![x [OR] [AUB] Title Banner](https://no-cache.hubspot.com/cta/default/3893111/ece32642-be56-464d-aae4-e4aa6a7f1734.png)
![[OR] [AUB] Legal Disclaimer Banner](https://no-cache.hubspot.com/cta/default/3893111/66320b0d-ae53-45f1-91bf-f3d96663dc50.png)
CBS-1 Deposit & Account Services
Introduction
![[OR] [AUB] [PH] [E3] [CBS] [1] [ITo] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/3cd097d6-6ff0-4904-8177-0932f07a9d36.png)
For Asia United Bank Corporation (AUB), CBS-1 Deposit & Account Services is a core banking service because it underpins customer onboarding, deposit placement, access to funds, account maintenance, digital access, ATM/card usage, reconciliation, fraud controls, complaint handling, and regulatory compliance across the deposit lifecycle.
AUB publicly offers savings, current, and time deposit products, supports branch and digital access, and provides customer contact and ATM card-blocking support, demonstrating that uninterrupted deposit servicing is central to customer confidence and day-to-day banking operations.
BSP Circular No. 1203 requires Philippine BSFIs to identify critical operations, set tolerance for disruption, map interconnections and interdependencies, and test those tolerances against severe but plausible scenarios.
The Circular also makes clear that tolerance for disruption must include at least a time-based metric, while other metrics may include the maximum number of customers affected and the volume and value of transactions affected.
The BCM Institute’s operational resilience guidance is consistent with this approach: impact tolerance is the maximum tolerable level of disruption or Tolerance of Disruption to a critical business service, and organisations should define it by considering downtime, data loss, financial loss, customer impact, and regulatory requirements, then document and review it regularly.
Note: The values below are recommended working tolerances for planning purposes.
They are indicative management assumptions aligned to BSP Circular No. 1203 and should be calibrated by AUB using actual transaction volumes, customer commitments, internal SLAs, legal obligations, channel architecture, and board-approved risk appetite.
![Banner [Table] [OR] [E3] Establish Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/627c33a8-714d-40af-9a2b-0d7957fb8afa.png)
Table P4: Establish Impact Tolerance for CBS-1
|
Sub-CBS Code |
Sub-CBS |
Maximum Tolerable Downtime (MTD) |
Maximum Tolerable Data Loss (MTDL) |
Customer Impact |
Regulatory Impact |
Impact Type |
Current Resilience Status |
Action Required |
|
1.1 |
Customer Onboarding and Account Application |
8 hours |
30 minutes |
Moderate; delayed new account acquisition and branch queuing |
Low to Moderate; service availability and conduct risk |
Customer / Operational |
Partially resilient |
Formalise manual fallback intake, queue capture, and deferred processing controls |
|
1.2 |
Customer Identification and Verification (KYC/CDD) |
4 hours |
15 minutes |
Moderate to High; customer onboarding halted |
High; AML/CFT, sanctions, and customer due diligence non-compliance risk |
Regulatory / Compliance |
Partially resilient |
Tighten alternate verification procedures, document exception approval limits, and preserve audit trail |
|
1.3 |
Account Approval and Opening |
4 hours |
15 minutes |
High; customers cannot activate new accounts |
High approval controls and record integrity are regulatory-sensitive |
Customer / Regulatory |
Partially resilient |
Strengthen maker-checker fallback and post-restoration reconciliation |
|
1.4 |
Initial Funding and Deposit Booking |
2 hours |
Near-zero to 5 minutes |
High monetary value directly affected |
High booking errors may cause customer detriment and ledger inaccuracies |
Financial / Customer / Regulatory |
Needs enhancement |
Enforce dual control, real-time posting resilience, and same-day suspense clearing |
|
1.5 |
Product Terms Setup and Account Parameter Maintenance |
1 business day |
30 minutes |
Low to Moderate; affects product configuration rather than immediate access |
Moderate; mis-set terms may create disclosure and conduct issues |
Operational / Compliance |
Largely resilient |
Improve change control, parameter rollback, and approval evidence |
|
1.6 |
Deposit Transactions Processing |
1 hour |
Near-zero |
Very High; customers cannot deposit, transfer, or post credits reliably |
High; widespread service disruption and financial system impact possible |
Financial / Customer / Systemic |
Critical; high priority |
Harden core processing resilience, active monitoring, and rapid failover capability |
|
1.7 |
Withdrawal and Funds Access Processing |
30 minutes |
Near-zero |
Very High; customers lose access to funds |
Very High; severe customer harm, liquidity stress, and supervisory attention |
Customer / Financial / Reputational |
