Why DBS Bank's woes is a forewarning to bankers on a digital dope
The narrative around DBS Bank, hailed as the poster boy of digital banking among Singaporean banks, has taken an ironic twist. The very element that catapulted it to the forefront of the banking industry—its digital prowess—is now revealing itself as the Achilles' heel. Piyush Gupta, the CEO of Singapore's most-favoured bank since 2009, is now looking to further fortify the bank’s guardrails following the bank's near-decade digital rendezvous.
To be fair when Gupta took over in 2009, DBS had the lowest customer satisfaction scores of any bank in Singapore. But today, it's recognised as one the world's best digital banks and is enjoying the accolade of being the "Safest Bank in Asia" by Global Finance for 15 consecutive years from 2009 to 2023. Over the past decade, as per DBS' 2022 annual report, it has invested around SGD 1 billion ($730 million) every year in technology, developing solutions and exploring use cases in areas such as artificial intelligence and machine learning (AI/ML), cloud, and blockchain. Since starting its digital transformation journey in 2014, the bank has developed over 600 AI/ML models and 300 use cases, which gave it a competitive advantage over traditional banking competitors and fintech rivals. In 2022 alone, the bank claims their AI/ML use cases delivered an economic value of SGD 180 million, comprising a revenue gain of SGD 150 million and SGD 30 million from cost savings and productivity gains. Not surprising the transformation has widened its return on equity from 11.7% vs peer average of 11.2% in 2015 to the current highest at 15% (2022) vs 11.5% peer average.
But the digital blitzkrieg is now increasingly showing signs of vulnerability.
Also Read: DBS Bank India enters the big league
Owned in part (29%) by Singapore sovereign fund Temasek, DBS is now under pressure from its financial regulator to clean up its digital act following a spate of five glitches in less than a year. The Monetary Authority of Singapore (MAS) has imposed a six-month freeze on the lender, barring it from acquiring new business ventures or reducing branches and ATM networks in Singapore. Besides, the regulator has ordered the bank to retain a multiplier of 1.8 times to its risk weighted assets for operational risk, an increase from the earlier 1.5 times slapped in February 2022, translating into nearly $1.2 billion (S$1.6 billion) in additional regulatory capital. While the financial ramifications is not as severe, it's the reputational risk that matters the most. In 2021, CEO Piyush Gupta had apologised to customers for a "degradation" in its access control server that resulted in customers unable to access their bank account for two days. But the current spate of glitches just goes on to reveal that there is a chink too many in the bank’s digital framework with Gupta acknowledging that four of the bank’s five major disruptions during the year were bug- or software-related.
Over an analyst call in November, Gupta said the need for rigorous change management, a process that has become increasingly complex with the integration of multiple systems and third-party software. "While change management is about minimising the challenges we have, system recovery is about how quickly we can recover when challenges arise. The recent incidents showed we are not as quick as we need to be in terms of recovery…we rely on external partners if the bugs are deeply embedded inside the system. We need to acquire more engineering capability to deal with such problems on our own. We are in the process of getting the talent, which will take a bit of time," Gupta told analysts.
But Gupta's observation contrasts to what David Gledhill, chief information officer and head of group technology and operations at DBS Bank, had mentioned in an interview in 2019. "Ten years ago, when I joined the company, we were 85% outsourced to managed services vendors … The company turned to insourcing technology and building its own technical muscle. It is now 90% insourced. We run, build, and manage our own. We're now a technology company,” Gledhill had then stated.
But it now appears that the talent pool lacks depth. "We need to improve the depth of our engineering talent because the bugs that happened were deeply embedded. Having to go back to the vendor to put a team together to figure out what the problem was took time," admitted Gupta.
When Aakash Rawat, an analyst at UBS, inquired about the reason behind DBS's increased technical issues compared to other banks, Gupta attributed it to DBS' advanced integration of micro-services architecture, more so than most banks. Gupta explained, "This approach involves integrating our self-developed services with those from third parties, increasing our dependency on various software vendors. While this architecture offers agility and adaptability – a reason why major tech firms adopt it – it also heightens our service vulnerability."
The reliance on an intricate micro-services architecture seems to have stretched the bank's operational resilience thin, leading to a butterfly effect where a small issue in one area can cascade into larger problems. "As you know, we have a microservice architecture, which means taking a lot of different systems and packaging them together. It is the architecture most tech companies have. But one challenge it poses is the butterfly effect – a bug in one part of that ecosystem could result in problems elsewhere," Gupta told analysts over an earnings call.
