SINGAPORE: The impact of the DBS and Citibank services disruptions on Oct 14 affected about 2.5 million payments and ATM transactions, and another 810,000 attempts to access both banks’ digital banking platforms failed. This was revealed in Parliament by Minister of State for Trade and Industry Alvin Tan on Monday, Nov 6.
Minister of State Tan mentioned that the outages were due to a failure of the cooling system in the data centre that hosted both banks’ IT systems. This caused the temperature to rise above the optimal operating range, which shut down the banks’ IT systems.
Video credit: MCI Singapore
“To restore the impacted services, DBS and Citibank immediately activated their IT disaster recovery and business continuity plans. However, both banks encountered technical issues which prevented them from fully recovering their affected systems at their respective backup data centres,” said the Minister of State, who was answering parliamentary questions raised by members of parliament from various political parties and Nominated Member of Parliament.
MOS Tan explained that DBS and Citibank have ‘fallen short of the Monetary Authority of Singapore’s (MAS) requirements to ensure that their critical IT systems are resilient against prolonged disruptions’. He added that while both banks conducted annual exercises to test the recovery of their IT systems at the backup data centres, the specific issues that led to the delays in system recovery on Oct 14 did not surface during those tests.
“MAS’ requirements on banks’ business continuity, IT infrastructure resilience, and their outsourced services involving critical IT systems. MAS requires banks to establish IT disaster recovery plans and test them regularly. Banks must conduct disaster recovery exercises with their backup data centres to validate that critical systems and services can be restored within 4 hours of an outage. The unscheduled downtime for a critical system affecting a bank’s operations or service to customers must not exceed 4 hours within any 12-month period,” mentioned MOS Tan.
However, MOS Tan reminded that ‘no IT systems is infallible’ and that disruptions can occur for a variety of reasons and can happen without warning, as he added, “When they do occur (banking disruptions), MAS expects banks to take prompt steps to reduce inconvenience and costs to customers. This includes being proactive and transparent in updating affected customers on the status of service recovery and alternative services.”
As a result of the banking disruptions in Oct, MAS has paused DBS from making any non-essential IT changes, acquiring new business ventures, or reducing the size of its branch or ATM networks in Singapore for six months. This is to ensure that the bank focuses on restoring the resilience of its digital banking services.
In April this year, four key shortcomings – system resilience, incident management, change management, and technology risk governance and oversight – were identified after MAS directed DBS to engage an independent third party to review the bank’s digital banking services.
Following the independent review, DBS Bank has set out a ‘technology resiliency roadmap to address the shortcomings, improve system resilience, and better position the bank to meet future digital banking needs.’ MAS mentioned that it has reviewed DBS Bank’s remediation plan under the roadmap and is satisfied with its scope and the planned measures to improve system resilience.
“DBS must put in place immediate measures to ensure service reliability while it continues to invest in the longer-term efforts to bolster its operational resilience. We have imposed this six-month pause on the bank to give it the space to take the actions needed to maintain customer trust,” said Ho Hern Shin, Deputy Managing Director (Financial Supervision), MAS.