On 27 July 2020, the Central Bank of Ireland ("Central Bank") fined The Governor and Company of the Bank of Ireland ("BOI") €1,660,000 for a range of regulatory breaches in connection with cyber security failings at its former subsidiary, Bank of Ireland Private Banking Limited ("BOIPB") [1].
The regulatory investigation arose from a 2014 cyber fraud incident perpetrated on BOIPB resulting in a finding that BOIPB had not applied adequate cyber security arrangements.
Administrative Sanctions Procedure
Under the Central Bank Act 1942, the Central Bank has the power to sanction regulated financial service providers for committing prescribed contraventions under its Administrative Sanctions Procedure ("ASP") [2].
It can impose various sanctions (by way of settlement or on foot of findings at an inquiry), ranging from reprimands to financial penalties of up to €10 million or 10% of turnover on a regulated financial service provider (whichever is the greater), and fines of up to €1 million on individuals involved in that firm's management.
The Central Bank investigation identified five contraventions of the client asset rules and organisational requirements in the MiFID Regulations [3] by BOIPB. It found that BOIPB failed:
- to implement sound administrative procedures and internal control mechanisms for third party payments;
- to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud;
- to establish, implement and maintain systems and procedures adequate to safeguard the security, integrity and confidentiality of client bank account details;
- to establish, implement and maintain adequate internal control mechanisms to comply with its obligations in relation to reporting of offences under section 19 of the Criminal Justice Act 2011; and
- to monitor and regularly assess the adequacy and effectiveness of the procedures and the actions taken to address deficiencies in respect of third party payments.
Conduct and Transparency
In determining the sanction, the Central Bank considered its 2019 ASP Sanctions Guidance [4]. This focuses on the nature, seriousness and impact of the underlying contraventions as well as the conduct of the regulated entity after the contraventions and during the regulatory investigation phase.
The Central Bank expects proactive engagement from regulated entities, from self-reporting through remediation and full cooperation with the investigation. The excessive time taken to remediate the identified deficiencies, the delay in reporting the incident and the failure to be fully transparent and open in the investigation were deemed aggravating features in this case.
The Central Bank determined the fine to be €2,370,000, which was then reduced by 30% in accordance with the ASP's early settlement discount scheme.
The headline sanction of €2,370,000 represented approximately 12% of BOIPB's reported operating income for the last year that it existed as an independent entity (y/e 31 December 2016), notably exceeding the lower 10% threshold under the ASP.
This is the second time the Central Bank has imposed a sanction where a client has suffered a loss from cyber fraud as a result of a firm's regulatory failings and its 137th settlement since 2006, bringing the total fines imposed by it to over €105 million.
Cyber Security in Focus
This case closely follows the publication of an industry letter by the Central Bank on 10 March 2020 to asset management firms relating to thematic inspection findings into the cybersecurity risk management practices in asset management firms.
This letter states that "concerns still exist for the Central Bank regarding the arrangements that are in place to adequately oversee all cybersecurity risks."
Coupled with the decision in this case, it highlights the Central Bank's continued focus on cyber security risk management and the importance of having proper policies and procedures in place.
In addition, it is important for regulated entities to be mindful of their obligations under data protection law, which can give rise to separate liability to individual data subjects, and to potential regulatory sanction by the Data Protection Commission, or equivalent.
[3] The European Union (Markets in Financial Instruments) Regulations 2007, since replaced by the European Union (Markets in Financial Instruments) Regulations 2017.
Originally published July 27, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.