In response, DBS is not just firefighting these immediate concerns but also restructuring its approach. The bank is setting new targets for service availability and recovery, focusing on creating robust recovery pathways and improving passive recovery processes. This strategic shift is indicative of a broader realization that while digital innovation propels growth, it also demands a fortified and resilient infrastructure capable of withstanding the pressures of rapid technological evolution.
Gupta has acknowledged the need for improvements in two critical areas: incident management and technology risk governance. This involves enhancing communications within incident management and strengthening the capabilities of both the second and third lines in technology risk governance. Gupta has mentioned the recruitment of new talent, which is expected to join in the next few months, as a significant step in this direction.
Besides, the bank is looking at new benchmarks for service availability and recovery that go beyond the requirements stipulated by the MAS. Unlike MAS regulations that focus on individual technology systems, Gupta's wants to now ensure the resilience of entire services. For instance, in the context of the payments system, if one channel experiences a failure, alternative pathways should be available for prompt resumption of services. This is exemplified in the decision to decouple three channels – PayLah, mobile, and web browser – to ensure that the failure of one does not impact the others. If one of these services becomes temporarily unavailable on a particular digital channel, the bank hopes to ensure the service is available on an alternative digital channel.
Also Read: Digital Agility Will Decide Bank Winners
Gupta candidly admitted that the shortcomings in handling disruptions, acknowledging that customers expect and deserve better. "We have developed a comprehensive roadmap and are enhancing our rigor in change control and operations management."
Along with leadership changes, DBS has split its technology and operations (T&O) function into two separate units to allow for dedicated management oversight of each, due to the function's "increased complexity and scale". DBS said it has commenced work to establish "clearer ownership and management" of incidents within the bank, as well as between the bank and its service providers and vendors.
Interestingly, a McKinsey report early this year mentioned that banks often operate with a distinct separation between business operations and technology developments. This segregation can lead to a lack of understanding and alignment, exacerbating the difficulty of implementing successful digital transformations. “The business side is often removed from technology developments, business processes are assumed to be fixed, and the IT architecture landscape is particularly complex,” mentions the April 2023 article, “Why most digital banking transformations fail—and how to flip the odds.”
Incidentally, to scale up its digital capabilities, McKinsey had aided DBS in building its new operating model around platforms. DBS created 33 platforms aligned to business segments and products. Each platform had a “2-in-a-box” leadership model, which meant each one was jointly led by one leader from the business and one from IT. McKinsey’s case study states that making the transformation successful required a significant shift in leadership mindsets and behaviours. With support from McKinsey, DBS scaled T-Sprints (Transformation Sprints) to build top team alignment and new leadership skills across both the top of the house as well as different business, support, platform, and geographic units within the bank.
But it seems that is not working.
Accenture, an independent third party appointed to carry out a root cause investigation of a disruption incident, has identified gaps and deficiencies in the bank's technology risk governance and oversight, incident management, system resilience, and change management.
The paradox just shows that challenges DBS faced were complex and multifaceted, extending beyond what could be addressed by any single approach or partnership.
Now the bank is investing another $58 million to improve its technology resilience and expects the implementations to be completed in 12-24 months.
DBS Chairman Peter Seah has warned that the senior management would be held accountable for the tech lapses, including on pay. While it’s not clear how long Gupta will continue to lead the bank, it seems Gupta is done with banking as he told Breakingviews in an interview that he is more interested in becoming a naturalist than taking up another banking assignment whenever he exits DBS.
As DBS endeavours to recalibrate its strategy, it remains to be seen how it will navigate this complex terrain and whether it can emerge stronger, having addressed its digital Achilles' heel. The saga of the bank could well serve as a case study for the banking sector at large, offering lessons on the need to balance between digital evangelism and operational resilience. At its heart, banking is about managing financial risks and fostering economic growth through lending and safeguarding deposits.
While digitalization enhances efficiency and customer experience, it should augment rather than redefine the inherent nature of banking. DBS’ 2021 annual report, for instance, states that “it would be apt to identify DBS as a technology company that holds a banking licence!” Now, the next time you hear a bank CEO riff on aspiring to become 'a tech company which also does banking,' you know what’s coming!