knowledge | 4 September 2020 |
Central Bank Enforcement Action into Cyber Frauds Highlights Mandatory Reporting
Ireland’s mandatory reporting obligations have broad reach and failure to comply with them is a criminal offence. Section 19 of the Criminal Justice Act 2011 imposes a requirement on organisations and individuals to report information relating to possible frauds which might either prevent the fraud being committed or secure the apprehension prosecution or conviction of a person involved in fraudulent activity. Any failure to comply with mandatory obligations uncovered in a subsequent regulatory investigation is likely to be viewed as an aggravating factor in the assessment of penalties.
Importance of Reporting as part of any Cyber Fraud Response
On 27 July 2020 an Irish bank was fined €1,660,000 and reprimanded by the Central Bank of Ireland (the "Central Bank") for regulatory breaches stemming from a cyber-fraud in 2014 involving one of its subsidiaries. The subsidiary had made two payments to a bogus third party account, acting on the instructions of a fraudster impersonating a client, who had hacked the client’s email account, resulting in two transfers totalling €106,430 being transmitted to a UK corporate bank account. The failure to report the frauds pursuant to mandatory reporting obligations was regarded as an aggravating factor in the assessment of the penalty that should apply.
The Central Bank identified five regulatory breaches arising from the cyber-fraud incident, including a breach by the subsidiary of Regulation 34(1)(c) of the MiFID Regulations by failing to, “establish, implement and maintain adequate internal control mechanisms designed to secure compliance with the subsidiary’s reporting obligations under section 19 of the Criminal Justice Act 2011.” The subsidiary failed to report the incident and only did so over a year later at the request of the Central Bank.
Section 19 of the Criminal Justice Act 2011 provides that a “person” (which includes a corporate body) is guilty of an offence if he or she withholds information which may be of material assistance in the prevention, apprehension, prosecution or conviction of any other person for certain prescribed “relevant offences”. Although primarily introduced to assist in the apprehension and prosecution of white collar crimes, the section is broadly drafted and applies to a whole range of offences including company law offences, money laundering and terrorism, competition law and more recently, cyber-crime and hacking.
The consequences of failing to adhere to these reporting obligations were in a holding pattern for some time due to questions as to the constitutionality of section 19. However, the Supreme Court upheld the constitutionality of an almost identical reporting obligation in 2019 and the Central Bank’s action very much brings the question of ensuring compliance with section 19 back into focus.
To whom does section 19 apply?
The obligation to report information which may be of assistance in the prevention, apprehension or prosecution of a “relevant offence” is wide ranging and applies to any “person”. As a result, both natural persons and corporate bodies can be held criminally liable for withholding information and not complying with their obligations under this section. In addition, where an offence is committed by a body corporate and the offence was orchestrated by, or was facilitated by the wilful neglect, of a director, manager, secretary or other officer of that body corporate, or any other person purporting to act in that capacity, that person will also be guilty of an offence.
What is a “relevant offence”?
A list of “relevant offences” is outlined in the schedule to the Criminal Justice Act 2011. These include a wide variety of offences in the areas of banking, investment funds and other financial activities, company law, money laundering and terrorism, theft and fraud, bribery and corruption, consumer protection, criminal damage to property and competition offences.
In addition, the Criminal Justice (Offences Relating to Information Systems) Act 2017 introduced five new cyber-fraud offences, all of which must be reported under section 19 of the Criminal Justice Act 2011.
These cyber-fraud offences include:
- Accessing an information system without lawful authority
- Interfering with an information system without lawful authority
- Interfering with data without lawful authority
- Intercepting the transmission of data without lawful authority
- Using a computer programme, password, code or data for any of the above
This means that corporates and regulated entities should not only consider their data protection or other regulatory requirements in response to an incidence of cyber crime, but also should whether any reporting obligations arise under section 19.
The reporting obligation also extends to knowledge in respect of aiding, abetting, counselling or procuring the commission of a prescribed relevant offence, as well as conspiring to commit, or inciting the commission of an offence.
To whom must the notification be made?
A notification may be made to any member of An Garda Síochána and is usually done in writing although verbal reports may be accepted as compliance with Section 19. More serious offences are usually reported directly to the Garda National Economic Crime Bureau, which has a team of specialist officers highly experienced in dealing with complex frauds.
What is the penalty for failing to make a notification?
The maximum penalty that can be imposed for failing to make a notification is an unlimited fine and imprisonment for up to 5 years or both.
This recent enforcement action by the Central Bank is a timely reminder of the importance of the reporting obligations under section 19 and in particular the significance placed on those obligations by the Central Bank. Corporate bodies and regulated entities should ensure that personnel are trained in their obligations under the section and that internal reporting mechanisms are in place to take account of the obligation in the context of any regulatory breach or as part of the entity’s incident management plan.
Also contributed to by Sean Kehoe
- Sweeney v Ireland  IESC 39
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.