Ireland’s central bank has fined Bank of Ireland €24.5 million over IT deficiencies that the lender took over a decade to fix.
The failures related to defects in the Irish bank’s IT continuity framework, which the central bank says were repeatedly identified from 2008 onwards but, due to internal control failings, only started to be appropriately recognised and addressed in 2015.
An internal investigation commissioned by Bank of Ireland identified failings relating to BOI’s management and oversight of its third-party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.
The steps taken by the firm to address the deficiencies were completed by 2019.
The Central Bank of Ireland’s director of enforcement and anti-money laundering, Seána Cunningham, says: “The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations. The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.”
It’s not the first time Bank of Ireland has fallen foul of the regulator. In July last year, Ireland’s Central Bank imposed a €1.66m fine on BoI for a regulatory breach that saw one of its subsidiaries transfer more than €100,000 to a hacker who had illegally accessed a client’s email account.
Furthermore, the Central Bank also stated that BoI took more than a year to alert the police following the breach and misled the regulator during the subsequent investigation.