Singapore regulator slams IBM; orders DBS to choose another vendor

In a stingingly critical assessment of the failure of IBM systems at DBS, the Monetary Authority of Singapore has ordered DBS to "reduce its material outsourcing risks so that it does not overly rely on a single service provider," which effectively means it is ordering DBS to find another vendor.

In a statement to media, the Monetary Authority of Singapore said, "The agency determined that DBS Bank’s systems breakdown arose in part from the failure of the bank to put in place a robust technology risk management framework to ensure the reliability, resiliency and speedy recoverability of the bank’s IBM mainframe-storage area network (SAN) platform and architecture. DBS Bank did not exercise sufficient oversight of the maintenance, functional and operational practices and controls employed by IBM. MAS therefore finds that DBS Bank has not adequately observed Sections 5, 7 and 8 of MAS Internet Banking and Technology Risk Management Guidelines (IBTRM Guidelines)."

MAS has censured DBS Bank for the shortcomings and inadequate management oversight by the bank of its outsourced IT systems, networks, operations and infrastructure that resulted in the widespread system outage on 5 July 2010. This incident has revealed weaknesses in DBS Bank's technology and operational risk management controls. We have instructed DBS Bank to conduct an independent review of the incident.

MAS has also directed DBS Bank to adopt measures to:
a) diversify and reduce its material outsourcing risks so that it does not overly rely on a single service provider or a single vendor’s products and services;
b) conduct a thorough internal review of the SAN mainframe and open system architectures and configurations to determine whether there are any single points of failure or operational and functional fragility which should be promptly remedied;
c) redesign its online and branch banking systems platform to reduce concentration risk and allow greater flexibility and resiliency in operation and recovery capability;
d) conduct a review of outsourcing vendors' processes and functions related to services and hardware/software maintenance and upgrade to ensure the maintenance and support teams from vendors assigned to the bank have the requisite level of skill, capability and experience to meet the service and support criteria set by the bank;
e) assess the ability of outsourcing vendors to meet, at all times, the stipulated service level requirements, recovery time objectives and recovery point objectives set by the bank for all mission critical systems;
f) establish a Systems and Network Command Centre within the bank so that it can continually monitor the operation, performance and health of its systems, networks, storage platforms and hardware and software devices; and
g) strengthen the bank's capabilities and resources to be able to rapidly activate and successfully implement a disaster recovery plan when a major system failure or site catastrophe occurs.

MAS also expects the bank to take steps to improve its customer communication process and ensure timely communication with stakeholders with immediate effect.
MAS has required DBS Bank to apply a multiplier of 1.2 times to its risk-weighted assets for operational risk, which translates to the bank setting aside an additional amount of approximately S$230 million in regulatory capital on a group basis based on numbers as at 30 June 2010. The additional capital requirement will be reviewed when MAS is satisfied that the bank has put in place adequate risk control measures to address the deficiencies identified.

Ms Teo Swee Lian, Deputy Managing Director, Financial Supervision, MAS, said, “MAS takes a serious view of this incident. We expect all financial institutions to put in place a robust technology risk management framework that will ensure the reliability, resiliency and speedy recoverability of the institution's IT systems and infrastructure, whether outsourced or in-house. We have recently written to the CEOs of all financial institutions to remind them of this. MAS will not hesitate to take appropriate supervisory action against any financial institution which fails to meet the standards set in the IBTRM Guidelines.”