Recent Interruption of Digital Banking Services and Affected Customers
Prime Minister's Office
Summary
This question concerns the frequency and impact of digital banking interruptions and the oversight of third-party cloud dependencies, as raised by Dr Tan Wu Meng. Senior Minister Tharman Shanmugaratnam stated that four major retail banks reported eight interruptions since July 2021, affecting an average of 12,000 customers per incident due to internal malfunctions or software errors. He highlighted MAS’s requirement for banks to recover critical services within four hours and noted supervisory actions taken against DBS Bank, including a mandate for additional capital reserves. The Senior Minister also detailed the introduction of new Business Continuity Management Guidelines to address end-to-end dependencies and risks from third-party cloud services. Finally, MAS is working with global regulators and the industry to establish best practices for cloud monitoring and technology risk management to ensure banking stability.
Transcript
2 Dr Tan Wu Meng asked the Prime Minister (a) how many banks regulated by MAS have recently experienced interruption of digital banking services and for how long; (b) how many customers are affected; (c) whether MAS has assessed the dependencies of financial institutions on third-party cloud computing networks, including the provision of digital banking services; and (d) what lessons have been drawn from the interruption of service.
Mr Tharman Shanmugaratnam (for the Prime Minister): Since July 2021, four major retail banks[1] have reported a total number of eight interruptions to their digital banking services. The incidents were mostly resolved within three hours. They affected, on average, about 12,000 customers, with the numbers ranging from 500 to 37,000. The longest interruption of 39 hours was experienced by DBS Bank from 23 to 25 November 2021, arising from a malfunction of the bank's access control servers.
The root causes of these incidents lay mainly within the banks themselves, such as software misconfigurations, system malfunctions and errors that were introduced when the banks were making system changes. One of the incidents was related to an outage in a third-party cloud service provider.
MAS takes seriously all IT incidents that affect the availability of digital banking services. It requires banks to be able to recover systems supporting critical banking services, such as fund transfers and payments services, within four hours following any disruption. In addition, the total unscheduled downtime for each critical system must not exceed four hours within any 12-month period. MAS takes supervisory action when the banks breach these requirements.
In the case of the prolonged interruption in DBS Bank's digital banking services in November 2021, MAS directed the bank to appoint an independent expert to conduct a comprehensive review of the incident, including the bank's controls and recovery actions and how a similar incident can be prevented in future. The bank has also been directed to rectify all shortcomings identified from the review and implement measures to ensure that any future disruption to its digital banking services is resolved quickly and adequately. MAS has required the bank to hold additional capital[2] until all shortcomings identified from the review are satisfactorily rectified.
The recent incidents highlight the need for banks to continually review their IT resilience strategy and ensure that there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure. In addition, swift diagnosis and recovery of systems, coupled with robust business continuity management, are critical in minimising the impact of an IT disruption.
MAS has recently published a set of new Business Continuity Management Guidelines (BCMG)[3] that set out measures that financial institutions can employ to sustain critical business services and to minimise service disruption. They include identifying the end-to-end dependencies across business processes, systems, manpower and other resources required to deliver critical business services and addressing any gaps that could hinder the effective recovery of these services during an outage.
Globally, financial institutions are increasingly relying on third-party services, such as public cloud computing. This increases financial institutions' exposure to third-party risks. MAS has highlighted third-party risks as one of the key areas for financial institutions to focus on in both BCMG and the Technology Risk Management Guidelines (TRMG)[4].
MAS has been working closely with the industry, global financial regulators and leading service providers on best practices to manage third-party risks.
One, MAS has collaborated with the Association of Banks in Singapore (ABS) to issue guidelines on sound cloud computing practices[5]. It has also issued an advisory on managing the risks of using public cloud computing services.
Two, MAS has been co-leading an international subgroup on cloud monitoring and identity and access management under the Bank for International Settlements (BIS).
The technology landscape that banks operate in is becoming more complex. It is, hence, critical that banks continually maintain and uplift the security and resiliency of their IT systems so as to maintain stability and trust in the banking system. MAS will continue to work closely with the industry in this regard.