Oral reply to Parliamentary Questions on banking services disruption of DBS and Citibank on 14 October 2023
Date: For Parliament Sitting on 6 November 2023
Names and Constituencies of Members of Parliament
Mr Yip Hon Weng, MP for Yio Chu Kang SMC
Mr Desmond Choo, MP for Tampines GRC
Ms See Jinli Jean, NMP
Ms Poh Li San, MP for Sembawang GRC
Mr Ang Wei Neng, MP for West Coast GRC
Ms Jessica Tan Soon Neo, MP for East Coast GRC
Mr Leong Mun Wai, NCMP
Mr Chua Kheng Wee Louis, MP for Sengkang GRC
Mr Dennis Tan Lip Fong, MP for Hougang SMC
Dr Tan Wu Meng, MP for Jurong GRC
Mr Zhulkarnain Abdul Rahim, MP for Chua Chu Kang GRC
Mr Don Wee, MP for Chua Chu Kang GRC
Mr Yip Hon Weng: To ask the Deputy Prime Minister and Minister for Finance regarding the recent service outage by banks caused by data centre failures (a) whether MAS will have more oversight over the banks and mandate that there should be built-in redundancy systems to prevent outages at data centres; and (b) what are MAS’ plans to ensure similar situations do not occur in the future.
Mr Desmond Choo: To ask the Prime Minister (a) whether the recent digital banking disruptions by large local banks on 14 October 2023 are within MAS's expectations; (b) what has been the cost to consumers and business entities reliant on such banking services due to the recent disruptions; and (c) how will MAS ensure that consumers and business entities are given early warning of such service disruptions.
Ms See Jinli Jean: To ask the Deputy Prime Minister and Minister for Finance whether MAS will consider (i) imposing user-centric accountability measures on banks such as the requirement to publish service reliability reports of digital banking services and proactively engage customers on service recovery and alternative options during outages and (ii) requiring banks to compensate their banking customers who suffer financial losses due to outages.
Ms Poh Li San: To ask the Prime Minister with regard to the disruption to the digital banking services of DBS and Citibank on 14 October 2023 (a) whether MAS has any data on how many (i) customers and (ii) businesses have been affected; and (b) whether local banks are required to maintain robust levels of redundancy in critical banking infrastructure such as the data centre that is maintained by third-party service providers.
Mr Ang Wei Neng: To ask the Deputy Prime Minister and Minister for Finance (a) what lessons can be drawn from the recent disruptions to digital banking services of DBS and Citibank, in view that these occurred despite MAS’ tightened Business Continuity Management (BCM) guidelines for financial institutions to better manage such disruptions; (b) whether MAS will consider regulating data centre service providers that serve major financial institutions in Singapore; and (c) how does MAS plan to tighten the oversight of its BCM guidelines on financial institutions in Singapore.
Mr Desmond Choo: To ask the Prime Minister (a) how does Singapore's penalty framework on digital banking disruptions committed by financial institutions compare with other large financial centres overseas; and (b) how effective have the penalties been in improving such service reliability.
Ms Jessica Tan Soon Neo: To ask the Prime Minister with the greater reliance on digital services for payment and other financial services and in light of the impact on consumers due to recent disruption of banking services, whether MAS will be requiring financial institutions and their service providers to take further measures to strengthen the resilience and reliability of their digital services.
Mr Leong Mun Wai: To ask the Prime Minister (a) whether the Monetary Authority of Singapore (i) conducts regular inspections and off-site reviews of outsourced parties to handle critical IT and infrastructure systems for the domestic systemically important banks (D-SIBs) and (ii) assesses the impact of outsourcing on the resilience of D-SIBs' IT infrastructure; and (b) if not, why.
Mr Chua Kheng Wee Louis: To ask the Prime Minister whether the Government has put in place minimum redundancy requirements and monitors concentration risk in the use of data centres by key local financial institutions.
Mr Dennis Tan Lip Fong: To ask the Prime Minister in light of the recent disruption to banking digital services for DBS and Citibank on 14 October 2023 (a) what are the lessons which can be learned from the outage; and (b) whether the Government will be taking any action to ensure that similar disruptions will not recur or will be minimised in the future.
