Repeated disruptions and single-point failures challenge the presumed resilience of Singapore’s digital banking system

Recently, Singapore’s banking sector has faced several disruptions, notably with DBS Bank, eroding public confidence significantly.

Social media platforms are abuzz with customers, especially those using DBS/POSB, expressing dismay over the inconveniences caused by these digital banking setbacks. Their reliance on digital wallets, having moved away from cash, amplifies their frustration. For instance, even from Taiwan, I experienced a direct impact — my cab fare payment via POSB was denied due to the recent Saturday disruption.

Singapore’s goal isn’t a cashless society, primarily to accommodate the elderly. However, the dream may remain distant not because of slow merchant adoption or demographic challenges, but due to dwindling trust in digital banking systems stemming from recurrent service lapses.

Highlighting this issue was the recent 12-hour outage at DBS and Citibank, precipitated by a single point of failure at an Equinix data centre—In this case, a cooling failure. This incident underscores the urgent need for comprehensive redundancy safeguards within digital banking infrastructures.

To grasp the severity of these concerns, it’s essential to revisit the commitments and assurances provided by the authorities, especially those articulated by Mr Tharman Shanmugaratnam, the current Singapore President and former Senior Minister and Chairman of the Monetary Authority of Singapore (MAS), in response to specific queries raised by Members of Parliament.

In April 2023, addressing Parliamentary Questions (PQ) raised by Mr Ang Wei Neng, MP for West Coast GRC, regarding the DBS disruption in March, it was said that the disruption on 29 March 2023, was caused by inherent software bugs.

Mr Tharman then assured, “DBS has since undertaken measures to mitigate the identified gaps. The bank is committed to enhancing the resilience of its digital banking system, focusing on enhancing its access control architecture, building in more redundancy, monitoring its key system components more closely, and improving its system restoration processes.”

Following the subsequent disruption on 5 May 2023, which lasted 6.5 hours, it was conveyed that the disruption resulted from human error during system maintenance programming.

Furthermore, in addressing questions from Dr Tan Wu Meng, MP for Jurong GRC and Mr Desmond Choo, MP for Tampines GRC, Mr Tharman underscored the urgency with which these incidents were being treated.

He stated that the MAS found the frequency of disruptions unacceptable and emphasized that banks must quickly identify problems, restore services, and communicate transparently with affected customers.

Mr Tharman pointed out that MAS requires all retail banks in Singapore to ensure that their mission-critical systems supporting digital banking are resilient, including having the ability to recover quickly from any system disruptions.

“Banks are subject to regular inspections and off-site reviews by MAS to ensure their adherence to regulatory requirements and expectations,” said Mr Tharman.

However, the incident on Saturday (14 Oct), casts a stark light on the effectiveness of these assurances.

Despite prior incidents, specifically the significant disruptions on 29 March 2023 due to software bugs, 5 May 2023 due to human coding error, and a notable case in November 2021, the recent outage suggests that the measures taken by DBS and the standards enforced by MAS may not be sufficient.

Customers are justifiably frustrated, as the promises of improved redundancy, better monitoring, and expedited restoration processes appear glaringly inconsistent with the reality of another major disruption.

Particularly troubling is the promise to eliminate single points of failure, a commitment now cast in doubt following the Equinix data centre debacle. This incident, which disrupted multiple banks, signals a systemic vulnerability. The prolonged 12-hour outage further implies a glaring absence of adequate redundancy systems designed to assume control during such points of failure.

Furthermore, the precise questions raised by MPs—such as the number of banking disruptions lasting more than one hour in the past five years, the banks involved, and the lessons learned from these disruptions—remain pertinent. They underscore the necessity for continuous scrutiny and accountability in ensuring that both financial institutions and regulators uphold the highest standards of operational reliability.

So far, MAS has not issued any statement regarding the disruption that occurred last Saturday.

In light of DBS’s six-hour disruption in May, Ms Ho Hern Shin, Deputy Managing Director (Financial Supervision) of MAS, issued a stern statement: “DBS Bank has fallen short of MAS’s expectations for banks to provide reliable services to their customers. The repeated inconvenience caused to the public is unacceptable. The additional capital requirement imposed at this time underscores the seriousness with which MAS views this matter. DBS Bank must spare no effort in addressing the underlying issues leading to these disruptions.”

Now, despite the disruption lasting over 12 hours, the silence from MAS is particularly concerning. Is MAS implying that since many companies other than DBS were affected, it cannot fault DBS for its service lapse?

Stakeholders expected a proactive response, consistent with the authority’s prior commitments to maintaining stability and trust in the banking system, as explicitly stated by Mr Tharman in his various replies.

This lack of communication, especially when compared with the detailed promises and measures outlined previously, not only erodes public confidence but also raises doubts about the preparedness of major financial institutions against unforeseen threats, including potential cyber-attacks.

In considering these disruptions, it is perhaps a small mercy that the recent incident emerged as an unforeseen mishap rather than a calculated act of sabotage intended to destabilize Singapore’s digital economy.

Nevertheless, the revelation is deeply troubling; the apparent lack of effective redundancy systems exposes a critical vulnerability. This deficiency suggests that, in the event of a targeted cyberattack, malefactors could exploit this single point of failure with ease, potentially crippling the nation’s digital infrastructure.

The ease of triggering such a widespread disruption points to an alarming reality: our current defences, or lack thereof, could inadvertently be laying out a welcome mat for those seeking to harm Singapore’s digital economy.

This glaring gap in systemic protection underscores the urgent need for comprehensive strategies, ensuring that fail-safes are in place to counteract the ramifications of any single data centre’s failure.

While MAS imposed an additional capital requirement on DBS in May, which, combined with the requirement imposed in February 2022, amounts to approximately S$1.6 billion in total additional regulatory capital, one must question its effectiveness.

Frankly, what repercussions does it hold for the bank if these actions do not impact its profit margins? Are any imposed penalties less consequential than the costs saved by the bank if it had not embarked on ensuring redundancy in its digital banking system?

The repeated incidents of service disruption call for a re-evaluation of the strategies employed by banks like DBS in safeguarding their digital banking systems, particularly in light of the bank’s proud announcement of the S$8.19 billion annual net profit it achieved in 2022 and DBS CEO Piyush Gupta’s staggering S$15.4 million salary in 2022.

It also underscores the need for MAS to reinforce its regulatory role, ensuring that these institutions not only make promises but also implement tangible, effective measures that withstand the demands of the evolving digital banking landscape.

The recent disruptions, the ensuing commitments, and the continued vulnerabilities indicate a gap between what is assured and what is delivered—a gap that requires urgent bridging to maintain the reputation of Singapore’s banking sector.