Here's a blueprint for inviting an enforcement action for cyber-fraud & misleading your regulator arising from Bank of Ireland's fine €1,660,000 announced today. [Linkedin Post Here]

What did Bank of Ireland do wrong?:

1) failed to implement sound administrative procedures & internal control mechanisms in respect of third party payments.

2) failed to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

3) failed to establish, implement & maintain systems & procedures adequate to safeguard the security, integrity & confidentiality of client bank account details.

4) failed to establish, implement & maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Sec. 19 of the Criminal Justice Act 2011.

5) failed to monitor adequacy & effectiveness of the measures & procedures put in place & the actions taken to address any deficiencies in respect of third party payments.

6) failed to be open & transparent, having the effect of misleading the Central Bank in the course of the investigation.

On 27 July 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB).  BOI has admitted the breaches, which vary in length from one to ten years.

In line with its published Sanctions Guidance, the Central Bank has determined the appropriate fine to be €2,370,000, which has been reduced by 30% in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure.

The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014 (the Incident).  Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds.  BOIPB immediately reimbursed the client. During a Full Risk Assessment of BOIPB in 2015, the Central Bank discovered a reference to the Incident in an operational incident log. 

BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the Incident.
​
The Central Bank’s investigation found serious deficiencies in respect of third party payments, including:

• Inadequate systems and controls to minimise the risk of loss from fraud
• Inadequate governance, oversight and ongoing review of the systems and control environment
• Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
• Lack of compliance monitoring.

BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation.  BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments.  During that same period, BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation. BOIPB’s conduct materially added to the time it took to investigate this case.

This is one of two aggravating factors in this case; the other being the excessive amount of time it took BOIPB to fully remediate the relevant deficiencies.  Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the Central Bank’s intervention.  In August 2016, the Central Bank determined that a Risk Mitigation Programme (RMP) relating to third party payment processes was completed.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.

This is the second time the Central Bank has imposed a sanction on a firm where a client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings.  BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice.  BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter.  Reporting illegal activity is essential in the fight against financial crime.

This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security.  The Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.

The Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”

BACKGROUND
Founded in 1989, BOIPB was first authorised as a “section 10 investment business firm” under the Investment Intermediaries Act, 1995 (the 1995 Act) on 26 May 2000.  This authorisation was subsequently transferred to an authorisation under the MiFID Regulations on 1 November 2007.
At the time of the cyber-fraud, BOIPB was an independently regulated MiFID firm and its primary activity was to provide investment services to high net worth individuals who had investable assets in excess of €1,000,000. In addition, BOIPB provided a full range of banking services to its clients (lending, deposit taking and day-to-day current account banking) as a deposit agent of BOI.

Since 1 September 2017, BOIPB is no longer a MiFID firm and is now a business unit within the Retail Division of BOI. The unit retains the name Bank of Ireland Private Banking as a trading name of the Governor and Company of the Bank of Ireland. Its services are authorised by the Central Bank of Ireland under the licence of BOI, a regulated financial service provider for the purposes of the Central Bank Act 1942.  BOIPB’s audited financial statements for the year ended 31 December 2016, the last year it existed as a separate entity, reported operating income of €19,867,000.

THE CYBER-FRAUD
Third party payment instructions were processed by BOIPB with particular reference to a procedure called the Third Party Payments Procedure (the TPPP), which outlined steps to be followed to verify a client’s identity before processing a third party payment instruction. 

BOIPB processed two separate payment instructions received in September 2014, purportedly from a client (the Client), which in fact were sent by a cyber-fraudster (the Fraudster) who had hacked the Client’s e-mail account.  This led to two transfers totalling €106,430 to be transmitted to a corporate bank account at a UK bank.  The first transfer was drawn from the Client’s current account, and the second transfer was drawn, at the instigation and authorisation of BOIPB, from BOIPB’s suspense account because the payment from the Client’s deposit account was rejected due to insufficient funds.

The Client made contact with BOIPB and notified it of the fraud on 30 September 2014, on receipt of an e-mail from BOIPB indicating recent communications (which were unfamiliar to the Client).  The Client was immediately reimbursed by BOIPB.

