The Monetary Authority of Singapore (MAS) has strongly criticised DBS and IBM over last month's seven-hour system-wide outage, ordering the bank to redesign its online and branch technology and reduce its reliance on Big Blue.
The 5 July glitch knocked out all consumer and business banking services and ATM and POS transactions at DBS. It was blamed on a procedural error by an employee of IBM, which has a S$1.2bn outsourcing agreement with the bank.
Singapore's central bank ordered the pair to conduct an investigation into the cause of the breakdown and, after reviewing this and carrying out its own analysis, has taken supervisory action.
MAS says the problem arose in part from the failure of the bank to put in place a robust technology risk management framework to ensure the reliability, resiliency and speedy recoverability of its IBM mainframe-storage area network platform and architecture.
DBS Bank did not exercise sufficient oversight of the maintenance, functional and operational practices and controls employed by IBM and therefore did not adequately observe parts of the MAS Internet banking and technology risk management guidelines.
The central bank has told DBS to "diversify and reduce its material outsourcing risks" so it does not rely too heavily on a single provider. It also has to review outsourcing vendors' processes and functions to ensure maintenance and support teams are up to scratch.
DBS has been ordered to redesign its online and branch banking systems platform in order to reduce concentration risk and allow greater flexibility and resiliency in operation and recovery capability.
It must establish a systems and network command centre so that it can continually monitor systems, networks, storage platforms and hardware and software devices and make sure it can implement a disaster recovery plan when a major system failure or site catastrophe occurs.
MAS has also asked the bank to set aside S$230 million additional regulatory capital for operational risk and told it to improve customer communications procedures.
Teo Swee Lian, deputy managing director, financial supervision, MAS, says: "We expect all financial institutions to put in place a robust technology risk management framework that will ensure the reliability, resiliency and speedy recoverability of the institution's IT systems and infrastructure, whether outsourced or in-house. We have recently written to the CEOs of all financial institutions to remind them of this."