For Asia United Bank Corporation, identifying Severe but Plausible Scenarios (SBPS) is a critical requirement under BSP Circular No. 1203 Series of 2024.
These scenarios represent high-impact but realistic disruption events that could impair the delivery of CBS-1 Deposit and Account Services, affecting customers, financial stability, and regulatory compliance.
In line with guidance from the BCM Institute’s Operational Resilience methodology and regulatory expectations, these scenarios incorporate cyber, ICT, third-party, and operational risks to ensure a holistic resilience assessment.
The table below outlines the recommended Severe but Plausible Scenarios mapped to each Sub-CBS, including their potential impacts, proactive risk management actions, and explicit linkages to Cyber and ICT risk integration, as required by regulators.
|
Sub-CBS Code |
Sub-CBS |
Severe but Plausible Scenario |
Impact / Effect |
Proactive Risk Management Action |
Link to Integration of Cyber and ICT Risks |
|
1.1 |
Customer Onboarding and Account Application |
Prolonged outage of the digital onboarding platform due to cloud service disruption |
Inability to onboard customers; revenue loss; reputational damage |
Multi-channel onboarding (branch fallback), cloud redundancy, and DR testing |
Cloud outage, API failure, digital channel disruption |
|
1.2 |
Customer Identification and Verification (KYC/CDD) |
Failure of the KYC verification system due to a third-party data provider outage |
Regulatory breach (AML/KYC), onboarding delays |
Alternate KYC providers, manual verification procedures, and SLA monitoring |
Third-party API failure, data integrity risks |
|
1.3 |
Account Approval and Opening |
Core banking system (CBS) approval module failure due to database corruption |
Delayed account opening; operational backlog |
Database replication, failover mechanisms, and approval workflow backup |
Core banking outage, database integrity compromise |
|
1.4 |
Initial Funding and Deposit Booking |
Payment gateway failure is preventing initial funding transactions |
Failed account activation; customer dissatisfaction |
Multiple payment channels, transaction retry mechanisms |
Payment system outage, integration failure |
|
1.5 |
Product Terms Setup and Account Parameter Maintenance |
Incorrect product configuration due to a system patch error |
Financial misstatements; compliance issues |
Change management controls, pre-production testing, and rollback capability |
Configuration errors, system patch vulnerabilities |
|
1.6 |
Deposit Transactions Processing |
Cyberattack (e.g., ransomware) impacting transaction processing systems |
Transaction halt; liquidity impact; financial loss |
Endpoint security, network segmentation, and ransomware recovery drills |
Malware/ransomware attack, system unavailability |
|
1.7 |
Withdrawal and Funds Access Processing |
ATM/POS network outage due to telecom failure |
Customers unable to withdraw funds; reputational damage |
Telecom redundancy, alternate channels (branch/online), failover routing |
Network outage, telecom dependency risk |
|
1.8 |
Account Servicing and Customer Maintenance |
Unauthorised access due to compromised credentials (phishing attack) |
Data breach, fraud, and regulatory penalties |
MFA implementation, customer awareness, and fraud monitoring systems |
Identity compromise, cyber fraud risk |
|
1.9 |
Interest, Fees, and Charges Processing |
Batch processing failure during end-of-day (EOD) processing |
Incorrect balances; financial reporting errors |
Automated reconciliation, batch monitoring, recovery scripts |
Batch job failure, system processing errors |
|
1.10 |
Statement, Passbook, and Balance Reporting |
Data warehouse failure affecting statement generation |
Customers unable to access statements; compliance issues |
Data replication, alternate reporting channels, backup systems |
Data storage failure, reporting system outage |
|
1.11 |
Digital Account Access and Channel Integration |
Mobile banking app outage due to application deployment failure |
Customers unable to access accounts; service disruption |
DevOps controls, rollback mechanisms, and app monitoring |
Application failure, CI/CD deployment risks |
|
1.12 |
ATM and Card-Based Access Management |
Card management system breach leading to card cloning fraud |
Financial losses; customer trust erosion |
EMV controls, transaction monitoring, and card blocking mechanisms |
Card system breach, fraud analytics failure |
|
1.13 |
Account Reconciliation and Exception Handling |
Failure of the reconciliation system due to corrupted transaction files |
Unreconciled accounts; financial discrepancies |
Reconciliation automation, exception management workflows |
Data corruption, file transfer failures |
|
1.14 |
Dormancy, Holds, Restrictions, and Account Control Administration |
Erroneous account restrictions due to a system logic error |
Customer complaints; legal disputes |
Validation rules, audit controls, and exception overrides |
System logic flaws, control breakdown |
|
1.15 |
Fraud Monitoring and Transaction Surveillance |
The AI-based fraud detection system failed due to a model malfunction |
Undetected fraudulent transactions |
Model validation, fallback rules-based detection |
AI model failure, analytics disruption |
|
1.16 |
Complaints, Disputes, and Service Recovery |
CRM system outage during a high-complaint-volume incident |
Delayed resolution; regulatory escalation |
Manual case handling, CRM redundancy, escalation protocols |
CRM system outage, service platform disruption |
|
1.17 |
Regulatory Reporting and Compliance Monitoring |
Failure to submit regulatory reports due to a system outage |
Regulatory penalties; compliance breach |
Regulatory reporting backup processes, submission tracking |
Reporting system failure, data aggregation issues |
|
1.18 |
Incident Response, Business Continuity, and Recovery |
Failure of the disaster recovery site during a major system outage |
Prolonged service disruption; systemic risk |
Regular DR testing, secondary DR site, and crisis management activation |
DR failure, infrastructure resilience weakness |
In accordance with BSP Circular No. 1203 Series of 2024, the above scenarios demonstrate:
These align with regulatory expectations for banks to anticipate, withstand, and recover from disruptions affecting critical business services.
The identification of Severe but Plausible Scenarios for CBS-1 Deposit and Account Services enables Asia United Bank Corporation to move beyond theoretical risk assessments toward practical resilience validation.
By systematically linking each Sub-CBS to realistic disruption scenarios and embedding cyber and ICT risk considerations, the bank ensures that vulnerabilities across people, processes, technology, and third parties are comprehensively addressed.
Ultimately, this structured approach supports the bank’s compliance with BSP Circular No. 1203 Series of 2024 while strengthening its capability to deliver uninterrupted deposit and account services under stress conditions, safeguarding customer trust and financial stability.
| eBook 3: Starting Your OR Implementation |
|||||
| CBS-1 Deposit & Account Services | |||||
| CBS-1 DP | CBS-1 MD | CBS-1 MPR | CBS-1 ITo | CBS-1 SuPS | CBS-1 ST |
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|