Monetary Authority of Singapore (MAS) has censured DBS Bank for the shortcomings and inadequate management oversight by the bank of its outsourced IT systems, networks, operations and infrastructure that resulted in system outage on July 5, 2010.
As directed by MAS, DBS Bank and IBM, its outsourcing vendor, have conducted an investigation into the causes of the breakdown, reported The Asian Banker.
MAS has reviewed the investigation reports and determined that DBS Bank’s systems breakdown arose in part from the failure of the bank to put in place a robust technology risk management framework to ensure the reliability, resiliency and speedy recoverability of the bank’s IBM mainframe-storage area network (SAN) platform and architecture.
According to MAS, DBS Bank did not exercise sufficient oversight of the maintenance, functional and operational practices and controls employed by IBM. MAS therefore found that DBS Bank has not adequately observed Sections 5, 7 and 8 of MAS Internet Banking and Technology Risk Management Guidelines (IBTRM Guidelines).
MAS has directed DBS Bank to adopt measures to: diversify and reduce its material outsourcing risks; conduct a thorough internal review of the SAN mainframe and open system architectures and configurations; redesign its online and branch banking systems platform; and strengthen the bank’s capabilities and resources to be able to activate and implement a disaster recovery plan when a major system failure or site catastrophe occurs.
MAS also expects the bank to take steps to improve its customer communication process and ensure timely communication with stakeholders with immediate effect.
MAS has required DBS Bank to apply a multiplier of 1.2 times to its risk-weighted assets for operational risk, which translates to the bank setting aside an additional amount of approximately S$230m in regulatory capital on a group basis based on numbers as at June 30, 2010.
Teo Swee Lian, deputy managing director of financial supervision at MAS, said: “We expect all financial institutions to put in place a robust technology risk management framework that will ensure the reliability, resiliency and speedy recoverability of the institution’s IT systems and infrastructure, whether outsourced or in-house.
“MAS will not hesitate to take appropriate supervisory action against any financial institution which fails to meet the standards set in the IBTRM Guidelines.”