In 2022 Transactive Systems UAB was second among Lithuanian electronic money and payment institutions in terms of annual turnover (€13.1 billion), with operating income amounting to almost €4mn.

In revoking its electronic money authorisation, the Bank of Lithuania said that the following “main violations and deficiencies were identified” at the regulated #fintech firm Transactive Systems UAB:
 

• failed to properly identify clients, their representatives and beneficiaries;
• did not ensure adequate monitoring of business relations and operations*;
• in opening virtual accounts for its clients, Transactive Systems UAB enabled the opening of anonymous accounts;
• had absolutely no control measures for identifying cases of terrorist financing;
• failed to ensure proper implementation of international financial sanctions restrictive measures, and its monitoring and verification systems were ineffective;
• did not identify suspicious customer transactions and did not report them to the Financial Crimes Investigation Service;
• failed to ensure that the internal control function responsible for the organisation of money laundering and the prevention of terrorist financing was independent and a conflict of interest was avoided; and
• provided incorrect, incomplete and inaccurate information to the Bank of Lithuania.

* including that institution's immediate and retrospective monitoring of transactions was ineffective, the selected monitoring model did not correspond to the volume of processed transactions, suspicious transactions were not reviewed and properly analysed.

* measures aimed at determining whether the client's funds and assets were not obtained directly or indirectly from a criminal act or by participating in such an act were of poor quality and insufficient.
 

If these are a description of the ‘main violations and deficiencies’ identified, what else was going on?  

Over the past few weeks at events like ACAMS (ACAMSAssembly ACAMSEurope) Joby Carpenter Craig Timm Natasha Powell Shelley Schachter-Cahm and I discussed the situation of fintech and financial crime controls.
 
Many others and I had great discussions about good fintech companies having their reputations impinged by a few bad fintech actors both big (yes some fintech banks who know who they are and some from China who know who they are) and small (some from the east side of the EU bloc, Israel and disturbingly some regulated fintech firms from the UK who also know who they are) whose mentality is that an authorisation is akin to a driver's licence exam. They also often say if country A doesn't jump to our demands, then we will go to country B and will whine to your ministers and FDI agencies.

While it is good to see such decisive regulatory action here, the question has to be asked "How did Transactive Systems UAB get through what is supposed to be a thorough and rigorous common EU approach to regulatory authorisation by national competent authorities (NCAs) in the first place?"

​Particularly given the lengths that many EU authorities go to verifying the existence, performance and execution of the #financialcrime business wide risk assessments, the  risk registers, the risk appetite statements, #moneylaundering policies and procedures under EBA Guideline 14 and the vetting of managers, owners and directors of #blockchain emoney and #blockchain payments. Did this company say one thing, and then do the polar opposite? Did the regular trust but not verify?

Interestingly, back in January 2023, the Bank of Lithuania restricted the activities of the company by instructions:
 

• not to establish business relations with new clients and not to provide services to existing clients who provide financial services (including brokerage, investment ( Forex , CDF), money transfers, issuance of electronic money), as well as for customers whose activities are related to virtual currencies (including operators of virtual currency exchanges, operators of depository virtual currency wallets, exchange of virtual assets, loans with virtual assets).
• not to provide a payment account service when the conditions are created for the use of such a payment account by third parties whose identity has not been determined in accordance with the Law on the Prevention of Money Laundering and Terrorist Financing.
• not to provide a payment account service when the conditions are created for the use of such a payment account by third parties whose identity has not been determined in accordance with the Law on the Prevention of Money Laundering and Terrorist Financing

The news cannot but help take us to:
 

1. discussions of regulatory arbitrage between EU NCAs and consistency in approach by the European Banking Authority’s to ensure a level playing field for NCAs.
2. if the Lithuanian regulator is identifying and responding in a hard manner (the revocation, not the fine), are other regulators in the EU doing their bit too across ALL INDUSTRIES whether a bank, emoney, insurer etc.
3. would further examples like this lead to direct rule by ESAs if there is regulatory arbitrage and indeed greater powers for AMLA?
4. should penalties be higher and should there be higher Fitness & Probity standards harmonised across the EU?

​Well run regulated fintech must be getting depressed. Banks will jump on this example as evidence that fintechs cannot be trusted to adhere AML, sanction and financial crime laws properly and some regulators might do so too, recalibrating their supervisory engagement models. Those going through authorisation will find it tougher to satisfy their future regulator compared to others who went through the process a few years ago.
 
Another telling issue in this case is the fact the Bank of Lithuania says that it “has received many complaints and inquiries from individuals and legal entities of various European Union countries and financial market supervisory authorities regarding possible fraud related to clients of Transactive Systems UAB or accounts opened there. Although the Bank of Lithuania has repeatedly drawn the institution's attention to the importance of money laundering and terrorist financing risk management and fraud prevention, gross and systematic violations of the legal acts regulating the prevention of money laundering and terrorist financing were identified during the inspection.”  This comes across really weak.

​Separately, getting really tired of hearing from people who should know better saying that "I will not apply to country A for my authorisation (recommend my client not to do so) because I hear it is easier and faster at country B".  While I am not saying that country B is Lithuania, it is news that one would have to share as a both a positive and negative when asked "Peter what are the best 3-5 EU member states you would suggest for a fintech authorisation and why?" It's a question I am asked every month.  And you know what, the answer is ‘It depends – on your business model, access to banking services, access to talent and reputation of the regulator’ to name but a few points. 

​Contact Peter Oakes at the details here or via Linkedin if you want to know more about how I help fintech businesses get authorised in Europe and the UK and my non-executive director services to regulated fintech, MiFID and banks.

Links to sources:
1) Bank of Lithuania Announcement of 2 June 2023
2) Previous restriction imposed on Transactive Systems UAB on 20 January 2023
​3) Linkedin Post HERE

Just shy of €100mn, a total amount of fines of €96.7mn, were imposed by the Central Bank of Ireland against AIB and EBS for regulatory breaches affecting tracker mortgage customers.

In the case of:

• AIB  - reprimanded and fined €83,300,000 pursuant to the Central Bank's Administrative Sanctions Procedure (“ASP”) for a series of significant and long-running failings in the treatment of its tracker mortgage customers holding 10,015 mortgage accounts between August 2004 and March 2022. AIB has admitted to 57 separate regulatory breaches.
• EBS - reprimanded and fined €13,400,000, pursuant to its ASP for a series of significant and long-running failings in the treatment of its tracker mortgage customers, holding 2,830 mortgage accounts, between August 2004 and June 2020. EBS has admitted to 36 separate regulatory breaches.

