SINGAPORE: The Monetary Authority of Singapore (MAS) has barred DBS from any new business acquisitions for six months, in response to the bank’s multiple service disruptions this year.
DBS, Singapore’s largest lender, is also required to pause non-essential IT changes for six months.
“This is to ensure that the bank dedicates the needed resources and attention to strengthen its technology risk management systems and controls,” MAS announced in a media release on Wednesday (Nov 1).
The bank will not be allowed to reduce the size of its branch and ATM networks in Singapore for now.
“This is to ensure there are adequate alternative channels for its customers in the event of further disruptions while the bank works to enhance the operational resilience of its digital channels,” said MAS.
“This direction will be in force until MAS is satisfied with the progress of DBS Bank’s remediation plan.”
DBS and Citibank’s digital banking and payment services were disrupted for hours on Oct 14 due to a technical issue with the cooling system at a data centre operated by Equinix.
DBS automated teller machines (ATMs) were also affected, prompting Singapore’s largest lender to reopen branches on a Saturday afternoon to assist customers.
MAS had ordered DBS and Citibank to conduct “a thorough investigation”, noting that the banks were not able to fully recover their systems within the required timeframe.
Any unscheduled downtime for a critical service affecting a bank’s operations or service to customers must not exceed four hours within any 12-month period.
Banks are required to have backup data centres and systems in place, MAS noted on Oct 19 in response to the outage.
MULTIPLE DISRUPTIONS
The Oct 14 outage was among several DBS service disruptions this year.
In March, a day-long service outage hit online banking and payment platforms such as PayLah!, prompting MAS to issue a strongly-worded statement saying the bank had “fallen short” of expectations due to the “unacceptable” disruption.
In May, digital banking services and ATMs were down due to “human error in coding the programme that was used for system maintenance”.
In the wake of the two successive service disruptions in the space of just over a month, MAS imposed additional capital requirements on DBS.
Following the March incident, MAS had also directed DBS Bank to engage an independent third party to conduct a comprehensive review of the effectiveness and adequacy of the people, processes and technology supporting its digital banking services.
MAS noted on Wednesday that shortcomings were identified in system resilience, incident management, change management, as well as technology risk governance and oversight.
Following the independent review, DBS had set out a roadmap to address the shortcomings.
“The roadmap is being implemented in phases, with the changes affecting its system architecture design taking more time to complete,” MAS said on Wednesday.
“MAS has reviewed DBS Bank’s remediation plan under the roadmap and is satisfied with its scope and the planned measures to improve system resilience,” it added.
“In line with MAS’ expectations, DBS Bank will hold senior management accountable for the lapses and the board will enhance its governance approach to oversee the implementation of the roadmap.”
POSSIBLE DISRUPTIONS
MAS said it will review the progress made by DBS on its remediation efforts at the end of six months.
“MAS may extend the duration of the measures, vary the additional capital requirement currently imposed, or take further actions at that point,” it added.
“In the meantime, MAS will retain the multiplier of 1.8 times to DBS Bank’s risk-weighted assets for operational risk, which was imposed after the March and May 2023 incidents.”
The regulator said DBS will take up to 24 months to put in place the planned structural changes to improve the resilience of its digital banking services.
“In the meantime, it is possible that disruptions may still occur. In such situations, MAS expects DBS Bank to promptly recover its services and communicate to its customers in a clear and timely manner,” it added.
MAS previously hit the bank with capital requirements after its digital banking services were disrupted for two days in November 2021. At the time, MAS also ordered the bank to appoint an independent expert to conduct a “comprehensive review” of the incident.