To facilitate the instructions received from the Fraudster, BOIPB staff, in breach of BOIPB’s policies and procedures:

• Released confidential account details to the Fraudster in response to an email request
• Did not ask security questions of the Fraudster when taking transfer instructions and responding to requests for account balances over the telephone
• Did not use the telephone number held for the Client on BOIPB’s database, instead speaking to the Fraudster on a telephone number provided in a fraudulent e-mail instruction
• Did not have a second staff member complete a call-back to verify the request.

The Fraudster used the following tactics:

• “Email hijacking”: hacking the Client’s e-mail account and re-directing e-mails coming from BOIPB to a mirror image e-mail account secretly set up by the Fraudster to intercept communications coming from BOIPB in relation to the fraudulent payment requests
• “Social engineering”:  in communications with BOIPB staff, making reference to the purchase of a property, the name of the Client’s solicitor, and similar terminology to that used by the Client in other emails.
• BOIPB did not identify certain flags which could have been indicative of fraud.
• The Fraudster used the expression “Ireland Account” when referring to the Client’s current account
• One email sent by the Fraudster from the Client’s email account to BOIPB staff was signed off with an entirely different name than the name of the Client.  The name used was that of an unrelated client of BOIPB.  The BOIPB recipient of the email did not pick up this discrepancy, or if he did, did not query it
• The fraudulent instructions were suspicious in nature. They included: incorrect telephone details; the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account; and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.

 
PRESCRIBED CONTRAVENTIONS
The Central Bank investigation identified the following contraventions:

Contravention 1
BOIPB breached Regulation 33(1)(f)(i) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to implement sound administrative procedures and internal control mechanisms in respect of third party payments.

The Central Bank’s investigation found that the TPPP was wholly inadequate for the purposes of safeguarding client deposits when processing third party payments.  In particular, key procedural, security and authorisation steps were not outlined in the document. Staff did not receive adequate training on the processing of third party payments to ensure they were fully aware of how to safely process these payments.

Contravention 2
BOIPB breached Regulation 160(2)(f) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

The serious weaknesses in the process around third party payments, which had existed for some time, should have been known to management through proper governance, oversight and monitoring. There was no monitoring of third party payments by the first or second lines of defence. Furthermore, the recommendations of the first internal report commissioned by BOIPB in relation to this matter, dated December 2014, were not acted on. Similar weaknesses were identified in a second internal report in January 2016. Remediation of the issues identified in both reports did not take place until February 2016. 

Contravention 3
BOIPB breached Regulation 34(3)(a) of the MiFID Regulations between 1 November 2007 and 2 January 2018 by failing to establish, implement and maintain systems and procedures adequate to safeguard the security, integrity and confidentiality of client bank account details.

The investigation found that for the purposes of customer service, BOIPB staff frequently engaged with private clients through e-mail.  E-mail communication, because it is more vulnerable to infiltration by fraudsters than other forms of communication, needs to incorporate additional checks before being acted upon. By failing to identify and provide for this, BOIPB failed to safeguard the security, integrity and confidentiality of information relating to client bank accounts.

Contravention 4
BOIPB breached Regulation 34(1)(c) of the MiFID Regulations between 30 September 2014 and 16 December 2015 by failing to establish, implement and maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Section 19 of the Criminal Justice Act 2011.  

BOIPB reported the Incident to its Group Financial Crime Unit (GFCU) on 1 October 2014. GFCU, on behalf of BOIPB, did not report the Incident to An Garda Síochána until December 2015, on the instigation of the Central Bank.

Contravention 5
BOIPB breached Regulation 35(2)(c) of the MiFID Regulations by failing to comply with Regulation 34(4) between November 2013 and December 2016 because, for that period, BOIPB’s Compliance function failed to monitor, and on a regular basis to assess the adequacy and effectiveness of the measures and procedures put in place and the actions taken to address any deficiencies in respect of third party payments.

The TPPP included a requirement that ad-hoc monitoring of third party payments be carried out by the Compliance function. The investigation found that throughout the period November 2013 to May 2016, no ad-hoc monitoring of third party payments was in fact carried out.
This failure persisted despite two internal reports highlighting the absence of monitoring and the systemic non-adherence to the TPPP.

