2.5 million payments, ATM transactions failed in DBS, Citi disruptions on Oct 14
IN THE Oct 14 disruption to DBS and Citibank’s digital services, an estimated 810,000 attempts to access the digital platforms of both banks failed, and about 2.5 million payments and ATM transactions could not be completed, Minister of State for Trade and Industry Alvin Tan said in Parliament on Monday (Nov 6).
This was between Oct 14, 2.54 pm and Oct 15, 4.47 am, said Tan, who was fielding questions from Members of Parliament (MPs) about a recent spate of digital banking disruptions.
Asked if the Monetary Authority of Singapore’s (MAS) regulatory approach was sufficient to get banks to improve their digital resilience, Tan did not respond directly. He reiterated earlier regulatory moves and stressed that further measures would be taken if needed.
On Nov 1, MAS imposed restrictions on DBS after the local bank had five digital banking disruptions in the past eight months. Among other things, for six months, DBS can neither make non-essential IT changes, acquire new business ventures, nor reduce the number of its branches and size of its ATM network.
In Parliament, MPs asked if the restriction on new business acquisitions was effective if DBS did not have any acquisition plans to begin with. They also asked how MAS’ punishments compare to those of regimes overseas.
In response, Tan reiterated that the regulatory moves are meant to focus the bank’s attention on restoring the resilience of its digital banking services.
BT in your inbox
Start and end each day with the latest news stories and analyses delivered straight to your inbox.
This includes addressing four areas identified in a review by an independent external expert, concluded in August this year: technology risk governance and oversight; incident management; strengthening systems resilience; and change management.
“The review will take place, we will look at what the banks have put in place during this period, how they are remediating... and MAS will potentially impose more measures as necessary,” he said.
Another requirement, in place since May 2023, is for DBS to hold 1.8 times its risk weighted assets for operational risk. MPs asked if this additional regulatory capital requirement has had an impact on the bank, considering that it announced higher year-on-year profits on Monday.
Tan replied that this requirement does come with costs for the bank. “It increases the cost of capital and is a key metric that drives business decisions, such as dividends and investments. It is a drag on the return on capital, which could in turn impact credit ratings as well as the stock price of the bank,” he said.
He reiterated that MAS will further assess supervisory actions to be taken against Citibank after it concludes its investigations into the Oct 14 disruption.
The Oct 14 disruptions to Citibank and DBS’ digital services occurred when some data halls at an Equinix data centre overheated as a result of a technical issue.
Tan noted that DBS and Citibank also faced network misconfiguration issues and connectivity issues respectively, which prevented them from recovering their services within the four-hour timeframe expected of them by MAS.
“While both banks conducted annual exercises to test the recovery of the IT systems at the backup data centres, the specific issues that led to the delays in system recovery on Oct 14 did not surface during those tests,” he said.
Tan added that MAS will work with the industry to incorporate key learnings from the incident into the risk management controls at all banks. The learnings will also be incorporated into MAS’ future tech risk supervisory approach and be a key measure for the next financial sector business continuity exercise in 2024.
Asked if MAS would require banks to compensate customers directly for the disruptions, Tan replied that customers can hold banks accountable by shifting to other financial institutions’ services when they are disrupted.
MAS’ approach towards digitalisation is being “digital first, but not digital only”, he added.
“While our banking system is generally robust, customers, too, must plan and prepare for contingencies,” he said.
“Indeed, during the recent service disruption, customers who were able to switch to alternative payment methods or providers or use cash as a last resort, would have been less affected.”
Data centre regulation
On Monday, MPs also asked if there are plans to regulate the data centre industry to ensure their resiliency.
In written responses that evening to Parliamentary questions, Minister for Communications and Information Josephine Teo noted that there is existing regulation in place to ensure security and resilience of critical information infrastructure.
Such infrastructure may reside in data centres and are necessary for the provision of essential services in sectors such as government, infocomm, as well as banking and finance.
“With more of our economic activity moving online and the growing interconnectedness of our systems, the government recognises the need to further study our reliance on different components of digital infrastructure, the risks and impact of disruptions, and the need for more interventions,” she said.
Teo added that the government is studying how best to strengthen the security and resilience of data centres as a category of digital infrastructure with significant impact.
“This may include risk-calibrated regulation for data centres, taking reference from international standards and best practices,” she said.
Copyright SPH Media. All rights reserved.
