Approximately 2,500,000 ATM & payment transactions could not be completed, and 810,000 attempts to access DBS and Citibank's digital banking platforms failed from Oct. 14, 2023 to Oct. 15, 2023, when both banks experienced system outages for over 12 hours.
About the outage
Speaking in Parliament on Nov. 6, 2023, Minister of State for Trade and Industry Alvin Tan shed light on the extent of the effect of the outages.
Multiple Members of Parliament (MPs) raised questions about the service disruptions and the government's plans on the issue.
Tan, who sits on the board of directors of the Monetary Authority of Singapore (MAS), said DBS and Citibank's outages occurred after the cooling system malfunctioned at Equinix, a data centre that hosted both banks' IT systems, specifically those that support retail and corporate banking services.
DBS and Citibank immediately activated their IT disaster recovery and business continuity plans, but both ran into technical issues which hindered their full recovery at their respective backup data centres.
The services of both banks failed from 2:54pm on Oct. 14. DBS experienced a network misconfiguration, whereas Citibank suffered connectivity issues.
Their services fully recovered at 4:47am the next day on Oct. 15.
The temperature at the data centre rose above the optimal operating range, causing the IT systems of both DBS and Citibank to shut down.
DBS and Citibank fell short of MAS' requirements
Tan said that during the outage, DBS and Citibank fell short of MAS' requirements to ensure that their critical IT systems are resilient against prolonged disruptions.
The unscheduled downtime for a critical system affecting a bank's operations or service to customers must not exceed four hours within any 12-month period.
MAS requires banks to establish their disaster recovery plans and to test these plans regularly by conducting disaster recovery exercises with their backup data centres to ensure that their critical systems and services can be restored within four hours of an outage.
While MAS does not oversee the banks' external service providers, it requires banks to maintain close oversight of the external service providers so that they can deliver their financial services with minimal disruptions.
The onus is on the banks to ensure that the external service providers they appoint to support the operations or service to customers can meet MAS' requirements on operational resilience.
Tan noted that while both banks conducted annual exercises to test their IT systems' recoveries at the backup data centres, the specific issues each bank faced that hindered their full recovery did not surface during those tests.
Holding banks accountable
Fines
Tan said banks must be held accountable to uphold the reliability and recoverability of banking services.
Financial institutions in breach of MAS' requirements on technology risk management can be fined up to S$100,000.
Tan said the fine quantum will be increased to a maximum of S$1 million in 2024. He added that this is consistent with existing local penalty regimes, such as those under the Telecommunications Act and the Personal Data Protection Act.
Regulatory tools
Financial institutions can also be held accountable through various regulatory tools, such as additional capital requirements and suspension of specified businesses or activities, to address lapses in their risk management.
Tan listed DBS as an example, where in May 2023, MAS imposed a multiplier of 1.8 times to DBS' risk-weighted assets for operational risk after the bank suffered repeated outages.
This translated to approximately S$1.6 billion in total additional regulatory capital at that time, Tan said.
Holding additional regulatory capital increases the cost and return of capital and, in turn, affects business decisions on dividends and investments and negatively impacts the bank's credit rating and stock price.
Compensation and remediation
On compensation, Tan said the bank and customers should deal with these matters as they are highly dependent on individual cases and individual circumstances.
He added: "MAS expects banks to have a fair process to deal with this."
In the meantime, Tan said MAS has instructed DBS and Citibank to conduct thorough investigations into the Oct. 14 outage's root causes.
MAS has also instructed both banks to put in remediation measures to minimise future disruptions and outages and to strengthen their recoverability in the event of an outage.
Both banks must provide MAS regular system availability reports on their critical systems.
MAS will also work with the financial industry to incorporate key learnings from these incidents into all banks' risk management controls, MAS' future technology risk supervisory approach, as well as the next financial sector business continuity exercise, which is scheduled for 2024.
Tougher stance taken against DBS
Tan said MAS has adopted a tougher stance against DBS because it has experienced five disruptions to its banking services within eight months, which he remarked was unacceptable.
MAS directed DBS to conduct a full review of its system resilience earlier in 2023.
To ensure that DBS keeps a sharp focus on restoring the resilience of its digital banking services, DBS has been barred from making any non-essential IT changes or acquiring any new business ventures for six months.
DBS is also barred from reducing the size of its branch and ATM networks in Singapore until MAS is satisfied with the progress of DBS' remediation.
Banks must act promptly to reduce inconvenience and costs to customers
Tan noted that while no IT system is infallible, MAS expects banks to take prompt action to reduce inconvenience and costs to customers.
This includes being proactive and transparent in updating affected customers on the status of service recovery and alternative services.
On the other hand, individuals must plan and prepare for contingencies by having alternative payment options and not being over-reliant on one provider for time-sensitive transactions.
Top image from downdetector website and by Mothership