The Bank of Ireland has reportedly been fined €24.5 million by the Central Bank for failing, for more than 10 years, to have a proper system in place to ensure continuity of service to clients in the event of a major IT fault or disruption.
The regulator had been asked by the European Central Bank (ECB) to look into the matter in August 2018, nearly a year after an internal Bank of Ireland report found several risk management and internal control failings relating to Bank of Ireland’s ability to maintain IT service continuity.
That report had been released due to concerns on the issue cited in 2015 by internal audit at the Bank, according to a recent update from the Irish Times. There had also reportedly been warnings dating back to 2008 regarding serious deficiencies or shortcomings in this particular area.
The fine is notably the second-highest that has been levied by the Central Bank. It has been exceeded by the nearly €38 million fine levied on Ulster Bank earlier in 2021 for its alleged involvement in the tracker mortgage scandal.
As mentioned in the announcement, Bank of Ireland is currently being investigated in relation to the tracker mortgage scandal.
Seána Cunningham, the Central Bank’s Director of Enforcement and AML, stated:
“From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third-party reports. However, steps to address these deficiencies only commenced in 2015.”
Cunningham added:
“The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.”
The Central Bank did not comment on whether the third-party report providers were firms offering outsourced IT solutions to the banking institution or professional services companies employed regularly to determine various risks within the firm.
The breaches reportedly cover a period during which the banking sector internationally had increased its focus on online banking, a key trend that has accelerated since the Covid-19 outbreak.
The Bank of Ireland is presently at the latter end of a €1.15 billion program that began in 2016 in an effort to replace its outdated, legacy core banking solutions.
The Central Bank confirmed that the lender only took the first few steps in 2015 to address the deficiencies in its IT service continuity framework and related internal controls, and that this work was not completed until 2019, the report revealed.