Bank of Ireland fined record €24.5m over IT failures
The Bank of Ireland (BOI) has been fined a record €24.5 million over failures to guarantee continuity of service in the event of significant IT disruptions.
The bank admitted five breaches of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 and the European Union (Capital Requirements) Regulations 2014 between 2008 and 2019.
These included a failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption; a failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and a failure to properly engage and oversee the management of third-party IT service providers with respect to IT service continuity.
The Central Bank of Ireland determined the appropriate fine to be €35 million, which was reduced by 30 per cent to €24.5 million in accordance with the settlement discount scheme provided for in the Central Bank’s administrative sanctions procedure (ASP).
Seána Cunningham, the Central Bank’s director of enforcement and anti-money laundering, said: “Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems. It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption.
“Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.”
She added: “From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third-party reports. However, steps to address these deficiencies only commenced in 2015.
“The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations. The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.
“This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”