2.5 million transactions affected by recent DBS, Citibank outages; 810,000 login attempts failed, Latest Singapore News - The New Paper

2.5 million transactions affected by recent DBS, Citibank outages; 810,000 login attempts failed

Some 2.5 million payment and ATM transactions could not be completed during the banking outages that hit DBS and Citibank on Oct 14, causing widespread disruption to businesses and consumers, said Minister of State for Trade and Industry Alvin Tan on Monday.

Customers also made up to 810,000 failed attempts to access the digital banking platforms of both banks between 2.54pm that day and 4.47am the following day.

Providing the estimates on the impact of the outages in Parliament, Mr Tan said that both banks have fallen short of regulatory requirements to ensure that their critical IT systems are resilient against prolonged disruptions.

The outages were caused by a fault in the cooling system of an Equinix data centre used by DBS and Citibank. While both activated disaster recovery and contingency plans, services were only fully restored in the early hours of Oct 15.

“While both banks conducted annual exercises to test the recovery of the IT systems at the backup data centres, the specific issues that led to the delays in system recovery on Oct 14 did not surface during those tests,” he added. 

Mr Tan noted that the Monetary Authority of Singapore (MAS) has measures in place to uphold the “reliability and recoverability” of banking services.

Under the Banking Act, banks that are found to have breached MAS’s requirements on technology risk management can be fined up to $100,000. This will be increased to a maximum of $1 million next year, Mr Tan said.

MAS also uses other regulatory tools to address lapses in banks’ risk management, Mr Tan said. This includes imposing additional capital requirements and suspending certain bank activities.

He cited DBS as an example, and said the string of five disruptions to banking services in the last eight months was “unacceptable”. 

MPs questioned whether the punitive measures imposed on DBS were enough.

Tampines GRC MP Desmond Choo said it is “nothing short of a slap on the wrist”.

Mr Tan noted that MAS took a tougher stance on DBS, by requiring it to hold additional regulatory capital.

Higher capital requirements mean DBS must hold more liquid capital, which could leave the bank with less money for dividends or investments.

“It is a drag on the return of capital which could in turn impact credit ratings, as well as the stock price of the bank,” Mr Tan said.

DBS also cannot undertake new acquisitions and has to pause non-essential IT changes for six months.

Mr Tan noted that the measures do not stop here. DBS and Citibank have to conduct thorough investigations and come up with a plan that will minimise future disruptions and outages.

He added that the banks will need to test their plans regularly to ensure they are able to recover within four hours in the event of another outage.

West Coast GRC MP Ang Wei Neng asked if MAS will consider asking banks that have been hit by outages to compensate customers directly.

Adding to his earlier point that “matters of compensation are better dealt with between the bank and its customers”, Mr Tan noted that consumers can hold financial institutions accountable for such incidents.

“If I am unable to pay using one of the financial services providers, then I go to the other one. I lose confidence in one, I go to the other one.” 

Mr Tan added that consumers can also consider using different ways to pay, so they are not overly reliant on one financial provider for time-sensitive transactions.

During the Oct 14 disruption, some customers were able to switch to alternative payment methods or providers, or use cash.

The disruption also highlighted the importance of data centres to a bank’s operations.

Mr Tan said the Government is looking into ways to further strengthen the security and resilience of data centres.

Like other major jurisdictions, MAS currently does not regulate external data service providers, which are typically not financial institutions.

It is the bank’s duty to implement adequate risk controls and oversight over their data centre providers so they can deliver on their financial services with minimal disruptions, he added.