05 September 2018
The Central Bank of Ireland (CBI) has for the first time imposed a sanction on a firm following a loss of client funds through cyber-fraud directly caused by significant regulatory breaches and failures by the firm.
The investigation arose following a cyber-fraud where, acting on the instructions of a fraudster impersonating a client, the firm facilitated a series of transactions resulting in the loss of €650,000 of the client’s funds.
The client had invested a sum with the firm. The cyber-fraudster, having compromised the client's web-based email account, impersonated him in a protracted series of email exchanges with an employee at the firm. The employee complied with instructions to liquidate a large portion of the client's investment and pay out the proceeds. On discovering the fraud, the firm reported it to the authorities and the client was fully reimbursed. The firm did not benefit from the cyber-fraud.
The cyber-fraud unfolded over a two-month period during which no one at the firm formed fraud, money laundering or terrorist financing suspicions or made appropriate reports to the relevant authorities. This was despite the fraudster's instructions containing many red flags for fraud and/or money laundering. These included:
The CBI identified breaches across three regulatory regimes (client asset, anti-money laundering, and fitness and probity), caused by serious deficiencies in the firm's governance arrangements, risk management, compliance oversight and systems of internal control. For example, the firm breached the Central Bank's Client Asset Requirements 2007 by failing to introduce adequate organisational arrangements to minimise the risk of loss of client assets as a result of fraud.
It committed four prescribed contraventions of the AML/CFT regime by:
In relation to fitness and probity, the firm breached s 21 of the Central Bank Reform Act 2010 by permitting the employee who dealt with the fraudster to perform two controlled functions without satisfying itself that he complied with the Fitness and Probity Standards 2014, and without securing his agreement to abide by those standards when it hired him or at any time thereafter. Senior management should have satisfied itself on reasonable grounds that he was competent and capable of performing the two controlled functions assigned to him. This required monitoring his competence and either educating him to the requisite standard or removing him from his controlled functions if he failed to meet that standard. The firm did neither.
The firm remediated its failings and complied with the risk mitigation programme issued by the Central Bank following the fraud. It introduced new client asset and AML/CFT policies and procedures, and also commissioned a review of its risk management framework.
The Central Bank imposed a fine of €443,000 for the regulatory breaches that caused the loss of client funds. In deciding on the penalty, the CBI took into account:
According to the Central Bank, it would have imposed a financial penalty of €825,000 had it not been for the financial position of the firm.