Bank of Ireland fined €1.6m for cyber security breaches

The Central Bank of Ireland has reprimanded and fined the Bank of Ireland for five breaches of the MiFID regulations committed by its former subsidiary Bank of Ireland Private Banking.

The central bank determined the appropriate fine to be €2.37 million, which has been reduced by 30 per cent to €1.6 million for early payment.

The investigation arose from a cyber fraud incident that occurred in September 2014. Acting on instructions from a fraudster impersonating a client, Bank of Ireland Private Banking made two payments to a third party account totalling €106,430 - one from a client’s personal current account, the other from its own funds.

It immediately reimbursed the client, but had not reported the cyber fraud to the police, and only did so at the request of the central bank over a year after the Incident.

The Central Bank of Ireland found serious deficiencies in respect of third party payments, including: inadequate systems and controls to minimise the risk of loss from fraud; inadequate governance, oversight and ongoing review of the systems and control environment; and a lack of staff training or compliance monitoring.

Bank of Ireland Private Banking's failure to be open and transparent had the effect of misleading the course of the investigation - failing for a period of 19 months to disclose internal reports commissioned following the incident, which identified ongoing systemic control failings in the processing of third party payments.

Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the central bank’s intervention. In August 2016, the Central Bank of Ireland determined that a Risk Mitigation Programme relating to third party payment processes was completed.

The central bank’s director of enforcement and anti-money laundering Seána Cunningham said: “We have a clear expectation that firms are alert to the real and increasing risks from cyber fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.

"This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security."

    Share Story:

Recent Stories


Safeguarding economies: DNFBPs' role in AML and CTF compliance explained
Join FStech editor Jonathan Easton, NICE Actimize's Adam McLaughlin and Graham Mackenzie of the Law Society of Scotland as they look at the role Designated Non-Financial Businesses and Professions (DNFBPs) play in the financial sector, and the challenges they face in complying with anti-money laundering and counter-terrorist financing regulations.

Ransomware and beyond: Enhancing cyber threat awareness in the financial sector
Join FStech editor Jonathan Easton and Proofpoint cybersecurity strategist Matt Cooke as they discuss the findings of the State of the Phish 2023 report, diving into key topics such as awareness of cyber threats, the sophisticated techniques being used by criminals to target the financial sector, and how financial institutions can take a proactive approach to educating both their employees and their customers.

Click here to read the 2023 State of the Phish report from Proofpoint.

Cracking down on fraud
In this webinar a panel of expert speakers explored the ways in which high-volume PSPs and FinTechs are preventing fraud while providing a seamless customer experience.

Future of Planning, Budgeting, Forecasting, and Reporting
Sage Intacct is excited to present FSN The Modern Finance Forum’s “Future of Planning, Budgeting, Forecasting, and Reporting Global Survey 2022” results. With participation from 450 companies around the globe, the survey results highlight how organisations are developing their core financial processes by 2030.