Both fines are net of of a settlement discount procedure scheme, otherwise AIB's fine would have stood at €119,000,000 and EBS's fine at €19,143,000.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham said:

• AIB - “The Central Bank has imposed a significant fine on AIB in respect of serious and long running failings in meeting its obligations to its tracker mortgage customers. The consequences of AIB’s prolonged failings were serious and included significant financial strain and distress for those affected and their families. 
• EBS - “The Central Bank has imposed a significant fine on EBS in respect of serious and long running failings in meeting its obligations to its tracker mortgage customers. Mortgage lending is the core of EBS’s business, yet this investigation identified serious deficiencies in EBS’s mortgage services and systems. These deficiencies meant that EBS did not comply with its obligations to customers and many customers lost their tracker product/interest rate margin as a result, and were overcharged for sustained periods of time

CBI Enforcement Publicity Statements:

• AIB
• EBS
• Press Release

Bank of Ireland (BOI) cops a €24.5mn fine over its information technology service for the reason that "the impact of these breaches meant that had [note: “HAD” not 'did have'] a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services."
 
Today’s announcement by the Central Bank of Ireland (CBI) falls in the week the CBI published its ‘Operational Resilience Finalised Guidance Paper’ arising from CP140 - Cross Industry Guidance on Operational Resilience.
 
Speaking of timing, last week there was a well-publicised outage at Revolut which is seeking authorisation in Ireland as an emoney firm and, as previously raised by its founder, potentially a bank/credit institution authorisation in Ireland.  It has a bank and emoney authorisations in Lithuania.

The case is well worth a read by all regulated financial technology (#fintech) firms focused on emoney and payments and not just banks operating in Ireland.  In particular, the statement should be read and digested by the large pipeline of emoney and payment services applicants.
 
A number of points to call out include:

• “Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.” says the CBI.  As noted above, the CBI is due to publish Operational Resilience Finalised Guidance Paper;
• The significance of the fine and the duration of the breaches makes one think about whether under a SEAR regime whether individuals might be in the cross-hairs.  And perhaps they may be under the current Administrative Sanction Procedures relating to a person or persons concerned in the management of a prescribed offence.  If you think that is unlikely, then consider the fact that the CBI is pursuing, via an Inquiry, a person formerly concerned in the management of permanent tsb plc.  Joe Brennan of the Irish Times reported on 10 November 2021 that the person concerned (in that case) is a former chief executive of permanent tsb; [see also SEARHub]
• The CBI found there were failings in the oft touted ‘Three Lines of Defence’ at each line of defence in relation to the bank’s IT service continuity;
• BOI failed to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
• BOI failed to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
• BOI failed to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.

 
In the case of BoI, admitted five contraventions occurring between 2008 and 2019 – quite an extended period. 

• Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
• Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
• Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
• Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
• Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.

Being a INED of several regulated fintechs and financial services firms in Ireland, I thought this point in the publicity statement by the CBI was worth noting.

• "Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks."

Read the statement issued by the Central Bank of Ireland on 2nd December 2021  below.

​Posted by Peter Oakes, CompliReg. 

Linkedin Post at https://www.linkedin.com/feed/update/urn:li:activity:6872160483626029056/

On 30 November 2021, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (the Firm or BOI) €24,500,000 pursuant to its Administrative Sanctions Procedure (ASP) for failures to have a robust framework in place to ensure continuity of service for the Firm and its customers in the event of a significant IT disruption. These IT service continuity deficiencies were repeatedly identified from 2008 onwards but due to internal control failings only started to be appropriately recognised and addressed in 2015. The steps taken by the Firm to address the deficiencies were completed by 2019.

The Central Bank has determined the appropriate fine to be €35,000,000, which has been reduced by 30% to €24,500,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP.

The Firm has admitted five contraventions1 occurring between 2008 and 2019 including:

• The failure to demonstrate an ability to ensure continuity of service in the event of significant IT disruption;
• The failure to have effective internal controls to identify deficiencies in the IT service continuity framework and ensure they were escalated to the senior management committees and ultimately the Board; and
• The failure to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.

Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said “Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems. It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption.

"Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.
"From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third party reports. However, steps to address these deficiencies only commenced in 2015.

"The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations. The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.
"This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”

BACKGROUND
BOI is authorised to carry on banking business in Ireland as a credit institution under Section 9 of the Central Bank Act 1971. BOI is one of the largest banks in Ireland with 169 branches and over 2 million customers. Its principal activities consist of retail and commercial banking. BOI reported total operating income (net of insurance claims) for the year ended 31 December 2020 of €2,645 million.

The European Central Bank (the ECB) is the prudential supervisor of BOI and works closely with the Central Bank as part of the Single Supervisory Mechanism (SSM).2

Under the SSM, the ECB has the power to ask national banking regulators to investigate issues that it has identified, and to take enforcement action where this is merited.

In 2015, BOI’s Internal Audit raised concerns about deficiencies in BOI’s IT service continuity framework. In 2016, BOI commissioned an internal investigation into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report (completed in October 2017), which was provided to the ECB, identified a number of risk management and internal control failings in respect of BOI’s IT service continuity. In addition, the report identified failings relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

Following consideration of the report, the ECB determined that these issues merited further investigation. The Central Bank’s investigation commenced following a referral3 by the ECB in August 2018.

From 2008, BOI’s internal controls in relation to IT service continuity employed a three lines of defence model, whereby:

• the first line of defence owns and manages the risks;
• the second line of defence is responsible for oversight and challenge of the first line of defence and risk oversight; and
• the third line of defence provides independent assurance.

The Central Bank’s investigation found that there were failings in each line of defence (as detailed further below). The failures in each line of defence culminated in an overall failure of this model in relation to the Firm’s IT service continuity framework.  This is most clearly demonstrated in circumstances where IT service continuity deficiencies were not addressed, despite being repeatedly identified in third party reports, between 2008 and 2015.

The Central Bank’s investigation found that BOI had in place second and third lines of defence which were meant to challenge and oversee the first line business unit responsible for IT service continuity. However, both the second and third lines of defence failed to ensure that the first line business unit was acting on the adverse findings of reports prepared by third parties, which had reviewed BOI’s IT service continuity framework. In addition, the second and third lines of defence failed, independently, to address and escalate the IT service continuity risks to which BOI was exposed.

Ultimately, these internal control failings resulted in deficiencies in the Firm’s IT service continuity framework persisting for a prolonged period. This is particularly serious as the Firm’s reliance on IT was significantly increasing year on year, in common with the sector.

In 2015 the Firm initiated steps to address the deficiencies in both its IT service continuity framework and associated internal controls. The Central Bank acknowledges that the steps taken by the Firm have resulted in an overall improvement in its IT service continuity framework and internal controls. Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks.

PRESCRIBED CONTRAVENTIONS
The Central Bank’s investigation identified five breaches relating to the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) (the 1992 Regulations) and European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) (the Capital Requirements Regulations) as set out below.

Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.
From June 2008 to April 2019, the Firm breached Regulation 16(4)(b) of the 1992 Regulations and Regulation 73(3) of the Capital Requirements Regulations by failing to have in place contingency and business continuity plans with regard to IT service continuity to ensure the Firm’s ability to operate on an ongoing basis and limit losses in the event of severe business disruption. In particular:

• The Firm failed to define its critical services4 or put in place IT runbooks.5
• It was unlikely that the Firm would have been able to successfully failover6 a critical service to a secondary site (in the event a serious incident occurring) within an acceptable timeframe.
• The Firm did not undertake adequate full end-to-end IT service continuity testing.7

Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.
From June 2008 to April 2019 the Firm breached Regulation 16(3) (b) and (c) of the 1992 Regulations and Regulation 61(1) (b) and (c) of the Capital Requirements Regulations by failing to have in place and maintain robust governance arrangements including:

• effective processes to identify, manage, monitor and report IT service continuity risks the Firm was exposed to; and
• adequate internal control mechanisms concerning IT service continuity.

