Beware the Processing of Third Party Payments: BOI Fined €1.6 M in €106 K Cyber Fraud & for misleading the CBIAugust 2020
On the 28th of July the Central Bank of Ireland reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations). The offender, BOI’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB) was found to have serious deficiencies which occurred over a decade around third- party payments including:
- Inadequate systems and controls to minimise the risk of loss from fraud
- Inadequate governance, oversight and ongoing review of the systems and control environment
- Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
- Lack of compliance monitoring.
By hijacking the client’s account and using social engineering techniques such as using similar terminology to the client, the Cyberfraudster issued two separate payment instructions to BOI’s subsidiary totalling €106,430. BOI’s subsidiary nevertheless processed these payments, despite the instruction being signed off with an entirely different name than the name of the client. In addition, the following red flags should have been picked up:
- incorrect telephone details;
- the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account;
- and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.
Aggravating factors include a very serious matter of not reporting the fraud to An Garda Siochana and the Revenue Commissioners and for failing to be open and transparent with the Central Bank in the course of the investigation. BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments.
For more on this read the CBI’s full press release HERE
By Judy de Castro - Regulatory Consultant