On 28 July 2020, the Central Bank of Ireland (Central Bank) published details of a settlement agreement reached between it and Bank of Ireland (BOI) for admitted breaches of five provisions of the European Communities (Markets in Financial Instruments) Regulations 2007 (MiFID). The breaches were committed by BOI's former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), and concerned a cyber-fraud incident that took place in 2014.
A significant fine of €1,660,000 was imposed. This reflects the serious nature of the breaches and the factors that the Central Bank considered and found to be relevant. The fine was calculated by reference to the Central Bank's Sanctions Guidance, published in November 2019, five years after the incident. The original fine of €2,370,000 was reduced by 30% to €1,660,000 under the settlement discount scheme provided for in the Central Bank's Administrative Sanctions Procedure, in the interests of early settlement.
The incident that gave rise to this sanction occurred in September 2014 and involved a fraudster impersonating a BOIPB client. The fraudster compromised the client's email account and, using the information obtained from it, impersonated the client in giving instructions to withdraw funds from both the client's account and BOIPB's own-funds suspense account. On a review of the facts outlined in the Central Bank's public statement, it appears that BOIPB missed key indicators that should have immediately alerted it to the fraudster. In addition, in processing the payments requested by the fraudster, BOIPB breached its own policies and procedures.
The fraud was noticed by the client later in September 2014, and the client then reported it to BOIPB. BOIPB could not undo the breach once it had occurred; however, it immediately reimbursed the client once the incident came to light. It also requested its internal audit function to carry out a review of the matter. That review suggested several possible fixes, but these were not implemented immediately.
The incident was discovered by the Central Bank in the course of a Full Risk Assessment in 2015, and the Central Bank commenced an investigation in 2016. The fixes identified in the internal audit review were not implemented until later in 2016, after the Central Bank had already initiated its investigation.
Before the Central Bank had commenced its investigation, but after the Full Risk Assessment, BOIPB commissioned a further review of its third-party payments processing (TPPP) arrangements, which had been the target of the fraudster. That report also contained important findings. However, BOIPB did not supply those findings to the Central Bank until it was specifically requested to do so in September 2017.
Sanctions Guidance – Factors Considered
This is the third public statement made by the Central Bank since the publication of the Sanctions Guidance, and each of those statements reflects the Central Bank's assessment of the penalties to be imposed by reference to the Sanctions Guidance. While considerations along these lines have always formed part of the Central Bank's approach to the determination of sanctions, the Sanctions Guidance places them on a formal footing.
Those formalised considerations are:
- The nature, seriousness and impact of the contravention
- The conduct of the Regulated Entity after the contravention
- The previous record of the Regulated Entity
- Other general considerations
In addition to these considerations, the Central Bank has always made it clear that breaches must be remedied, and that it will not engage in any settlement with a Regulated Entity until remedies are implemented. In this case, the remedies were the immediate reimbursement of the client and the commissioning of internal investigations.
The Central Bank's view of BOIPB's conduct after the contravention and after taking remedial action played a significant part in arriving at the sanction, and this is reflected in the public statement. Not only did the Central Bank comment extensively on the features of the breach itself, its statement places equal importance on how the matter was handled internally at BOIPB and on BOIPB's interaction with the Central Bank. Specifically, the Central Bank's statement referred to the reluctance on the part of BOIPB to share the findings of the TPPP review with the Central Bank, which it did only 19 months after the commencement of the investigation. It cites this lack of co-operation as an aggravating factor that resulted in a "frustrated and prolonged" investigation and ultimately led to a higher sanction.
Pro-active and Early Engagement Expected
The Central Bank expects early engagement on known facts. If a regulated entity identifies a breach, it must take remedial action as soon as possible. How the matter is handled after the breach is discovered is key, and the extent to which a regulated entity is seen either to engage with or to frustrate the Central Bank in its investigation is significant. This has always been an important factor in the Central Bank's assessment of the seriousness of a breach; since the publication of the Sanctions Guidance in November 2019, however, the Central Bank's approach is all the clearer, and that conduct has a direct impact on the penalty.
We have extensive experience advising on regulatory and enforcement matters. For a discussion or advice on this please call Lisa Carty, Hilary Rogers, Shane Kelleher or your usual William Fry contact.
Contributed by Hilary Rogers