SINGAPORE - There have been eight disruptions to the digital banking services of four major banks since July last year, said Senior Minister and Coordinating Minister for Social Policies Tharman Shanmugaratnam.
The incidents, reported by DBS Bank, OCBC Bank, UOB and Citibank, affected between 500 and 37,000 customers, and were mostly resolved within three hours.
DBS faced the longest interruption, lasting 39 hours, said Mr Tharman, who was responding on behalf of the Prime Minister in a written parliamentary reply to Dr Tan Wu Meng (Jurong GRC).
"The root causes of these incidents lay mainly within the banks themselves - such as software misconfigurations, system malfunctions, and errors that were introduced when the banks were making system changes," he said, adding that one of the incidents was related to an outage in a third-party cloud service provider.
Mr Tharman, who is also chairman of the Monetary Authority of Singapore (MAS), said the financial regulator takes all IT incidents that affect the availability of digital banking services seriously.
MAS requires banks to be able to recover systems supporting critical banking services such as fund transfers and payment services within four hours following any disruption.
The total unscheduled downtime for each critical system must not exceed four hours within any 12-month period, he said.
Banks that breach these requirements will face "supervisory action" from MAS.
This can include requiring the bank to hold additional capital, said Mr Tharman, citing the prolonged DBS outage last November as an example.
DBS had to set aside another $930 million in capital to buffer against unexpected losses and keep itself solvent in a crisis.
Mr Tharman also said MAS directed the bank to appoint an independent expert to conduct a comprehensive review of the incident, including its controls and recovery actions and how a similar incident can be prevented in future.
It also directed DBS to rectify all shortcomings identified from the review and implement measures to ensure that any future disruption to its digital banking services is resolved quickly and adequately, he added.
"The recent incidents highlight the need for banks to continually review their IT resilience strategy, and ensure that there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure."
Mr Tharman also noted that MAS recently published a set of new Business Continuity Management Guidelines that set out measures financial institutions can take to sustain critical business services and minimise service disruptions.
The guidelines include identifying how resources such as systems and manpower depend on each other to deliver critical business services, and addressing any gaps that could hinder the effective recovery of these services during an outage.
Mr Tharman added: "Globally, financial institutions are increasingly relying on third-party services such as public cloud computing. This increases financial institutions' exposure to third-party risks."
He said MAS has been working closely with the industry, global financial regulators and leading service providers on best practices to manage third-party risks, such as collaborating with the Association of Banks in Singapore to issue guidelines on sound cloud computing practices.
"The technology landscape that banks operate in is becoming more complex. It is hence critical that banks continually maintain and uplift the security and resiliency of their IT systems so as to maintain stability and trust in the banking system."