Singapore’s central bank bars DBS bank from new takeovers for 6 months, after repeated banking service disruptions

DBS and Citibank’s digital banking and payment services were disrupted for hours on October 14 due to a technical issue with the cooling system at a data centre.

DBS automated teller machines were also affected, prompting Singapore’s largest lender to reopen branches on a Saturday afternoon to assist customers.

The data centre provider, Equinix, said on October 16 an issue with the chilled water system had occurred during a planned system upgrade. It resulted in raised temperatures in some of the halls at the facility, affecting equipment and customer operations.

The MAS had ordered DBS and Citibank to conduct “a thorough investigation”, noting that the banks were not able to fully recover their systems within the required time frame.

Any unscheduled downtime for a critical service affecting a bank’s operations or service to customers must not exceed four hours within any 12-month period.

Banks are required to have backup data centres and systems in place, MAS noted on October 19 in response to the outage.

Multiple disruptions

The October 14 outage was among several DBS service disruptions this year.

In March, a day-long service outage hit online banking and payment platforms such as PayLah!, prompting MAS to issue a strongly-worded statement saying the bank had “fallen short” of expectations due to the “unacceptable” disruption.

Singapore’s Lawrence Wong succeeds Tharman at central bank, GIC wealth fund

In May, digital banking services and ATMs were down due to “human error in coding the programme that was used for system maintenance”.

In the wake of the two successive service disruptions in the space of just over a month, MAS imposed additional capital requirements on DBS.

Following the March incident, MAS had also directed DBS Bank to engage an independent third party to conduct a comprehensive review of the effectiveness and adequacy of the people, processes and technology supporting its digital banking services.

MAS noted on Wednesday that shortcomings were identified in system resilience, incident management, change management, as well as technology risk governance and oversight.

Following the independent review, DBS had set out a road map to address the shortcomings.

“The road map is being implemented in phases, with the changes affecting its system architecture design taking more time to complete,” MAS said on Wednesday.

“MAS has reviewed DBS Bank’s remediation plan under the road map and is satisfied with its scope and the planned measures to improve system resilience,” it added.

“In line with MAS’ expectations, DBS Bank will hold senior management accountable for the lapses and the board will enhance its governance approach to oversee the implementation of the road map.”

Possible disruptions

The MAS said it would review the progress made by DBS on its remediation efforts at the end of six months.

“MAS may extend the duration of the measures, vary the additional capital requirement currently imposed, or take further actions at that point,” it added.

“In the meantime, MAS will retain the multiplier of 1.8 times to DBS Bank’s risk-weighted assets for operational risk, which was imposed after the March and May 2023 incidents.”

The regulator said DBS will take up to 24 months to put in place the planned structural changes to improve the resilience of its digital banking services.

“In the meantime, it is possible that disruptions may still occur. In such situations, MAS expects DBS Bank to promptly recover its services and communicate to its customers in a clear and timely manner,” it added.

MAS previously hit the bank with capital requirements after its digital banking services were disrupted for two days in November 2021. At the time, MAS also ordered the bank to appoint an independent expert to conduct a “comprehensive review” of the incident.