Oral Answer

Costs, Lessons and Further Safeguards Arising from Recent Disruptions to Digital Banking Services

Summary

This question concerns the 14 October 2023 digital banking disruptions at DBS and Citibank, with Members of Parliament inquiring about the causes, consumer impact, and the adequacy of the Monetary Authority of Singapore's (MAS) regulatory framework. Minister of State for Trade and Industry Mr Alvin Tan explained that the outages stemmed from a data center cooling malfunction and technical failures during recovery, affecting millions of transactions. He detailed MAS’s supervisory actions, including imposing a 1.8 times capital multiplier on DBS, a six-month ban on non-essential IT changes and new acquisitions, and a freeze on reducing physical banking touchpoints. The Minister of State highlighted that while maximum fines will increase to $1 million under the Financial Services and Markets Act, the primary responsibility for third-party service provider resilience remains with the banks. He concluded that the government is studying ways to strengthen data center resilience and encouraged consumers to maintain alternative payment methods to mitigate the impact of unavoidable technology failures.

Transcript

47 Mr Desmond Choo asked the Prime Minister (a) whether the recent digital banking disruptions by large local banks on 14 October 2023 are within MAS' expectations; (b) what has been the cost to consumers and business entities reliant on such banking services due to the recent disruptions; and (c) how will MAS ensure that consumers and business entities are given early warning of such service disruptions.

48 Ms See Jinli Jean asked the Prime Minister whether MAS will consider (i) imposing user-centric accountability measures on banks such as the requirement to publish service reliability reports of digital banking services and proactively engage customers on service recovery and alternative options during outages and (ii) requiring banks to compensate their banking customers who suffer financial losses due to outages.

49 Ms Poh Li San asked the Prime Minister with regard to the disruption to the digital banking services of DBS and Citibank on 14 October 2023 (a) whether MAS has any data on how many (i) customers and (ii) businesses have been affected; and (b) whether local banks are required to maintain robust levels of redundancy in critical banking infrastructure such as the data centre that is maintained by third-party service providers.

50 Mr Ang Wei Neng asked the Prime Minister (a) what lessons can be drawn from the recent disruptions to digital banking services of DBS and Citibank, in view that these occurred despite MAS' tightened Business Continuity Management (BCM) guidelines for financial institutions to better manage such disruptions; (b) whether MAS will consider regulating data centre service providers that serve major financial institutions in Singapore; and (c) how does MAS plan to tighten the oversight of its BCM guidelines on financial institutions in Singapore.

51 Mr Leong Mun Wai asked the Prime Minister (a) whether the Monetary Authority of Singapore (i) conducts regular inspections and off-site reviews of outsourced parties to handle critical IT and infrastructure systems for the domestic systemically important banks (D-SIBs) and (ii) assesses the impact of outsourcing on the resilience of D-SIBs' IT infrastructure; and (b) if not, why.

52 Mr Desmond Choo asked the Prime Minister (a) how does Singapore's penalty framework on digital banking disruptions committed by financial institutions compare with other large financial centers overseas; and (b) how effective have the penalties been in improving such service reliability.

53 Ms Jessica Tan Soon Neo asked the Prime Minister with the greater reliance on digital services for payment and other financial services and in light of the impact on consumers due to recent disruption of banking services, whether MAS will be requiring financial institutions and their service providers to take further measures to strengthen the resilience and reliability of their digital services.

54 Mr Chua Kheng Wee Louis asked the Prime Minister whether the Government has put in place minimum redundancy requirements and monitors concentration risk in the use of data centres by key local financial institutions.

The Minister of State for Trade and Industry (Mr Alvin Tan) (for the Prime Minister): Sir, may I have your permission to answer all the Parliamentary Question (PQ) nos 47 to 54 in today's Order Paper, as well as the questions filed by Members for subsequent Sittings relating to the banking services disruption of DBS and Citibank on 14 October 2023?

Mr Speaker: Please proceed.

Mr Alvin Tan: Thank you, Sir. If Members are satisfied with the response, they may wish to withdraw their questions after my response.