These governance failings led to the Firm’s failure to address the IT service continuity deficiencies as set out in Contravention 1.

The Firm failed to have in place and maintain effective governance arrangements through its three lines of defence model regarding IT service continuity. As a result, deficiencies in the Firm’s IT service continuity framework were identified by third party reports prepared for the Firm but were not managed, escalated and appropriately dealt with by the Firm. This demonstrates a recurring failure that is indicative of poor internal controls and demonstrates an overall failure of the Firm’s three lines of defence model with regard to its IT service continuity framework, which arose due to the following:

• First Line of Defence

The first line of defence (the Firm’s central IT unit responsible for IT service continuity) failed to (i) have in place effective risk management practices and processes, (ii) have in place an effective risk register, and (iii) manage and escalate findings from third party reports.

• Second Line of Defence

The second line of defence failed to provide robust oversight and challenge of the first line of defence. The second line of defence failed to ensure that the first line of defence was adequately identifying, managing and escalating risks. Furthermore, the second line of defence failed to independently (of the first line) manage or monitor IT service continuity risks to which the Firm was exposed.

• Third Line of Defence

The third line of defence failed to understand the gravity of the key IT service continuity risks within the Firm from 2008 to 2015. Additionally the third line of defence failed to provide robust oversight and challenge of the Firm’s first and second lines of defence in relation to the risk management of IT service continuity.

Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
From June 2008 to April 2019 the Firm breached Regulation 16(3)(a) of the 1992 Regulations and Regulation 61(1)(a) of the Capital Requirements Regulations by failing to have in place a clear organisational structure with well-defined, transparent and consistent lines of responsibility in relation to IT service continuity.

In this case, the first line business units were siloed, which resulted in an uncoordinated approach to IT service continuity with no consistent processes or procedures in place for managing and reporting IT service continuity requirements and risks. In addition, there was no well-defined, transparent and consistent second line function with responsibility for overseeing and challenging IT service continuity requirements and risks across the Firm to ensure that they were being adequately managed.

The first line unit responsible for IT service continuity was identifying risks, however, due to the siloed nature of this unit, stakeholders within the Firm had limited or no visibility of these IT service continuity risks. This had the effect of excluding key stakeholders in the Firm from involvement in the assessment of prioritisation decisions regarding IT service continuity, which is a key area of operational risk.

Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.
From June 2008 to December 2019 the Firm breached Regulation 16(4)(a) of the 1992 Regulations and Regulation 61(3)(a) of the Capital Requirements Regulations by failing to adequately develop a clear understanding of the roles, responsibilities, accountabilities and interdependencies between different third party IT service providers.

Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.
The Firm breached Regulation 64(13) of the Capital Requirements Regulations, from 31 March 2014 (when the requirement was introduced) until Q4 2015, by its failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation in respect of IT service continuity, which was a key area of operational risk. Specifically, the findings of third party reports which identified deficiencies with IT service continuity were not made available to the Firm’s management body.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank had regard to the Outline of the Administrative Sanctions Procedure 2018 and the ASP Sanctions Guidance November 2019.  It considered the need to impose a level of penalty proportionate to the nature, seriousness and impact of the contraventions and the size of the Firm’s operations. The Central Bank also had regard to the need for deterrence. The following particular factors are highlighted in this case:

The Nature, Seriousness and Impact of the Contravention
Duration and frequency of the contravention

• The Firm failed to have an adequate IT service continuity framework and associated internal controls in place over a sustained period from 2008 to 2019, despite the repeated reporting of these IT service continuity framework deficiencies by third parties from 2008 to 2015.

​Serious or systemic weakness of the management systems or internal controls relating to all or part of the business

• The investigation found serious weaknesses in: IT service continuity plans; internal controls; organisational structures and consistent lines of responsibility; appropriate management of the Firm’s third party IT vendors concerning IT service continuity; and reporting to management body of IT service continuity risks.

​

​The impact or potential impact of the contraventions

• IT underpins the delivery of services across the entirety of the Firm’s business operations. In the event of a significant IT disruption, the Firm could potentially have been exposed to significant risk and potentially have been unable to continue to provide critical services, such as payments. This could have caused serious financial and reputational damage to both the Firm and the wider financial system.

​The loss or detriment or risk of loss or detriment caused to consumers or other market users

• While no detriment arose in this case, had a significant IT failure or prolonged outage occurred, given the increasing dependence on online banking, this could have had a very serious impact and could have resulted in customers being denied access to the basic banking services they needed on a day to day basis.

The extent to which the contravention departs from the required standard

• The contraventions represented a serious departure from the required standards expected of the Firm to ensure that in the event of a significant IT incident the Firm could ensure continuity of critical services.

The Conduct of the Regulated Entity after the Contravention
Mitigating:
The following two mitigating factors, indicative of exemplary co-operation and self-reporting on behalf of the Firm, applied in this case:

• the regulated entity proactively and voluntarily provides the Central Bank with the output of any pre-existing internal investigation and/or third party review;
• there has been identification of other contraventions by the regulated entity.

The investigation found that, following concerns that had been raised by its Internal Audit in 2015 about deficiencies in BOI’s IT service continuity framework, BOI commissioned an internal investigation in 2016 (completed in 2017) into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report:

1. was proactively and voluntarily provided to the ECB;
2. identified a number of risk management and internal control failings in respect of BOI’s IT service continuity; and
3. identified a number of additional contraventions relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework.

This assisted the Central Bank’s investigation, facilitated the review of documentation, and reduced the time and resources required to complete the investigation.

The Previous Record of the Regulated Entity

Aggravating:

• The Firm has been the subject of four prior enforcement actions.

​
​Other Considerations

• The need to have an appropriate deterrent impact on the Firm and other regulated entities.This enforcement action against the Firm is now concluded.

1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.

2. This is the Central Bank’s 145th settlement under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €191 million.

3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts. The penalties are not included in general Central Bank revenue.

4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link.

5. A copy of the ASP Sanctions Guidance November 2019 is available here: link. This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure 2018 and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here: link). These documents should be read together.

6. In accordance with the SSM, the Firm became subject to direct supervision in prudential matters by the ECB as of 4 November 2014.

7. The European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) were in force between 1 January 1993 to 31 March 2014; a copy can be found here: link.

​These were repealed and replaced by the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) which are here: link.

8. On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link.

9. The Firm has been the subject of four previous settlement agreements with the Central Bank, as follows:        

• 2012: Breaches of the Assets Covered Securities Act 2001 and Regulation 16 of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992.
• 2016: Breaches of the Consumer Protection Code 2012.
• 2017: Breaches for non-compliance with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
• 2020: Breaches of European Communities (Markets in Financial Instruments) Regulations 2007.

