MAS says DBS digital services outage is 'serious'; analysts expect bank to be fined for 'broad and material' impact

Nov 24, 2021

THE Monetary Authority of Singapore (MAS) has called the two-day service disruption at DBS a "serious" one and expects the bank to conduct a thorough investigation to identify the root causes.

"MAS expects all financial institutions to have systems and processes to ensure the consistent availability of financial services to their customers," said Marcus Lim, MAS assistant managing director (banking and insurance), in a statement on Wednesday (Nov 24) evening.

"This is a serious disruption and MAS expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures."

The regulator will consider "appropriate supervisory actions" following the investigation.

MAS said it was informed by the bank on Tuesday (Nov 23) that a problem with its access control servers has resulted in DBS/POSB customers experiencing difficulties accessing its digital banking services.

While the disruption was initially resolved by 2 am on Wednesday, the issue recurred at around 10 am with over 700 outage reports made, data from Downdetector showed.

As at 1035 pm, DBS said its services are “returning to normal” and that it is monitoring the situation closely to ensure all services run smoothly.

Analysts said that the lender is expected to receive a serious reprimand and a fine from the regulator for the prolonged tech outage.

In an era where consumers increasingly count on "anytime, anywhere" digital banking services, especially during the pandemic, such a widespread disruption may have caused "significant financial impact" for some DBS customers, said Zennon Kapron, director of fintech research and consulting firm Kapronasia.

"The disruption certainly had a broad and likely material impact for many customers and we would expect to see at least a notice from the MAS, if not a more serious reprimand and a fine," he noted.

The duration of the outage is "unacceptable", said Acronis chief information security officer Kevin Reed, who reckoned that the issue could be with the lender's authentication systems.

"For a renowned bank like DBS to have some services down for more than 24 hours - with none of the services available at some point - is quite unacceptable. Whether it should be investigated or fined by MAS is one thing...the main player to investigate (the issue) should be DBS," he said.

In 2010, MAS had taken supervisory action against DBS for a similar outage of its online and branch banking systems. In 2011, OCBC was reprimanded for the failure of the bank’s online and branch banking systems.

Under the Banking Act, a financial institution must ensure that the maximum unscheduled downtime for each critical system that affects its service to customers does not exceed a total of 4 hours within 12 months.

While the current situation is "less severe than yesterday", many customers are still unable to gain access to the bank's services, said DBS Singapore country head Shee Tse Koon in a video update at about 4 pm on Wednesday.

DBS was named world's best digital bank in 2021 by UK-based financial publication Euromoney.

"Outages such as these show that even a bank, which is considered one of the most digitally adept in the world, can still stumble," said Kapron.

DBS is not an isolated case, as even the most digitally competent companies the likes of Google and Amazon are at risk of a service outage, said Jan Ondrus, associate professor at ESSEC Business School Asia-Pacific.

"It would be foolish to think that digital technology can never fail."

Eyes are now on DBS's recovery plan. The stakes are high for banking services as they affect consumers' money and are critical for the economy to run smoothly - even more so for the largest bank in Singapore.

"We acknowledge the gravity of the situation and as we work to resolve matters, we seek your patience and understanding," said Shee, adding that customers' deposits and monies are safe.

Acronis technology director Alex Ivanyuk flagged that this is "not the best example" of crisis handling.

"Not only were the bank services down, but customer support functions also weren’t working and there was no announcement on any public DBS channel until hours later."

That said, "no bank is much better at that". Banks are known to still use outdated legacy systems, especially if they were founded long ago, which pose a problem to both its employees and customers as well as leave them more exposed to cybersecurity threats, said Ivanyuk.

For now, DBS customers can continue with their banking needs either through the bank's branches, or through phone banking.

To facilitate this, banking services at all branches have been extended by 2 hours. DBS relationship managers and call centre customer service officers are also on standby to assist with urgent banking requests.

It is crucial to have a good plan for business continuity to avoid "irreversible reputation and material damages". Being able to react fast and restore the services without severely impacting business activities and users is vital, said Ondrus.

"Being up and running 99.9 per cent of the time is not good enough in the digital space. The real test for a company is the 0.1 per cent situation when things go wrong," he said.

Earlier in June, DBS had experienced a payments processing glitch that caused some double charges on customers' transactions made using their credit and debit cards. The bank's online banking services were also down for the day amid heavy traffic.

As companies continue to digitalise their services, they need to build up their capabilities to mitigate disruptions, said Ondrus.

"Hardware and software failures are often related to external factors that are difficult to control, not to mention the increasing threats from cybercriminals."