The Royal Monetary Authority of Bhutan has issued regulatory sanctions and supervisory directives to Bank of Bhutan Limited (BoBL) following an inspection into a customer incident that arose after a major technology overhaul. The RMA said the incident should not be treated as an isolated technology event or system failure, but as evidence of fundamental gaps in governance, risk oversight, internal controls and change management, including inadequate board and executive oversight of system migration risks. BoBL must commission an independent assessment to identify responsibility for oversight, execution and control failures, and the Board is directed to take proportionate disciplinary action. Immediate remediation is required for critical control failures, including transaction controls, monitoring and reconciliation, alongside a comprehensive review of affected customer accounts, restoration of access for customers not implicated in wrongdoing, compensation for direct and where applicable consequential losses, and strengthened customer redress. The bank must also conduct a comprehensive independent assessment, overseen by Druk Holding and Investments Limited (DHI), of its governance structures, IT systems, resourcing and vendor management, producing a time-bound remediation plan with assigned responsibilities. Monetary penalties include BTN 219,387,005 for failure to maintain a functional AML/CFT system and delays in filing Suspicious Transaction Reports under Section 7.3 of the AML/CFT Regulations 2025, and BTN 9,072,468.81 for failure to report systemic issues (including multiple equated monthly instalment debits) and unauthorised account reversals affecting customers; BoBL must also maintain 100% provisioning for an unrecovered BTN 149,033,895.07 and is barred from declaring or distributing dividends for 2025. With immediate effect and until further notice, BoBL is prohibited from changes, upgrades or platform migrations to critical IT systems until the RMA is satisfied that technical governance and risk mitigation protocols are sound, and it must provide advance notification of material system modifications. The RMA has also formally communicated with DHI, as BoBL’s majority shareholder, to ensure active oversight of compliance with the directives and to ensure a rigorous, independent assessment of the BoBL Board’s competency, fitness and propriety.
Royal Monetary Authority of Bhutan 2026-04-17
Royal Monetary Authority of Bhutan sanctions Bank of Bhutan with BTN 219,387,005 and BTN 9,072,468.81 penalties and restricts critical IT system changes
The Royal Monetary Authority of Bhutan has imposed sanctions and supervisory directives on Bank of Bhutan Limited after an inspection into a customer incident linked to a major technology overhaul, citing weaknesses in governance, risk oversight, internal controls and change management. The bank faces monetary penalties of BTN 228,459,473.81, must maintain 100% provisioning for an unrecovered BTN 149,033,895.07, is barred from 2025 dividends, and cannot change critical IT systems until governance and risk protocols are deemed sound. It must undertake independent assessments of governance and IT systems, remediate control failures, review and compensate affected customers, and is subject to enhanced oversight by Druk Holding and Investments Limited.