Parliamentary Replies
Published Date: 05 July 2022

Reply to Parliamentary Question on recent interruption of digital banking services and customers affected

QUESTION NO 1912

NOTICE PAPER 1206 OF 2022

FOR WRITTEN ANSWER

Date: For Parliament Sitting on 5 July 2022

Name and Constituency of Member of Parliament

Dr Tan Wu Meng, MP, Jurong GRC

Question:

To ask the Prime Minister (a) how many banks regulated by MAS have recently experienced interruption of digital banking services and for how long; (b) how many customers are affected; (c) whether MAS has assessed the dependencies of financial institutions on third-party cloud computing networks, including the provision of digital banking services; and (d) what lessons have been drawn from the interruption of service.

Answer by Mr Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS:

1. Since July 2021, four major retail banks [Footnote: Citibank Singapore Limited, DBS Bank Limited, Oversea-Chinese Banking Corporation Limited, United Overseas Bank Limited.] have reported a total number of eight interruptions to their digital banking services. The incidents were mostly resolved within three hours. They affected on average about 12,000 customers, with the numbers ranging from 500 to 37,000. The longest interruption of 39 hours was experienced by DBS Bank from 23 to 25 November 2021, arising from a malfunction of the bank’s access control servers.

2. The root causes of these incidents lay mainly within the banks themselves - such as software misconfigurations, system malfunctions, and errors that were introduced when the banks were making system changes. One of the incidents was related to an outage in a third-party cloud service provider.  

3. MAS takes seriously all IT incidents that affect the availability of digital banking services. It requires banks to be able to recover systems supporting critical banking services such as fund transfers and payments services within four hours following any disruption. In addition, the total unscheduled downtime for each critical system must not exceed four hours within any 12-month period. MAS takes supervisory action when the banks breach these requirements. 

4. In the case of the prolonged interruption in DBS Bank’s digital banking services in November 2021, MAS directed the bank to appoint an independent expert to conduct a comprehensive review of the incident, including the bank’s controls and recovery actions and how a similar incident can be prevented in future. The bank has also been directed to rectify all shortcomings identified from the review and implement measures to ensure that any future disruption to its digital banking services is resolved quickly and adequately. MAS has required the bank to hold additional capital [Footnote: In February 2022, MAS has required DBS Bank to apply a multiplier of 1.5 times to its risk-weighted assets for operational risk. This translates to an additional amount of approximately S$930 million in regulatory capital (based on reported financial statements as at 30 September 2021). The additional capital requirement will be reviewed when MAS is satisfied that DBS Bank has addressed the identified shortcomings.] until all shortcomings identified from the review are satisfactorily rectified.

5. The recent incidents highlight the need for banks to continually review their IT resilience strategy, and ensure that there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure.  In addition, swift diagnosis and recovery of systems, coupled with robust business continuity management, are critical in minimising the impact of an IT disruption.

6. MAS has recently published a set of new Business Continuity Management Guidelines (BCMG) [Footnote: The revised BCMG was issued on 6 June 2022.] that set out measures that financial institutions can employ to sustain critical business services and to minimise service disruption. They include identifying the end-to-end dependencies across business processes, systems, manpower and other resources required to deliver critical business services, and addressing any gaps that could hinder the effective recovery of these services during an outage.

7. Globally, financial institutions are increasingly relying on third-party services such as public cloud computing. This increases financial institutions’ exposure to third-party risks. MAS has highlighted third-party risks as one of the key areas for financial institutions to focus on in both the BCMG and the Technology Risk Management Guidelines (TRMG). [Footnote: The revised TRMG was issued on 18 January 2021.]

8. MAS has been working closely with the industry, global financial regulators and leading service providers, on best practices to manage third-party risks. 

i. MAS has collaborated with The Association of Banks in Singapore (ABS) to issue guidelines on sound cloud computing practices [Footnote: The Association of Banks in Singapore, in collaboration with MAS and the industry, has published a Cloud Computing Implementation Guide in 2016, with a second revision in 2019.]. It has also issued an advisory on managing the risks of using public cloud computing services.

ii. MAS has been co-leading an international subgroup on cloud monitoring and identity and access management under the Bank for International Settlements (BIS).  

9. The technology landscape that banks operate in is becoming more complex. It is hence critical that banks continually maintain and uplift the security and resiliency of their IT systems so as to maintain stability and trust in the banking system.  MAS will continue to work closely with the industry in this regard.

***