Footnotes
1 Breaches of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended)) and the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014).

2 The Firm became subject to direct supervision in prudential matters by the European Central Bank as of 4 November 2014.
3 Pursuant to Articles 4(1) and 18(5) of the SSM Regulation (Council Regulation (EU) No 1024/2013).

4 Critical services are business services that provide a substantial banking or operational activity and are of such importance that any weakness or failure in the provision of these activities could have a significant impact on BOI’s ability to meet its regulatory and legal obligations and/or control over, or continuity of, its services and activities. They could also adversely impact on BOI’s ability to manage risks related to these activities.

5 A runbook describes how the Firm would continue to provide a service should an incident arise. A runbook would also contain procedures to begin, stop, supervise, test and restart a service/system.

6 Failover is a procedure by which a system automatically transfers control to a duplicate system when it detects a fault or failure.

7 End-to-end testing refers to a software testing method that involves testing an application's workflow from beginning to end.

Source: AUSTRAC
Press Release 24 September 2020

Westpac and AUSTRAC have today agreed to a AUD$1.3 billion dollar proposed penalty over Westpac’s breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Westpac and AUSTRAC have agreed that the proposed penalty reflects the seriousness and magnitude of compliance failings by Westpac.

The Federal Court of Australia will now consider the proposed settlement and penalty. If the Federal Court determines the proposed penalty is appropriate, the penalty order made will represent the largest ever civil penalty in Australian history. 

In reaching today’s agreement, Westpac has admitted to contravening the AML/CTF Act on over 23 million occasions, exposing Australia’s financial system to criminal exploitation.
In summary, Westpac admitted that it failed to:

• Properly report over 19.5 million International Funds Transfer Instructions (IFTIs) amounting to over $11 billion dollars to AUSTRAC.
• Pass on information relating to the origin of some of these international funds transfers, and to pass on information about the source of funds to other banks in the transfer chain, which these banks needed to manage their own ML/TF risks.
• Keep records relating to the origin of some of these international funds transfers.
• Appropriately assess and monitor the risks associated with the movement of money into and out of Australia through its correspondent banking relationships, including with known higher risk jurisdictions.
• Carry out appropriate customer due diligence in relation to suspicious transactions associated with possible child exploitation.

In reaching the agreement, Westpac has also admitted to approximately 76,000 additional contraventions which expand the original statement of claim. These new contraventions relate to information that came to light after the civil penalty action was launched last year and relate to additional IFTI reporting failures, failures to reasonably monitor customers for transactions related to possible child exploitation, and two further failures to assess the money laundering and terrorism financing risks associated with correspondent banking relationships.

AUSTRAC’s Chief Executive Officer, Nicole Rose PSM said the settlement sends a strong message to industry that AUSTRAC will take action to ensure our financial system remains strong so it cannot be exploited by criminals.

“Our role is to harden the financial system against serious crime and terrorism financing and this penalty reflects the serious and systemic nature of Westpac’s non-compliance,” Ms Rose said.
“Westpac’s failure to implement effective transaction monitoring programs, and its failure to submit IFTI reports to AUSTRAC and apply enhanced customer due diligence in relation to suspicious transactions, meant AUSTRAC and law enforcement were missing critical intelligence to support police investigations.”

Ms Rose said such a large number of breaches over several years was unacceptable and could have been avoided with better assurance and oversight processes to identify ongoing reporting failures.
AUSTRAC works in partnership with the businesses we regulate through a comprehensive industry education program.

“We have been, and will continue to work collaboratively with Westpac and all businesses we regulate to support them to meet their compliance and reporting obligations to ensure this doesn’t happen again in the future.”

Westpac continues to partner with AUSTRAC to assist AUSTRAC and law enforcement agencies to stop financial crime, including as a member of AUSTRAC’s private-public partnership the Fintel Alliance.

About AUSTRACAUSTRAC (the Australian Transaction Reports and Analysis Centre) is the Australian Government agency responsible for detecting, deterring and disrupting criminal abuse of the financial system to protect the community from serious and organised crime.

Through strong regulation, and enhanced intelligence capabilities, AUSTRAC collects and analyses financial reports and information to generate financial intelligence.
​
Learn more about AUSTRAC: https://www.austrac.gov.au/about-us/austrac-overview 
Media contactEmail: [email protected] 
Phone: (02) 9950 0488  

Source: Central Bank of Ireland
Press release – 24 September 2020
 
Enforcement Action Notice: KBC Bank Ireland plc reprimanded and fined €18,314,000 by the Central Bank of Ireland for regulatory breaches affecting tracker mortgage customer accounts
 
On 22 September 2020, the Central Bank of Ireland (the “Central Bank”) reprimanded and fined KBC Bank Ireland plc (“KBC” or the “Firm”) €18,314,000 pursuant to its Administrative Sanctions Procedure (“ASP”) in respect of KBC’s serious failings to certain tracker mortgage customers holding 3,741 customer accounts from June 2008 to October 2019. KBC has admitted in full to 12 regulatory breaches.
 
The Central Bank has imposed a fine at the highest end of its sanctioning powers, reflecting the gravity with which the Central Bank views KBC’s failures. The impact of KBC’s failings on its customers, which related to 3,741 accounts, was devastating and included significant overcharging and the loss of 66 properties. Additionally, KBC’s engagement and co-operation with the Central Bank’s Tracker Mortgage Examination (the “TME”) was deeply unsatisfactory. KBC caused avoidable and sustained harm to impacted customers due to the Firm’s unwillingness to acknowledge its failings until December 2017 and to take immediate action to apply the protections of the TME. Had KBC adhered to the TME guidelines sooner, without the need for significant and sustained Central Bank intervention, the harm to its customers – particularly incidences of property loss - would have been significantly reduced.  The Central Bank determined that the appropriate fine was €26,162,857, which was reduced by 30% to €18,314,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP[1]. This will be paid to the Exchequer[2].
 
This fine is in addition to the €153,524,363 that KBC has been required to pay to date in redress and compensation and account balance adjustments under the TME to its impacted tracker mortgage customers. 
 
The enforcement investigation, which was conducted in parallel with the TME, sought to determine how and why KBC failed to fulfil its obligations to their customers. The investigation also examined KBC’s failure to adhere to the Central Bank’s requirements under the TME.
 
Over the course of 2008, tracker mortgages were becoming increasingly unprofitable for KBC, resulting in the withdrawal of the product by July 2008. The Central Bank’s investigation found that in doing so, KBC failed to treat its existing tracker mortgage customers fairly and put KBC’s financial interests above the protections their customers should have been afforded. In particular, KBC’s failures resulted from:
 
(i)  A proactive strategy to convert customers off their tracker rates: In 2008, KBC devised a strategy to permanently convert certain customers from their low-cost tracker rates. This applied to customers seeking fixed rates or interest only periods at a time when KBC knew that trackers were unprofitable for them. KBC failed to adequately warn the customers concerned that such amendments would result in the permanent loss of their tracker rates. The impact of this strategy was that certain customers, some of whom were already in financial distress, were required to make higher monthly mortgage repayments over the remaining term of their mortgages. This in turn increased the profit margin KBC made on these mortgages.

