MAS says DBS service outage is 'serious'; analysts expect bank to be fined for 'broad and material' impact
DBS's digital banking services outage has affected customer access since Tuesday morning, 23 November.
The Monetary Authority of Singapore (MAS) has called the 2-day service disruption at DBS a "serious" one and expects the bank to conduct a thorough investigation to identify the root causes.
"MAS expects all financial institutions to have systems and processes to ensure the consistent availability of financial services to their customers," said Marcus Lim, MAS assistant managing director (banking and insurance), in a statement on Wednesday (Nov 24) evening. "This is a serious disruption and MAS expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures."
The regulator will consider "appropriate supervisory actions" following the investigation.
MAS said it was informed by the bank on Tuesday that a problem with its access control servers had resulted in DBS/POSB customers experiencing difficulties accessing its digital banking services.
While the disruption was initially resolved by 2 am on Wednesday, the issue recurred at around 10 am with over 700 outage reports made, data from Downdetector showed.
As at 10.35 pm, DBS said its services are "returning to normal" and that it is monitoring the situation closely to ensure all services run smoothly.
Analysts told The Business Times that the lender is expected to receive a serious reprimand and a fine from the regulator for the prolonged tech outage.
In an era where consumers increasingly count on "anytime, anywhere" digital banking services, especially during the pandemic, such a widespread disruption may have caused "significant financial impact" for some DBS customers, said Zennon Kapron, director of fintech research and consulting firm Kapronasia.
"The disruption certainly had a broad and likely material impact for many customers and we would expect to see at least a notice from the MAS, if not a more serious reprimand and a fine," he noted.
The duration of the outage is "unacceptable", said Acronis chief information security officer Kevin Reed, who reckoned that the issue could be with the lender's authentication systems.
"For a renowned bank like DBS to have some services down for more than 24 hours - with none of the services available at some point - is quite unacceptable. Whether it should be investigated or fined by MAS is one thing... the main player to investigate (the issue) should be DBS," Reed added.
In 2010, MAS had taken supervisory action against DBS for a similar outage of its online and branch banking systems. In 2011, OCBC was reprimanded for the failure of the bank's online and branch banking systems.
Under the Banking Act, a financial institution must ensure that the maximum unscheduled downtime for each critical system that affects its service to customers does not exceed a total of 4 hours within 12 months.
While DBS' current situation is "less severe" than Tuesday, many customers are still unable to gain access to its services, said DBS Singapore country head Shee Tse Koon in a video update at about 4 pm on Wednesday.
DBS was named the world's best digital bank in 2021 by UK-based financial publication Euromoney.
"Outages such as these show that even a bank, which is considered one of the most digitally adept in the world, can still stumble," said Kapron.
DBS is not an isolated case, as even the most digitally competent companies, the likes of Google and Amazon, are at risk of a service outage, said Jan Ondrus, associate professor at ESSEC Business School Asia-Pacific. "It would be foolish to think that digital technology can never fail."
Eyes are now on DBS' recovery plan. The stakes are high for banking services as they affect consumers' money and are critical for the economy to run smoothly - even more so for the largest bank in Singapore.
"We acknowledge the gravity of the situation and as we work to resolve matters, we seek your patience and understanding," said Shee, adding that customers' deposits and monies are safe.
Acronis technology director Alex Ivanyuk flagged that this is "not the best example" of crisis handling.
"Not only were the bank services down, but customer support functions also weren't working and there was no announcement on any public DBS channel until hours later."
That said, "no bank is much better at that". Banks are known to still use outdated legacy systems, especially if they were founded long ago, which pose a problem to both their employees and customers and leave them more exposed to cybersecurity threats, said Ivanyuk.
For now, DBS customers can continue with their banking needs either through the bank's branches, or through phone banking.
To facilitate this, banking services at all branches have been extended by 2 hours. DBS relationship managers and call centre customer service officers are also on standby to assist with urgent banking requests.
It is crucial to have a good plan for business continuity to avoid "irreversible reputation and material damages". Being able to react fast and restore the services without severely impacting business activities and users is vital, according to Ondrus.
"Being up and running 99.9 per cent of the time is not good enough in the digital space. The real test for a company is the 0.1 per cent situation when things go wrong," he told BT.
As companies continue to digitalise their services, they need to build up their capabilities to mitigate disruptions.
"Hardware and software failures are often related to external factors that are difficult to control, not to mention the increasing threats from cyber criminals," added Ondrus.
Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.