As lenders increasingly nudge their customers toward online services, the frequency and scale of bank outages raises serious questions about the resilience and reliability of those services.
On Oct.1, I reported on NC that banks around the world are suffering big outages, leaving millions of customers in the lurch. In the less than two months that have passed since then just about every high street lender in the UK has suffered an outage to their online banking platform and/or mobile app; Ecuador’s biggest bank has been targeted by hackers, resulting in a four-day suspension of its online services; Mexico’s largest lender has suffered its third nationwide outage of 2021, and the online banking platform of Pakistan’s third largest lender has been taken down by a cyber attack.
This week was the turn of one of Asia’s largest lenders, Singapore-based DBS, which suffered its worst system outage in 11 years. This is a bank that has won multiple “best bank” awards, from publications such as Euromoney, The Banker, and Global Finance, and is considered a pioneer in embedding digitization across the full range of banking processes and services.
DBS began suffering disruptions to its website and mobile app services on Tuesday morning. As reports came flooding in from customers that they were unable to access the bank’s mobile app or online platform, the bank released the following message on social media:
“Some of our customers are facing intermittent slowness when accessing our banking services, and we are currently working to resolve this. We apologise for the inconvenience caused during this time, and please try again later.”
Some customers understandably took umbrage with the statement, as there was clearly nothing “intermittent” or “slow” about the disruption; the system for many customers just wasn’t working.
“Slowness implies there is some speed no matter how low,” wrote Facebook user Zhaohan Chua. “It is simply not working. Is DBS into gaslighting their customers now?”
The service outage continued through the day of Tuesday and well into the night. At 2 a.m. Wednesday morning (local time) the bank announced that all digital services had been restored, only to receive a fresh torrent of complaints from customers on social media who were still unable to access their online account or mobile app. This prompted the bank to admit that the “digital banking issue ha[d] recurred.”
An outage of length of time is extremely disruptive given the growing number of users who depend on digital banking transactions and other services. The lender has been at pains to stress that the outage was not the result of a cyber-attack and that customer accounts and data have not been compromised. On Wednesday afternoon, the bank’s country manager, Shee Tse Koon, issued a statement blaming the issue on a problem with “access control servers”, which are used to authenticate usernames, passwords and other identifiers such as biometrics and one-time passwords (OTPs).
“We identified a problem with our access control servers and this is why many of you have been unable to log in. We have since been working round the clock, together with our third-party engineering providers, to fix the problem and recover our digital banking services. In the meantime, please be assured that your deposits and monies are safe and that you can continue with your banking needs either through our branches or through phone banking.”
The last sentence may not have been overly reassuring given that DBS, like most large lenders in advanced economies, has spent the past decade closing down many of its branches, even in highly populous areas and key business districts.
The bank’s IT issues appear to have persisted into Thursday. “Although customers said they could log in to its digibank online platforms on Thursday morning, many still could not make transactions or view past ones;” reported The Strait Times. By Friday the issues appear to have been resolved.
It was the bank’s worst outage since 2010, when an internal failure knocked DBS Bank’s back-end computer systems offline, leaving customers unable to withdraw cash from ATM machines for seven hours. On Wednesday evening Singapore’s central bank and financial regulatory authority, the Monetary Authority of Singapore (MAS), said it would consider taking “supervisory action”.
“This is a serious disruption and MAS expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures,” said Mr Marcus Lim, MAS’ assistant managing director of banking and insurance. “MAS will consider appropriate supervisory actions following the investigation. MAS expects all financial institutions to have systems and processes to ensure the consistent availability of financial services to their customers.”
The central bank’s regulations stipulate that the total unscheduled downtime for critical systems affecting services for customers should not exceed four hours within any 12-month period. DBS has exceeded that limit with abandon. That said, the punishment is unlikely to be too harsh given that DBS’s controlling shareholder, with 29% of the bank’s shares, is Temasek Holdings, the country’s second-largest sovereign wealth fund. In other words, the Government of Singapore, which indirectly controls MAS, is also DBS’s most important shareholder.
Blushes All Round
But the outage is nonetheless a serious embarrassment for a bank that prides itself on its digital smarts as well as for the city of Singapore, which has topped the global Smart City Index for the past three consecutive years.
“Embracing the digital world is a strategic imperative for DBS,” wrote the bank’s Head of Global Transaction Services, John Laurens, in 2015. “We have invested in hardware – in addition to the SGD 600 million we spend every year, we will invest a further SGD 200 million over the next two years – to ensure DBS offers our customers the very latest in digital solutions. But, more importantly, we have also invested in our people. For example, over 400 of our staff have been involved in ‘hackathons’ that expose them to the digital world and give a first-hand experience of what can be achieved with new forms of rapid product development.”
