ORX News digests of the month: Q3 2020
- 12 October 2020
Each month, the ORX News team chooses a digest from the ORX News service to share publicly, one that highlights a particularly interesting operational risk loss event. Read all the featured digests of Q4 2020.
September's story of the month
Bank pays USD 4.5 million to CFTC over design flaws in its audio preservation system
In September 2020, three Citigroup entities were ordered by the CFTC to pay $4.5m over a design flaw in their audio preservation system, which saw subpoenaed recordings deleted from the system.
The CFTC, in December 2017, subpoenaed audio recordings that were pertinent to an ongoing investigation the CFTC was carrying out in connection with Citigroup. However, the audio preservation system had a design flaw, whereby once the system had reached 95% of its storage capacity, the system would automatically begin deleting recordings from exactly two years earlier.
In December 2018, after the CFTC had again requested that Citibank produce the recordings to comply with the subpoena, Citibank informed the CFTC that the audio recordings had been deleted. The resulting CFTC investigation found that senior management at the company responsible for the audio preservation system had been aware of the design flaw since at least 2014. Management were also reportedly responsible for not adequately staffing the company with trained employees, and for not documenting changes to the system which led to the recordings being deleted.
The CFTC found that, by failing to adequately supervise its subsidiary, Citibank had violated CFTC Regulation 166.3, and it fined the bank $4.5m.
If your firm subscribes to ORX News, then you can read the full story here on the ORX News website.
Data extract for this story
Every ORX News story is categorised to help you get the most from the data. The categories include the business line, event type and scenario category. All of this information makes it easier for you to use and analyse the loss events.
Business line: Corporate Items
Event type: Execution, Delivery & Process Management
Loss amount: USD 4,500,000.00
Country: United States
Scenario category: Vendor Failures
August's story of the month
Banks pay out fines for cyber-related breaches
In July, the Bank of Ireland was fined €1.66m by the Central Bank of Ireland for breach of the European Communities Markets in Financial Instruments (MiFID) regulations. The breaches related to the bank’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), between November 2007 and January 2018.
The Central Bank’s investigation arose from a cyber-fraud incident in September 2014, in which a fraudster impersonating a client caused BOIPB to make payments to a third-party account totalling €106,330. BOIPB’s procedures outlined steps to verify a client’s identity before processing a third-party payment instruction. However, BOIPB staff released confidential account details to the fraudster and did not ask security questions when taking transfer instructions. Nor did staff identify certain flags which could have been indicative of fraud.
The €1.66m fine was not the only fine levied on a financial institution over the last few months for inadequate controls to prevent cyber fraud. Capital One was fined $80m by the US Office of the Comptroller of the Currency (OCC) for failing to establish effective cyber risk assessment processes from 2015.
The OCC found that in or around 2015, Capital One failed to establish effective risk assessment processes before transferring its IT operations to a cloud operating environment and failed to establish appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. The deficiencies were made evident by the data breach Capital One suffered in April 2019, affecting 100 million individuals in the United States.
These fines, as well as fines for inadequate cyber-crime controls at firms such as Equifax, show that regulators are taking a firm stand against inadequate cyber controls, which can have a large financial impact on firms.
If your firm subscribes to ORX News, then you can read the full stories and more like it on the ORX News website. You can view the Bank of Ireland story here and the Capital One story here.
Data extract for this story
Bank of Ireland:
Business line: Private Banking
Event type: Execution, Delivery & Process Management
Loss amount: EUR 1,660,000.00
Country: Ireland
Scenario category: Improper Business Practice
Capital One:
Business line: Retail Banking
Event type: Clients, Products & Business Practices
Loss amount: USD 80,000,000.00
Country: United States
Scenario category: Cyber-Related Data Breach
July's story of the month
Australian Banks pay out for incorrectly paying employees
Over the course of 2019 and 2020, two of Australia’s big four banks, Westpac and Commonwealth Bank (CBA), have begun the process of repaying thousands of staff who had been underpaid as a result of systems errors at both institutions.
Westpac announced in July 2020 that it would pay back AUD 8 million to around 8,000 employees. Westpac said that it did not apply the correct methodology for determining long service leave entitlements where staff had changed their working arrangements, such as moving from part-time to full-time. Westpac also said that, for long service leave entitlements, different rules applied to different employees based on their employment history and working arrangements. As a result of the error, some Westpac staff were overpaid, but these employees would not be asked to repay any money.
CBA announced in April 2019 that it expected to pay AUD 15 million to current and former employees. CBA reportedly underpaid its staff and that of its subsidiary, BankWest, due to errors in its systems, including payroll and other human resources systems. This also resulted in problems calculating leave, superannuation and redundancy entitlements. Some of the problems reportedly dated back 10 years. In December 2019, it was reported that CBA had widened the investigation into the issues, examining the records of 250,000 current and former staff, going back as far as 2002. The average reimbursement was reportedly about AUD 220 per employee. Due to the wider investigation, CBA was reportedly expected to pay AUD 53.1 million in repayments to employees.
You can read the press release for Westpac here: https://www.westpac.com.au/about-westpac/media/media-releases/2020/3-july/
You can read the press release for CBA here: https://www.smh.com.au/business/banking-and-finance/cba-to-pay-back-staff-53m-in-botched-pay-as-41-000-affected-20191213-p53jsi.html
If your firm subscribes to ORX News, then you can read the full stories and more like it on the ORX News website. You can view the Westpac story here and the CBA story here.
Data extract for this story
Business line: Retail Banking
Event type: Employee Practices & Workplace Safety
Loss amount (Total combined): AUD 61,100,000.00
Country: Australia
Scenario category: Unfair Treatment of Staff