CBS-1 Digital Account Access & Management
Introduction
Operational resilience requires financial institutions such as Boost Bank to identify their Critical Business Services (CBS) and define clear impact tolerances — the maximum tolerable level of disruption to important services before causing intolerable harm to customers, market integrity, or regulatory compliance.
In line with regulatory expectations on operational resilience, impact tolerance for CBS-1 Digital Account Access & Management is defined in terms of:
- Maximum Tolerable Downtime (MTD) – the longest acceptable service disruption; the Recovery Time Objective (RTO) for the service must be shorter than this
- Maximum Tolerable Data Loss (MTDL) – the maximum acceptable data loss, measured as elapsed time since the last recoverable state; the Recovery Point Objective (RPO) must sit within this limit
- Customer Impact – financial, reputational, or service-access consequences
- Regulatory Impact – breach of legal, compliance, or supervisory obligations
- Impact Type – financial, operational, reputational, regulatory, or systemic
CBS-1 is foundational to Boost Bank’s digital operating model. It underpins customer onboarding, secure access, profile management, fraud monitoring, and overall digital engagement. Any prolonged disruption would significantly affect customer trust, financial safety, and regulatory compliance.
The table below summarises the proposed impact tolerances for each Sub-CBS under CBS-1.
Table P4: Establish Impact Tolerance for CBS-1

| Sub-CBS Code | Sub-CBS | Maximum Tolerable Downtime (MTD) | Maximum Tolerable Data Loss (MTDL) | Customer Impact | Regulatory Impact | Impact Type | Current Resilience Status | Action Required |
|---|---|---|---|---|---|---|---|---|
| 1.1 | Account Onboarding & Registration | 4 hours | ≤ 15 minutes | New customers unable to open accounts; onboarding delays | Breach of digital banking service commitments | Operational / Reputational | Partially Resilient | Strengthen onboarding system redundancy & third-party KYC failover |
| 1.2 | Authentication & Access Control | 1 hour | Near zero (< 5 minutes) | Customers unable to log in; loss of trust | High – risk of non-compliance with access security regulations | Operational / Regulatory / Security | Moderate | Implement multi-region authentication redundancy & enhanced IAM monitoring |
| 1.3 | Profile & Account Maintenance | 8 hours | ≤ 30 minutes | Customers unable to update details; service inconvenience | Moderate – data integrity obligations | Operational | Acceptable | Improve database replication & change validation controls |
| 1.4 | Embedded Banking Integration | 6 hours | ≤ 30 minutes | Disruption to partner ecosystem integrations | Potential breach of partnership SLAs | Operational / Reputational | Developing | Enhance API gateway failover & third-party resilience testing |
| 1.5 | Security & Fraud Monitoring | 30 minutes | Zero data loss | Increased fraud exposure; financial loss risk | Severe – AML/CFT & fraud monitoring obligations | Regulatory / Financial / Reputational | Needs Strengthening | Deploy real-time monitoring redundancy & automated escalation workflows |
| 1.6 | Password & PIN Reset / Recovery | 2 hours | ≤ 5 minutes | Customers locked out of accounts | Moderate – customer protection obligations | Operational / Reputational | Moderate | Introduce automated failover for self-service recovery systems |
| 1.7 | Device & Session Management | 2 hours | ≤ 5 minutes | Session failures; potential security exposure | High – cyber risk exposure | Security / Regulatory | Moderate | Strengthen session token replication & real-time anomaly detection |
| 1.8 | Alerts & Notification Services | 4 hours | ≤ 15 minutes | Customers not informed of transactions; anxiety & reduced trust | High – transaction notification requirements | Operational / Regulatory | Needs Improvement | Implement multi-channel notification redundancy (SMS, push, email) |
| 1.9 | Regulatory Compliance & Logging | 1 hour | Zero data loss | No immediate visible impact to customers | Severe – inability to evidence compliance | Regulatory | Needs Strengthening | Ensure immutable logging, offsite replication & SIEM failover |
| 1.10 | Service Availability & Continuity Management | 30 minutes (for full outage) | ≤ 5 minutes | Widespread service unavailability | Severe – systemic & supervisory impact | Systemic / Regulatory / Operational | Developing | Conduct regular scenario testing & strengthen active-active infrastructure |

Key Observations
- Most time-critical functions: Security & Fraud Monitoring (1.5) and Service Availability (1.10)
- Zero data loss tolerance areas: Security & Fraud Monitoring (1.5) and Regulatory Compliance & Logging (1.9)
- Highest regulatory exposure: Authentication & Access Control (1.2), Security & Fraud Monitoring (1.5), Regulatory Compliance & Logging (1.9)
- Highest customer trust risk: authentication and login failures (1.2) and missing transaction alerts (1.8)
Establishing impact tolerances for CBS-1 Digital Account Access & Management enables Boost Bank to clearly define the threshold at which disruption becomes intolerable from a customer, regulatory, and systemic perspective.
The analysis shows that:
- Security, authentication, and fraud monitoring functions carry the lowest downtime tolerance and require near-zero data loss.
- Customer-facing digital access services require strong availability, redundancy, and real-time recovery capabilities.
- Regulatory logging and compliance functions must maintain continuous integrity and auditability, even during disruption.
- Third-party integrations and embedded banking channels introduce concentration and dependency risks that must be actively managed.
By defining measurable impact tolerances, Boost Bank can:
- Prioritise investment in resilience capabilities.
- Conduct scenario testing against defined thresholds.
- Strengthen third-party oversight.
- Align recovery targets (RTO/RPO) with regulatory expectations, setting each service's RTO below its MTD and its RPO within its MTDL so that recovery plans leave margin before a tolerance is breached.
- Enhance board-level oversight of operational resilience.
Ultimately, clear impact tolerances transform operational resilience from a compliance exercise into a structured risk management discipline — ensuring that even during severe but plausible disruptions, Boost Bank continues to protect customers, maintain trust, and meet regulatory obligations.
For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.