SINGAPORE: The Monetary Authority of Singapore (MAS) has ordered DBS and Citibank to conduct “a thorough investigation” following an hours-long outage of key financial services over the weekend.
In response to CNA queries, MAS said on Thursday (Oct 19) that unscheduled downtime for a critical service affecting a bank’s operations or service to customers must not exceed four hours within any 12-month period.
It noted that the banks were not able to fully recover their systems within the required timeframe.
“MAS has instructed both banks to conduct a thorough investigation on why they were not able to do so, and will take appropriate supervisory actions after gathering the necessary facts,” a spokesperson said.
The service interruption on Saturday was caused by a technical issue with the cooling system at a data centre used by DBS and Citibank, according to data centre provider Equinix.
The issue with the chilled water system, which occurred during a planned system upgrade, raised temperatures in some of the halls in the data centre, affecting equipment and customer operations.
This caused DBS and Citibank online banking and payment services to go offline from around 3pm on Saturday, with services only fully resuming on Sunday morning.
DBS services such as DBS/POSB digibank, DBS PayLah! and ATM banking were disrupted.
Citibank services – including the use of Citi Credit Cards, PayNow and investments via the Citi mobile app or Citibank Online – were also affected.
DBS said on Thursday that its services were progressively restored from 7pm on Saturday, with corporate internet banking recovering just after 7pm and most ATMs up and running by around 8.30pm.
“We have robust business recovery plans in place and have data centres islandwide. In this instance, the rapid overheating of the data centre triggered an abrupt shutdown of our systems, which delayed the full recovery process,” a DBS spokesperson said.
In a statement issued on Wednesday, a Citibank spokesperson confirmed that all services were fully restored by Sunday morning.
“All applications have now been recovered and functionalities tested, and we continue to engage with regulators as needed.
“Citi places great importance on the resilience of our infrastructure, and we will use the lessons from this incident to continually improve. We extend our appreciation to our customers for their patience and understanding,” said the bank.
USE ALTERNATIVE PAYMENT METHODS, CARRY CASH
MAS said that it does not have oversight of data centres but instead expects banks to establish contractual agreements with data centre providers that incorporate its requirements on system availability. The authority added that it requires all banks to ensure that “their critical systems and services to customers are resilient to disruption”.
Apart from the limit on the duration of unscheduled downtime, banks are required to have back-up data centres and systems in place.
They should also test them periodically to ensure that critical systems and services can be restored within four hours following an outage, the MAS said.
MAS recognised that both DBS and Citibank had activated their back-up data centres when their primary data centres failed to perform normally on Saturday.
However, both were still unable to fully recover their systems within the required timeframe.
As no IT system is infallible, both banks and customers should have contingency measures in case of service disruptions caused by IT outages, the MAS said.
“The banks activated contingency measures such as extension of branch hours and alternative arrangements for credit card transactions, to reduce the impact on customers,” said MAS.
“Customers can benefit from having alternative payment providers and carrying some cash as a contingency. During this recent service disruption, many affected customers with alternative payment providers were able to switch to those or to using cash, minimising inconvenience.”