Banks pay out fines for cyber-related breaches

15 September 2020

ORX News story of the month: August 2020

Each month, we share a free operational risk loss event story from ORX News. The story is handpicked by the team as one of the most interesting stories reported by the service in the previous month. This story was published by the service in August 2020.

In July, the Bank of Ireland was fined €1.66m by the Central Bank of Ireland for breach of the European Communities Markets in Financial Instruments (MiFID) regulations. The breaches related to the bank’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), and occurred between November 2007 and January 2018.

The Central Bank’s investigation arose from a cyber-fraud incident in September 2014, in which a fraudster impersonating a client induced BOIPB to make payments totalling €106,330 to a third-party account. BOIPB’s procedures outlined steps to verify a client’s identity before processing a third-party payment instruction. However, BOIPB staff released confidential account details to the fraudster and did not ask security questions when taking transfer instructions. Nor did staff identify certain flags which could have been indicative of fraud.

The €1.66m fine was not the only one levied on a financial institution over the last few months for inadequate controls to prevent cyber fraud. Capital One was fined $80m by the US Office of the Comptroller of the Currency (OCC) for failing to establish effective cyber risk assessment processes from 2015.

The OCC found that in or around 2015, Capital One failed to establish effective risk assessment processes before transferring its IT operations to a cloud operating environment. It also failed to establish appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. The deficiencies were made evident by the data breach Capital One suffered in April 2019, affecting 100 million individuals in the United States.

These fines, as well as fines for inadequate cyber-crime controls at firms such as Equifax, show that regulators are taking a firm stand against inadequate cyber controls, which can have a large financial impact on firms.

If your firm subscribes to ORX News, then you can read the full stories and more like them on the ORX News website. You can view the Bank of Ireland story here and the Capital One story here.

Op risk losses categorised for easy analysis

Every single ORX News story is categorised to help you get the most from the data. The categories include the business line, event type and scenario category. All of this information makes it easier for you to use and analyse the loss events.

Extract of the data for these stories from ORX News:
 

Bank of Ireland:

Business line: Private Banking 
Event type: Execution, Delivery & Process Management
Loss amount: EUR 1,660,000.00
Country: Ireland
Scenario category: Improper Business Practice


Capital One:

Business line: Retail Banking
Event type: Clients, Products & Business Practices
Loss amount: USD 80,000,000.00
Country: United States
Scenario category: Cyber-Related Data Breach
