The rapid digitalisation of the banking sector in Southeast Asia has brought about unprecedented convenience for customers, allowing them to access financial services at their fingertips.
However, this increased reliance on digital platforms has also exposed the challenges financial institutions (FIs) face in maintaining reliable and uninterrupted services.
A series of service disruptions across the region has raised concerns among customers and regulators, prompting a closer examination of the root causes and potential solutions to enhance operational resilience.
Recent incidents in Malaysia, where the two largest banks faced outages, highlight the importance of addressing these disruptions promptly and effectively. Bank Negara Malaysia (BNM) has taken a strict stance, ordering affected banks to deliver comprehensive accounts of the root causes behind the service outages and implement measures to prevent future disruptions.
The regulatory body has also instructed these banks to properly communicate with affected customers, address inquiries and complaints promptly, and keep them informed about the status of impacted services.
Understanding the root causes
Service disruptions in digital banking can be attributed to external factors and internal vulnerabilities.
As highlighted by EY Consulting, a global professional services firm, the increasing complexity of customer demands, such as the need for digital payment options, places more significant stress on systems and increases operational risk.
Additionally, dependencies on external vendors along the service delivery chain can lead to disruptions when those vendors experience issues.
An example of a past disruption experienced by FIs in the region was due to malfunctions in the cooling systems of their data centres, which a third-party service provider maintained.
Internally, FIs grapple with the complexity of their IT systems, often built over time with many integrations. These legacy infrastructures can increase vulnerability, complicate business continuity requirements, and hinder the ability to recover swiftly during a disruption.
Comparing regional incidents and benchmarks
When examining the frequency and impact of service outages in Southeast Asia, EY noted that Malaysia is similar to regional peers like Singapore and Japan, averaging five major banking outages in the past year, with incidents lasting around seven hours, shorter than the regional average of nine hours.

However, EY Asean Financial Services Assurance Leader Chan Hooi Lam emphasised that it is critical to contextualise these figures against the backdrop of customer expectations and the nature of the affected banking services.
The spectrum of affected services is similar across the said jurisdictions, with disruptions involving digital banking platforms, payment transfer systems, ATM services, and occasionally, securities and foreign exchange trading platforms.
Specifically, the disruptions in Malaysia have predominantly impacted the retail banking sector, with notable outages in digital banking applications and ATM services.
Hooi Lam said that regulators in peer jurisdictions are also scrutinising these disruptions. For instance, the Monetary Authority of Singapore has enforced additional capital requirements and, in certain instances, imposed a temporary ban on merger and acquisition activities by banks following service outages.
The role of regulators
Southeast Asian regulators are keenly aware of the disruptions experienced within the industry and the threats they pose to FIs and their customers.
While financial resilience remains a priority for regulators globally, operational resilience is gaining traction and is expected to become an increased focal point in the coming years.

Banking & Capital Markets Assurance Leader, Malaysia Dato’ Megat Iskandar Shah highlighted that in Malaysia, Bank Negara Malaysia has incorporated some important elements of operational resilience in the most recent version of its Business Continuity Management policy document (effective December 2023).
However, Dato’ Megat also said,
“BNM currently does not yet have a standalone policy document that holistically captures the principles of operational resilience in the country.”
In contrast, the Australian Prudential Regulation Authority (APRA) in Australia and the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) in the UK have adopted standalone operational resilience policies.
At the same time, the Financial Services Agency (JFSA) in Japan has issued a discussion paper on the matter.
Adopting industry-wide testing and resilience measures may provide a good indication of the banking ecosystem’s dependencies and the concentration of risk nationwide.
Regulators play a crucial role in setting baseline expectations for the industry, and their involvement is essential in driving the adoption of operational resilience principles and practices.
Enhancing operational resilience
To address these challenges and ensure a more stable digital banking environment, FIs in Southeast Asia are taking proactive steps to bolster their operational resilience.
“FIs are continuously upgrading their operational resilience over the years even as the threat levels are increasing across many dimensions,”
said Hooi Lam.
This process is crucial to mapping critical assets, processes, and services. EY emphasised that by understanding the end-to-end dependencies they rely on to deliver essential business services, including people, processes, technology, facilities, data, and third parties, FIs can identify potential vulnerabilities and take targeted action to mitigate risks.
In addition, embedding operational resilience principles into policies and procedures is becoming increasingly important.
These principles encompass governance, defining important business services, mapping dependencies, and conducting robust testing.
“Operational resilience as a regulation has caught the attention of global regulators, with the United Kingdom (UK) and Australia being the most advanced. While there may be slight nuances between the jurisdictions, the principles remain the same,”
said Hooi Lam.
Technological advancements also play a pivotal role in enhancing operational resilience. FIs are progressively renovating their technology infrastructure by implementing more resilient systems, adopting modern technology architecture principles (e.g., APIs, Cloud, and Microservices), and, where feasible, replacing and upgrading ageing systems and infrastructure to achieve scalability and resilience.
To handle unexpected technical disruptions during peak periods, FIs should conduct frequent scenario tests, especially during times of high activity for crucial business services.
Adopting scalable cloud-based infrastructure can help maintain services during high traffic periods. This approach also helps identify potential gaps and vulnerabilities, better preparing FIs to keep their services uninterrupted.
Maintaining trust and transparency
While taking steps to prevent disruptions is crucial, FIs must also be prepared to handle unexpected technical issues when they arise. Maintaining trust and transparency with clients during critical times is paramount.
“Having a clear crisis communication plan is a requirement in BNM’s Business Continuity Management policy,”
said Dato’ Megat.
He outlined several best practices that FIs could consider, such as ensuring the communication strategy sets out escalation paths for managing incidents, identifies vital decision-makers, and determines how key individuals, suppliers, and regulators can be contacted.
“To mitigate risks, FIs should proactively communicate potential disruption measures to customers transparently and promptly. Establishing a crisis management communication team and protocols is advisable,”
said Dato’ Megat.
In addition, FIs should consider the culture and exposure of customer profiles, as not all customer groups require the same level of communication.
For instance, retail customers who rely on personal banking services may need more immediate and clear communications on service disruptions that affect their ability to carry out daily transactions.
However, corporate customers depending on an FI for payroll processing may prefer a tailored communication strategy that provides detailed information on expected resolution times and alternative solutions.
Continuously testing communication protocols is essential to ensure they work as expected during a crisis.
The way forward
As the digital banking landscape continues to evolve, FIs in Southeast Asia must adapt their approach to risk management.
Hooi Lam suggested that “transitioning to a more proactive and forward-looking approach could be the way forward. Accepting that disruptions are a certainty rather than a possibility allows that mindset change for service resiliency.”
This shift in mindset requires strategic investments in operational resilience, including overcoming identified vulnerabilities and fostering a culture of resilience within the organisation.
Dato’ Megat advised that an immediate strategic investment FIs could consider is overcoming the vulnerabilities identified through their Business Continuity Management and Operational Readiness Review (for Digital Banks) to begin fostering a culture of resiliency.
From a technological standpoint, EY recommended that FIs invest in integrated operational risk management tools and capabilities that focus on service delivery and map multiple methods and processes to restore or maintain service uptime.
As the region embraces digital banking, adapting, innovating, and prioritising operational resilience will be crucial to success in this dynamic and evolving landscape.
By working together and learning from past disruptions, Southeast Asia’s banking sector can emerge stronger, more resilient, and better equipped to meet the needs of its customers in the digital age.