Archive for September, 2010

Risk of Outsourcing IT Functions

The recent computer glitch at Barclays Bank in the UK prevented customers from withdrawing money from cash machines and brought down telephone and internet banking services. While the reasons for this glitch are as yet unknown, this case is not an isolated incident in the banking industry. Just a month before the system failure at Barclays Bank, DBS Bank in Singapore encountered a system failure resulting in a 7-hour downtime in cash machine, internet and mobile banking services. An investigation revealed that this was largely due to human error. IBM engineers did not abide by correct procedures in changing a faulty cable to the bank’s storage system four times. The system shut down to protect data, resulting in a disruption of banking services. IBM has been DBS’ network vendor since 2002.

While outsourcing of IT services is nothing new and allows financial institutions to focus on their core functions, some financial institutions may need to be reminded that outsourcing is not a strategy to transfer their risks to a third party. Outsourcing does not negate their responsibility in meeting regulatory requirements. The Monetary Authority of Singapore (MAS), Singapore’s central bank and financial regulatory body, rebuked DBS for not putting in place a technology risk management framework of its mainframe storage network and imposed an additional $230 million of regulatory capital for operational risks. MAS also requested DBS to conduct an internal review of its system, to diversify its risk exposure so that it does not become overly reliant on a single service provider, and to assess the ability of service providers in meeting the bank’s service level standards.

The MAS, in a strongly worded press release, said “MAS takes a serious view of this incident. We expect all financial institutions to put in place a robust technology risk management framework that will ensure the reliability, resiliency and speedy recoverability of the institution’s IT systems and infrastructure, whether outsourced or in-house. We have recently written to the CEOs of all financial institutions to remind them of this. MAS will not hesitate to take appropriate supervisory action against any financial institution which fails to meet the standards set in the Internet Banking and Technology Risk Management Guidelines.”

The bottom line: it pays for financial institutions to keep a close eye on technology risk because, in addition to business losses from system outages, there can be regulatory fines.

Elaine Goh, CiFER Research Team