(ii)  Failure to adequately warn customers entering interest only or fixed rate periods that they would be unable to return to their tracker rates:  At a time when KBC was withdrawing tracker products, it failed to provide customers with clear documentation and/or to provide customers with vital information that their request to fix their interest rate or move to an interest only period would lead to the permanent loss of their tracker interest rate.  KBC also failed to warn customers seeking an interest only arrangement that they stood to pay more interest over the lifetime of their loan.

(iii) Failure to adequately comply with the Central Bank’s Framework for the TME: KBC failed to adhere to the guidelines set out in the Central Bank’s TME Framework, requiring significant intervention from the Central Bank to ensure that all impacted customers were identified, redressed and compensated. 

(iv) Failure to adequately comply with the Stop the Harm Principles of the TME: From the outset of the TME in December 2015, KBC failed to take adequate steps to prevent customers from suffering any further harm or detriment pending the outcome of the TME review. This included failing to stop charging higher, incorrect rates of interest and failing to halt legal activity and loss of ownership of customers’ properties.  Of the 66 properties referenced above that were lost as a result of KBC’s tracker mortgage failures, 39 of these could have been avoided had KBC implemented the Stop the Harm Principles immediately and as required. The Firm’s approach to, and implementation of, these protections was grossly inadequate.

(v) Provided incorrect information to the Financial Regulator[3] in respect of KBC’s treatment of certain tracker customers: In 2009, KBC advised the Central Bank that customers who sought interest only arrangements did not lose their tracker rates for the remaining term of their loans. This was incorrect. As a result, certain interest only customers were denied redress and compensation and an account balance adjustment until identified as having wrongfully lost their tracker through the TME 8 years later.  KBC only acknowledged that it had not treated these customers fairly following robust and sustained intervention by the Central Bank during the TME.              

(vi) Operational and systems failings: In addition, the investigation found that KBC had inadequate mortgage systems and/or operational controls in place to enable them to meet their regulatory and contractual obligations to certain customers. In total there were 12 separate regulatory breaches of the European Communities (Unfair Terms in Consumer Contracts) Regulations 1995 (“1995 Regulations”), the Consumer Protection Codes 2006 and 2012 (“2006 Code” and “2012 Code” respectively). 
 
The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said:
 
“The Central Bank’s investigation into KBC has revealed a stark example of the very real harm caused to people when financial service providers fail to treat their customers fairly. By placing their own financial interests ahead of their customers’ best interests, KBC failed to adequately consider their obligations under the Consumer Protection Codes, which were put in place in order to protect customers in their dealings with financial service providers.
 
The impact of KBC’s actions on their customers was devastating and avoidable. By overcharging customers over extended periods, KBC forced people into arrears, including certain customers whom KBC knew were already facing financial difficulties. Some customers suffered the most severe impact with 66 properties being lost by customers, 11 of which were family homes.
 
Our investigation found KBC persistently refused to accept its failings despite having multiple opportunities to remedy the detriment that it was causing to its customers over an extended period. KBC’s actions in this regard, including the failure to adequately comply with the Stop the Harm Principles of the TME, were simply unconscionable.  KBC’s initial review of their mortgage loan book during the TME identified only 93 impacted customer accounts. The total number of impacted customer accounts has since increased to over 3,700 but only following the sustained challenge and intervention of the Central Bank. 
We expect firms to engage in an open, timely and constructive manner with the Central Bank and to do the right thing by their customers, not because they are told to but because it is the right thing to do. KBC’s failures reinforce the Central Bank’s view that the financial services industry has a long way to go in breaking down the deep-set cultures that cause such terrible damage to people’s lives.
Our message today is clear, and goes beyond the tracker mortgage related issues to all regulated firms: Firms should act in the best interest of their customers and consider their Consumer Protection Code obligations when making decisions that impact their customers.  Where firms fail to do so, our response will be robust and the consequences will be serious.”
 
 
Background to the investigation into KBC
KBC Mortgage Bank (formerly IIB Homeloans Limited) is a credit institution and a regulated financial service provider.  IIB Homeloans Limited applied for authorisation as a retail credit firm by the Central Bank in May 2008 following the enactment of legislation introducing the retail credit firm regime, thereby becoming subject to the Consumer Protection Codes from 1 June 2008.  IIB Homeloans Limited subsequently obtained a banking licence from the Central Bank on 24 October 2008, at which time it officially renamed its operations in Ireland ‘KBC Mortgage Bank.’  In or around June 2009, KBC Mortgage Bank transferred its business to KBC Bank Ireland plc, amalgamating the businesses formerly conducted by IIB Bank plc and IIB Homeloans Limited/KBC Mortgage Bank.
 
KBC introduced tracker mortgages to its range of products in 2003, ultimately withdrawing them from the market on 4 July 2008, as KBC viewed them as no longer profitable. 
In September 2015, the Central Bank notified lenders that it was developing the Framework for the TME, which was to be grounded on consumer legislation, including both the 2006 Code and the 2012 Code. In December 2015, the TME was established. Lenders were required to determine whether or not in all circumstances it had complied with its consumer protection regulatory obligations.
 
The TME was designed to ensure that lenders met their consumer protection obligations by requiring lenders to:

1.       Conduct a complete review of their tracker mortgage loan book to identify customers who may not have been treated fairly.
2.       Take steps - pending the determination of impact under the TME - to (i) stop charging the incorrect rate of interest at the earliest possible time, (ii) halt all legal activity and (iii) ensure that customers did not lose ownership of their properties.  The objective of this requirement was for lenders to take early steps to Stop the Harm, thus shielding potentially impacted customers from further harm and detriment. 
3.       Return impacted customers to the position they would have been in but for the tracker mortgage failings, which included, rate rectification or the option to return to a tracker rate. Furthermore, lenders were required to pay compensation commensurate to the harm caused to each customer given their specific circumstances.

In early 2016, as part of its early engagement on the TME, the Central Bank notified KBC that it should consider whether the documentation provided to customers entering into an interest only or a fixed rate period may have led to an expectation that they could return to a tracker rate on expiry.  When KBC failed to include those customers in the TME in September 2016, the Central Bank continued to challenge KBC’s assessment of whether particular groups of customers were impacted under the TME and therefore entitled to redress and compensation and have their account balance adjusted.  KBC persistently refused to accept its tracker mortgage failings until December 2017, further evidencing KBC’s failure to put its customers first.  KBC’s failings uncovered as part of the TME led to the commencement of the Central Bank’s enforcement investigation.
 
