More than two days after they were first locked out of their mobile banking app in DBS’ largest outage in a decade, customers are still reporting that they are unable to access some of the bank’s services.
The bank said on Wednesday evening that digital services were returning to normal, but by Thursday morning, some users still could not get into their accounts, reported The Straits Times.
The debacle is a black eye for DBS, the largest bank in Southeast Asia and one often held up as a forerunner in the way banks can harness technology to transform themselves into nimble competitors.
Just in September, it was named the world’s best bank as well as best digital bank by Euromoney, a Britain-based financial publication. Humbling as this episode is now to DBS, it also presents several lessons.
First, the risks involved in going digital. There will be downtime in any online service – even for companies such as Google that are involved in the plumbing of the Internet – but the question is how much that risk was mitigated before the outage happened.
As to the cause, the bank would only say so far that its access control servers were faulty, but has offered few other details.
These servers, responsible for letting users log in via, say, their biometrics or two-factor authentication methods, are critical to any access to one’s bank accounts. As you’d imagine, if they go down, users can’t log in at all.
Right now, you’d imagine DBS executives are explaining to the government regulator how and why that happened.
For starters, what caused the outage – was it a cyber attack, a wrong configuration or simply a server being overloaded? Where was the oversight for this?
Why was the outage so long, given that these digital banking services are critical to everyday life, from merchants getting paid to users simply transferring money between accounts?
Yesterday, the Monetary Authority of Singapore (MAS) said it would consider “appropriate supervisory action”, pending an investigation into the outage.
Under the central bank’s rules, a financial institution should not have unscheduled downtime exceeding four hours within any 12-month period for critical systems that affect customer services. For some users, the outage has easily stretched past that.
A second and related point is how DBS responded to the downtime. It did the right thing yesterday by assuring customers that their money is safe. However, you wonder how the extension of opening hours at its branches might alleviate some of the headaches for users.
Merchants who have their PayNow payments stuck or unavailable can’t ask a customer to head to the bank to make a payment for an online purchase, for example.
It is also unclear what type of disclosures banks are required to make to the public following such an outage.
In fairness, the bank is busy investigating the issue and it must have security concerns about revealing too much, but DBS doesn’t help its cause this way with angry customers, either.
The uncomfortable details, however, should come to light when MAS completes its investigation. It should not rely just on DBS’ submissions but conduct its own checks to find important lessons to be learnt from this.
Some details may be redacted for security reasons but they should not be spared out of embarrassment, just like how investigations are carried out for outages in the infocomm industry.
The Infocomm and Media Development Authority regularly chastises and fines telecom operators for mistakes that cause downtime on their infrastructure.
Operating part of the nation’s critical infrastructure, banks such as DBS should be held to a high standard. If this outage makes for a good lesson to other banks also jumping on the digital bandwagon, the details should be out in the open.