Bank of Ireland has been fined €24.5m by the Central Bank for regulatory breaches related to its IT systems and related internal controls.
The regulator found that Bank of Ireland failed to have a robust framework in place to ensure continuity of service for it and its customers in the event of a significant IT disruption.
The lender also didn't have effective internal controls in place to identify such issues and ensure they were brought to the attention of senior management and the Board.
The Central Bank also found that when it came to IT service continuity, Bank of Ireland failed to properly engage and oversee the management of third party IT service providers.
The deficiencies were repeatedly identified from 2008 onwards.
However, because adequate internal controls were not in place, the bank only began to recognise and deal with them from 2015.
The problems were only fully rectified two years ago.
The Central Bank has acknowledged that no major outages occurred at Bank of Ireland during the period under investigation, but has said banks need to be prepared for such eventualities.
"Today's banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems," said Seána Cunningham, the Central Bank's Director of Enforcement and Anti-Money Laundering.
"It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption."
"Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving."
The Central Bank said the extent and duration of these breaches were particularly serious given the 'always on' nature of the services that Bank of Ireland provides.
"The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services," Ms Cunningham said.
"Had BOI's critical services been disrupted, this could have led to adverse effects on customers and the financial system."
The Central Bank said that a 2015 internal audit at Bank of Ireland first raised concerns about the IT service continuity framework deficiencies.
This was followed the next year by an internally commissioned investigation into how the problems had continued from 2008 to 2015, despite being repeatedly identified in third party reports.
The report that came from that probe was sent to the European Central Bank, which acts as lead supervisor on these matters.
It identified a number of risk management and internal control failings in respect of BOI's IT service continuity as well as failings relating to the bank’s management and oversight of its third party IT vendors.
The ECB then asked the Central Bank to conduct its own investigation, which began in August of 2018 and culminated with a settlement agreement late last month.
The Central Bank has not commented on whether other similar investigations are underway into other Irish banks, or whether the role of individuals in the Bank of Ireland case is being investigated.
The Central Bank decided the appropriate fine should be €35,000,000, but this was reduced by 30% to €24,500,000 under its settlement discount scheme.
It is, however, the largest ever fine in this area of enforcement in the Central Bank’s history.
In 2019 Ulster Bank was fined €3.5m by the regulator for a breakdown in its IT systems in 2012 that left 600,000 customers without basic services for a month.
Minister for Finance Paschal Donohoe described the Central Bank's decision to fine Bank of Ireland as a "significant action".
He said it was a reminder of how fundamental information technology now is to the delivery of banking services, adding that it shows how seriously the Central Bank treats issues relating to IT systems and services.
Mr Donohoe said it reminds people that Ireland has a very strong independent regulator that is capable of levelling significant fines and sanctions when it is merited.
Bank of Ireland 'sincerely apologises' for breaches
In a statement, Bank of Ireland said it admitted five breaches to the Central Bank of Ireland, related to its IT service continuity framework and related internal controls between 2008 and 2019.
"Bank of Ireland fully acknowledges, and sincerely apologises for, each of these breaches which should not have arisen."
To "comprehensively" address these breaches, the bank said it has invested heavily in IT service continuity, completing an extensive groupwide programme of work between 2015 and 2019.
"This has included technology investment such as infrastructure and network upgrades, and enhanced testing, planning and internal procedures," the statement said.
Following the actions taken, Bank of Ireland said it has "robust" IT service continuity processes in place and continues to invest heavily in this area as technological requirements evolve.
"The bank co-operated fully, proactively and voluntarily with the CBI during this investigation," it added.