Bank of Ireland hit with record €24.5m fine for IT failures
Bank of Ireland has been fined a record €24.5m and publicly reprimanded by the Central Bank of Ireland for IT failures dating back to 2008.
The scale of the fine will be seen as a shot across the bows of the boards of all financial institutions, aimed at making technological resilience a core focus for the highest level of leadership, especially as no customers suffered any disruption or loss of service as a result of the failures identified. The fine is dramatically bigger than Ulster Bank’s €3.5m for IT failures back in 2012 that left its customers locked out of their accounts, in some cases for weeks.
That’s in large part because the fines have been levied under tougher rules that were in place at the end of the period under investigation, and despite the fact that the failures at Bank of Ireland did not impact customers. Instead, the failures related to lax internal systems, including weak internal controls that meant management did not act even though issues were raised.
In a statement Bank of Ireland admitted the failures and apologised.
"Bank of Ireland fully acknowledges, and sincerely apologises for, each of these breaches which should not have arisen."
The bank said it has now invested heavily in IT service continuity.
At Bank of Ireland the lack of a robust back-up meant the bank’s IT service continuity framework would potentially not have been able to cope if the bank had suffered a major IT incident between 2008 and 2015. That could have had a devastating effect on consumers.
An investigation by the Central Bank was sparked after the bank supplied details of its own internal audit to regulators via the ECB’s single supervisory mechanism.
The IT deficiencies were repeatedly identified from 2008 onwards but, due to internal control failings, only started to be appropriately recognised and addressed in 2015. That period spans much of the financial crisis, when Bank of Ireland was part nationalised after suffering almost fatal losses on boom-era property loans. The period also saw a consortium of US investors take a significant stake in the bank at a knock-down price in 2011, notably including Wilbur Ross, who joined the bank’s board after taking a 9pc stake and went on to triple his money in just three years by selling out for a €500m profit in 2014.
Former CEO Richie Boucher was at the helm of the bank for much of the period, with current head Francesca McDonagh taking over in 2017.
Steps taken to address the deficiencies were completed by 2019, the Central Bank said.
Regulators found the appropriate fine level to be €35m, which has been reduced in accordance with a settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure (ASP).
Bank of Ireland admitted five contraventions occurring between 2008 and 2019 including:
· The failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
· The failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the board; and
· The failure to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.
The Central Bank’s Director of Enforcement, Seána Cunningham, said banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems.
“Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.
“From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third party reports. However, steps to address these deficiencies only commenced in 2015.
“This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”
Details of the Central Bank investigation show that in 2015, Bank of Ireland’s Internal Audit raised concerns about deficiencies in its IT service continuity framework. In 2016, BOI commissioned an internal investigation into how the IT service continuity deficiencies had persisted from 2008 to 2015.
The resulting report, completed in October 2017 and provided to the ECB as banking supervisor, identified a number of risk management and internal control failings. These included failings relating to the management and oversight of the bank’s third party IT vendors, and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.
The ECB referred the case back to the Central Bank of Ireland for further investigation, which began in August 2018.
The Central Bank has not announced any regulatory action against any individual related to the failures, although it is understood that is a possible option in future.
By Donal O’Donovan, December 02, 2021