The Bank of Ireland has been hit with a €1.66m (£1.5m) fine for a data breach that happened in its private banking arm in 2014.
Ireland’s financial services regulator, the Central Bank of Ireland, criticised the bank’s policies and processes and its failure to report the incident as soon as it knew about it.
The country’s central bank imposed the fine in relation to the transfer of €100,000 from a client account at Bank of Ireland Private Banking (BoIPB) to a fraudster, who had hacked a customer’s email account, gaining access to confidential information.
The bank failed to make the necessary security checks of the transaction. It repaid the client, but did not inform the police, who were alerted to it a year later.
According to the regulator, BoIPB did not cooperate with investigations appropriately. “[It] failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request,” it said. “It also provided information to the Central Bank that was imprecise and vague. The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged.”
Failings identified by the regulator included inadequate systems and controls to minimise fraud; inadequate governance, oversight and ongoing review of the systems; a lack of appropriate staff training and a culture where fulfilling clients’ instructions was prioritised over security requirements; as well as a lack of compliance monitoring.
Bank of Ireland accepted its failings. “All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities,” it said in a statement. “The bank has learnt lessons from this incident and has taken a range of actions arising from the issue.”
It added that policies, processes and controls had been strengthened since.