Let me start with the causes and impact of the disruption on Saturday, 14 October 2023. DBS and Citibank experienced system outages in the mid-afternoon of 14 October 2023, which affected their banking as well as their payment services. These outages were caused by a malfunction of the cooling system in the data centre hosting both DBS' and Citibank's IT systems. These IT systems support the delivery of retail and corporate banking services. The temperature in the data centre rose above the optimal operating range, causing the banks' IT systems to shut down.

To restore the impacted services, DBS and Citibank immediately activated their IT disaster recovery and business continuity plans. However, both banks encountered technical issues which prevented them from fully recovering their affected systems at their respective back-up data centres: DBS due to a network misconfiguration and Citibank due to connectivity issues. Services at DBS and Citibank were progressively recovered from 8.21 pm and 7.05 pm respectively on 14 October, but only fully recovered in the early hours of 15 October.

The impact of the service outage was wide. Up to 810,000 attempts to access the digital banking platforms of both banks were estimated to have failed between 2.54 pm on 14 October 2023 and 4.47 am on 15 October 2023. Approximately 2.5 million payment and ATM transactions could not be completed. DBS reopened its branches from 5.30 pm to 9.30 pm on 14 October to assist affected customers. Both banks provided updates via their social media platforms.

Let me now address the Monetary Authority of Singapore (MAS)'s requirements on: one, banks' business continuity; two, IT infrastructure resilience; three, their outsourced services involving critical IT systems. MAS requires banks to establish IT disaster recovery plans and to test these plans regularly. Banks must conduct disaster recovery exercises with their back-up data centres to validate that critical systems and services can be restored within four hours of an outage. The unscheduled downtime for a critical system affecting a bank's operations or service to customers must not exceed four hours within any 12-month period.

MAS does not oversee banks' external service providers, which are typically not financial institutions. This is similar to the approach taken by regulators in other major jurisdictions. The onus is on the banks to ensure that the external service providers they appoint to support their operations or service to customers, can meet MAS' requirements on operational resilience. MAS also requires banks to maintain close oversight of the external service providers, so that they can deliver services with minimal disruptions.

DBS and Citibank have fallen short of MAS' requirements to ensure that their critical IT systems are resilient against prolonged disruptions. While both banks conducted annual exercises to test the recovery of their IT systems at the back-up data centres, the specific issues that led to the delays in system recovery on 14 October did not surface during those tests.

I will now elaborate on the accountability and remediation measures taken to uphold the reliability and recoverability of banking services.

First, accountability and holding banks accountable. Under the Banking Act, MAS can impose a fine of up to $100,000 on financial institutions found in breach of MAS' requirements on technology risk management. With the passing of the Financial Services and Markets Act in 2022, which will progressively come into force next year, the fine quantum will be increased to a maximum of $1 million. The fine quantum is consistent with existing local penalty regimes, such as those under the Telecommunications Act and the Personal Data Protection Act.

Besides fines, MAS uses a range of regulatory tools to address lapses in banks' risk management. This includes additional capital requirements and suspension of specified businesses or activities. In May 2023, in response to repeated outages, MAS imposed a multiplier of 1.8 times to DBS' risk weighted assets for operational risk. This translated to approximately S$1.6 billion in total additional regulatory capital at the time. Holding additional regulatory capital comes with costs for the bank. It increases the cost of capital and it is a key metric that drives business decisions such as dividends and investments. It is a drag on the return on capital, which could in turn impact credit ratings as well as the stock price of the bank.

Banks are also accountable to their customers, but matters of compensation are better dealt with between the bank and its customers as it would be highly dependent on individual cases and circumstances. MAS expects banks to have a fair process to deal with this.

Second, remediation. MAS has instructed both DBS and Citibank to conduct thorough investigations into the root causes of the incidents that occurred on 14 October, as well as to put in place remediation measures to minimise future disruptions and outages and to strengthen their recoverability in the event of an outage. In addition, the banks are required to provide to MAS, regular system availability reports relating to their critical systems. MAS will also work with the financial industry to incorporate key learnings from these incidents into all banks' risk management controls, MAS' future technology risk supervisory approach as well as the next financial sector business continuity exercise, which is scheduled for 2024.

MAS has adopted a tougher stance against DBS because it experienced five disruptions to its banking services in the last eight months. This is unacceptable. As directed by MAS, DBS convened a Special Board Committee earlier this year to oversee a full review of its IT resilience by an independent external expert. The review was completed in August and DBS has set out a technology resiliency roadmap to address the findings and to improve system resilience.