BOIPB’S RESPONSE TO THE CYBER-FRAUD AND REMEDIATION
The Central Bank expects firms to promptly remediate known deficiencies in their procedures and internal control mechanisms.  BOIPB failed to do so.

Following the Incident, BOI Group Internal Audit function (GIA) investigated how it had occurred. GIA produced their findings in a report in December 2014, which pointed to systemic failings in the processing of third party payments. GIA strongly recommended that BOIPB carry out sampling to verify the authenticity of other “high-value interpays”. BOIPB failed to do this. GIA further recommended, that, at a minimum, the procedure in place relating to third party payments should be enhanced to clarify roles and responsibilities for authenticating and approving third party payments. Again, BOIPB failed to do this. The procedure remained unchanged until February 2016.
In March 2015, BOIPB commissioned a further internal review, this time by BOI Retail Business Assurance (RBA) centred on BOIPB’s procedures for processing third party payments.

Separately, following the Full Risk Assessment (the FRA) conducted in 2015, the Central Bank informed BOIPB that improvements in relation to third party payment processes would be part of the subsequent RMP arising from the FRA as the process in place was “not robust enough”.  The RMP was issued in February 2016, which set out the Central Bank’s expectations in relation to the actions needed to improve the third party payment process.

RBA issued its findings in draft to BOIPB in January 2016 (the RBA Report).  Following an assessment of a sample of third party payment records, RBA concluded that the same issues identified in December 2014 persisted, namely that client identification questions were not consistently being asked of clients as well as other deficiencies in the third party payment process.

BOIPB updated and revised the TPPP in February 2016. The RBA Report was signed-off in June 2016.  In August 2016, the Central Bank determined that the full RMP was completed.

BOIPB’S COOPERATION WITH THE CENTRAL BANK
The Central Bank expects regulated entities to cooperate in an open manner at all times and to respond to requests promptly, effectively and accurately.

When the Central Bank’s investigation commenced in February 2016, BOIPB possessed the RBA Report which contained highly critical findings in relation to the processing of third party payments. As such, it was highly probative to the Central Bank’s investigation.

The Central Bank issued a request for records in February 2016.  BOIPB should have provided a copy of the RBA Report when it responded to this request in April 2016. BOIPB failed to do so, instead it included one vague narrative reference to a risk assessment of banking activities (making no reference to a “report” or the fact that it related to third party payments specifically) within a document accompanying the records it supplied in response to the Central Bank’s request.
BOIPB disclosed the RBA Report to the Central Bank 19 months after the commencement of its investigation in response to a Central Bank statutory request explicitly requiring production of the record BOIPB had described as a “risk assessment”.  It was only when the document was disclosed and reviewed that its true nature and content became apparent to the Central Bank. 

The Central Bank conducted lengthy enquiries as to the circumstances around BOIPB’s failure to promptly disclose the RBA Report and the following arose:

• BOIPB held the RBA Report back as it was in “draft format”
• BOIPB decided not to proactively provide the RBA Report to the Central Bank following its signing-off in June 2016.  Instead, it would provide the signed-off report to the Central Bank only if specifically requested to do so
• Notwithstanding BOIPB’s acceptance of the recommendations of the RBA Report, in the course of the Central Bank’s investigation:
• BOIPB made no reference to the existence of the RBA Report or its highly critical findings until after it was provided to the Central Bank in September 2017; and
• Until May 2018, BOIPB denied that there were any deficiencies whatsoever in its third party payment processes, despite the manifestly contrary findings of the RBA Report, available since January 2016.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019. The following particular factors are highlighted in this case.

The Nature, Seriousness and Impact of the Contravention

• The contraventions revealed serious weaknesses of the management systems and internal controls relating to the processing of third party payments. The Central Bank, at a minimum, expects that firms ensure that there are comprehensive written procedures and robust internal controls, with effective and appropriate oversight and governance afforded to these. BOIPB had a responsibility to have adequate controls in place to protect  its clients’ deposits, and those controls were not sound 
• There was an actual loss of client deposits and the continued exposure of those deposits to potential loss
• The breaches spanned the lengthy period from November 2007 to January 2018.

