enforcement and anti-money laundering.

“The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.”

The Central Bank declined to say whether the third-party report authors were companies involved in providing outsourced IT services to the bank or professional services firms hired routinely to assess risks within the company.

Online banking

The breaches cover a period during which the banking industry globally rapidly increased its focus on online banking, a trend that has been accelerated since the onset of the Covid-19 pandemic. Bank of Ireland is currently at the latter end of a €1.15 billion programme initiated in 2016 to replace its ageing core banking systems.

The Central Bank said the lender only took initial steps in 2015 to address deficiencies in both its IT service continuity framework and associated internal controls. However, this was not completed until 2019.

Francesca McDonagh succeeded Richie Boucher as group chief executive in October 2017, the month the internal report was completed, identifying a number of risk management and control failings in respect of the bank’s IT service continuity.

For much of the decade during which the issues occurred, Bank of Ireland was seeking to conserve money, running off one of the lowest capital reserve ratios in the industry after avoiding State control as taxpayers bailed out the country’s lenders.

The regulator highlighted failings in the three lines of defence Bank of Ireland had in place to ensure IT service continuity at a time when the third-party reports between 2008 and 2015 were highlighting shortcomings. The lines of defence included the ownership and management of risks; oversight and challenge of the first line of defence; and independent assurance that risks were being managed.

“Ultimately, these internal control failings resulted in deficiencies in the firm’s IT service continuity framework persisting for a prolonged period. This is particularly serious as the firm’s reliance on IT was significantly increasing year on year, in common with the sector,” the Central Bank said.

The sanction comes seven years after Ulster Bank was fined a then-record €3.5 million by the Central Bank over the serious failings of its IT systems in June and July 2012, which resulted in about 600,000 customers being “deprived of essential and basic banking services” over a 28-day period.

Maximum fine

Law changes in 2013 hiked the maximum fine the regulator can impose on firms for rule breaches, from €5 million to €10 million, or 10 per cent of turnover. The contraventions in the Bank of Ireland case continued beyond 2013.

Bank of Ireland said in a statement on Thursday that it “fully acknowledges, and sincerely apologises for”, each of the five specific breaches identified during the investigation.

“To comprehensively address these breaches the bank has invested heavily in IT service continuity, completing an extensive groupwide programme of work between 2015 and 2019,” it said. “This has included technology investment such as infrastructure and network upgrades, and enhanced testing, planning and internal procedures.”

The bank said that it now has “robust IT service continuity processes in place and continues to invest heavily in this area”.

A spokesman for the Central Bank said in response to questions from The Irish Times that the nature of the case meant it could only start its investigation when requested by the ECB, which is ultimately responsible for the supervision of large credit institutions in the euro zone.

“The firm is subject to joint supervision under the Single Supervisory Mechanism (SSM). In the case of breaches such as the ones at hand we can only commence an investigation when requested by the European Central Bank (ECB) pursuant to their power under the SSM,” he said.

Donohoe reaction

The Minister for Finance Paschal Donohoe has meanwhile said the fines imposed by the Central Bank on Bank of Ireland represent “a very significant and substantial action”.

Reacting to the announcement, Mr Donohoe said: “It demonstrates two very important points about the retail banking system here in Ireland and how it is regulated.

“Firstly, it is a reminder of how fundamental information technology now is to the delivery of banking services in our country.

“And secondly, it shows how serious the Central Bank position is in relation to IT systems and services. It again reminds us we have a very strong independent regulator that is capable of levying significant fines and sanctions when they believe it is justified.”