Bank of Ireland hit with €24.5 million fine over IT failures

Ireland’s Central Bank has fined the Bank of Ireland €24.5 million (£20.8 million) for IT failures that took over a decade to be appropriately recognised, addressed, and fixed.

The bank was found to have a failed to implement a robust framework to ensure continuity of service for customers in the event of significant IT disruption.

These deficiencies were repeatedly identified from 2008 onwards but, due to the bank's internal control failings, only began to be appropriately recognised and addressed in 2015, before being completed in 2019.

The Bank of Ireland has admitted five contraventions that occurred between 2008 and 2019, including failing to demonstrate an ability to ensure continuity of service in the event of significant IT disruption and failing to have effective internal controls to identify deficiencies in the IT service continuity framework.

It also admitted to failing to properly engage and oversee the management of third party IT service providers with respect to IT service continuity.

Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls, said the Central Bank. These are regarded as core parts of a company's operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.

“Today’s banks and financial services firms are wholly dependent on effective, reliable, and resilient IT systems,” said Seána Cunningham, the Central Bank’s director of Enforcement and Anti-Money Laundering. “It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption.”

Cunningham said that significant IT disruptions could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.

She added that the extent and duration of the Bank of Ireland’s breaches were particularly serious given the ‘always-on’ nature of the services it provides and how pivotal IT is to the entirety of its business operations.

“Bank of Ireland fully acknowledges, and sincerely apologises for, each of these breaches which should not have arisen,” a spokesperson said to IT Pro. They added that to address the various issues, the bank has invested heavily in IT service continuity, including infrastructure and network upgrades, and enhanced testing, planning, and internal procedures.

The Central Bank determined the appropriate fine to be €35 million, which has been reduced by 30% to €24.5 million in accordance with a settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure.