BoI fined €24.5m for serious IT failures that could have affected millions of customers

The fine is designed to reflect the seriousness of the disruption Bank of Ireland customers would have faced and the knock-on effect to Ireland’s entire banking system if the lender’s IT systems had failed
The Bank of Ireland sanction again throws light onto failures of Irish banking and senior managers and their boards and the risks that customers face should things go wrong in the oversight of their IT systems. Picture: Denis Minihane.

The Central Bank has slapped a fine of €24.5m on Bank of Ireland after the lender failed over many years to safeguard its IT systems from a disaster that would have affected millions of customers.

The fine has been imposed under the regulator’s so-called administrative sanctions procedure and is designed to reflect the seriousness of the disruption Bank of Ireland customers would have faced and the knock-on effect to Ireland’s entire banking system if the lender’s IT systems had failed.

The failures were both serious and longstanding and cover the period between 2008 and 2019.

However, an internal investigation into its IT issues only got underway in 2015 and the ECB was subsequently given an internal report into the matters by the Bank of Ireland. That in turn led to the Central Bank investigation.

The issues were well known in the bank up to 2015 but the lender only belatedly started to try to address the failures to repair its defences and mend the breakdown of internal controls designed to prevent any IT disaster.

In the event, no such IT disaster occurred but regulators expect banks to keep tabs on all their IT systems even if the computer services are provided by external service providers.

The fine is designed to send a message to senior bankers and their boards that they must take ownership of the management of key IT systems on which millions of customers depend.

The Central Bank said the fine had initially been assessed at €35m but had been reduced as part of a settlement to take into account the bank’s actions to remedy its failures.

It had been well known that many Irish banks, and Bank of Ireland in particular, had for many decades had creaking banking technology systems.

Customers of Ulster Bank faced serious disruption in the summer of 2012 over a breakdown of its IT services and the lender was subsequently fined €3.5m by the Central Bank.

However, the Bank of Ireland sanction again throws light onto the failures of Irish banking and senior managers and their boards and the risks that customers face should things go wrong in the oversight of their IT systems.

The massive fine relates to a series of breaches, including Bank of Ireland’s failure to show it could continue to provide customer services under a significant hit to its IT systems, the failure of internal controls, and its failure to oversee third-party providers “with respect to IT service continuity”.

“Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems. It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption,” said Seána Cunningham, who is the director of enforcement and anti-money laundering at the Central Bank.

Millions of customers would be affected if IT systems at banks were to fail, Ms Cunningham said.

“The extent and duration of these breaches were particularly serious given the always-on nature of the services BoI provides and how pivotal IT is to the entirety of its business operations,” she said.

The failures over such a long period “meant that had a severe disruption event occurred, BoI may not have been able to ensure continuity of critical services, such as payment services”, Ms Cunningham said.

The Central Bank found “that there were failings in each line of defence” at the bank.

The regulator said the fine and its reprimand reflected “the duration and frequency” of the failures, “the serious” nature of the failures, the disruption that could have resulted, as well as the potential loss to customers.
