Tharman Shanmugaratnam, chairman of the Monetary Authority of Singapore (MAS), who is also senior minister and minister in charge of MAS in the Singapore government, responds in writing to parliamentary questions from two members of parliament. He was asked about the number of major banking disruptions of more than one hour, the number of banks involved and lessons learned from them in the last five years, including the recent DBS outage.
1. Mr Ang Wei Neng asked about major banking disruptions in the last five years and the lessons learned from these disruptions. Mr Desmond Choo raised a related question on DBS’ recent second major disruption to its digital banking services and asked how MAS has been working with the bank to identify and remedy its problems for the next Sitting. This response will cover the questions raised by both Mr Ang Wei Neng and Mr Desmond Choo.
2. There are seven domestic systemically important banks (D-SIBs) in Singapore serving the bulk of our retail banking customers. Disruptions to services provided by these banks can cause considerable inconvenience to the public. Since 2018, these seven banks have reported a total of 17 disruptions to their digital banking services that lasted more than one hour. The disruptions were mostly resolved within two to four hours. The root causes of these service disruptions are varied, ranging from lapses in managing system upgrades, to software bugs and misconfigurations, in digital banking systems as well as back-end systems and components.
3. MAS requires banks to make every effort to ensure that customers have a high degree of access to their digital banking services and to maintain business continuity when systems malfunction. This means banks must ensure that their relevant IT systems are robust, identify and remove single points of failure in their systems, put in place processes to promptly restore their systems following any IT disruption, and regularly validate the effectiveness of these processes.
4. When banks fall short of MAS’ expectations, they are required to identify the root cause of such lapses and take effective remedial actions.
5. MAS also assesses the adequacy of banks’ compliance with these requirements through regular on-site inspections and off-site reviews and any gaps are conveyed to the banks for immediate rectification. Relevant observations as well as lessons learnt from IT incidents are also shared through MAS advisories, regular dialogues and industry forums.
6. In the case of DBS, there were two major disruptions over a period of 16 months, the first in November 2021 and the latest one in March 2023. Following the November 2021 incident, MAS directed DBS to appoint an independent expert to conduct a comprehensive review of the incident. The expert had conducted a thorough assessment of DBS’ digital banking system resilience and the effectiveness and speed of its recovery actions.
7. DBS has since undertaken measures to mitigate the identified gaps. The bank has committed to enhance the resilience of its digital banking system. It is focused on enhancing its access control architecture, by building in more redundancy, monitoring its key system components more closely and improving its system restoration processes. DBS has also committed to strengthen its in-house technical expertise to facilitate faster response to system issues. DBS was to complete the validation of these remediation actions, and report its progress to MAS by July 2023.
8. Despite these ongoing efforts, there was another prolonged and widespread disruption to DBS’ digital banking services on 29 March 2023. In early April 2023, MAS directed DBS to conduct a fundamental assessment of the effectiveness and adequacy of the people, processes, and technology supporting its digital banking services. DBS has since established a Special Independent Board Committee to oversee the investigation by qualified independent experts. While the cause of the March 2023 incident appears to be software bugs that are unrelated to the issues leading to the November 2021 disruption, the Special Independent Board Committee is overseeing a thorough investigation to determine if there are common underlying weaknesses that prevented a prompt recovery in both incidents. MAS will take the necessary supervisory actions against DBS following the completion of the independent review.
9. Given the growing scale and complexity of banks’ IT systems, we can nevertheless expect brief disruptions from time to time. When these disruptions do occur, banks must quickly identify the problem, swiftly restore access to their services, and communicate effectively, clearly and transparently to affected customers. MAS will continue to work closely with the industry to ensure the resilience of banks’ IT infrastructure to maintain stability and trust in the banking system.
Re-disseminated by The Asian Banker