Regulatory breaches
KBC has admitted 12 regulatory breaches of the 1995 Regulations, the 2006 Code and the 2012 Code, which were identified during the Central Bank’s investigation.  These breaches occurred as a result of the following:

1. A proactive strategy to convert customers off their tracker rates;
2. Failure to adequately warn customers entering into interest only or fixed rate periods that they would be unable to return to their tracker rates, at a time when KBC was withdrawing tracker products;
   
3. Failure to adequately comply with the Central Bank’s Framework for the TME;
4. Failure to adequately comply with  the Stop the Harm Principles of the TME;
5. Provision of incorrect information to the Financial Regulator in respect of KBC’s treatment of certain tracker customers; and
6. Operational & Systems failings.  

Further detail of these failings is set out below.    

1.  A proactive strategy to convert customers off their tracker rate In 2008, KBC devised a strategy to permanently convert customers from their low-cost tracker rates, with the result that they were required to make higher monthly mortgage repayments over the remaining term of their mortgages and in turn increased the profit margin KBC made on the mortgage.

At a time when KBC knew trackers were unprofitable, KBC implemented this strategy of seeking to permanently convert customers from their tracker rates through two separate direct mailings to customers in August and September 2008 (the “direct mailings”).  KBC’s strategy was to convert its customers from their tracker rates to fixed rates, immediately increasing their margin, while ensuring that those mortgages would revert to standard variable rates and not a tracker on the expiry of the fixed rate period. Once this occurred, KBC could control the interest rate being charged. KBC failed to adequately warn those customers that they would not return to their tracker at the expiry of the fixed rate period. Following intervention by the Financial Regulator in 2008, KBC agreed to give the option to direct mailings customers who had switched from a tracker rate to a fixed to return to their tracker rates.

Furthermore, during the course of 2008 and early 2009, KBC took the opportunity to move certain customers, some of whom were in arrears, from their pre-existing tracker rate when the customer requested to enter into or  extended an existing interest only period. For example, in some circumstances, KBC required customers to switch to a standard variable rate to avail of the break in capital payments arising from the interest only arrangement, whereas in other instances, customers were required as a condition of approval for the interest only period to first enter into a fixed rate period that would not revert to their tracker on its expiry. In doing so, KBC failed to adequately warn those customers that they would not return to their tracker on the expiry of the interest only period.  The resulting loss of the tracker rate invalidated the benefit to customers of availing of a temporary repayment break with the customers then making higher monthly mortgage repayments over the remaining term of their mortgages and increasing the profit margin KBC made on the mortgage.

This practice continued into early 2009 in respect of certain interest only customers. Due to the fact that KBC provided incorrect information to the Financial Regulator in 2009 when challenged on this matter and failed to properly engage with the TME, the position of interest only customers was not fully rectified until late 2017, as explained in more detail below. This failure to rectify was despite the fact that KBC reviewed the position of some of their interest only customers’ accounts and customer documentation in 2011 as part of an internal review.

KBC failed to adequately consider the impact of the strategy on their customers and their obligations under the 2006 Code. KBC has admitted that this strategy did not meet its obligation to act honestly, fairly and professionally in the best interests of its customers.
 
The Central Bank also found that KBC failed to have and/or effectively employ necessary and/or adequate resources, procedures, and systems and control checks in place to ensure that it adequately considered its consumer protection focused obligations when taking strategic and financial decisions in relation to its tracker book.
 
KBC has admitted breaches of the 2006 Code in respect of this behaviour, as follows:

•          KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it acted honestly, fairly and professionally in the best interests of its customers and the integrity of the market;

•          KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it acted with due skill, care and diligence in the best interests of its customers; and
•          KBC failed to ensure that in all its dealings with customers and within the context of its authorisation, it had and employed effectively the resources and procedures, systems and control checks that are necessary for compliance with the 2006 Code.

2.  Failure to adequately warn certain customers entering into interest only or fixed rate periods that they would be unable to return to their tracker rates The Central Bank found that KBC failed to comply with the requirements of the 2006 Code, the 2012 Code and the 1995 Regulations with regard to its obligation to ensure that documentation provided to customers at key points was clear and comprehensible and that key information was brought to their attention. These failures manifested in three distinct scenarios:

Interest Only Customers
Certain customers who sought forbearance on their mortgages through an interest only arrangement were impacted over the period from 19 June 2008 to 3 October 2018, many of whom were in financial distress and thus particularly vulnerable. The Central Bank found that contractual documentation that issued to certain interest only customers did not specifically refer to the rate that those customers would default to on maturity of the interest only period and thus it was not clear that those customers would lose their tracker rate for the remaining term of their mortgage. Certain customers lost their low cost tracker rates for the remaining term of their mortgage when they took up an interest only facility.

Customers entering into a fixed rate using a Fixed Rate Instruction Form (“FRIF”)
Certain customers were impacted when they sought to enter into a fixed rate period on their mortgage and completed a FRIF. Certain FRIF documents, when read in conjunction with other loan documentation, were unclear as to the rate to which the mortgage would default to at the end of the fixed rate period. These customers were therefore not clearly informed that they would not be able to return to their pre-existing tracker rate as a consequence of entering into the fixed rate period.
Customers entering into a fixed rate after trackers were withdrawn
Certain tracker mortgage customers who sought to enter into a fixed rate period after KBC had withdrawn tracker mortgages as a product offering were impacted. KBC failed to inform these customers in advance of fixing that they would no longer be able to avail of their tracker rate at the end of the fixed rate period, as trackers had been withdrawn from KBC’s product offering. 
KBC has admitted breaches in relation to its failures to warn customers as follows: 
        

• KBC failed to ensure that, in all of its dealings with customers, it made full disclosure of all relevant material information in a way that sought to inform the customer;     
• KBC failed to ensure that all information it provided to its customers was clear and comprehensible and that key items were brought to customers’ attention;        
• KBC failed to act with due skill, care and diligence in the best interests of its customers;        
• KBC failed to ensure that contractual terms were drafted in plain, intelligible language;        
• KBC failed to have or did not effectively employ adequate resources, policies and procedures and systems and controls.

Certain of these breaches continued until the end of 2018, when KBC corrected the interest rates, paid redress and compensation and adjusted their account balances as part of the TME. 

3)  KBC’s failure to adequately comply with the Central Bank’s Framework for the TME  
The Central Bank’s Framework for the TME required lenders to conduct the TME and determine whether or not in all circumstances they had complied with their consumer protection obligations arising from a number of pieces of consumer legislation including the 2006 and 2012 Codes.  The Framework also specified the manner in which lenders were required to conduct the TME, as follows:
 
“When completing the Examination and when assessing compliance with regulatory requirements, the lender is to demonstrate that it is ensuring that customers’ interests are protected, that customers are being treated fairly and that it has considered customers’ reasonable expectations with regard to their entitlement to a Tracker Interest Rate, in the context of the information provided and the disclosures made by the lender to customers.”
 