To ensure that DBS keeps a sharp focus on restoring the resilience of its digital banking services, MAS has prohibited DBS from making any non-essential IT changes or acquiring any new business ventures for a six-month period. There must not be any distractions that take away the needed resources and attention by the bank to strengthen its technology risk management systems and controls. MAS has also barred DBS from reducing the size of its branch and ATM networks in Singapore until MAS is satisfied with the progress of DBS' remediation.

Another dimension of remediation has to do with data centres, which host the IT systems of not just the banks but also other critical sectors. The Government is studying ways to further strengthen the security and resilience of data centres, where lapses could result in a significant impact.

Finally, contingency. Contingency measures in the face of banking disruptions are key. No IT system is infallible. Disruptions can occur for a variety of reasons and can happen without warning. When they do occur, MAS expects banks to take prompt action to reduce inconvenience and costs to customers. This includes being proactive and transparent in updating affected customers on the status of service recovery and alternative services.

While our banking system is generally robust, customers too must plan and prepare for contingencies. They can benefit from having alternative payment options and not be over-reliant on one provider for time-sensitive transactions. Indeed, during the recent service disruption, customers who were able to switch to alternative payment methods or providers or use cash as a last resort would have been less affected.

Mr Speaker, the digitalisation of financial services has brought significant conveniences to the public. While some disruption from time to time is unavoidable, we expect financial institutions to build and strengthen their capabilities to safely recover from any disruption within a reasonable time period. Where financial institutions fail to do so, as with this incident, MAS will work with them to thoroughly investigate the incident, apply lessons learnt in our supervisory oversight of the financial industry and take necessary action to further strengthen the resilience of financial service delivery.

Mr Speaker: Mr Desmond Choo.

Mr Desmond Choo (Tampines): Mr Speaker, I have two clarifications for Minister of State Tan. I want to thank the Minister of State for reassuring us that there is a good plan laid out to strengthen our banking system.

The first supplementary question is, over the last eight months as the Minister of State had pointed out, there were different parts of the digital banking system that have failed. Is the regulatory regime sufficiently tough enough of a deterrence to get the bank to focus its attention on strengthening the system? Because quite certainly, the non-essential items that were proposed, for example, merger and acquisitions (M&As) really depends on whether they have any in the pipeline. If they do not, then this will be nothing short of a slap on the wrist. How do these punishments compare to what we have in regimes overseas?

The second one is, through the course of the last eight months, there were various breakdowns. Certainly, DBS would have the system to warn consumers and users of the banking system, that there was a possible disruption and they should prepare for alternative ways of conducting business. Because many consumers were caught out – some of them were in restaurants, some of them were running their businesses. But they were not warned of these until they had to start to pay. Nowadays, we get alerts quite frequently using the app or SMSes. Is this something the MAS will get DBS to consider?

Mr Alvin Tan: Sir, I thank the Member for his supplementary questions. First of all, I want to reiterate that: one, the banks have fallen short of MAS' requirements and expectations; two, that the outages and the length of time that are required to restore services are unacceptable; and three, the banks and the financial institutions involved are being held accountable. How so? First, I mentioned earlier on that DBS is required to hold regulatory capital. Members will know that this will be at great cost to the bank, as I had mentioned earlier on.

Second, there are also other measures. The bank, or DBS in this case, is not allowed to make any IT changes and also to involve themselves in any acquisitions, and the third, is that they are not to decrease the number of physical ATMs and branches.

If you look at these as a whole, there is an impact on the banks in terms of regulatory capital that is costly to the bank – that is one. Second, in the whole suite of measures, this is meant to allow for them to focus all of their attention into this – that they have the time, attention and resources to focus on this.

The third aspect of it, is to slow down the reduction of the number of ATMs and branches is also critical. Because while we want to be digital-first, in our approach to digitalisation, we cannot be digital-only. And therefore, all of these measures are, we think, at this point in time commensurate, but we will review them.

If the banks' response and mediation measures are not adequate, MAS will take further necessary actions to ensure that that is so.

Mr Speaker: Mr Ang Wei Neng.