Dr Tan Wu Meng: To ask the Prime Minister (a) what were the root causes of the disruption to the digital banking services of DBS and Citibank on 14 October 2023; (b) how many customers were affected; (c) how long was the downtime; and (d) given the growing dependency of banks on data centre services, what is being done to ensure the reliability and resilience of banks’ operations given Singapore’s status as a financial centre.
Mr Zhulkarnain Abdul Rahim: To ask the Deputy Prime Minister and Minister for Finance in view that the recent disruptions of DBS and Citibank digital banking and payment services were reportedly caused by data centre failure, how does MAS plan to ensure that the banks’ IT infrastructure which are critical to banking operations have fail-safe and redundancy measures to meet with any surge in demand.
Mr Don Wee: To ask the Prime Minister regarding the recent technical issues disrupting the banking services of two Domestic Systemically Important Banks on 14 October 2023 (a) what are the reasons for having issues in information technology to continue to arise in the banking sector despite lessons from earlier incidents; and (b) what are the lessons that MAS has discovered from this outage.
Answer by Mr Alvin Tan, Minister of State, Ministry of Trade and Industry and Ministry of Culture, Community and Youth, and Board member of MAS, on behalf of Mr Lawrence Wong, Deputy Prime Minister and Minister for Finance, and Chairman of MAS:
1. Mr Speaker, Sir, may I have your permission to answer all the Parliamentary Questions 47 to 54 in today’s Order Paper, as well as the questions filed by Members Mr Yip Hon Weng, Mr Zhulkarnain Abdul Rahim, Dr Tan Wu Meng, Mr Don Wee and Mr Dennis Tan Lip Fong for subsequent Sittings relating to the banking services disruption of DBS and Citibank on 14 October 2023? If Members are satisfied with the response, they may wish to withdraw their questions after this session.
2. Let me start with the causes and impact of the disruption on 14 October 2023. DBS and Citibank experienced system outages in the mid-afternoon of 14 October 2023 which affected their banking and payment services. These outages were caused by a malfunction of the cooling system in the data centre hosting both DBS’ and Citibank’s IT systems. These IT systems support the delivery of retail and corporate banking services. The temperature in the data centre rose above the optimal operating range, causing the banks’ IT systems to shut down.
3. To restore the impacted services, DBS and Citibank immediately activated their IT disaster recovery and business continuity plans. However, both banks encountered technical issues which prevented them from fully recovering their affected systems at their respective back-up data centres: DBS due to a network misconfiguration and Citibank due to connectivity issues. Services at DBS and Citibank were progressively recovered from 8.21pm and 7.05pm respectively on 14 October, but only fully recovered in the early hours of 15 October.
4. The impact of the service outage was wide. Up to 810,000 attempts to access the digital banking platforms of both banks were estimated to have failed between 2.54pm on 14 Oct 2023 and 4.47am on 15 Oct 2023. Approximately 2.5 million payment and ATM transactions could not be completed. DBS reopened its branches from 5.30 pm to 9.30 pm on 14 October to assist affected customers. Both banks provided updates via social media platforms.
5. Let me now address MAS’ requirements on banks’ business continuity, IT infrastructure resilience, and their outsourced services involving critical IT systems. MAS requires banks to establish IT disaster recovery plans and test them regularly. Banks must conduct disaster recovery exercises with their back-up data centres to validate that critical systems and services can be restored within 4 hours of an outage. The unscheduled downtime for a critical system affecting a bank’s operations or service to customers must not exceed 4 hours within any 12-month period.
6. MAS does not oversee banks’ external service providers, which are typically not financial institutions. This is similar to the approach taken by regulators in major jurisdictions. The onus is on the banks to ensure that the external service providers they appoint to support their operations or service to customers can meet MAS’ requirements on operational resilience. MAS also requires banks to maintain close oversight of external service providers, so that they can deliver services with minimal disruptions.