 
The Central Bank found that KBC’s approach to the TME evidenced a failure to comply with the consumer protection principles at the heart of the TME requirements that the Central Bank put in place in order to protect customers. KBC did not give adequate consideration to its regulatory obligations, to customer fairness or to the transparency of communications with customers, as required. Instead, KBC’s decision-making during the TME resulted in the identification of only a fraction of the customers rightly entitled to redress and compensation and have their account balance adjusted. In this regard, KBC did not deem interest only customers or customers who had received the FRIF as being impacted. KBC initially concluded that interest only customers had no entitlement to inclusion and that the Fixed Rate Instruction Form was clear. KBC took this position despite the Central Bank having raised concerns regarding both interest only and fixed rate customers at the outset of the TME.  KBC ultimately conceded that these customers should be included in the TME in late 2017, following prolonged and consistent challenge from the Central Bank on these and other matters.
 
From the commencement of the TME in 22 December 2015 to April 2019, KBC failed to:  

• adequately consider whether, in all the circumstances, it had complied with its regulatory obligations arising pursuant to the 2006 Code; 
•  adequately consider all influencing factors when determining whether detriment had arisen or may have arisen; and
• adequately consider, in the context of the transparency of documentation provided to customers, whether there was potential to confuse or mislead customers

 
each of which is contrary to the TME Framework which was designed to ensure the protection of impacted customers. KBC’s failure to adhere to the guidelines set out within the TME Framework resulted in the continued overcharging of certain customers’ accounts until KBC customers were put on the correct interest rates and paid redress and compensation and had their account balance adjusted. 
 
KBC has admitted breaches in respect of its failure to protect customers and apply the Central Bank’s Framework for the TME, as follows:

• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it acted, fairly and professionally in the best interests of its customers and the integrity of the market;
• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it acted with due skill, care and diligence in the best interests of its customers;
• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it had and employed effectively the resources, policies and procedures, systems and control checks, including compliance checks, and staff training that are necessary for compliance with the 2012 Code.

These breaches continued until KBC customers were put on the correct interest rates, paid redress and compensation and had their account balance adjusted. 

4) Failure to adequately comply with the Stop the Harm Principles of the TME
In June 2015, the Central Bank issued a letter to industry which set out the Central Bank’s regulatory expectations in respect of mortgage lenders, including those in respect of customers in financial difficulty. These regulatory expectations were grounded upon the 2006 and 2012 Codes. The purpose of this letter was to set out the outcomes and feedback from a themed inspection of mortgage lenders in respect of compliance with the Code of Conduct on Mortgage Arrears. The letter set out the regulatory expectations on mortgage lenders in respect of “Customer Impacting Issues for Borrowers in Financial Difficulty”.  These regulatory expectations were the Stop the Harm Principles, which lenders were required to comply with to stop further detriment to potentially impacted customers. 
 
The Central Bank subsequently reiterated the Stop the Harm Principles specifically with regard to accounts within the scope of the TME, again grounded upon the 2006 Code and the 2012 Code.
 
The core objective of the Central Bank’s work in the TME was to require lenders to seek to address the impact their actions had on impacted customers. To help achieve this aim, the Principles of Redress, including the ‘Stop the Harm’ Principles, required lenders to put in place, amongst other things, controls and measures to ensure that potentially impacted or impacted customers did not suffer any further detriment. 
These measures were designed to ring-fence and protect customers until such time as the lender could either satisfy themselves that the relevant customers were not affected or until such time as the lender had paid them redress and compensation and had their account balance adjusted. The ‘Stop the Harm’ Principles were designed to ensure that lenders ceased charging the incorrect rate at the earliest possible time, that lenders did not take steps in the legal process in relation to potentially impacted and impacted customers and that potentially impacted and impacted customers did not lose ownership of their properties.

The Central Bank found that between December 2015 and September 2016, KBC failed to adequately implement the Central Bank’s Stop the Harm Principles with the procedures adopted failing to prevent further detriment from occurring to customers. KBC’s ‘Stop the Harm’ policy allowed it to take steps in the legal process, up to and including obtaining orders for possession in the Courts and appointing receivers over properties. This included instances whereby KBC authorised the progression of legal activities before they had made a final determination on the cohorts of customers that it considered ‘impacted’ under the TME.

In September 2016, KBC incorrectly deemed customers who lost their tracker rates on taking up interest only arrangements as ‘not-impacted’ under the TME.  Consequently, KBC removed the Stop the Harm protections for these customers. As of result of this action, 11 properties were unnecessarily lost by these customers.  

Finally, during the course of the TME, KBC failed to inform many customers seeking to sell, or otherwise dispose of their properties, including by way of assisted voluntary sale or surrender, that they may be impacted under the TME and may be entitled to redress and compensation and to have their account balance adjusted. Therefore, in some instances, the customer’s decision to dispose of their property was not fully informed.

These failures resulted in additional and avoidable harm to certain customers and in some cases legal proceedings were progressed, up to and including loss of ownership.

KBC has admitted breaches in respect of its failure to apply the Stop the Harm Principles, as follows

• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it acts fairly and professionally in the best interests of their customers and the integrity of the market;        
• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it acts with due skill, care and diligence in the best interests of their customers;        
• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it has and employs effectively the resources, policies and procedures, systems and control checks, including compliance checks, and staff training that are necessary for compliance with the 2012 Code;    
• KBC failed to ensure that, in all of its dealings with customers, it made full disclosure of all relevant material information in a way that sought to inform the customer; and        
• KBC failed to supply information to consumers on a timely basis.  KBC failed to have regard to the urgency of the situation and the time necessary for consumers to absorb and react to the information provided.

 
5) Provided incorrect information to the Financial Regulator
Following media reports in 2009, which referenced that KBC were allegedly exploiting interest only customers by requiring them to move to a standard variable rate as a condition of taking up an interest only facility, the Financial Regulator sought clarification regarding the manner in which KBC treated those customers. 

KBC confirmed to the Financial Regulator that it did not remove tracker interest rates from both arrears and non-arrears customers who entered into interest only arrangements for the remaining term of their mortgages.  This was not in fact the case as certain arrears and non-arrears customers had lost their tracker rates at the time.

This investigation found that, through KBC’s failures to undertake proper due diligence and care in the gathering of information, KBC provided incorrect information thus misleading the Financial Regulator in 2009 in respect of the treatment of KBC’s interest only customers. This had far-reaching consequences for these customers.  Having assured the Financial Regulator that these customers returned to their tracker rates on the expiry of the interest only facility, no further regulatory action was taken at that time.  Consequently, customers who sought forbearance on their mortgage repayments continued to be charged higher rates of interest for the remaining term of their mortgages. The provision of this incorrect information to the Financial Regulator facilitated the persistent and ongoing breaches of the Consumer Protection Codes by KBC in relation to these customers until this issue was later identified and ultimately rectified under the TME.

The Central Bank examined KBC’s treatment of interest only customers again in the context of the TME.  At that point, the Central Bank became aware that KBC had provided incorrect information to the Financial Regulator in 2009. 

KBC ultimately conceded that interest only customers were impacted for the purpose of the TME in October 2017.  This came only after robust challenge from the Central Bank regarding KBC’s initial decision in September 2016 to exclude these customers from the TME.  Interest only customers finally received redress and compensation and had their account balance adjusted in late 2017, approximately 8 years following the incorrect information that had been provided by KBC to the Financial Regulator on the same issue.

