Bank of Ireland has been fined €24.5 million by the Central Bank for failing over the course of more than a decade to have an adequate system in place to ensure continuity of service to customers in the event of a serious IT disruption.
The regulator was asked by the European Central Bank (ECB) to investigate the matter in August 2018, almost a year after an internal Bank of Ireland report identified a number of risk management and internal control failings in respect of Bank of Ireland’s IT service continuity. That report had been sparked by concerns raised in 2015 by internal audit at the lender on the issue, even though there had been warnings as far back as 2008 about deficiencies in this area.
The fine is the second highest levied by the Central Bank, eclipsed by an almost €38 million penalty imposed on Ulster Bank earlier this year for its role in the industry-wide tracker mortgage scandal. Bank of Ireland remains under investigation in relation to the tracker-mortgage issue.
“From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third-party reports. However, steps to address these deficiencies only commenced in 2015,” said Seána Cunningham, the Central Bank’s director of enforcement and anti-money laundering.
“The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.”
The Central Bank declined to say whether the third-party report authors were companies involved in providing outsourced IT services to the bank or professional services firms hired routinely to assess risks within the company.
The breaches cover a period during which the banking industry globally rapidly increased its focus on online banking, a trend that has accelerated since the onset of the Covid-19 pandemic. Bank of Ireland is currently nearing the end of a €1.15 billion programme initiated in 2016 to replace its ageing core banking systems.
The Central Bank said the lender only took initial steps in 2015 to address deficiencies in both its IT service continuity framework and associated internal controls. However, this was not completed until 2019.
The regulator highlighted failings in the three lines of defence Bank of Ireland had in place to ensure IT service continuity at a time when the third-party reports between 2008 and 2015 were highlighting shortcomings. The lines of defence included the ownership and management of risks; oversight and challenge of the first line of defence; and independent assurance that risks were being managed.
“Ultimately, these internal control failings resulted in deficiencies in the firm’s IT service continuity framework persisting for a prolonged period. This is particularly serious as the firm’s reliance on IT was significantly increasing year on year, in common with the sector,” the Central Bank said.
The sanction comes seven years after Ulster Bank was fined a then-record €3.5 million by the Central Bank over the serious failings of its IT systems in June and July 2012, which resulted in about 600,000 customers being “deprived of essential and basic banking services” over a 28-day period.
Law changes in 2013 hiked the maximum fine the regulator can impose on firms for rule breaches, from €5 million to €10 million, or 10 per cent of turnover. The contraventions in the Bank of Ireland case continued beyond 2013.