Finance firm fined for missing ‘red flags’ leading to cyber theft
A FINANCIAL management company which missed a series of ‘red flags’ that a client’s money was being siphoned off by a cyber fraudster has been hit with a €443,000 fine.
The Central Bank announced yesterday it had fined Appian Asset Management €443,000 for significant ‘breaches of regulations’ over the fraud.
The con took place after an experienced businessman invested €1million in two Appian-managed funds. A month later, a cyber fraudster hacked into the businessman’s email account and impersonated him over a lengthy series of emails.
The fraudster eventually instructed Appian to pay €650,000 of the businessman’s money into UK accounts controlled by the hacker.
The Central Bank said Appian missed a number of ‘red flags’ that should have indicated a fraud was taking place.
These included the fact that the money was taken out of the account only two months after it was first invested, even though the businessman had indicated he intended to hold the money with Appian for a long time.
Similarly, the signatures on some of the bogus transactions bore ‘questionable resemblance’ to the businessman’s real signature – which Appian had on file.
There were also a series of grammatical and spelling errors in the fraudster’s emails, which were not consistent with the businessman’s normal articulate correspondence. In addition, the fraudster’s UK bank returned one tranche of funds on three occasions to Appian because the fraudster had given Appian the incorrect account names twice and incorrect SWIFT details once.
The businessman has since been repaid, but despite reporting the theft to gardaí the money has not been recovered.
Appian chief executive Patrick Lawless said: ‘The cyber-security breach occurred outside of Appian but our failure to identify certain suspicious “red flags” allowed the hacker to succeed in the fraud.
‘We have apologised to the Central Bank of Ireland for this matter and accept the sanction imposed on the firm.’
The €443,000 fine is the first time the Central Bank has imposed a sanction on a firm where there has been a loss of client funds from cyber fraud as a direct result of the firm’s significant regulatory breaches and failures, it said.
The victim has not been named, but he has been repaid.
The Central Bank’s director of Enforcement and Anti-Money Laundering Seána Cunningham said it viewed Appian’s ‘fundamental failings as completely unacceptable’.
She added: ‘These failings, combined with a culture in which clients’ instructions were given primacy over security and regulatory concerns, rendered the firm exposed to the cyber fraud that occurred. It placed client assets at heightened risk and that risk crystallised.
‘The level of fine reflects the seriousness of Appian’s governance, operational, compliance and risk failures. It also reflects the importance the Central Bank places on investor protection.
‘Regulatory failures of this nature, especially where the failures result in financial losses to clients, will result in vigorous investigation and action by the Central Bank,’ she said.