Inadequate management and the lack of “a robust technology risk management framework” caused a service outage of DBS Bank’s online and branch banking systems, according to its regulator.
As directed by the Monetary Authority of Singapore (MAS), DBS and its outsourcing vendor IBM conducted an investigation into the causes of the breakdown that occurred on 5 July this year. MAS said it reviewed the findings and conducted its own analysis.
MAS found that DBS’s systems breakdown arose in part from the failure of the bank to put in place a robust technology risk management framework to ensure the reliability, resiliency and speedy recoverability of the bank’s IBM mainframe-storage area network (SAN) platform and architecture. It also claims that DBS Bank did not exercise sufficient oversight of the maintenance, functional and operational practices and controls employed by IBM.
Therefore, MAS found that DBS Bank had not adhered to sections 5, 7 and 8 of its Internet Banking and Technology Risk Management Guidelines (IBTRM).
MAS said it has censured DBS Bank for the shortcomings and inadequate management oversight by the bank, and the incident revealed weaknesses in DBS Bank’s technology and operational risk management controls.
“MAS takes a serious view of this incident,” said Teo Swee Lian, managing director, financial supervision, MAS.
“We expect all financial institutions to put in place a robust technology risk management framework that will ensure the reliability, resiliency and speedy recoverability of the institution’s IT systems and infrastructure, whether outsourced or in-house.
“We have recently written to the CEOs of all financial institutions to remind them of this. MAS will not hesitate to take appropriate supervisory action against any financial institution which fails to meet the standards set in the IBTRM Guidelines.”
MAS has ordered DBS to adopt various measures to prevent such breakdowns in the future. They include diversifying its material outsourcing risks to combat over-reliance on one single service provider, redesigning its online and branch banking system platforms, and setting aside S$230 million in regulatory capital for operational risk.
“The system outage is of grave concern to us and we acknowledge MAS’s censure,” said Piyush Gupta, CEO of DBS.
“DBS would like to assure customers that taking into account the regulatory capital charge, our total capital adequacy ratio is still comfortably above the required levels. Measures to strengthen our technology and risk management controls are also well underway.
“Twelve months ago, DBS commenced a two-year programme to further enhance our system reliability and resilience and we are accelerating the implementation of these initiatives. DBS is deeply sorry for the outage and once again, my apologies to our customers for all the inconvenience caused.”
An investigation by DBS and IBM into the outage found that it was caused by an IBM staff member’s repeated failure to apply the correct procedure when addressing instability in the communications link of the storage subsystem.