On the 30th of November 2021, the Central Bank reprimanded and fined the Governor and Company of the Bank of Ireland regarding IT service continuity deficiencies that were initially raised in 2008 but were only recognised in 2015.
The Central Bank of Ireland commenced its investigation in 2018 after the matter was referred to it by the European Central Bank (ECB). The investigation highlighted the following failures:
- Failure to have in place contingency and business continuity plans in relation to IT service continuity.
- Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor, and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
- Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent, and consistent lines of responsibility.
- Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities, and clear interdependencies between third-party IT service providers.
- Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said:
“The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”
For the full enforcement notice please see below: Enforcement Action: Central Bank of Ireland and The Governor of the Bank of Ireland
By: Eilish Larkin - Regulatory Consultant