​
The Conduct of the Regulated Entity after the Contravention

Aggravating

• BOIPB’s level of cooperation was far below what is expected.  BOIPB failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request.  It also provided information to the Central Bank that was imprecise and vague.  The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged.
• BOIPB did not take remedial action in a timely manner to address the contraventions despite knowledge of the severity of the deficiencies and the attendant risk of further loss to client deposits.

Other Considerations

• The financial position of BOIPB (prior to being merged into BOI on 1 September 2017) and the need to impose a proportionate level of penalty.

The Central Bank confirms that the investigation is now closed.
 
NOTES

1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.
2. This is the Central Bank’s 137th settlement since 2006 under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €105 million.
3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts.  The penalties are not included in general Central Bank revenue.
4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link. 
5. A copy of the ASP Sanctions Guidance November 2019 is available here: link This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure (see link above) and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here:  link.   These documents should be read together.
6. The European Communities (Markets in Financial Instruments) Regulations 2007 (S.I. No. 60 of 2007) were repealed and replaced by the European Union (Markets in Financial Instruments) Regulations 2017 (S.I. No. 375 of 2017) which are available link and the European Union (Markets in Financial Instruments) (Amendment) Regulations 2017 (S.I. No 614 of 2017) which are available here: link
7. Bank of Ireland Private Banking Limited  merged into The Governor and Company of the Bank of Ireland on 1 September 2017.
8. On 22 September 2015, the Central Bank sent a Dear CEO letter following its review of the management of operational risk around cyber-security within the investment firm and funds industry that is here: link On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link
9. On 10 March 2020, the Central Bank issued an industry letter for the attention for the attention of all Board members and Senior Management of asset management firms and published findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms: link

​Further information:
Media Relations: [email protected] / 01 224 6299
Ewan Kelly: [email protected] / 086 463 9652

Download Westpac's Report released 17 July 2020 - Reassessment of the Culture, Governance and Accountability Remediation Plan

Linkedin Post at ​https://www.linkedin.com/posts/peteroakes_riskculture-riskmanagement-regtech-activity-6689803983407628288-ynbv


Here's a good 5 point list of root causes of non-financial risk issues at large systemically important banks & institutions (anywhere in the world). In this case Westpac, arising from a report ordered by the Australian prudential regulator.

Applicable to non banks and non systemically important institutions:

1. an organisational construct that creates complexity;
2. an "immature and reactive" #riskculture in non‑financial risk management;
3. a 'three lines of defence model' that is not well understood or embedded among bank staff;
4. the lack of sufficient non-financial #riskmanagement capability; and
5. challenges in execution and staying the course.

With Westpac's CEO responsible for its new initiative "customer outcomes and risk excellence" or CORE, #regtech will need to feature heavily in execution, tracking & learnings.

Professor Elizabeth Sheedy, a #riskculture expert saying that the latest report shows too often risk is seen as a handbrake by banks rather than an enabler for long-term success.
Westpac "admitted the "culture, governance and accountability program", set up in January 2019 to implement the reforms, "has not delivered sufficient momentum", with many in the bank still do not "fully appreciate the cumulative impact of the issues". Paul McCarthy

Copyright with Australian Financial Review and James Eyers

Westpac Banking Corp has been forced to launch a new program to attempt to fix its broad risk-management failings, after a reassessment of its culture demanded by Australian Prudential Regulation Authority identified ongoing concerns, including that its non-financial risk culture is still "immature and reactive".

The new report identifies a lack of urgency and clarity in Westpac's response to problems it identified in a 2018 self-assessment of governance, which were exacerbated when AUSTRAC dropped a bombshell case last November that triggered the departures of the bank's CEO and chairman.

The Australian Prudential Regulation Authority insisted on the reassessment because it was concerned Westpac was not tackling the root causes of its failings when it read AUSTRAC's statement of claim. The latest investigation found Westpac is still "overly complex, which results in confusion around accountability and challenges in execution".

