DBS rolls out plan to improve technology resiliency after repeated banking service disruptions in 2023

Customers will see "improved service reliability" when the plan is fully implemented, said DBS.

Winnie Li | November 02, 2023, 06:19 PM

DBS Bank has rolled out a roadmap to improve its technology resiliency after its banking services experienced repeated and prolonged outages in 2023, announced the bank in a press release on Nov. 1, 2023.

According to DBS, the roadmap encompasses both immediate and longer-term measures to strengthen its technology governance, people/leadership, systems, and processes.

Customers will see "improved service reliability" when the roadmap is completed, the bank added.

Roadmap to address weaknesses identified

According to DBS, the roadmap was formulated after a review by Accenture identified gaps and deficiencies in four main areas: technology risk governance and oversight, incident management, system resilience, and change management.

Accenture was appointed as an independent third party to carry out a root cause investigation of the Mar. 29 incident, during which customers were unable to access DBS and POSB ibanking apps as well as PayLah!.

The company was also tasked with conducting a comprehensive review of DBS' digital banking services, including its control processes and technology stack.

The findings of the Accenture review, which was completed in August 2023, were also corroborated against recent disruptions, including the Oct. 14 data centre incident and the Oct. 20 incident, where customers faced intermittent access to DBS PayLah!.

Summary of key actions taken

To address the areas of weakness identified, DBS said it is taking a series of actions with the goal of improving governance, people and leadership, as well as oversight and management of technology operations and incidents.

Below is a summary of key actions being taken:

Technology risk governance and oversight

DBS has established a new sub-committee under the Board Risk Management Committee, titled the BRMC Technology Risk Committee (BTRC).

The BTRC will provide "dedicated oversight" of technology risk and oversee the implementation of the remedial measures that the bank will carry out based on the findings by Accenture.

Separately, DBS has also transferred the Technology Risk Management team to the Risk Management Group, reporting to the Chief Risk Officer, to "enhance independent checks and balances".

Technology organisation leadership and management

From Nov. 1, DBS has split its technology and operations (T&O) function into two separate units to allow for dedicated management oversight of each, given the function's "increased complexity and scale".

Concurrently, the bank has made several leadership changes.

They include appointing a dedicated Group Head of Operations, and bringing in a technology veteran with 40 years of experience to be its new Head of Enterprise Architecture Site Reliability Engineering (EASRE).

Incident management

DBS added that it has commenced work to establish "clearer ownership and management" of incidents within the bank, as well as between the bank and its service providers and vendors.

The bank will also improve proactive problem management through active review of early warning indicators, identification of other possibly affected areas, and taking preventive actions.

Technology operations

Following the mandatory pause on non-essential IT activities imposed by the Monetary Authority of Singapore, DBS said that it can "single-mindedly focus on improving technology resiliency".

Improving system resilience & change management

According to DBS, in addition to the measures above, it is also in the process of strengthening system resilience and tightening processes around change management.

These improvements are expected to be fully implemented in 12 to 24 months as they are "more structural in nature", added the bank.

Specifically, a S$80 million special budget has been set aside to enhance system resiliency, said DBS' Chief Executive Officer Piyush Gupta.

With these changes, the bank said customers can expect "concrete improvements" in both service availability and service recovery in the coming months and over the longer term.

Service availability

DBS will introduce new service availability targets for three key digital banking services, namely balance enquiry, overseas payment, and domestic payments, in addition to complying with the regulatory requirements at a system level.

To meet regulatory requirements, banks in Singapore must ensure that each critical system can be recovered within four hours and that the unscheduled downtime for each critical system does not exceed four hours within any 12-month period.

Currently, the three key digital banking services outlined by DBS can be performed through different digital channels:

Screenshot via DBS

Should one of the services become temporarily unavailable on a particular digital channel, DBS will ensure the service is available on an alternative digital channel.

The bank also pledged to limit downtime where a service is completely unavailable across all digital channels.

It set a target of limiting such incidents to no more than an average of 1.5 hours per month over a three-month period.

DBS aims to deliver this commitment within the next six months and will improve on this front continuously, said the bank.

Service recovery

If any of the three services above experiences a disruption in the next six months, DBS will seek to recover them on either digibank online, digibank mobile, or PayLah! within three hours.

Its 24-month target is to improve recovery time to two hours or less, added the bank.

Background

DBS' roadmap was announced around the same time that the Monetary Authority of Singapore (MAS) announced it would impose a six-month pause on all non-essential IT changes at the bank.

This pause is imposed to ensure DBS will keep a "sharp focus" on restoring the resilience of its digital banking services, said MAS.

Concurrently, MAS had also barred the bank from acquiring new business ventures or reducing the size of its branch and ATM networks in Singapore during this period.

At the end of the six months, MAS will review the progress made by DBS on its remediation efforts.

According to MAS, it may extend the duration of the measures, vary the additional capital requirement currently imposed, or take further actions at that point.

Top image by Winnie Li/Mothership