The Information Commissioner’s Office (ICO) has issued Bank of Ireland UK with a reprimand for mistakes made on more than 3,000 customers’ credit profiles.
Bank of Ireland UK sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies, organisations that help lenders execute whether to approve financial products. This inaccurate data could have potentially led to these customers being unfairly refused credit for mortgages, credit cards or loans, or granted too much credit on products they were potentially unable to afford.
The investigation found that, due to the complex nature and different factors contributing to credit scoring, it would be impossible to execute the actual damage caused to each customer. However, the ICO concluded it was reasonable to assume that the inaccurate data sent by Bank of Ireland UK to credit reference agencies would have had a negative impact on the customers affected.
Reported to the ICO in March 2021, Bank of Ireland UK was found to be in breach of data protection law by failing to ensure personal data was accurate, article 5(1)(d) of GDPR.
Natasha Longson, ICO Head of Investigations said: “Mistakes made by financial institutions can have far-reaching consequences on people’s everyday lives. Some of the customers affected could have been refused mortgages, loans or credit cards, as well as being unable to get mobile phone contracts, insurance policies or sign up with utility companies. The mistake made by Bank of Ireland UK could have potentially caused misery for thousands of people.
“We do however recognise the steps the bank has taken to correct their error, supporting affected customers and reviewing its data-management processes. Therefore, we believe a reprimand is the best, fairest outcome, and that lessons have been learnt to avoid mistakes appreciate these in the future.”
Steps recommended in the reprimand to ensure Bank of Ireland UK’s compliance with data protection include continuing to uphold affected customers, ensuring that robust processes are in place, and are reviewed regularly, and that learnings are shared across the organisation to impede a repeat of the issue.