Critical; high priority |
Prioritise high-availability design, cash/branch fallback, and channel continuity playbooks |
|
1.8 |
Account Servicing and Customer Maintenance |
8 hours |
30 minutes |
Moderate; profile changes, contact updates, and requests delayed |
Moderate; inaccurate records may affect compliance and notifications |
Customer / Compliance |
Partially resilient |
Standardise manual service forms and post-event validation checks |
|
1.9 |
Interest, Fees, and Charges Processing |
End of business day |
15 minutes |
Moderate; delayed or incorrect accruals and charges |
High: pricing fairness, disclosures, and restitution obligations |
Financial / Regulatory |
Partially resilient |
Add automated recalculation, exception detection, and remediation workflow |
|
1.10 |
Statement, Passbook, and Balance Reporting |
4 hours for balance inquiry; 1 business day for statement generation |
15 minutes |
High for balance visibility; Moderate for formal statements |
Moderate; inaccurate balances can trigger complaints and reporting issues |
Customer / Reputational |
Partially resilient |
Separate real-time balance resilience from batch statement resilience |
|
1.11 |
Digital Account Access and Channel Integration |
1 hour |
Near-zero |
Very High; mobile/internet access interruption affects many customers simultaneously |
High; digital service outages may breach tolerance and trigger complaints |
Customer / Operational / Reputational |
Critical; channel-sensitive |
Enhance API/channel monitoring, failover, and degraded-service mode |
|
1.12 |
ATM and Card-Based Access Management |
30 minutes |
Near-zero |
Very High; card usage, cash withdrawal, and card controls were disrupted |
High mass customer impact and potential fraud exposure |
Customer / Financial / Reputational |
Critical; channel-sensitive |
Improve switch redundancy, card hotlisting continuity, and issuer-processor coordination |
|
1.13 |
Account Reconciliation and Exception Handling |
End of business day |
15 minutes |
Indirect but High if unresolved; posting breaks and unmatched items accumulate |
High, unresolved exceptions may affect books, reports, and customer balances |
Financial / Control / Regulatory |
Partially resilient |
Increase automated reconciliations and aged-break escalation thresholds |
|
1.14 |
Dormancy, Holds, Restrictions, and Account Control Administration |
4 hours |
15 minutes |
High; improper release/blocking may deny or wrongly allow access |
High legal holds, AML flags, and consumer protection implications |
Regulatory / Customer / Control |
Partially resilient |
Strengthen rule administration, override logs, and legal/compliance escalation |
|
1.15 |
Fraud Monitoring and Transaction Surveillance for Deposit Accounts |
15 minutes for alert generation; 2 hours for analyst response |
Near-zero |
Very High; fraud losses and customer harm escalate rapidly |
Very High; AML/fraud control failure may attract regulatory action |
Financial / Regulatory / Reputational |
Critical; high priority |
Tighten monitoring uptime, alert routing, and emergency response coverage |
|
1.16 |
Complaints, Disputes, and Service Recovery |
1 business day intake; 4 hours for priority incidents |
30 minutes |
Moderate to High; unresolved complaints amplify harm from the outage |
High; complaints handling and fair treatment obligations apply |
Customer / Regulatory / Reputational |
Partially resilient |
Prioritise outage-related complaints triage and customer communication templates |
|
1.17 |
Regulatory Reporting and Compliance Monitoring |
End of regulatory deadline; internal breach trigger at 4 hours |
15 minutes |
Low direct impact initially; indirect impact if controls fail |
Very High; late/inaccurate reporting and monitoring failures |
Regulatory / Compliance |
Partially resilient |
Define hard trigger points, contingency reporting, and compliance evidence retention |
|
1.18 |
Incident Response, Business Continuity, and Recovery |
15 minutes for incident declaration; 2 hours for service recovery mobilisation |
Near-zero for incident records and recovery decisions |
Very High if delayed; prolongs harm across all sub-services |
Very High; BSP expects BCM/testing integrated with operational resilience |
Enterprise / Regulatory / Operational |
Core capability but must be continuously tested |
Maintain playbooks, command structure, crisis communications, and severe-scenario exercises |
How to Read This Table P4: Establish Impact Tolerance
The recommended tolerances above reflect a practical distinction between:
- transaction-critical activities that directly affect customer funds or service access,
- control-critical activities that protect legal, AML, fraud, and accounting integrity, and
- supporting activities that can tolerate longer disruption, provided customer harm stays below intolerable levels.
