Irish c-bank imposes €24.5M fine on Bank of Ireland
The Central Bank of Ireland has reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) €24,500,000 pursuant to its Administrative Sanctions Procedure (ASP) for failures to have a robust framework in place to ensure continuity of service for the firm and its customers in the event of a significant IT disruption.
These IT service continuity deficiencies were repeatedly identified from 2008 onwards but due to internal control failings only started to be appropriately recognised and addressed in 2015. The steps taken by BOI to address the deficiencies were completed by 2019.
The Central Bank has determined the appropriate fine to be €35,000,000, which has been reduced by 30% to €24,500,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP.
BOI has admitted five contraventions occurring between 2008 and 2019 including:
- The failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
- The failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
- The failure to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.
The regulator explains that firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.