Reply to Parliamentary Question on recent interruption of digital banking services and customers affected
QUESTION NO 1912
NOTICE PAPER 1206 OF 2022
FOR WRITTEN ANSWER
Date: For Parliament Sitting on 5 July 2022
Name and Constituency of Member of Parliament
Dr Tan Wu Meng, MP, Jurong GRC
To ask the Prime Minister (a) how many banks regulated by MAS have recently experienced interruption of digital banking services and for how long; (b) how many customers are affected; (c) whether MAS has assessed the dependencies of financial institutions on third-party cloud computing networks, including the provision of digital banking services; and (d) what lessons have been drawn from the interruption of service.
Answer by Mr Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS:
1. Since July 2021, four major retail banks
2. The root causes of these incidents lay mainly within the banks themselves - such as software misconfigurations, system malfunctions, and errors that were introduced when the banks were making system changes. One of the incidents was related to an outage in a third-party cloud service provider.
3. MAS takes seriously all IT incidents that affect the availability of digital banking services. It requires banks to be able to recover systems supporting critical banking services such as fund transfers and payments services within four hours following any disruption. In addition, the total unscheduled downtime for each critical system must not exceed four hours within any 12-month period. MAS takes supervisory action when the banks breach these requirements.
4. In the case of the prolonged interruption in DBS Bank’s digital banking services in November 2021, MAS directed the bank to appoint an independent expert to conduct a comprehensive review of the incident, including the bank’s controls and recovery actions and how a similar incident can be prevented in future. The bank has also been directed to rectify all shortcomings identified from the review and implement measures to ensure that any future disruption to its digital banking services is resolved quickly and adequately. MAS has required the bank to hold additional capital
5. The recent incidents highlight the need for banks to continually review their IT resilience strategy, and ensure that there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure. In addition, swift diagnosis and recovery of systems, coupled with robust business continuity management, are critical in minimising the impact of an IT disruption.
6. MAS has recently published a set of new Business Continuity Management Guidelines (BCMG)
7. Globally, financial institutions are increasingly relying on third-party services such as public cloud computing. This increases financial institutions’ exposure to third-party risks. MAS has highlighted third-party risks as one of the key areas for financial institutions to focus on in both the BCMG and the Technology Risk Management Guidelines (TRMG)
8. MAS has been working closely with the industry, global financial regulators and leading service providers, on best practices to manage third-party risks.
i. MAS has collaborated with The Association of Banks in Singapore (ABS) to issue guidelines on sound cloud computing practices
ii. MAS has been co-leading an international subgroup on cloud monitoring and identity and access management under the Bank for International Settlements (BIS).
9. The technology landscape that banks operate in is becoming more complex. It is hence critical that banks continually maintain and uplift the security and resiliency of their IT systems so as to maintain stability and trust in the banking system. MAS will continue to work closely with the industry in this regard.