SINGAPORE: According to Minister of State for Trade and Industry Alvin Tan, the disruption to DBS and Citibank’s digital services on October 14 led to an estimated 810,000 failed attempts to access the digital banking platforms of both banks between 2.54 p.m. and 4.47 a.m. the following day.
Additionally, approximately 2.5 million payments and ATM transactions were left uncompleted.
The disruption occurred due to a “technical issue” with the cooling system at an Equinix data centre, as disclosed by Mr Tan during his parliamentary address on Monday (6 Nov).
This issue resulted in a rise in the temperature at the data centre, causing the IT systems of both banks to shut down.
In response to the incident, both DBS and Citibank promptly activated their IT disaster recovery and business continuity plans.
“However, both banks encountered technical issues which prevented them from fully recovering their affected systems at their respective back-up data centres: DBS due to a network misconfiguration and Citibank due to connectivity issues.”
Services at DBS and Citibank progressively recovered from 8.21 pm and 7.05 pm respectively on 14 October, but only fully recovered in the early hours of 15 October.
DBS and Citibank’s IT systems found inadequate for resilience against prolonged disruptions
During the parliamentary session on Monday, 12 Members of Parliament raised concerns about the recent service outage experienced by banks and inquired about the government’s strategies to hold these financial institutions accountable for the losses incurred by customers.
In his response, Mr Tan acknowledged that both DBS and Citibank had not met the Monetary Authority of Singapore’s (MAS) requirements to ensure the resilience of their critical IT systems against extended disruptions.
“While both banks conducted annual exercises to test the recovery of their IT systems at the back-up data centres, the specific issues that led to the delays in system recovery on 14 October did not surface during those tests.”
Notably, Desmond Choo, PAP MP for Tampines GRC, also asked the minister how Singapore’s penalty framework on digital banking disruptions by financial institutions compares with those of other large financial centres overseas, and how effective the penalties have been in improving such service reliability.
MP Ang Wei Neng asked the Deputy Prime Minister and Minister for Finance, drawing lessons from recent disruptions to digital banking services and considering MAS’ enhanced BCM guidelines, whether MAS will regulate data centre service providers for major financial institutions, and how MAS plans to strengthen oversight of BCM guidelines for financial institutions in Singapore.
However, Mr Tan did not provide a direct response regarding the sufficiency of the penalties.
In terms of measures for ensuring banking service reliability, Mr Tan emphasized that the Banking Act grants MAS the power to impose fines of up to $100,000 on financial institutions found in breach of MAS’ technology risk management requirements.
Furthermore, with the implementation of the Financial Services and Markets Act in 2022, the maximum fine quantum is set to rise to $1 million progressively in the following year.
Although this fine quantum is lower than the penalties imposed by financial regulators in other countries like the UK, it aligns with existing local penalty frameworks, such as those under the Telecommunications Act and the Personal Data Protection Act, added Mr Tan.
Mr Tan emphasized that banks hold responsibility towards their customers, but matters of compensation should be resolved directly between the bank and its customers, considering the individual circumstances involved.
MAS expects banks to adhere to a fair process in handling such cases.
Last week, MAS announced a series of restrictions on DBS, including a six-month prohibition on non-essential IT changes, new business acquisitions, and reductions in the number of branches and the size of its ATM network.
During the parliamentary session, Members of Parliament raised questions about the effectiveness of the restriction on new business acquisitions, particularly given that DBS had no acquisition plans to begin with.
In reply, Mr Tan reiterated that the regulatory actions were intended to direct the banks’ focus towards restoring the resilience of their digital banking services.
This initiative involves addressing four key areas identified in a review conducted by an independent external expert in August of the current year. The identified areas include technology risk governance and oversight, incident management, strengthening systems resilience, and change management.
“The review will take place, we will look at what the banks have put in place during this period, how they are remediating… and MAS will potentially impose more measures as necessary,” he said.
Holding additional regulatory capital comes with costs for the bank, says Mr Tan
Since May 2023, DBS has been required to maintain 1.8 times its risk-weighted assets for operational risk.
In response to this, MPs sought clarification on the impact of this additional regulatory capital requirement on the bank, especially in light of the bank’s recent announcement of higher year-on-year profits.
Mr Tan acknowledged that this requirement has imposed costs on the bank: “It increases the cost of capital and is a key metric that drives business decisions, such as dividends and investments. It is a drag on the return on capital, which could in turn impact credit ratings as well as the stock price of the bank.”
Furthermore, Mr Tan highlighted that MAS would conduct a comprehensive evaluation of supervisory actions to be taken against Citibank after completing its investigations into the disruption on October 14.
Mr Tan further stated that MAS would collaborate with the industry to integrate the key learnings from the incident into the risk management controls of all banks. These insights would also inform MAS’s future tech risk supervisory approach and serve as a crucial measure for the next financial sector business continuity exercise in 2024.
“Indeed, during the recent service disruption, customers who were able to switch to alternative payment methods or providers or use cash as a last resort, would have been less affected.”