Response to parliamentary question on the recent disruption of digital banking services and the customers affected

QUESTION NO. 1912

NOTICE 1206 OF 2022

FOR WRITTEN RESPONSE

Date: For Parliament sitting on July 5, 2022

Member’s name and constituency

Dr. Tan Wu Meng, MP, Jurong RCMP

Question:

Ask the Prime Minister (a) how many MAS-regulated banks have recently experienced digital banking disruption and for how long; b) how many customers are affected; c) whether MAS has assessed financial institutions’ dependencies on third-party cloud computing networks, including the provision of digital banking services; and (d) what lessons have been learned from the service disruption.

Response from Mr. Tharman Shanmugaratnam, Minister of State and Minister in charge of MAS:

1. Since July 2021, four major retail banksCitibank Singapore Limited, DBS Bank Limited, Oversea-Chinese Banking Corporation Limited, United Overseas Bank Limited. reported a total of eight interruptions to their digital banking services. Most incidents were resolved within three hours. They affected an average of around 12,000 customers, with numbers ranging from 500 to 37,000. bank access.

2. The root causes of these incidents lay mostly within the banks themselves – such as incorrect software configurations, system malfunctions, and errors introduced when the banks made changes to the system. One of the incidents was related to an outage at a third-party cloud service provider.

3. MAS takes all IT incidents that affect the availability of digital banking services seriously. It requires banks to be able to recover systems supporting critical banking services such as funds transfers and payment services within four hours of any disruption. Additionally, the total unscheduled downtime of each critical system must not exceed four hours in any 12 month period. MAS takes supervisory action when banks do not comply with these requirements.

4. In the event of DBS Bank’s extended digital banking disruption in November 2021, MAS ordered the bank to appoint an independent expert to carry out a full review of the incident, including checks and recovery actions. the bank and how a similar incident can be avoided. in the future. The bank has also been instructed to correct any shortcomings identified during the review and to implement measures to ensure that any future disruptions to its digital banking services are resolved quickly and adequately. MAS demanded that the bank hold additional capitalIn February 2022, MAS required DBS Bank to apply a 1.5x multiplier to its risk-weighted assets for operational risk. This translates into an additional amount of approximately S$930 million in regulatory capital (based on published financial statements as of September 30, 2021). The additional capital requirement will be reviewed once MAS is satisfied that DBS Bank has addressed the deficiencies identified. until all deficiencies identified during the review are satisfactorily corrected.

5. Recent incidents highlight the need for banks to continually review their IT resiliency strategy and ensure there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure. In addition, rapid system diagnosis and recovery, coupled with robust business continuity management, are critical to minimizing the impact of an IT disruption.

6. MAS recently released a set of new Business Continuity Management Guidelines (BCMG)The revised BCMG was published on June 6, 2022. which set out measures that financial institutions can use to maintain essential business services and minimize service disruptions. They include identifying end-to-end dependencies between business processes, systems, labor, and other resources needed to deliver critical business services, and resolving any gaps that may impede effective recovery. of these services during an outage.

seven. Globally, financial institutions are increasingly relying on third-party services such as public cloud computing. This increases financial institutions’ exposure to third-party risk. MAS has highlighted third party risk as one of the key areas for financial institutions to focus on in both the BCMG and the Technology Risk Management Guidelines (TRMG)The revised TRMG was released on January 18, 2021..

8. MAS works closely with industry, global financial regulators and major service providers, on best practices for managing third party risk.

I. MAS collaborated with the Association of Banks of Singapore (ABS) to publish guidelines on cloud computing best practicesThe Singapore Banking Association, in collaboration with MAS and the industry, published a Cloud Computing Implementation Guide in 2016, with a second revision in 2019. . It has also published an opinion on risk management related to the use of public cloud computing services.

ii. MAS co-leads an international subgroup on cloud monitoring and identity and access management within the Bank for International Settlements (BIS).

9. The technological landscape in which banks operate is becoming increasingly complex. It is therefore essential that banks maintain and continuously improve the security and resilience of their IT systems in order to maintain stability and confidence in the banking system. MAS will continue to work closely with industry in this regard.

***