Under BSP Circular No. 1203, that distinction is appropriate because banks are expected to set tolerances by considering not only time, but also the number of customers affected, transaction values, and the point at which disruption creates material risk to the BSFI and external stakeholders. That is why withdrawal processing, digital access, ATM/card access, deposit posting, fraud monitoring, and recovery mobilisation are assigned the most stringent tolerances in this chapter.
Regulatory Requirements and Examples for AUB
For a Philippine bank such as AUB, the main operational resilience requirements visible in BSP Circular No. 1203 include the following:
- The board and senior management must oversee and implement the operational resilience framework, with the board responsible for oversight and approval.
- The bank must identify critical operations in proportion to its size, nature, and complexity, and this identification drives the later steps of setting tolerances and mapping dependencies.
- The bank must set a clearly defined tolerance for disruption for each critical operation, including at least a time-based metric, along with other metrics such as the maximum number of customers affected and the volume/value of affected transactions.
- The bank must map interconnections and interdependencies, including dependencies on service providers and infrastructure, to identify vulnerabilities in the delivery chain.
- The bank must test tolerance levels and the delivery of critical operations using severe but plausible scenarios, including natural calamities, key service provider failures, and major cyber incidents.
- The bank’s BCM, BCP, incident recovery, communication, and testing must be integrated into the operational resilience framework and designed to keep services within the defined tolerance level.
A practical example for AUB would be Sub-CBS 1.7 Withdrawal and Funds Access Processing.
Because AUB offers ATM-based savings products and after-hours ATM card-blocking support, a prolonged outage here could quickly escalate from inconvenience to intolerable customer harm; therefore, tolerance should be tight, recovery mobilisation should be immediate, and manual/channel alternatives should be predefined.
A second example is Sub-CBS 1.2 KYC/CDD. Even where customer harm is initially “delay” rather than “loss of funds,” the regulatory harm can become severe because customer due diligence, identity verification, and auditability are compliance-sensitive activities; accordingly, the time tolerance can be somewhat longer than cash access, but the data-loss tolerance must remain tight, and compensating controls must be explicit.
![Banner [Summing] [OR] [E3] Establish Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/5e80e50f-5e3e-44ea-8c43-16bf42d4f3b5.png)
Establishing impact tolerance for CBS-1 Deposit & Account Services enables AUB to translate operational resilience from a broad principle into measurable limits on disruption, customer harm, control failures, and recovery performance.
In line with BSP Circular No. 1203, the tolerances should not be treated as static recovery targets only; they should serve as decision thresholds for investment, escalation, testing, third-party management, and service design improvement.
For AUB, the highest-priority tolerances should remain focused on the sub-services that affect access to funds, transaction posting, digital channels, ATM/card services, fraud response, and incident recovery coordination, because these are the areas where customer harm, reputational damage, and supervisory concern are likely to accumulate fastest.
The next step after this chapter is to validate these recommended tolerances against real operating data, the board-approved risk appetite, and scenario testing results, so that each threshold is demonstrably achievable under severe but plausible disruption.
![[OR] [AUB] [PH] [E3] [CBS] [1] [DP] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/ad189b59-9714-422a-8f70-20f125f2cafa.png)
![[OR] [AUB] [PH] [E3] [CBS] [1] [MD] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/c4b0a569-fbce-4bc0-a1d6-6707a9e2a306.png)
![[OR] [AUB] [PH] [E3] [CBS] [1] [MPR] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/7f4f751f-3ddd-432e-8de9-03b9907dadfe.png)
![[OR] [AUB] [PH] [E3] [CBS] [1] [SuPS] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/12b25a4b-3be3-4c87-a750-db91e0872c64.png)
![[OR] [AUB] [PH] [E3] [CBS] [1] [ST] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/0e4c1f75-8c29-40b7-8747-92ccb947a8d2.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
