OCBC’s busted as MAS found out that the bank did not implement sufficient measures to address single points of failure in its system and network infrastructure.
According to a release, the Monetary Authority of Singapore or MAS has reprimanded Oversea-Chinese Banking Corporation Limited or OCBC Bank for the failure of the bank’s online and branch banking systems on 13 September 2011.
As required by MAS, OCBC Bank has presented its findings from its investigation into the causes of the breakdown. MAS’ supervisory action on OCBC Bank took into consideration the circumstances leading to the outage, extent of the outage, and the bank’s follow-up actions to recover its systems. We note that there was timely internal escalation of the outage and the bank took necessary actions following the outage to minimize inconvenience to customers. The bank recovered its systems and services within the four hour recovery time objective set out in MAS Internet Banking and Technology Risk Management (IBTRM) Guidelines. It also took adequate steps to ensure timely communication with its stakeholders.
However, from our review and analysis of the investigation reports, we established that the bank did not implement sufficient measures to address single point of failure in its system and network infrastructure. OCBC Bank had therefore failed to observe the Security Practices requirement set out in the MAS IBTRM Guidelines.
MAS has reprimanded OCBC Bank and directed it to:
a) conduct a thorough review of all critical host and network architectures as well as configurations to determine if there are any single point of failure or operational and functional fragility;
b) review the bank's monitoring system as well as processes and implement adequate monitoring of network devices; and
c) review all support and maintenance teams from vendors that are assigned to the bank to ensure that they have the requisite level of experience and skills to achieve the level of service or support criteria set by the bank.
Mr Lee Boon Ngiap, Assistant Managing Director, Banking and Insurance, MAS, said, “MAS expects financial institutions to be responsible and accountable in managing and controlling technology risks as well as implementing measures to ensure the resilience of their IT systems and infrastructure. We will not hesitate to take appropriate supervisory action against any financial institution which fails to meet the standards set out in the MAS IBTRM Guidelines.”
OCBC's CEO, Mr David Conner, said:
“We regret that the system outage of 13 September disrupted services at our branches and affected our ATMs, online banking platforms and credit card system. With numerous customers inconvenienced, we are grateful to the many who were patient and understanding as we worked to quickly restore normal service. The cause of the service disruption was subsequently found to be the result of a faulty device that acted in combination with a parameter setting in the main banking system that triggered a suspension of the system’s network communications. The faulty device has since been replaced and the parameter setting adjusted.
Our customers expect the highest service standards from us and this system outage is unacceptable. We have learned from this event and we will comply with the directions set out by the Monetary Authority of Singapore. We remain committed to ensuring that our channels are operating for customers at all times.”