MAS imposes higher capital charge on DBS for digital outages

• MAS orders DBS to set aside SGD 930 million ($692.5 million) more in regulatory capital over digital disruption
• DBS admits outage caused by a malfunctioning access server
• Major fines and controversies for the past 10 years

The Monetary Authority of Singapore (MAS) has penalised DBS for digital disruption and ordered the bank to apply a multiplier of 1.5 times to its risk-weighted assets for operational risk, equivalent to additional SGD 930 million ($692 million) in regulatory capital.

Marcus Lim, assistant managing director for banking and insurance at MAS said, “MAS requires financial institutions to have robust controls and processes to ensure the reliability and resilience of their IT systems and the continuous delivery of essential financial services to their customers. MAS will take appropriate supervisory action against any financial institution that falls short of our regulatory expectations”.

The outage is the worst for DBS since a severe system meltdown in 2010, when all consumer and business banking services were disrupted. Customers were unable to withdraw cash from ATMs or make payments at point-of-sale. This was the second extensive disruption of DBS’ digital services and the penalty imposed was four times higher than the amount imposed in 2010. At that time, MAS applied a 1.2-fold multiplier to DBS' operational risk-weighted assets, resulting in additional regulatory capital of approximately SGD 230 million ($171 million).

On 7 February, MAS imposed the additional regulatory capital as a penalty for the disruption of its digital banking services last November. The supervisory decision was made according to Notice 644 Technology Risk Management released on 21 June 2013. This notice was issued pursuant to section 55 of the Banking Act (Cap. 19) and applied to all banks in Singapore. It set out requirements for a high level of reliability, availability and recoverability of critical IT systems and for banks to implement IT controls to protect customer information from unauthorised access or disclosure.

Under MAS regulations, a bank shall ensure that the maximum unscheduled downtime for each critical system that affects the bank’s operations or service to its customers does not exceed a total of four  hours within any period of 12 months. The bank must notify the Authority as soon as possible, but not later than an hour, upon the discovery of a relevant incident.

DBS admits outage caused by a malfunctioning access server

Piyush Gupta, CEO of DBS confirmed that the problem was a malfunctioning access control server. “We have four of such servers for redundancy and one of them malfunctioned. We’ve had two sets of reviews done by experts but they have not been able to replicate the problem as to why that server malfunctioned. Nevertheless, we’ve learned a lot from the reviews, and it’s principally around our incident management and recovery process. It took us some time to figure out what the problem was and fix it. We could have done a lot better in recovery speed.”

MAS said an independent expert needs to be appointed to conduct a comprehensive review of the incident, including the bank’s recovery actions.

“We have another independent review going on right now to validate our system architecture, the fault tolerance of our system makeup, and overall protocols and processes. We will learn from that and continue to improve and make sure our recovery process in particular, is a lot more robust than they were,” Gupta said. 

On 23 November 2021, at around 10 am, DBS and POSB customers noticed that they couldn’t access the bank’s internet and mobile banking services. DBS services weren’t the only ones that were down. NETS was also affected. DBS declared at 8:15 am. on 24 November 2021 that all of its digital services have been restored as of 2 am. Unfortunately, it appeared that this was not the case for some people.

DBS amended the Facebook post on that same day, at about 10:50 am., to address the challenges with its digital offerings. The bank announced the full restoration of its digital banking services on its Facebook page at 10:35 pm. The bank promised to monitor the situation closely.

Shee Tse Koon, country head for Singapore, DBS, explained that the disruption was caused by faulty control access servers. These servers are part of the bank’s security system and handle the verification of log-in and payments through the use of one-time password (OTP), biometrics and authentication tokens.

Gupta assured that the bank has taken the matter seriously. “We apologise to our customers, who have a right to expect more from us. But hopefully we can put this behind us and be able to get to more robust performance as we go forward”.

DBS has conducted another independent review to validate its system architecture, the fault tolerance of its system makeup, and overall protocols and processes.

DBS’ major fines in the past 10 years

The two-day disruption revealed the deficiencies in the bank’s incident management and recovery procedures. DBS has been slapped with fines and have faced controversies in the past. In 2010, DBS suffered massive IT failure that took down its computer systems for seven hours. The outage knocked DBS’ back-end computer systems offline, leaving its customers unable to withdraw cash from ATM machines similar to what happened in November.

MAS has taken supervisory action against DBS for the service outage of its online and branch banking systems on 5 July 2010 which caused significant inconvenience to its customers. The penalty imposed on DBS by MAS for the disruption in July 2010 has been lifted but DBS has to satisfy the requirement to put up an extra capital as buffer against operational risks.

In 2012, unauthorised transactions at ATMs in Malaysia caused panic among customers. DBS Group has been hit by an unauthorised withdrawal of funds via ATMs in Malaysia between 4th and 5th of January 2012. At least 400 DBS and POSB customers were affected, with about SGD 400,000 ($293,000) were stolen.

In 2016, Singapore’s central bank shut down a second Swiss bank in the city-state and fined DBS and UBS in its biggest crackdown on alleged money-laundering activities connected with Malaysia’s scandal-tainted 1MDB fund. MAS ordered Zurich-based Falcon Private Bank’s Singapore branch to cease from operating because of “a persistent and severe lack of understanding” of Singapore’s money-laundering controls. It also accused Falcon’s senior management in Switzerland and Singapore of “improper conduct”. MAS imposed a SGD 1 million ($728,067) fine on DBS and SGD 1.3 million ($952,000) million on UBS for breaches in Singapore’s anti-money laundering law.

Fines meted out by MAS on other banks

MAS imposed an SGD 11.2 million ($8.33 million) fine on Swiss bank UBS after investigations showed that its advisers had deceived its clients or were engaged in acts that would deceive them. “These actions involved the spreads and/or interbank prices for transactions in over-the-counter (OTC) bonds and structured products,” MAS said.

Singapore’s central bank has fined Credit Suisse and UOB for breaches relating to the scandal-hit Malaysian sovereign wealth fund 1Malaysia Development Berhad (1MDB). MAS has imposed SGD 700,000 ($505,000) fine on Credit Suisse and SGD 900,000 ($649,000) penalty on UOB. The two banks were found to have breached several anti-money laundering requirements.

MAS has imposed a composition penalty of SGD 1 million ($743,718) on Bank J Safra Sarasin, Singapore Branch (BJS) for failing to comply with MAS' Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) requirements. Between March 2014 and September 2018, Bank J Safra Sarasin was found to have committed serious breaches of MAS requirements.