Five years later, DBS’ Chief Financial Officer Chng Sok Hui, explained in a gushing interview with everyone’s favourite management consultancy firm, Mckinsey & Company, how DBS had essentially morphed from being a traditional bank to “becoming a technology company”:
I think we needed to learn how it is that we can become digital to the core, but I think that we also need to learn how to change in terms of our own mindsets and in terms of the organization culture. And we remind ourselves that it’s not only the executives at the top, that it’s not just the IT folks, that it’s not just the business folks, it’s everyone.
So, we started with a lot of change agenda items. I remember we had human-centered design thinking. In fact, almost everyone had to go through a process of coming up with an app. The other thing we did very well I thought was customer-journey thinking, and thinking about the customer.
So not so much an inward process, but how the customer would actually experience the app that we wanted to put out. So today when I look back I actually see an awesome culture change that has actually happened.
That app stopped working for many of DBS’ customers this week. “The disruption certainly had a broad and likely material impact for many customers, and we would expect to see at least a notice from the Monetary Authority of Singapore (MAS)” or a fine, Business Times reported, quoting analysts.
Roy Kee, managing director of cleaning products manufacturer JRW International: “As a new convert to e-banking, this will shake my confidence a bit. The bank could have also communicated with clients better by sending us SMS messages about the disruption.”
DBS is not the only large Asian lender to have suffered outages in its digital banking services this year. Mizuho, one of Japan’s three mega-lenders, has had so many IT system glitches — eight so far this year — that they could end up triggering the resignation of the bank’s CEO Tatsufumi Sakai. Nikkei, Kyodo and NHK all reported that the CEO is likely to step down, without naming their sources.
Pakistan’s third largest lender, National Bank of Pakistan (NBP), suffered a cyber attack in early November, which brought down its IT system over an entire weekend.
Beyond Asia, banks in many other parts of the world have suffered from widespread outages and cyber attacks in recent months. Here’s a quick rundown:
- In the last five weeks, just about all of the UK’s large commercial lenders have suffered an IT outage of one form or another. Santander’s app and online services went down for a number of hours on Nov 22. A week earlier, the mobile apps and internet banking services of three large banks, Lloyds, Halifax and Bank of Scotland, which all belong to the Lloyds Banking Group, went down, leaving thousands of customers in the lurch. Two weeks earlier, another high street behemoth, Barclays, suffered a nationwide outage. A week before that, it was the turn of HSBC and NatWest.
- In Mexico the largest lender, BBVA, has so far suffered three system outages in 2021, two of which took place on a Sunday. As such, the bank’s 24 million customers were not only unable to use the bank’s ATMs, its mobile app or in-store payments; they could not even avail of its branch services.
- In October, the IT system of Ecuador’s largest lender, Banco Pichincha, was brought down by a ransomware attack for a number of days.
- In September, Venezuela’s largest lender, Banco de Venezuela, suffered a massive cyber-attack that left its 16 million customers without access to digital banking services for five days. The Venezuelan government blamed the attack on the United States government.
- Two of South Africa’s four biggest banks, Standard Bank and Absa, have suffered a number of interruptions of their online banking services.
- Kiwibank, one of New Zealand’s largest lenders and ANZ Bank, Australia’s third largest lender, both suffered distributed denial-of-service (DDoS) attacks in 2021, leading to a spate of IT system outages. In its latest Financial Stability Review, released in early October, the Reserve Bank of Australia warned that a successful cyber attack on a major financial institution is all but inevitable.
This is all happening at a time when customers and businesses are increasingly dependent on digital payment systems, for a whole host of reasons including: the recent spectacular growth in e-commerce, fuelled in part by the Covid-19 lockdowns; the greater speed, convenience and perceived lower risk of Covid-19 transmission from using contactless payments instead of cash*; and the increasing difficulty of accessing or using cash, in large part due to banks’ widespread closure of branches, ATMs and withdrawal of cash services.
At my own bank in Spain, Caixabank, most customers will now have to pay two euros for the privilege of visiting a branch for a service they could access online. The bank had already limited cash services in its branches to less than three hours a day, from 8:15 am to 11 am. Yet as lenders increasingly nudge their customers away from the branch and physical currency and toward online services, the frequency and scale of bank outages, even at highly sophisticated lenders such as DBS, raises serious questions about the resilience and reliability of those services.