The Central Bank has fined Appian Asset Management a total of €443,000 and reprimanded it for significant breaches of regulations which resulted in the loss of a client's funds due to cyber-fraud.
This is the first time the Central Bank has fined a company for the loss of client funds from cyber-fraud as a direct result of a firm's "significant regulatory breaches and failures".
The breaches across three regulatory regimes - client asset, anti-money laundering and fitness and probity - have been admitted by the company.
The Central Bank said Appian Asset Management's regulatory failures left it exposed to a cyber-fraud by a third party which resulted in the loss of €650,000 from a client's funds.
The client has since been fully reimbursed, it added.
Appian said the issue arose in 2015, when the email account of a client of the firm was hacked and used to give false instructions to Appian to transfer some of the client's funds (€650,000) to third-party accounts in the UK.
Appian itself discovered what had occurred and reported the matter to the Central Bank and the Gardaí, and replaced the funds in the client's account.
Appian's chief executive Patrick Lawless said that the cyber-security breach occurred outside of Appian but the company's failure to identify certain suspicious "red flags" allowed the hacker to succeed in the fraud.
He said the company has apologised to the Central Bank and has accepted the sanction imposed on the firm.
"Following this incident, Appian has remediated its failings, complied with the Risk Mitigation Programme issued by the Central Bank, introduced new client asset and AML/CFT policies and procedures and introduced new controls in respect of the management of client assets," he added.
The Central Bank said its investigation identified that the loss of client funds was caused by the fact that Appian had defective controls to protect client assets against fraud.
The company also had inadequate policies and procedures to monitor transactions, detect and report money laundering and provide its staff with appropriate training.
It also failed to ensure that an employee, performing a role that might expose the firm to financial, consumer or regulatory risk, was fit for that role, the Central Bank said.
"Appian's failures in this case demonstrated serious deficiencies in its governance arrangements, risk management, compliance oversight, and systems of internal control," commented Seána Cunningham, the Central Bank's Director of Enforcement and Anti Money Laundering.
"These failings, combined with a culture in which clients' instructions were given primacy over security and regulatory concerns, rendered the Firm exposed to the cyber-fraud that occurred," Ms Cunningham said.
"It placed client assets at heightened risk and that risk crystallised. The Central Bank views such fundamental failings as completely unacceptable," she added.
She said the Central Bank expects the board and senior management of all firms permitted to hold client assets to take active measures to ensure they hold such assets safely and securely.
"It is imperative that the people who run firms are vigilant as to their vulnerabilities around cybercrime and should ensure that all appropriate regulatory safeguards are in place to protect their clients' assets," the Central Banker added.
This is the Central Bank's 119th settlement since 2006 under its Administrative Sanctions Procedure, bringing total fines imposed by it to over €62m.