Mr Ang Wei Neng (West Coast): Thank you, Speaker. I thank the Minister of State Tan for the very comprehensive reply. First, I would like to congratulate DBS for making record profit in the first half of this year, at more than $5 billion, which is a 45% rise compared to the same period in the previous year.

However, we note that DBS' IT and banking system has continued to have a lot of disruptions, despite the additional measures imposed by MAS, including the increase in capital requirement. So, that does not have a big impact on them. I would like to ask the Minister of State, will MAS consider asking banks with these sort of disruptions to compensate directly to the bank customer, as that may have more impact than what MAS has imposed?

Mr Alvin Tan: I thank Mr Ang Wei Neng for his supplementary questions. As I mentioned earlier on, the banks are and will be held accountable. First, through MAS' actions – which I mentioned and went into detail on – how imposition of regulatory capital will impact the banks; in addition, it will be a drag on the return of capital, it could impact their credit ratings and it could impact their stock price. That is one.

DBS, on its own, also has acknowledged that the bank had fallen short of expectations and that senior management will be held accountable. This is in line with MAS' expectation for incentive structure, the bank's incentive structure to promote accountability. The bank will reflect this in its year-end compensation process.

So, all of these in concert is meant to send a very strong message that this is unacceptable and that we are holding banks accountable. But it does not stop there.

The review will take place. We will look at what the banks have put in place during this period, how they are remediating, how they are fixing, how they are restoring this and, if necessary, we will have more – MAS will impose, potentially, more measures as necessary.

Thirdly, consumers also will hold banks accountable. If I am unable to pay using one of the financial services providers, then I go to the other one; and if I lose confidence in one, I go to the other one.

So, I think number one, MAS will and is holding the banks accountable; two, the bank is holding itself accountable; and three, consumers can also hold the financial institutions accountable.

Mr Speaker: Ms Jessica Tan.

Ms Jessica Tan Soon Neo (East Coast): Thank you, Mr Speaker. I just have one clarification for Minister of State. He mentioned in his reply that the two banks had done their testing – they had the plans, they had done their testing. But despite the testing, which was done annually, these errors did still occur and these errors were impactful to users.

So, is there a need to review the kind of testings and the requirements for the reporting of those testings, or further measures to be taken to ensure reliability?

I must thank the Minister of State for the earlier reply also, because I thought it was quite comprehensive. But it still requires the banks to adhere and also to ensure that the level of adherence is done.

Mr Alvin Tan: Sir, I thank Ms Jessica Tan for her question. I think she raises a very important point. Let me take this in some detail.

First, DBS' review; second, Citibank's review and then what MAS expects of all financial institutions, learning particularly from this incident, but also learning from the disruptions by financial institutions over the course of the last year or so.

First, DBS' review, which was completed just a couple of months ago in 2023, has four pillars: first, technology risks, governance and oversight; second, incident management; third, how do you strengthen your system's resilience; and fourth, change management. So, DBS is undertaking this and they will look into this in detail.

Second, for Citibank, MAS will assess the supervisory actions to be taken against Citibank following the conclusions of the investigations in the 14 October incident.

But if you take a step back and look at the whole financial system as a whole, MAS expects all financial institutions to implement the adequate risk controls. MAS will work with financial industry to incorporate the key learnings from this incident into all banks' risk management controls and include it into the MAS' future tech supervisory approach and also discuss it and it will be a key measure for the next financial sector business continuity exercise in 2024.

But Mr Speaker, Sir, if you allow me to just take one step back and to answer the Member's question also.

We will accept that all forms of technology are not infallible. They will fail from time to time. They are not foolproof. They are not watertight. You see that happen in your smartphones; you see that in laptops; you also see that in your light bulbs.

Our approach to digitalisation is being digital first but not digital only.

Recently, when I had a dinner, I was unable to pay using my credit card that was not available to me. However, then I had to use my PayNow, for example.

So, on a whole level, if you look at it, the service providers, the systems need to be accountable, they need to do their part. Consumers themselves also have agencies. All of us also have agencies. We can make sure that we have contingency, the different ways to pay. But, ultimately, I think it is important that in the age of digitalisation both financial institutions as well as consumers – have to be aware that some people may not be adept at technology. And the banks and financial institutions and, in fact, companies, service providers must acknowledge that and must be able to provide other forms of payment approaches, so that others who are not so adept can still participate in the economy.

