The Central Bank has slapped a €1.66m fine on Bank of Ireland for a cyber-fraud case at the bank's private clients unit that involved the bank's failure to notify Gardaí and the regulator.
In its reprimand, the regulator said the 2014 incident involved Bank of Ireland Private Banking (BoIPB) paying out €106,430 from a client's account and the bank's own funds on the instructions of a fraudster.
The bank reimbursed the funds but the Central Bank only became aware of the case a year later during a risk audit when it came across a log held by BoIPB.
The Central Bank said the bank failed to report the fraud case to Gardaí "and only did so at the request of the Central Bank over one year after the incident". It said: "Reporting illegal activity is essential in the fight against financial crime."
Moreover, the Central Bank found the Bank of Ireland unit had effectively misled the Central Bank during its investigation and found it had inadequate systems, inadequate governance, poor staff training, "and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements".
"BoIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the incident, which identified ongoing systemic control failings in the processing of third party payments. During that same period, BoIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation," it said.
"The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014. Acting on instructions from a fraudster impersonating a client, BoIPB made two payments to a third party account totalling €106,430: One from a client’s personal current account, the other from BoIPB’s own funds," the regulator said.
Its fine of €2.37m was reduced to €1.66m.
Bank of Ireland said it regretted the incident.
"All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities," it said. "The bank has learned lessons from this incident and has taken a range of actions arising from the issue. Policies, processes, and controls have been strengthened to ensure customers are protected," it said.