Bank of Ireland fined €24m for inadequate IT systems

How much would it have cost them to put adequate systems to ensure continuity in place, I wonder? €5m or €10m maybe?
 
RetirementPlan said:
How much would it have cost them to put adequate systems to ensure continuity in place, I wonder? €5m or €10m maybe?
Click to expand...
I seem to remember there was a lot of talk over the last year or so from BOI management about improving their technology. No smoke without fire clearly.

I'm sure KBC customers can't wait.
 
"IT flaws"? Management flaws more like. Business continuity planning is a pretty fundamental exercise in any professional organisation. You'd also have to wonder how it took so long to be picked up, who was receiving those third party reports?
 
RetirementPlan said:
How much would it have cost them to put adequate systems to ensure continuity in place, I wonder? €5m or €10m maybe?
Click to expand...
Probably £50+m, maybe more… €10m is chump change in this area. No doubt it was a deliberate decision and the savings must be very significant versus the potential fines.
 

it's not, it's an absolute bargain. In effect, and reading between the lines, BoI had totally inadequate IT Disaster Recovery processes, plans and procedures and thus it was another UB technology issue waiting to happen. Throw in the €3m they are having to repay to customers for failing to put the new authentication rules in place and on time and it suggests something has been very wrong with their IT management over the last number of years.
 
I'd echo your sentiments but I don't see criticism by the regulator of BoI's IT disaster recovery plans, which cover how to restore systems if they go down. It's their continuity plans, how BoI conducts its business while the IT disaster recovery operation is in progress. They're complementary, but fundamentally this isn't an IT issue, it's a basic management falling.
 
Last edited:
The Central Bank's press release makes very interesting reading, and contains a lot more factual information. (The press release is quite accessible when compared to many of CBI's press releases which are necessarily technical and dense reading).


In simple terms, there were five contraventions.
Contravention 1 contains failures in relation to both DR (Disaster Recovery) and BCP (Business Continuity Planning)
Contravention 4 relates to the failure to properly manage IT Outsourcing
Contraventions 2, 3 and 5 are Governance failures

The extent of the period that fine relates to (2008-2019) is horrific. The failure in relation to DR and BCP probably relates to the decrepit and dilapidate state of BOI's IT systems, years of underinvestment, poor IT management, treatment of IT as plumbing rather than understanding it's role as a substantial business enabler, asset and risk. These issues are well known inside and outside the bank. However the governance failures are the real worry. Reading these is like reading some of what emerged about Anglo under Fitzpatrick and Drumm.

This also shines a light on the curious timing of the CBI's issuing of the Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks which appeared out of nowhere in September 2016. I remember wondering at the time what unspoken fear or event had jerked the CBI into action on that front. Now we know !
 
MrEarl said:
Why did the CBI take so long to act on this?
Click to expand...
Your hitting a raw nerve here, based on the length's the CBI Press Release goes to to explain that it was nothing to do with them for most of the period in question (2008 when the issues were first raised internally in BOI to 30th November 2021 when the report was issued, a thirteen year span). To answer your question in brief:

2008-2015 - BOI kept its dirty laundry under wraps
2016-2017 - BOI conducted an internal investigation, which produced a report
2017 - BOI passed the report on to the ECB (It's prudential supervisor)
2018 - "Following consideration of the report, the ECB determined that these issues merited further investigation. The Central Bank’s investigation commenced following a referral by the ECB in August 2018"
2018-2021 - CBI took 40 months to investigate and finalise the matter.

So the CBI are only responsible for three and a half years of the thirteen year window.
 
Too Big To Fix...

There is not one bank across the world that does not suffer from IT issues, but the governance issues is the real shocking part in my opinion.
 
I can see why BOI are in such a hurry to return to private ownership and the normalisation of bonus payments...... Got to love banks.

BOI have a history of completely outsourcing their entire IT function going back to the early 2000's to HP and then IBM. It sounds like they completely outsourced their governance as well and just didn't care since the CBI is pulling them up on their failure to manage it.

BOI then outsourced a number of senior IT roles to Accenture in 2014/15 including the Head of Group Technology and Change. Doubt it is a co-incidence that this is when this came to light internally at a senior level.

Not having BCP's in place is completely unacceptable. By all accounts it wasn't just on the retail side either. They were heavily exposed on the wholesale side as well.

I presume none of the individuals identified are still involved in controlled functions but it would be good if the CBI confirmed this in their reports.
 
It would have been cheaper to have maintained the old paper system instead of making the system more efficient and laying off staff
 
As a graduate in the mid to late noughties I worked for a major Irish bank and I was shocked at how bad the systems were, it was a disaster waiting to happen. There were three separate systems and none of them spoke to each other. When I was being trained in, they had basically devised a jerry rigged way of inputting customer data where in order to get the different systems to line up you had to put the name in the phone number box and the phone number in the comment section and so on, thus making any future searching of the system pretty much impossible. If someone had an account using their first name and last name and then they opened a new account with their name including a middle initial it wouldn’t link the two together as one customer. As a naive grad I asked a manager why cant we fix this and was quickly told to shut up and stop causing trouble. Looks like it never got much better..
 
roker said:
It would have been cheaper to have maintained the old paper system instead of making the system more efficient and laying off staff
Click to expand...
It may well have been; https://www.thejournal.ie/bank-of-ireland-fine-2-5617844-Dec2021/

"Last year, BOI concluded that certain aspects of its digital transformation had “not matured sufficiently”, according to a note in the bank’s 2020 annual report.

As a consequence, BOI had to write off €136 million of the money spent on this process."
 
I don't get the logic behind giving discounts to penalty fines - you either did wrong and deserve to be fines, or you don't.
 
MrEarl said:
I don't get the logic behind giving discounts to penalty fines - you either did wrong and deserve to be fines, or you don't.
Click to expand...
It is to encourage the entity to co-operate.

Supervisors don't have police powers and rely to some extent on the entity becoming clean.
 
I was in a well know private hospital a couple of months ago and noted that every thing regarding patients details where on paper records and forms, and were filled in manual, to which I commented that they will not be hacked
 
You must log in or register to reply here.
Menu
Log in
Register