KBC has admitted breaches in relation to providing inaccurate information to the Financial Regulator, as follows: 

• KBC failed to provide information, which is full, fair and accurate in all respects and not misleading, and to do so in any reasonable period of time or format that may be specified by the Financial Regulator.

 
6)  Operational and systems failings During the course of KBC’s review of its tracker mortgage book and also within the TME, KBC identified a number of operational and systems failings which affected customers and resulted in, amongst other things, customers being placed on the incorrect interest rate; placed on the incorrect product type; provided with incomplete, inaccurate and unclear documentation; offered the incorrect tracker rate or not receiving appropriate information in relation to their entitlement or loss of entitlement to a tracker rate.  In addition, due to operational and systems failings, KBC failed to comply with an undertaking given to the Central Bank in 2009 to return all of the direct mailing customers to their previous tracker rates.

The investigation found that KBC had inadequate operational and systems controls in place to enable them to meet their regulatory obligations to certain tracker mortgage customers. Procedural and systems weaknesses, deficient processes, administrative errors including the failure to implement amendments to customer accounts in a timely manner, operational errors, reliance on standard documentation not tailored to the particular customers’ circumstances and reliance on manual interventions were all factors which contributed to KBC’s failings which occurred over an extended period of time. 

KBC has admitted breaches in relation to these operational and systems failings, as follows

• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it acted with due skill, care and diligence in the best interests of their customers;
  
• KBC failed to have adequate systems and controls in place to ensure compliance with the 2006 Code and the 2012 Code;        
• KBC failed to ensure that in all its dealings with customers and within the context of its authorisation it had and employed effectively the resources, policies and procedures, systems and control checks, including compliance checks, and staff training that are necessary for compliance with the 2012 Code.

 
Impacted numbers
In summary, our investigation found that a total of 3,741 customer accounts were impacted as a result of KBC’s numerous failures over an extended period of time, with some customers being affected by more than one of the above issues.
 
Penalty Decision Factors
In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019. The following particular factors are highlighted in this case:
 
The Nature, Seriousness and Impact of the Contraventions

1.        KBC proactively devised and implemented a strategy to permanently convert customers off their tracker rate resulting in KBC’s financial interests being prioritised over the best interests of customers;
2.        The duration and frequency of the breaches, with 3,741 impacted customer accounts identified during the course of the investigation, the earliest breach having commenced on 1 June 2008 and the latest breach being 2 October 2019, resulting in customers being overcharged interest for extended periods. The duration is particularly serious given the historic intervention by the Regulator, a pattern of intervention which was repeated throughout the TME;
3.        66 properties were lost as a direct result of KBC failing their customers, which is particularly serious when 39 of those losses arose from KBC’s failures to Stop the Harm to its customers during the conduct of the TME;
4.        The contraventions represent  a serious departure from required standards under the Consumer Protection Codes and the Principles of the TME;
5.        The failure by KBC to include all impacted customer accounts in the TME quickly and without intervention by the Central Bank, leaving over 3,600 customer accounts without redress and compensation and to have their account balance adjusted for a period of up to 2 years;
6.        The negative impact on consumer confidence in the market as a result of KBC’s failings; and
7.        The operational and system weaknesses that led to failures to protect customers.

 
Aggravating factors

1.        The failure to take adequate remedial steps after the breaches were identified, including a failure to adequately identify whether customers were impacted and attempting to exclude potentially impacted customers from the protections of the TME;
2.        KBC provided incorrect information to the Regulator with the result that sustained harm was suffered by certain customers. If KBC had provided correct information that customers had in fact lost their trackers, harm could have been stopped in 2009 and customers remediated then rather than 8 years later when KBC’s failure was discovered;
3.        KBC’s failure to meet the Central Bank’s expectations of adequate cooperation  in the context of the investigation by failing to adequately respond to a number of statutory requests for information in a comprehensive and timely manner, necessitating significant challenge and intervention by the Central Bank, which wasted investigatory resources and caused delay in the Central Bank’s ability to progress the investigation;
4.        The Previous Record of the Regulated Entity: KBC has been subject to one prior Enforcement Action; and
5.        The need for a credible deterrent in respect of these serious regulatory failings on KBC and other regulated entities.

 
This enforcement action against the Firm is now concluded. This marks the completion of the second in a series of ongoing investigations which were commenced, and will therefore conclude, at different times.

Notes to Editors
 
1.       The Central Bank imposed a fine of €18,314,000 on KBC, which represents the maximum applicable penalty of €26,162,857 with a settlement discount of 30%. This fine is at the highest end of its sanctioning powers. The Central Bank’s ‘Outline of the Administrative Sanctions Procedure’ provides for an early settlement discount of up to 30% in order to promote early resolution of matters, which in turn leads to better utilisation of the resources of the Central Bank.  For further information on the discount scheme, see the Central Bank’s ‘Outline of the Administrative Sanctions Procedure’, which is here.
 
In October 2016, the Central Bank fined KBC €1,400,000 and reprimanded it for breaches of the Code of Practice on Lending to Related Parties 2010 and the Code of Practice on Lending to Related Parties 2013. Details of the Enforcement Action can be found here.
 
2.       The Central Bank’s sanctioning powers were increased in 2013, pursuant to Section 68(b) of the Central Bank (Supervision and Enforcement) Act 2013. The maximum penalty which the Central Bank may now impose is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.
 
3.       This is the Central Bank’s 139th settlement since 2006 under its Administrative Sanctions Procedure, bringing total fines imposed by the Central Bank to over €123m, which total includes the fine imposed against Springboard Mortgages in 2016 and Permanent TSB plc in 2019 in respect of breaches of its obligations to tracker mortgage customers. This settlement also marks the 32nd outcome in respect of Consumer Protection Code breaches.
 
4.       Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts. The penalties are not included in general Central Bank revenue.

5. The Consumer Protection Codes 2006 and 2012 are available on the Central Bank’s website www.centralbank.ie or to download here and here. The 2006 Code ceased to have effect on 31 December 2011 and the 2012 Code came into effect on 1 January 2012. 

6.       The Tracker Mortgage Examination commenced in December 2015. The Examination required all lenders to review their loan book to ensure compliance with both regulatory and contractual requirements in relation to tracker mortgages. Where impacted customer accounts are identified, the Central Bank expects that those customers will receive redress and compensation commensurate with the detriment suffered and to have their account balance adjusted accordingly. Information on the Examination is available on the Central Bank’s website www.centralbank.ie or to download here.
 
Further information:
Media Relations: [email protected] / 01 224 6299
Ewan Kelly: [email protected] / 086 463 9652


[1] The Central Bank’s ‘Outline of the Administrative Sanctions Procedure’ provides for an early settlement discount of up to 30% in order to promote early resolution of matters, which in turn leads to better utilisation of the resources of the Central Bank. 

[2] All fines collected by the Central Bank are returned to the Exchequer.

[3] The Financial Regulator was re-unified with the Central Bank on 1 October 2010.