The Central Bank has reprimanded and fined Bank of Ireland a total of €1.66m for five breaches of regulations committed by its former subsidiary, Bank of Ireland Private Banking Limited, and for misleading it.

The Central Bank has reprimanded and fined Bank of Ireland a total of €1.66m for five breaches of regulations committed by its former subsidiary, Bank of Ireland Private Banking Limited, and for misleading it. 
Bank of Ireland has admitted the breaches, which vary in length from one to ten years. 
In a statement, Bank of Ireland said it regretted the circumstances of the incident and the weaknesses in internal controls and procedures that it highlighted. 
It also said it regretted its approach to the Central Bank investigation. 
“All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities,” it added.
The Central Bank’s investigation came after a cyber-fraud incident at the bank that occurred in September 2014. 
Acting on instructions from a fraudster impersonating a client,  Bank of Ireland Private Banking Limited made two payments to a third party account totalling €106,430.
One came from a client’s personal current account, while the other from BOIPB’s own funds. BOIPB immediately reimbursed the client. 
During a full risk assessment of the lender in 2015, the Central Bank discovered a reference to the incident in an operational incident log. 
BOIPB had not reported the cyber-fraud to the Gardai and only did so at the request of the Central Bank over a year after the incident.
The Central Bank said its investigation found serious deficiencies in respect of third party payments at the bank, including inadequate systems and controls to minimise the risk of loss from fraud. 
Its investigation also discovered inadequate governance, oversight and ongoing review of the systems and control environment while it also found a lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements. 
A lack of compliance monitoring was also noted during the investigation.
The Central Bank said that BOIPB’s failure to be open and transparent had the effect of misleading it in the course of the investigation, adding that its level of cooperation was far below what is expected.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said it has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.
“BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice. BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter,” Ms Cunningham said. 
“Reporting illegal activity is essential in the fight against financial crime,” she stressed.
Ms Cunningham said the Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities. 
She also said the Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. 
“The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case,” she added. 
The Central Bank had determined the appropriate fine to be €2.37m but it was reduced by 30% in accordance with the settlement discount scheme it provides.
In its statement, Bank of Ireland said it has apologised to the customer involved and to the Central Bank.
It also said it has learned lessons from the incident and has taken a range of actions arising from the issue.
“Policies, processes and controls have been strengthened to ensure customers are protected,” it added. 
It also said that Bank of Ireland Private Banking Ltd has been fully integrated into the Bank of Ireland Group in 2017 to further enhance the protection for customers. 
“In addition, the bank has significantly enhanced training for all colleagues on fraud prevention and customer protection. The bank’s senior management understands the fundamental importance of professional, open and transparent engagement with all regulatory authorities,” it added.