Mr Speaker: Mr Yip Hon Weng.

Mr Yip Hon Weng (Yio Chu Kang): Thank you, Mr Speaker. I thank the Minister of State for his response. I note that MAS does not oversee external service providers like data centres. But I am heartened to note that the Government will study strengthening the security of data centres.

My supplementary question is this: will MAS consider working with the Ministry of Communications and Information (MCI) and, perhaps, even the Cyber Security Agency (CSA) for a whole-of-Government approach to ensure that for data centres, there are built-in redundancy systems as well as robust plans to deter cyber attacks?

Mr Alvin Tan: Sir, I thank Mr Yip for his supplementary questions. The short answer to that is yes.

Please let me explain why MAS does not require banks to operate their own data centres. Because not all banks possess the relevant expertise and the skills to do so. Therefore, banks are given the option to tap on data centre operators' specialised know-how as well as the state-of-the-art data centre technologies. But, of course, as I mentioned earlier on, these things fail from time to time and, even if they have their exercises and their testing, some other parts of the system may fail. And, therefore, the lessons learnt will be incorporated into reviews and as well as exercises.

To the Member's point about the whole-of-Government's approach to data centres, because it is not just confined to the financial services, the questions about the regulation of data centres have been addressed in response to Parliamentary Questions in this House. As we know, data centres serve multiple industries, not just the financial sector, MAS will, indeed, work with the relevant authorities on the Government's policy over data centre reliance.

But let me also assure Members that although MAS does not directly regulate data centres, MAS expects all financial institutions to implement adequate risk controls to ensure data centre resilience such as conducting a threat and vulnerability risk assessment to identify potential vulnerabilities and weaknesses and the protection that they should establish to safeguard data centres against physical and environmental threats.

Financial institutions are also expected to conduct due diligence and exercise adequate oversight of outsourced data centre service providers. These expectations are spelt out in MAS' Technology Risk Management Guidelines and Outsourcing Guidelines.

Mr Speaker: I see three more Members wanting to ask supplementary questions and I am conscious that Question Time is coming to an end. So, to all three, I will allow it and, likewise, for Minister of State Tan, if you can all keep your questions and your answers short. Ms Jean See.

Ms See Jinli Jean (Nominated Member): Yes. I thank the Minister of State. For the consumers who were affected, the assurance that consumers would want is reliability of service. So, I do understand that Minister of State mentioned about a review that the MAS will be taking. Could we understand what will be the steps that MAS is looking into, to ensure that consumers' voices are heard in the review and that their assurance is actually reflected in the metrics of the review?

Mr Alvin Tan: Sir, the short answer is, we will do so.

Mr Speaker: Mr Don Wee.

Mr Don Wee (Chua Chu Kang): Thank you, Speaker. Many average Singaporeans and small and medium enterprises (SMEs), especially the smaller merchants like hawkers do not have spare cash and maintain only one operating account with a particular Singaporean bank. Neither do they have the means to seek legal recourse against the bank for the loss of business opportunities as well as the inconvenience caused. So, my question to MAS is, how does MAS decide when to impose a moratorium on new business venture or to impose a higher regulatory capital or to impose a larger network of ATMs?

Mr Alvin Tan: Sir, I can understand the Member's concerns and I share those concerns as well. I mentioned that earlier on with regard to how we are and must be digital first but not digital only.

To Ms Jean's point also, for customers who incurred late charges due to the outage, DBS and Citibank will waive these charges.

To Mr Don Wee's question, in fact, I had already explained that the point of restricting some of these activities, either acquisitions or reduce the scale-back of ATMs and branches and restricting the IT changes, these are all meant for this particular period for the bank, for DBS, to focus on remediating and fixing the issues that led to 14 October and, in fact, other issues that have related to the multiple disruptions over the course of a year.

Mr Speaker: Mr Leong Mun Wai, did you want to ask a question? No, okay.

Any other supplementary questions for the Minister of State? If not, Mr Lim Biow Chuan.

Mr Lim Biow Chuan (Mountbatten): Question No 55, Sir.