The impact of the DBS and Citibank digital banking disruption on 14 October was wide, with up to 810,000 attempts to access the digital banking platforms of both banks failing between 2.54 pm and 4.47 am the following day. Approximately 2.5 million payment and ATM transactions were also affected.
Minister of State for Trade and Industry and Monetary Authority of Singapore (MAS) Board Member Alvin Tan said that the disruptions were caused by a malfunction of the cooling system in the data centre hosting both banks’ IT systems.
The temperature in the data centre rose above the optimal operating range, causing the banks’ IT systems to shut down.
Both banks activated their IT disaster recovery and business continuity plans, but encountered technical issues which prevented them from fully recovering their affected systems at their respective back-up data centres.
Services at DBS and Citibank were progressively recovered from 8.21 pm and 7.05 pm respectively on 14 October, but only fully recovered in the early hours of 15 October.
According to Tan,
“MAS does not oversee banks’ external service providers, which are typically not financial institutions. This is similar to the approach taken by regulators in major jurisdictions.
The onus is on the banks to ensure that the external service providers they appoint to support their operations or service to customers can meet MAS’ requirements on operational resilience. MAS also requires banks to maintain close oversight of external service providers, so that they can deliver services with minimal disruptions.”
The minister added that DBS and Citibank have fallen short of its requirements to ensure that their critical IT systems are resilient against prolonged disruptions.
MAS requires all banks to have in place back-up data centres and systems and to test them periodically to ensure that critical systems and services can be restored within 4 hours following an outage.
The unscheduled downtime for a critical system affecting a bank’s operations or service to customers must not exceed 4 hours within any 12-month period.
MAS has instructed both banks to conduct thorough investigations into the root causes of the incidents and put in place remediation measures to minimise future outages and strengthen their recoverability in the event of an outage.
The regulator has also adopted a tougher stance against DBS because it experienced five disruptions on 29 March, 5 May, 26 September, 14 and 20 October 2023 to its banking services in the last eight months.
MAS has prohibited DBS from making any non-essential IT changes or acquiring any new business ventures for a six-month period, and has barred DBS from reducing the size of its branch and ATM networks in Singapore until it is satisfied with the progress of DBS’ remediation.
DBS came forward to apologise for the repeated disruptions and outlined its comprehensive plan roadmap to improve its technology resiliency. The bank has also set aside a special budget of SGD 80 million for this purpose.
Tan advised the public,
“While our banking system is generally robust, customers too must plan and prepare for contingencies. They can benefit from having alternative payment options and not be over-reliant on one provider for time-sensitive transactions.
Indeed, during this recent service disruption, customers who were able to switch to alternative payment providers or use cash as a last resort would have been less affected.”