Key Takeaways
- We believe a pandemic-driven surge in demand for online banking services is causing regulators in South and Southeast Asia to increase their scrutiny of banks' digital infrastructure and response to service disruptions.
- S&P Global Ratings anticipates banks' spending on technology could rise by up to 20% a year in the next two to three years. This is to ensure system stability and robust disaster-recovery planning.
- Regulators may impose stricter penalties or embargos for recurring issues. Banks face higher reputational risk on imposition of regulatory actions.
The banking sector in South and Southeast is on notice. Address tech outages or expect firmer penalties. That's the message from the region's regulators, and S&P Global Ratings see signs of this trend gaining traction. Recent actions in Malaysia underline the regulators' intentions to improve operational resilience and ensure smooth customer service and essential financial services.
We see banks in the region continuing to invest in technology to ensure system stability and robust disaster-recovery planning. In our view, they understand it is an expensive yet essential step to prevent harsher regulatory actions. Technology costs formed about 12% of operating expenses on average.
Banks' Spending On Technology To Climb
We believe technology expenses could continue to increase at 15%-20% a year over the next two to three years. In Malaysia and Singapore, technology costs grew by an average 13% and 20% respectively over 2023 and 2022 for our sample of rated banks.
For all our rated Malaysian banks, the share of technology expenses as a portion of their total operating expenses has risen in the past two years (see chart 1).
Chart 1
Banks To Face Closer Scrutiny
The Malaysian regulator is the latest to take action against banks following similar moves in Singapore and India. The fines imposed in Malaysia, while relatively meagre, highlight what regulators expect: a more resilient digital infrastructure for banking services and better accounting and ownership of service disruptions by banks. We anticipate the regulator will keep a close eye on the ability of banks to prevent recurrences and to enforce stricter penalties or embargos if they don't. Such regulatory actions also increase reputational risk for the banks.
In the past year, we have seen various regulatory actions in the region against service disruptions, ranging from monetary penalties to bans on new businesses and additional capital requirements.
Regulatory Actions In The Region
In November 2023, the Monetary Authority of Singapore banned DBS Bank Ltd. from making new acquisitions for six months, or closing branches or ATMs, following several service disruptions. In May 2023, it had already imposed an additional capital requirement via a multiplier of 1.8x to the bank's risk-weighted assets for operational risk, in response to prior outages.
The Reserve Bank of India (RBI) announced on April 24, 2024 that Kotak Mahindra Bank Ltd. would not be allowed to (1) onboard new customers through online and mobile banking channels; or (2) issue new credit cards. This followed several outages of the bank's core banking systems as well as online and digital banking channels, and deficiencies identified through the RBI's IT examinations in 2022 and 2023.
In 2020, HDFC Bank Ltd. was temporarily banned from issuing new credit cards because of problems with its core banking systems and online channels. It took the bank more than a year to meet the RBI's requirements and have these restrictions lifted.
On Aug. 14, 2024, Malaysia's central bank fined the two largest banks in the country for multiple episodes of prolonged disruption in services during 2023 and 2024. In the case of Malayan Banking Bhd. the fine amounted to US$973,851, representing 0.05% of 2023 net profit. For CIMB Bank Bhd., the fine was US$171,326, representing 0.01% of 2023 net profit. The fines are very small relative to the banks' annual net profit and are unlikely to have any material impact on financial performance.
We believe the rapid scale-up in digital transactions, precipitated by the pandemic, has added to the motivations of regulators to pursue tougher actions aimed at improving banks' technology infrastructure and reducing downtime faced by customers.
The pandemic has led to a massive increase in digital transaction volumes via multiple channels, including online banking, mobile applications, or other payment service providers. As a consequence, service outages are having a two-pronged effect. On the one hand, they are creating more frequent problems for customers. On the other, they are creating elevated operational and reputational risks for banks.
Pandemic-Led Rise In Transaction Volume Adds To Costs
The pandemic-led boost in digital transactions is likely to keep tech spending elevated over the next two to three years. This is because of sustained demand for online services and the fact that technology investments take time to bear results.
Although costly, such investments are necessary. Otherwise, banks face stricter actions--such as bans on new businesses or additional capital requirements. Such actions could have a material impact on growth and profitability. This could in turn affect ratings.
For example, the Indian regulator's recent ban on Kotak Mahindra Bank for issuing fresh credit cards affected growth as well as margins, given this product was a higher-yielding, target growth segment for the bank. The bank estimates a 2.5% impact on profit before tax, including additional technology spending to address the regulator's concerns.
More Drills To Identify Problems Before They Occur
We see simulations becoming a more frequent occurrence. These exercises could help identify emerging risks and prompt banks to plug gaps in their digital infrastructure. A key area of focus is third-party service providers, particularly in Malaysia. The country's central bank, Bank Negara Malaysia (BNM), has zeroed in on this following disruptions at some of these providers, which led to recent outages of banking services.
In November 2023, BNM led a simulation with banks that have large branch and ATM networks. The aim was to test the industry's controls and response to potential disruptions in third-party services affecting cash operations. The exercise provided insights on how to strengthen existing arrangements with alternate service providers to ensure continuity of businesses and services.
Regulators in the region will stay vigilant of system outages by being vocal and working closely with banks on remedial action plans. This should strengthen banks' ability to effectively recover from system disruptions, including those at third-party service providers. Regulators will calibrate their actions so that the nature of penalties matches the severity of the issue.
Time will tell how effective such actions are. But it's becoming apparent that inaction could have implications for reputations and ratings. And customers will demand nothing less.
Related Research
- Regulatory Action Could Restrain Kotak Mahindra Bank's Credit Growth, Profitability, April 26, 2024
- India's Regulatory Clampdown May Raise The Cost Of Capital, March 26, 2024
- DBS' Strong Third-Quarter Results Reflect Higher Margins; Regulatory Penalties Won't Undermine Its Financial Profile, Nov. 8, 2023
This report does not constitute a rating action.
| Primary Credit Analyst: | Nikita Anand, Singapore + 65 6216 1050; nikita.anand@spglobal.com |
| Secondary Contacts: | Ivan Tan, Singapore + 65 6239 6335; ivan.tan@spglobal.com |
| Geeta Chugh, Mumbai + 912233421910; geeta.chugh@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.