The Financial Supervisory Authority (FIN-FSA) has imposed a combined penalty payment of EUR 7,670,000 on S-Bank Plc for omissions in the bank’s operational risk management, said FIN-FSA in a press release on Friday.
The FIN-FSA also issued a public warning to S-Bank Plc for omissions regarding strong customer authentication and the payer consent required for executing payment transactions.
The omissions related to a programming error was in S-Bank Plc’s IT system between 20 April 2022 and 5 August 2022.
The omissions in operational risk management were omissions in information system security and in effective incident management procedures.
The bank also did not have adequate policies and processes for identifying, assessing and managing operational risks in these areas.
Furthermore, in regard to these areas, the bank was not adequately prepared for the realisation of risks pertaining to outsourcing.
The omissions were revealed in an inspection performed by the FIN-FSA in 2022–2023 and in a programming error investigation by the FIN-FSA. The inspection aimed to ascertain whether the management of the bank’s ICT and information security risks was appropriately organised.
“The importance of digital security in banking services is pronounced in Finland, as customer service has moved almost entirely to mobile and online banking. The geopolitical situation highlights the importance of digital services management in supervised entities. The supervision of ICT, cyber and outsourcing risks remains an operational priority for the FIN-FSA in 2025,” said FIN-FSA Director General Tero Kurenmaa.
The FIN-FSA’s decision is not yet legally binding. S-Bank Plc has the right to appeal the decision to the Helsinki Administrative Court within 30 days of receipt of notice of the decision.
Meanwhile, S-Bank said that the penalties concern an exceptional and very difficult-to-detect malfunction generated in a software update of S-Bank’s system provider in 2022.
Suspected criminals exploited the system malfunction, which resulted in financial losses to a small number of S-Bank’s customers, said the bank in a press release on Friday.
The system malfunction was corrected as soon as it was detected. S-Bank has compensated all direct damage caused to customers. The Financial Supervisory Authority’s decision will have no impact on S-Bank’s customers.
S-Bank has cooperated closely with the authorities to investigate the case and has implemented comprehensive measures to prevent a similar occurrence, which the Financial Supervisory Authority has taken into account in its decision.
S-Bank is improving its operating practices and risk management continuously to ensure the security of its services in the changing operating environment.
S-Bank takes the Financial Supervisory Authority’s decision seriously but considers the penalty payment to be severe.
S-Bank will examine the Financial Supervisory Authority’s decision and will consider possible further action.
- S-Bank
- Fined
- €7.7m
Source: www.dailyfinland.fi
