How DBS became ‘001’ in Data Protection Trustmark Certification

Senior management buy-in was key to achieving Singapore’s first Data Protection Trustmark Certification

DBS Singapore Country Head Mr Shee Tse Koon
Singapore Country Head of DBS Bank, Mr Shee Tse Koon, believes that the Data Protection Trustmark (DPTM) certificate will take customers’ trust in the bank to the next level. PHOTO: DBS BANK

The number on the Data Protection Trustmark (DPTM) certificate reads “001”.

DBS Bank may have been the largest company amongst the pioneering batch of organisations to apply for Singapore’s DPTM certification, but that did not stop the financial services giant from becoming the first to cross the finish line

DBS is one of the leading financial services groups in Asia with a presence in 18 markets globally. It is no stranger to accolades, having been awarded the Global Bank of the Year by The Banker and World’s Best Digital Bank by Euromoney in 2018, and World’s Best Bank by Euromoney in 2019.

It was also recognised as the Safest Bank in Asia by New York-based trade publication Global Finance for 10 consecutive years.

But, as Mr Shee Tse Koon, Singapore Country Head, DBS Bank, pointed out, “Trust is not something that we can take for granted.”

Next level

Mr Shee noted that a lot of trust has been built on the bank’s financial strength – its capital base, liquidity position and performance – as well as the fact that it is headquartered in Singapore.

But the scope of trust has expanded in recent years. “In this age where data is a key asset to business success, we want to build upon the strength of our trust to take it to the next level,” said Mr Shee.

As a bank, DBS is required to collect data from all its customers, from mass retail to private banking customers.

For example, when customers open a bank account, the bank has to collect enough data to determine who they are dealing with in order to meet regulatory requirements, and carry out regular reviews to ensure that all the information remains valid.

When giving wealth advice, the bank must assess the customers and their risk appetite. To do this, it needs to have data on the customer’s financial standing and past investment behaviour.

In addition to transactional data, the bank also registers the preferences of customers as part of an ongoing process to better understand them in order to provide a better customer experience. 

Responsible use

The bank created a set of guiding principles dubbed PURE (Purposeful, Unsurprising, Respectful, Explainable) to oversee responsible use of data. For example, when the bank uses third-party data, it will keep customers informed that it is doing so. “Whichever form of data we have, we apply the PURE principles to make sure we use it for the right purpose,” said Mr Shee.

When the DPTM was announced, DBS saw this as an opportunity to seek external validation for its guiding principles, as well as its other personal data protection policies and practices.

When the bank’s Group Legal, Compliance and Secretariat team presented the DPTM framework to its senior management, they received approval immediately. “It was a no-brainer for us. Trust is very integral to banking,” said Mr Shee.

Concerted effort

A core certification work group of 10 employees was formed to engage various internal stakeholders during the preparatory stage and coordinate the onsite certification visits by external assessors. The preparation included gathering necessary evidence such as policy documents and training records to demonstrate the bank’s data protection practices. The entire certification process took about four months from the time an external assessor was appointed to when DBS received the certification notification from the DPTM certification body.

Management endorsement was critical to the success of the bank’s DPTM application. It enabled the bank to put together cross-business and cross-functional teams very quickly, and mobilised them in a concerted effort to efficiently manage the anticipated intense certification process.

Close scrutiny

The assessment for the bank’s consumer banking franchise involved a detailed review of its data protection practices with product managers and operational teams dealing with secured lending, unsecured lending, investments, deposits and insurance products and services. The assessor even visited several DBS branches to check if frontline staff were aware of personal data protection requirements, and to evaluate their handling of personal data.

For Human Resource, the assessors scrutinised teams that handled sourcing, onboarding and employee benefits. For Procurement, the assessors examined processes, involving vendors’ due diligence and practices in ensuring protection of data. The Information Security team was also engaged to facilitate the assessment of the bank’s technical controls for personal data protection.


On 9 January 2019, it was announced that DBS was amongst the first of six companies to be awarded the DPTM certification.

“It is a great honour to be the first bank to be certified with the DPTM. It speaks of our commitment to personal data protection,” said Mr Shee.

“There is huge value in how we can use data to fulfill the needs and wants of customers and employees,” he added. “With a robust framework in place, we’re able to properly utilise our data to the benefit of the communities we serve.”

Sharing his views on why it is important for financial institutions to work towards DPTM certification, Mr Shee said, “The financial industry is one where trust is of utmost importance, and the DPTM will provide consumers with that element of trust.”

Brought to you by