MAS bolsters security of digital banking

Imposes additional capital requirement on DBS Bank for disruption of digital banking services.

The Monetary Authority of Singapore (MAS) has imposed on DBS Bank Ltd (DBS Bank) an additional capital requirement following the widespread unavailability of DBS Bank’s digital banking services during 23-25 November 2021. MAS has required DBS Bank to apply a multiplier of 1.5 times to its risk-weighted assets for operational risk. This translates to an additional amount of approximately $US930 million in regulatory capital (based on reported financial statements as of 30 September 2021).

MAS noted deficiencies in DBS Bank’s incident management and recovery procedures to restore its digital banking services to a normal state, resulting in the prolonged duration of the disruption.

MAS has directed DBS Bank to appoint an independent expert to conduct a comprehensive review of the incident, including the bank’s recovery actions. The independent review is also required to assess how a similar incident can be prevented in future. DBS Bank must rectify all shortcomings identified from the review and implement measures to ensure that any future disruption to its digital banking services is resolved quickly and adequately. The additional capital requirement will be reviewed when MAS is satisfied that DBS Bank has addressed the identified shortcomings.

Marcus Lim, Assistant Managing Director (Banking and Insurance), MAS, said, “MAS requires financial institutions to have robust controls and processes to ensure the reliability and resilience of their IT systems and the continuous delivery of essential financial services to their customers. MAS will take appropriate supervisory action against any financial institution that falls short of our regulatory expectations.”

DBS’ response to MAS’ actions on digital disruption

According to DBS CEO Piyush Gupta, in a digital era, customers rightly expect to have seamless and uninterrupted access to online banking services 24/7. Since the November incident, DBS has taken a series of actions to improve the resilience of our services and incident response. These actions are but a starting point.

“Over the course of the next few months, together with an independent expert, we will continue to review our systems and processes to ensure that we do better going forward,” he said.

MAS’ supervisory action requires DBS to set aside additional capital amounting to 1.5 times risk-weighted assets for operational risk. This translates to approximately SGD 930 million in regulatory capital as of 30 September 2021 and will have a 0.4 percentage point impact on DBS Group’s capital ratios till remedial actions are completed. Inclusive of the capital impact arising from the Citibank Taiwan consumer banking acquisition, DBS’ pro-forma CET-1 ratio as of 30 September 2021 would be 13.4 per cent. The pro-forma ratio is at the upper end of our target CET-1 range, and hence will have no impact on dividend policy.

A Framework for Equitable Sharing of Losses Arising from Scams

Off the back of the incident, MAS has said that banks in Singapore have substantially implemented the additional measures to bolster the security of digital banking announced on 19 January 2022. The measures, taken together, provide a significant added layer of security to protect customers’ funds. MAS is working with the industry to evaluate longer-term measures to be implemented in the coming months, as well as to develop a framework for equitable sharing of losses arising from scams.

The Payments Council, chaired by MAS, has been working since July 2021 on a framework that aims to provide clarity on how losses arising from scams are to be shared among consumers and financial institutions.

Under the framework, all parties have responsibilities to be vigilant and to take precautions against scams.

  • Financial institutions have the responsibility to protect their customers, such as through robust controls to safeguard customer accounts, and effective measures to detect and respond to suspicious transactions.
  • Customers have the responsibility to take necessary precautions, especially by never giving away personal or banking credentials to anyone, never clicking on links in SMSs or emails which are claimed to be sent by a bank, and transacting only through the bank’s official website or mobile application.

The proportion of losses each party bears will depend on whether and how the party has fallen short of its responsibilities. MAS expects financial institutions to treat their customers fairly and bear an appropriate proportion of losses arising from scams. At the same time, care must be taken to ensure that compensation paid to customers does not weaken the incentive for all to be vigilant. OCBC’s recent goodwill payouts to fully cover customer losses were a one-off gesture by the bank in the circumstances, which included the bank’s consideration of how it had not met its own expectations of customer service and response. They do not set a general precedent for future cases.

MAS aims to publish the framework for public consultation within the next three months. Other than the sharing of losses, the consultation will also cover the responsibilities of other key parties in the ecosystem.

Customers are urged to exercise greater vigilance and adhere to the following digital safety practices:

  • Never click on links provided in SMSs or emails claimed to be sent by banks.
  • Never disclose internet banking credentials or passwords to anyone, including persons claiming to be from banks or government agencies.
  • Verify SMSs or emails received by calling the bank directly on the hotline listed on its official website.
  • Transact only on the bank’s official website, or through the bank’s official mobile application.
  • Closely monitor transaction notifications received from the bank so that any unauthorised payments are reported as soon as possible to increase the chances of recovery.
  • Keep your devices updated with the latest security patches and anti-virus software.


