MAS Reprimands Oversea-Chinese Banking Corporation Limited for Failure of Its Online and Branch Banking Systems
Singapore, 31 October 2011...The Monetary Authority of Singapore (MAS) has reprimanded Oversea-Chinese Banking Corporation Limited (OCBC Bank) for the failure of the bank’s online and branch banking systems on 13 September 2011.
2 As required by MAS, OCBC Bank has presented its findings from its investigation into the causes of the breakdown. MAS’ supervisory action on OCBC Bank took into consideration the circumstances leading to the outage, extent of the outage, and the bank’s follow-up actions to recover its systems. We note that there was timely internal escalation of the outage and the bank took necessary actions following the outage to minimize inconvenience to customers. The bank recovered its systems and services within the four hour recovery time objective set out in MAS Internet Banking and Technology Risk Management (IBTRM) Guidelines. It also took adequate steps to ensure timely communication with its stakeholders.
3 However, from our review and analysis of the investigation reports, we established that the bank did not implement sufficient measures to address single point of failure in its system and network infrastructure. OCBC Bank had therefore failed to observe the Security Practices requirement set out in the MAS IBTRM Guidelines.
4 MAS has reprimanded OCBC Bank and directed it to:
a) conduct a thorough review of all critical host and network architectures as well as configurations to determine if there are any single point of failure or operational and functional fragility;
b) review the bank's monitoring system as well as processes and implement adequate monitoring of network devices; and
c) review all support and maintenance teams from vendors that are assigned to the bank to ensure that they have the requisite level of experience and skills to achieve the level of service or support criteria set by the bank.
5 Mr Lee Boon Ngiap, Assistant Managing Director, Banking and Insurance, MAS, said, “MAS expects financial institutions to be responsible and accountable in managing and controlling technology risks as well as implementing measures to ensure the resilience of their IT systems and infrastructure. We will not hesitate to take appropriate supervisory action against any financial institution which fails to meet the standards set out in the MAS IBTRM Guidelines.”