The Central Bank has fined Appian Asset Management €443,000 after the company left a client open to a cyberfraud by a third party resulting in the loss of €650,000 of a client's funds.
While the client was fully reimbursed, the Central Bank said in a statement on Friday that it had reprimanded Dublin-based fund management company for “significant breaches across three regulatory regimes: client asset, anti-money laundering, and fitness and probity”.
The Central Bank added that “had it not been for the financial position of the firm, the Central Bank would have imposed a financial penalty of €825,000”.
“This is the first time the Central Bank has imposed a sanction on a firm where there has been a loss of client funds from cyberfraud as a direct result of the firm’s significant regulatory breaches and failures,” said Seána Cunningham, the Central Bank’s director of enforcement and anti-money laundering.
The victim of the fraud was an experienced businessperson who invested €1 million in two Appian managed sub-funds in March 2005, according to the Central Bank.
In April 2015, a cyberfraudster, having hacked a real client’s web-based email account, impersonated him in a protracted series of email correspondence with an Appian employee.
It ultimately resulted in the asset management firm acting on instructions from the fake client to liquidate €650,000 of the real client’s investments, with the funds ultimately ending up in the UK bank accounts controlled by the fraudster. This happened despite a series of red flags including the fact the redemption requests came less than two months after the real client had invested in the funds.
Serious deficiencies
“Appian’s failures in this case demonstrated serious deficiencies in its governance arrangements, risk management, compliance oversight, and systems of internal control,” Ms Cunningham said.
“These failings, combined with a culture in which clients’ instructions were given primacy over security and regulatory concerns, rendered the firm exposed to the cyberfraud that occurred. It placed client assets at heightened risk and that risk crystallised. The Central Bank views such fundamental failings as completely unacceptable.”
Over the course of the two-month period during which the fraud unfolded, Appian failed to submit fraud reports to the Garda or suspicious transaction reports to the Garda and the Revenue Commissioners, the Central Bank said.
In a statement, Appian said it discovered what had occurred and reported the matter to the Central Bank and the Garda, and replaced the funds in the client’s account.
Patrick Lawless, Appian’s chief executive, said: “We have apologised to the Central Bank of Ireland for this matter and accept the sanction imposed on the firm. Following this incident, Appian has remediated its failings, complied with the risk mitigation programme issued by the CBI, introduced new . . . policies and procedures, and introduced new controls in respect of the management of client assets.”
Recently filed accounts for the asset management company show it created a provision in 2016 in relation to the matter. Appian recorded a pre-tax profit of €425,900 for the year ended December 31st, 2017 on an income of €3.5 million.