The Central Bank of Ireland has reprimanded and fined the Governor and Company of the Bank of Ireland because its former subsidiary, Bank of Ireland Private Banking Ltd, caused loss to a client and misled the regulator in the course of its investigation of a cyber-fraud incident in 2014.
The regulator says that the Governor and Company of the BoI broke the European Communities (Markets in Financial Instruments) Regulations 2007 (known generally as the MiFID Regulations) in five different places. It says that the BoI has admitted guilt.
The regulator set the fine at €2,370,000 but then gave the recalcitrant bank a 30% discount because it capitulated quickly.
The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014. Acting on instructions from a fraudster who impersonated an HNW client, Bank of Ireland Private Banking made two payments totalling €106,430 to a third party. One came from a client’s personal current account, the other came from the private bank’s own funds. BoI Private Banking immediately reimbursed the client. During a 'full' risk assessment of the private bank in 2015, the Central Bank discovered a reference to the incident in an operational incident log.
The private bank had not reported the cyber-fraud to the police and only did so then, at the request of the Central Bank.
The Central Bank’s investigation found the following deficiencies in respect of "third party payments," as it calls them.
- The systems and controls that the bank employed to minimise the risk of loss from fraud were inadequate.
- The governance, oversight and ongoing review of the systems and controls and their 'environment' were inadequate.
- The bank did not train staff on the subject and possessed a culture in which the fulfilment of clients’ instructions took precedence over the observance of regulatory rules that called for 'security.'
- There was no compliance monitoring.
The private bank was not "open and transparent," thereby misleading the Central Bank in the course of the investigation. For a period of 19 months, it failed to show the regulator an internal report that it had commissioned after the incident and that revealed failures in the control systems that were supposed to make the processing of "third-party payments" (the Central Bank's phrase) safe. During that same period, the private bank strenuously denied the existence of any such failings. Its conduct materially added to the time it took to investigate this case.
This is one of two aggravating factors in this case, the other being the excessive amount of time it took the private bank to mend its ways. 'Remediation' in relation to third party payment processes took place in February 2016, 17 months after the incident, and then only because the Central Bank intervened. In August 2016, the Central Bank decided that a so-called risk-mitigation programme (presumably at the private bank) relating to third-party payment processes was complete.
This is the second time the Central Bank has punished a firm whose client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings. The Central Bank describes the bank's failure to report the cyber-fraud to the police as "a serious matter." It rankles with the regulator that "full cooperation with the investigation" did not occur.
Founded in 1989, BoI Private Bank was first authorised as a “section 10 investment business firm” under the Investment Intermediaries Act 1995 on 26 May 2000. This authorisation was subsequently transferred to an authorisation under the MiFID Regulations on 1 November 2007.
At the time of the cyber-fraud, the private bank was an independently-regulated MiFID firm and its primary activity was to provide investment services to HNW individuals who had investable assets in excess of €1 million. In addition, it provided a full range of banking services to its clients (lending, deposit taking and day-to-day current account banking) as a deposit agent of BOI.
Since 1 September 2017, the private bank has no longer been a MiFID firm and is now a business unit that sits in the retail division of the Bank of Ireland. The unit retains the name Bank of Ireland Private Banking as a trading name of the Governor and Company of the Bank of Ireland. Its audited financial statements for the year ending 31 December 2016, the last year it existed as a separate entity, reported operating income of €19,867,000.
The private bank processed two separate payment instructions in September 2014, purportedly from a client, which in fact were sent by a cyber-fraudster who had hacked the client’s e-mail account. This led to two transfers to the value of €106,430 being transmitted to a corporate bank account at a British bank. The first transfer was drawn from the client’s current account. The second transfer was drawn, at the instigation and with the authorisation of the private bank, from the private bank’s suspense account, because the payment from the client’s deposit account had been rejected for insufficient funds.
To facilitate the instructions that they received from the fraudster, the private bank's staff, in breach of its policies and procedures:
- released confidential account details to the fraudster in response to an email request;
- did not ask the fraudster security-related questions when taking transfer instructions and responding to requests for account balances over the telephone;
- did not use the telephone number held for the client on the private bank’s database, speaking instead to the fraudster on a telephone number provided in a fraudulent e-mail instruction; and
- did not make sure that a second staff member completed a call-back to verify the request.
The fraudster used the following tactics:
- He hacked the client’s e-mail account and re-directed e-mails coming from the bank to a mirror-image e-mail account that he had set up for the purpose of intercepting communications coming from the bank in relation to the fraudulent requests for payment.
- In communications with bank staff, making reference to the purchase of a property, he mentioned the name of the client’s solicitor and used terminology similar to that used by the client in other emails.
The bank failed to spot certain things that could have indicated fraud.
- The fraudster used the expression “Ireland Account” when referring to the client’s current account.
- One email sent by the fraudster from the client’s email account to bank staff was signed off with a name entirely different from the client's. The name used was that of an unrelated client of the bank's. On receipt of the email, the bank did not notice.
- The fraudulent instructions were suspicious in nature. They included: incorrect telephone details; the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the client’s account; and the remittance of funds to a jurisdiction other than the jurisdiction in which the client resided.
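As an added illustration (not code from the article or from the bank), the controls the staff skipped and the red flags listed above can be expressed as a pre-release gate on a third-party payment instruction; the "substantial" threshold, the field names and the client data are assumptions.

```python
# Added example, not the article's or the bank's own code; all data is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
SUBSTANTIAL = 25_000.0  # assumed threshold for a "substantial" transfer

@dataclass
class Client:
    name: str
    phone_on_file: str   # number held on the bank's own database
    residence: str       # country of residence
    balance: float
    recent_transfers: list  # [(date, amount), ...]

@dataclass
class Instruction:
    signed_name: str          # name the e-mail was signed off with
    callback_phone: str       # number the staff member actually dialled
    destination_country: str
    amount: float
    received: date
    second_approver: str = ""  # second staff member who completed a call-back

def review_instruction(client: Client, instr: Instruction) -> list:
    """Return the red flags and skipped controls; an empty list means clean."""
    flags = []
    if instr.signed_name.strip().lower() != client.name.strip().lower():
        flags.append("signed-off name does not match the account holder")
    if instr.callback_phone != client.phone_on_file:
        flags.append("call-back made to a number not held on file")
    if instr.destination_country != client.residence:
        flags.append("funds remitted outside the client's jurisdiction")
    if instr.amount > client.balance:
        flags.append("amount exceeds the balance on the account")
    if instr.amount >= SUBSTANTIAL and any(
        amt >= SUBSTANTIAL and timedelta(0) <= instr.received - when <= timedelta(days=2)
        for when, amt in client.recent_transfers):
        flags.append("second substantial transfer within two days of the first")
    if not instr.second_approver:
        flags.append("no independent call-back by a second staff member")
    return flags

def may_release(client: Client, instr: Instruction) -> bool:
    """Release only when every check passes; otherwise hold for review."""
    return not review_instruction(client, instr)

# Constructed scenario loosely modelled on the September 2014 incident.
CLIENT = Client("Jane Example", "+353-1-000-0000", "IE", 40_000.0,
                recent_transfers=[(date(2014, 9, 15), 60_000.0)])
FRAUD = Instruction("Other Name", "+44-20-0000-0000", "GB", 46_430.0, date(2014, 9, 16))
GENUINE = Instruction("Jane Example", "+353-1-000-0000", "IE", 1_000.0,
                      date(2014, 10, 1), second_approver="second staff member")
```

Every flag raised for the constructed fraudulent instruction corresponds to one of the failures or indicators the Central Bank identified; a genuine instruction with a matching number on file and a second approver passes.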
The bank flouted Regulation 33(1)(f)(i) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to set up sound administrative procedures in respect of third-party payments. Members of staff did not receive good enough training on that subject.
The bank also contravened Regulation 160(2)(f) between 1 November 2007 and August 2016 by failing to control third-party payments to protect the client from the loss of assets as a result of fraud. There was no monitoring of third party payments by the "first or second lines of defence," i.e. the front office and compliance staff. The bank also failed to act on the recommendations of its first internal report on the matter, dated December 2014. Similar weaknesses were identified in a second internal report in January 2016, with remediation taking place in February.
The bank also flouted Regulation 34(3)(a) between 1 November 2007 and 2 January 2018 by failing to take good enough steps to safeguard the security, integrity and confidentiality of clients' bank account details.
Bank staff frequently communicated with private clients through e-mail, but this is more vulnerable to infiltration by fraudsters than other forms of communication, so additional checks are called for. The bank did not employ them.
The bank also breached Regulation 34(1)(c) between 30 September 2014 and 16 December 2015 by failing to do enough to set up internal control mechanisms to meet its reporting obligations in line with s19 Criminal Justice Act 2011. The bank reported the incident to its Group Financial Crime Unit on 1 October 2014 but the unit, on the bank's behalf, did not report it to the police until December 2015, at the instigation of the Central Bank.
Lastly, the private bank flouted Regulation 35(2)(c) by failing to comply with Regulation 34(4) between November 2013 and December 2016 because, for that period, its compliance function failed to gauge the effectiveness of efforts to remove problems in respect of third party payments.
The bank's so-called "third-party payments procedure" included a requirement that the compliance department should monitor third-party payments on an ad hoc basis. Throughout the period of November 2013 to May 2016, this never happened.
This failure persisted despite two internal reports highlighting the absence of monitoring and the systematic neglect of internal policies.
This is the Central Bank’s 137th settlement since 2006 in accordance with its Administrative Sanctions Procedure, bringing the total amount of fines that it has levied up to more than €105 million. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, so they are not included in general Central Bank revenue.