SINGAPORE — DBS Bank’s preliminary investigations, as disclosed by Senior Minister Tharman Shanmugaratnam, identified human error in coding the system maintenance program as the cause of a 6.5-hour disruption to the bank’s digital banking and physical ATM services on 5 May.
This was said in Mr Tharman’s written answers to Parliamentary Questions (PQ) raised by Dr Tan Wu Meng, Member of Parliament for Jurong GRC, on Wednesday (5 Jul).
Dr Tan had asked the Prime Minister what is the cause of the disruption and what is being done to strengthen the reliability and resilience of retail banks with significant market share in Singapore, especially with regard to digital banking services.
Additionally, Mr Desmond Choo, MP for Tampines GRC, filed a related PQ on Tuesday, inquiring about MAS investigations into the root causes, the adequacy of additional capital requirements imposed on DBS Bank following the second disruption, and whether preliminary findings from the DBS Special Board Committee would be shared.
On 5 May, DBS and POSB Bank customers in Singapore experienced service disruptions that left many unable to access digibank online and mobile services. It marked the second significant outage for the bank’s digital services within a two-month period.
In response, Mr Tharman acknowledged that the disruption intermittently affected customers’ access to the internet and mobile banking, electronic payments, and ATMs.
According to Mr Tharman, who will step down as MAS chairman tomorrow (7 July), DBS fully restored affected services after 6.5 hours.
DBS’ preliminary investigations revealed that the disruption was caused by human error in coding the maintenance program, resulting in a significant reduction in system capacity.
“The error led to a significant reduction in system capacity, which in turn affected the system’s ability to process internet and mobile banking, electronic payment, and ATM transactions.”
March disruption caused by inherent software bugs
According to DBS, the cause of the incident is unrelated to the earlier March 2023 disruption, which was caused by inherent software bugs.
Mr Tharman stated that in response to the March incident, DBS established a Special Board Committee to oversee the investigation into the root cause and conduct a comprehensive review of the bank’s IT resilience.
The Monetary Authority of Singapore (MAS) has stated publicly that it regards this second disruption within a period of two months as unacceptable and that DBS had fallen short of MAS’ expectation for banks to deliver reliable services to their customers.
“Following the May 2023 disruption, MAS has required the Special Board Committee to extend its review to cover the latest incident and to use qualified independent third parties for the review.”
“More details on the disruptions will be provided by the bank publicly when the review is completed,” Mr Tharman added in the reply.
An additional capital requirement imposed in May
In May, MAS imposed an additional capital requirement on DBS Bank Ltd (DBS Bank), which, combined with the requirement imposed in February 2022, amounts to approximately S$1.6 billion in total additional regulatory capital.
Mr Tharman stressed that the imposition of capital requirements on DBS reflects the seriousness with which MAS views the recent disruptions and the impact that they have had on customers.
“MAS may vary the size of the additional capital requirement imposed on the bank and take other regulatory actions depending on the outcome of ongoing reviews.”
Mr Tharman said MAS requires all retail banks in Singapore to ensure that their mission-critical systems supporting digital banking are resilient. This includes having the ability to recover quickly from any system disruptions.
“Banks are subject to regular inspections and off-site reviews by MAS to ensure their adherence to regulatory requirements and expectations.”
According to Mr Tharman’s earlier parliamentary reply on 21 April, MAS mandates banks to ensure easy access to digital banking services and maintain business continuity during system malfunctions.
Banks must strengthen their IT systems, eliminate vulnerabilities, restore disruptions promptly, and validate the effectiveness of their processes.
If banks fail to meet MAS expectations, they must identify the root cause and implement remedial actions.
MAS also conducts inspections and reviews to assess compliance, communicates gaps to banks for rectification, and shares observations and lessons learned through advisories, dialogues, and industry forums.
17 major banking disruptions lasting more than an hour in the last 5 years
Since 2018, seven domestic systemically important banks (D-SIBs) in Singapore have reported a total of 17 disruptions to their digital banking services that lasted more than one hour.
While these disruptions were mostly resolved within two to four hours, their root causes varied, ranging from lapses in managing system upgrades to software bugs and misconfigurations in digital banking systems as well as back-end systems and components.
In the case of DBS, in addition to the digital outages on 11 May and 29 March this year, a major incident also happened in November 2021.
On top of the three disruptions, DBS also came under fire in June 2021 over a payment processing glitch that caused some customers to be charged twice on their credit and debit cards.
Meanwhile, the bank’s annual report released on 10 March shows that Gupta’s total pay for last year increased by 13.2 per cent to S$15.4 million. In 2021, his total pay was S$13.6 million, and the year before, S$9.2 million.
Ironically, in the report, Gupta said that DBS needs to continue strengthening its technology in areas such as site reliability engineering.
A former IT person who worked for DBS many years ago told TOC, “In those days before outsourcing and when the IT department was handled mainly by Singaporeans, you never hear about service outages.”
He was subsequently retrenched when DBS started to outsource its IT work.