DBS, Singapore’s largest lender, is also required to pause all non-essential IT changes for six months.
- DBS will not be allowed to reduce the size of its branch and ATM networks in Singapore for now, to ensure there are adequate alternative channels for customers in the event of further disruptions
- MAS says it is possible that disruptions may still occur while DBS takes up to 24 months to implement structural changes to improve the resilience of its digital banking services
- DBS chairman Peter Seah acknowledges that the bank has failed to live up to customers’ expectations, saying senior management will be held accountable and that this will be reflected in their compensation
SINGAPORE: The Monetary Authority of Singapore (MAS) has barred DBS from any acquisitions of new business ventures for six months, in response to the bank’s multiple service disruptions this year.
DBS, Singapore’s largest lender, is also required to pause non-essential IT changes for six months.
“This is to ensure that the bank dedicates the needed resources and attention to strengthen its technology risk management systems and controls,” MAS announced in a media release on Wednesday (Nov 1).
The bank will not be allowed to reduce the size of its branch and ATM networks in Singapore for now.
“This is to ensure there are adequate alternative channels for its customers in the event of further disruptions while the bank works to enhance the operational resilience of its digital channels,” said MAS.
“This direction will be in force until MAS is satisfied with the progress of DBS Bank’s remediation plan.”
DBS and Citibank’s digital banking and payment services were disrupted for hours on Oct 14 due to a technical issue with the cooling system at a data centre operated by Equinix.
DBS automated teller machines (ATMs) were also affected, prompting Singapore’s largest lender to reopen branches on a Saturday afternoon to assist customers.
MAS had ordered DBS and Citibank to conduct “a thorough investigation”, noting that the banks were not able to fully recover their systems within the required timeframe.
Any unscheduled downtime for a critical service affecting a bank’s operations or service to customers must not exceed four hours within any 12-month period.
Banks are required to have backup data centres and systems in place, MAS noted on Oct 19 in response to the outage.
ROADMAP TO ADDRESS ISSUES
The Oct 14 outage was among several DBS service disruptions this year.
In March, a day-long service outage hit online banking and payment platforms such as PayLah!, prompting MAS to issue a strongly worded statement saying the bank had “fallen short” of expectations due to the “unacceptable” disruption.
In May, digital banking services and ATMs were down due to “human error in coding the programme that was used for system maintenance”.
In the wake of the two successive service disruptions in the space of just over a month, MAS imposed additional capital requirements on DBS.
Following the March incident, MAS had also directed DBS to engage an independent third party to conduct a comprehensive review of the effectiveness and adequacy of the people, processes and technology supporting its digital banking services.
MAS noted on Wednesday that shortcomings were identified in system resilience, incident management, change management, as well as technology risk governance and oversight.
Following the independent review by consultancy firm Accenture, DBS had set out a roadmap to address the shortcomings.
“The roadmap is being implemented in phases, with the changes affecting its system architecture design taking more time to complete,” MAS said on Wednesday.
“MAS has reviewed DBS Bank’s remediation plan under the roadmap and is satisfied with its scope and the planned measures to improve system resilience,” it added.
“In line with MAS’ expectations, DBS Bank will hold senior management accountable for the lapses and the board will enhance its governance approach to oversee the implementation of the roadmap.”
MAS said DBS will take up to 24 months to put in place the planned structural changes to improve the resilience of its digital banking services.
“In the meantime, it is possible that disruptions may still occur. In such situations, MAS expects DBS Bank to promptly recover its services and communicate to its customers in a clear and timely manner,” it added.
The regulator will review the progress made by DBS on its remediation efforts at the end of six months.
“MAS may extend the duration of the measures, vary the additional capital requirement currently imposed, or take further actions at that point,” it added.
“In the meantime, MAS will retain the multiplier of 1.8 times to DBS Bank’s risk-weighted assets for operational risk, which was imposed after the March and May 2023 incidents.”
MAS previously hit the bank with capital requirements after its digital banking services were disrupted for two days in November 2021. At the time, MAS also ordered the bank to appoint an independent expert to conduct a “comprehensive review” of the incident.
The DBS board and management apologised on Wednesday for the series of digital disruptions this year and said that the bank is addressing the issues with “utmost priority”.
DBS chairman Peter Seah acknowledged that the bank has failed to live up to customers’ expectations.
“As an acknowledgement that the bank could have done better, senior management will be held accountable, and this will be reflected in their compensation,” he added.
Laying out details of the key measures it is taking, the bank pledged to improve service availability and service recovery in the coming months and more.
For instance, in the event of disruptions in the next six months to three key digital banking services – balance enquiry, overseas payments and domestic payments – DBS said it will aim to recover them on either digibank online, digibank mobile or PayLah! within three hours.
The bank’s 24-month target is to improve recovery time to two hours or less.
Apologising for the disruptions, DBS CEO Piyush Gupta said the bank will set aside a special budget of S$80 million (US$58 million) to enhance system resiliency.
“Our assurance to customers is that they can expect these actions to deliver concrete improvements in the near term and over time,” he added.