knowledge | 5 July 2018 |
Central Bank Imposes First Cyber-Fraud Sanction
The Central Bank of Ireland (“CBI”) has for the first time imposed a sanction on a firm following a loss of client funds through cyber-fraud directly caused by significant regulatory breaches and failures by the firm.
The investigation arose following a cyber-fraud where, acting on the instructions of a fraudster impersonating a client, the firm facilitated a series of transactions resulting in the loss of €650,000 of the client’s funds.
The client had invested a sum with the firm. The cyber-fraudster having hacked the client’s web based email account, impersonated him in a protracted series of email correspondence with an employee at the firm. The employee complied with directions to liquidate a large portion of the client’s investment and pay out the proceeds. On discovering the fraud, the firm reported it to the authorities and the client was fully reimbursed. The firm did not benefit from the cyber-fraud.
The cyber-fraud unfolded over a two month period during which no one at the firm formed fraud, money laundering or terrorist financing suspicions or made appropriate reports to the relevant authorities. This was despite the fraudster’s instructions including the many red flags for fraud and/or money laundering. These included:
- Redemption requests which were inconsistent with the client’s expressed investment strategy
- Inconsistencies between the fraudster’s instructions and the client’s profile and financial disclosure
- Funds returned because of incorrect account details
- Requests that payments be split into smaller amounts to avoid UK banking controls
- The fraudster changing his own profile/payment instructions during his engagements with the firm.
The CBI identified breaches across three regulatory regimes: client asset, anti-money laundering, and fitness and probity caused by serious deficiencies in the firm’s governance arrangements, risk management, compliance oversight, and systems of internal control. For example, the firm breached the Central Bank’s Client Asset Requirements 2007 by failing to introduce adequate organisational arrangements to minimise the risk of loss of client assets as a result of fraud.
It committed four prescribed contraventions of the AML/CFT regime by:
- Failing to monitor and scrutinise client transactions
- Failing to adopt policies and procedures to prevent and detect the commission of money laundering and terrorist financing
- Failing to report suspicious transactions
- Failing to ensure staff were instructed on AML/CFT-related law and provided with ongoing training.
In relation to fitness and probity, the firm breached s21 of the Central Bank Reform Act 2010 by permitting the employee dealing with the fraudster to perform two controlled functions without satisfying itself that he complied with the Fitness and Probity Standards 2014 and without securing his agreement to abide by those standards when it hired him or thereafter. Senior management should have satisfied itself on reasonable grounds he was competent and capable to perform the two controlled functions it assigned him. This necessitated monitoring his competence and educating him to the requisite standard or removing him from his controlled functions if he failed to meet that standard. The firm did neither.
The firm remediated its failings, and complied with the Risk Mitigation Programme issued by the Central Bank following the fraud. They introduced new client asset and AML/CFT policies and procedures. The firm was also commissioned a review of its risk management framework.
Penalty Decision Factors
The Central Bank imposed a fine of €443,000 for the regulatory breaches causing the loss of client funds. In deciding on penalty the CBI took into account:
- The seriousness of the breaches
- The long duration of the breaches (varying in length between one and five years)
- The need to impose an effective and dissuasive sanction on regulated entities
- The firm’s co-operation during the investigation and in settling at an early stage in the CBI’s Administrative Sanction Procedure.
According to the Central Bank, it would have imposed a financial penalty of €825,000 had it not been for the financial position of the firm.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.