Bank of Ireland has been fined by the regulator over failings that led to a client losing money in a fraud attack and because it failed to inform the Central Bank about the incident.
The bank was also found to have failed to notify the Gardaí until the Central Bank discovered what had happened. It was fined €1.66m.
Regulators said Bank of Ireland's failure to be open and transparent had the effect of misleading the Central Bank and "materially added to the time it took to investigate this case".
The Central Bank's investigation arose from a cyber-fraud incident that occurred in September 2014.
It discovered a reference to the incident in an operational incident log.
A fraudster impersonated a client and Bank of Ireland Private Banking responded by making two payments to a third-party account totalling €106,430.
One payment was from a client's personal current account, the other from the private bank's own funds.
According to the regulator, Bank of Ireland Private Banking immediately reimbursed the client.
During a risk assessment of the private bank in 2015, the Central Bank discovered a reference to the incident in an operational incident log.
The fraudster engaged in "email hijacking".
This involves hacking a client's e-mail account and redirecting e-mails coming from the bank to a mirror-image e-mail account secretly set up by the fraudster to intercept communications coming from Bank of Ireland Private Banking.
The fraudster also engaged in "social engineering" in communications with staff at the bank.
This involved making reference to the purchase of a property, the name of the client's solicitor, and similar terminology to that used by the client in other emails.
The bank had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the incident.
The probe found failings including inadequate systems and controls to minimise the risk of loss from fraud, inadequate governance, oversight and ongoing review of the systems and control environment, and a lack of staff training.
The Central Bank determined the appropriate fine to be €2.3m, which was cut by 30pc in accordance with the settlement discount scheme provided for in the Central Bank's administrative sanctions procedure.
Central Bank director of enforcement and anti-money laundering Seána Cunningham said Bank of Ireland Private Banking's failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation.
Bank of Ireland apologised and said it regrets the circumstances of the incident and the weaknesses in internal controls and procedures that it highlighted.
The bank said it has learnt lessons from this incident and has taken a range of actions arising from the issue.
Bank of Ireland Private Banking Ltd was fully integrated into Bank of Ireland Group in 2017.