There have been eight digital banking service interruptions at four major banks in Singapore since July 2021, said Senior Minister Tharman Shanmugaratnam on Tuesday (Jul 5).
The incidents at Citibank, DBS, OCBC and UOB were mostly resolved within three hours, and affected between 500 and 37,000 customers, said Mr Tharman in a written parliamentary answer.
“The root causes of these incidents lay mainly within the banks themselves – such as software misconfigurations, system malfunctions, and errors that were introduced when the banks were making system changes,” said Mr Tharman, adding that one incident was related to an outage at a third-party cloud service provider.
DBS had the longest interruption of 39 hours from Nov 23 to Nov 25 last year due to a malfunction of the bank’s access control servers.
MAS’ MEASURES AGAINST INTERRUPTIONS
Mr Tharman said that the Monetary Authority of Singapore (MAS) “takes seriously” all IT incidents that affect the availability of digital banking services.
“It requires banks to be able to recover systems supporting critical banking services such as fund transfers and payments services within four hours following any disruption.”
The total unscheduled downtime for each critical system must also not exceed four hours within any 12-month period. The authority takes supervisory action when the banks breach these requirements, said Mr Tharman.
In February 2022, MAS said it had ordered DBS to appoint an independent expert to conduct a “comprehensive review” of the incident, including the bank’s recovery actions.
The review also required DBS to assess how a similar incident could be prevented in future, said MAS then.
The bank was directed to rectify all shortcomings identified from the review and implement measures to ensure that any future disruption to its digital banking services is resolved quickly and adequately.
MAS also required the bank to hold additional capital until all shortcomings identified in the review are rectified.
“The recent incidents highlight the need for banks to continually review their IT resilience strategy, and ensure that there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure,” said Mr Tharman on Tuesday.
“In addition, swift diagnosis and recovery of systems, coupled with robust business continuity management, are critical in minimising the impact of an IT disruption.”
Mr Tharman noted that MAS has published a set of new business continuity management guidelines setting out measures that financial institutions can employ to sustain critical business services and to minimise service disruption.
Such measures include identifying the end-to-end dependencies across business processes, systems, manpower and other resources required to deliver critical business services, and addressing any gaps that could hinder the effective recovery of these services during an outage.
Mr Tharman said that the monetary authority has highlighted third-party risks such as public cloud computing services as a key area for financial institutions to focus on.
The MAS has been working closely with the industry, global financial regulators and leading service providers, including the Association of Banks in Singapore and the Bank for International Settlements, on the best practices to manage third-party risks.
“The technology landscape that banks operate in is becoming more complex. It is hence critical that banks continually maintain and uplift the security and resiliency of their IT systems so as to maintain stability and trust in the banking system,” Mr Tharman said.
“MAS will continue to work closely with the industry in this regard.”