7. DBS and Citibank have fallen short of MAS’ requirements to ensure that their critical IT systems are resilient against prolonged disruptions. While both banks conducted annual exercises to test the recovery of their IT systems at the back-up data centres, the specific issues that led to the delays in system recovery on 14 October did not surface during those tests.
8. I will now elaborate on the accountability and remediation measures taken to uphold the reliability and recoverability of banking services.
9. First, holding banks accountable. Under the Banking Act, MAS can impose a fine of up to $100,000 on financial institutions found in breach of MAS’ requirements on technology risk management. With the passing of the Financial Services and Markets Act in 2022, which will progressively come into force next year, this fine quantum will be increased to a maximum of $1 million. While the fine quantum is relatively lower compared to those imposed by financial regulators in countries such as the UK, it is consistent with existing local penalty regimes such as those under the Telecommunications Act and the Personal Data Protection Act.
10. Besides fines, MAS uses a range of regulatory tools to address lapses in banks’ risk management. This includes additional capital requirements and suspension of specified businesses or activities. In May 2023, in response to repeated outages, MAS imposed a multiplier of 1.8 times to DBS’ risk weighted assets for operational risk. This translated to approximately S$1.6 billion in total additional regulatory capital at the time. Holding additional regulatory capital comes with costs for the bank. It increases cost of capital, a key metric that drives business decisions such as dividends and investments. It is a drag on the return on capital which could in turn impact credit ratings and stock price of the bank.
11. Banks are also accountable to their customers, but matters of compensation are better dealt with between the bank and its customers as it would be highly dependent on individual circumstances. MAS expects banks to have a fair process to deal with this.
12. Second, remediation. MAS has instructed both DBS and Citibank to conduct thorough investigations into the root causes of the incidents that occurred on 14 October, put in place remediation measures to minimise future outages and strengthen their recoverability in the event of an outage. In addition, they are required to provide to MAS regular system availability reports relating to their critical systems. MAS will also work with the financial industry to incorporate key learnings from these incidents into all banks’ risk management controls, MAS’ future technology risk supervisory approach, and the next financial sector business continuity exercise scheduled for 2024.
13. MAS has adopted a tougher stance against DBS because it experienced five disruptions to its banking services in the last 8 months. This is unacceptable. As directed by MAS, DBS convened a Special Board Committee earlier this year to oversee a full review of its IT resilience by an independent external expert. The review has been completed and DBS has set out a technology resiliency roadmap to address the findings and improve system resilience.
14. To ensure that DBS keeps a sharp focus on restoring the resilience of its digital banking services, MAS has prohibited DBS from making any non-essential IT changes or acquiring any new business ventures for a six-month period. There must not be distractions that take away the needed resources and attention by the bank to strengthen its technology risk management systems and controls. MAS has also barred DBS from reducing the size of its branch and ATM networks in Singapore until MAS is satisfied with the progress of DBS’ remediation.
15. Another dimension of remediation has to do with data centres, which host the IT systems of not just the banks but also other critical sectors. The Government is studying how best to further strengthen the security and resilience of data centres where lapses could result in a significant impact.
16. Finally, contingency measures in the face of banking disruptions. No IT system is infallible. Disruptions can occur for a variety of reasons and can happen without warning. When they do occur, MAS expects banks to take prompt steps to reduce inconvenience and costs to customers. This includes being proactive and transparent in updating affected customers on the status of service recovery and alternative services.
17. While our banking system is generally robust, customers too must plan and prepare for contingencies. They can benefit from having alternative payment options and not be over-reliant on one provider for time-sensitive transactions. Indeed, during this recent service disruption, customers who were able to switch to alternative payment providers or use cash as a last resort would have been less affected.
18. The digitalisation of financial services has brought significant convenience to the public. While some disruption from time to time is unavoidable, we expect financial institutions to build capabilities to safely recover from any disruption within a reasonable time period. Where financial institutions fail to do so, as with this incident, MAS will work with them to thoroughly investigate the incident, apply lessons learnt in our supervisory oversight of the financial industry, and take necessary action to further strengthen the resilience of financial service delivery.