The shortcomings identified in the report, which was sent to all of Westpac's 35,000 staff on Friday morning, found Westpac's organisational structure created complexity, and its 'three lines defence' model, which is supposed to prevent risks materialising, "is not well understood or embedded".
The report highlights a "shortfall in sufficient non-financial risk-management capability" and says that even though Westpac has made various changes to respond to issues, "what is required is a program of deeper change".

It criticised an ongoing blame game, stating a priority for its work on culture "will be to strengthen psychological safety" for staff after the reassessment found "in some situations leaders had reacted to incidents with a focus on who is to blame rather than what to learn".
Many of the same failings were identified in the bank's self-assessment for APRA in 2018, after all banks were asked to audit themselves against the prudential regulator's expectations for fixing widespread cultural problems at Commonwealth Bank of Australia. The Hayne royal commission should also have emphasised the urgency of repairing culture to meet community expectations and restore trust.

But Westpac recognised on Friday the changes it has been making to respond to the 45 recommendations set out in its 2018 self-assessment had been "incremental". It admitted the "culture, governance and accountability program", set up in January 2019 to implement the reforms, "has not delivered sufficient momentum". It said many in the bank still do not "fully appreciate the cumulative impact of the issues".

“Our reassessment confirms that our management of non-financial risk is currently not at the standard we set for ourselves," said Westpac CEO, Peter King, releasing the 50-page report to the ASX.
“It is clear we have more to do to address these shortcomings, including improving our risk management capability and risk culture which is not where we want it to be."

APRA is continuing to investigate possible breaches of the Banking Act by Westpac, including the speed at which it has rectified issues identified by AUSTRAC. APRA has already imposed a $1 billion capital penalty on the bank to reflect its "heightened operational risk profile".

At the CORE

Westpac on Friday announced it would initiate a multi-year, multi-million dollar program, which it is calling "customer outcomes and risk excellence" (CORE). Mr King said he would be accountable for its delivery.

The reassessment said Mr King, who replaced Brian Hartzer as CEO, and the Westpac board, now led by John McFarlane who took the reins from Lindsay Maxsted, need to take more responsibility and set a proper "direction and tone" about the importance of the measures.

The report – which was conducted by Westpac management and a team from consultants Oliver Wyman together with assurance oversight by another consulting firm, Promontory – pointed to five ongoing "root causes" of Westpac's travails.

These are: an organisational construct that creates complexity; an "immature and reactive" risk culture in non‑financial risk management; a 'three lines of defence model' that is not well understood or embedded among bank staff; the lack of sufficient non-financial risk management capability; and challenges in execution and staying the course.

"Westpac does not underestimate both the magnitude of the changes that are required and the effort involved."

Professor Elizabeth Sheedy, a risk culture expert from Macquarie University, said the latest report shows too often risk is seen as a handbrake by banks rather than an enabler for long-term success.

"For me it all comes back to excessive focus on short-term profits which is driven by short-term cash bonuses," she said. "There is also a massive shortage of qualified and experienced risk and compliance executives across the industry. Institutions tend to want to keep budgets very tight when it comes to resourcing risk and compliance, which sends a message about organisational priorities."

It is expected that Westpac will look to make additional cost savings in order to pay for additional investment that will be required to improve risk systems.

The report was released after Mr McFarlane warned in an interview with the Financial Review on Friday that excessive financial regulation could make it more difficult for banks to lend and hamstring the economic recovery.

Westpac has been negotiating with AUSTRAC over a potential settlement of the anti-money laundering case, with the financial crimes regulator due to file an amended statement of claim next month to incorporate broader allegations that the bank should have suspected another 270 customers were paedophiles.

It is also waiting for a decision from the Australian Securities and Investments Commission on whether it will appeal the bank's responsible lending victory in the full Federal Court last month to the High Court.


James Eyers writes on banking, fintech and technology. Based in our Sydney newsroom, James is a former Legal Affairs and Capital editor for the Financial Review Connect with James on Twitter. Email James at [email protected]

Source: https://www.afr.com/companies/financial-services/westpac-culture-still-immature-and-reactive-20200717-p55cxa