[OR] [BB] [E3] [CBS] [1] [MPR] Map Processes and Resources

Written by Moh Heng Goh | Mar 6, 2026 7:22:17 AM

CBS-1 Digital Account Access & Management

Introduction

Operational Resilience regulations require financial institutions to identify their Critical Business Services (CBS) and map the processes and resources required to deliver those services within defined impact tolerances.

As explained in the operational resilience framework under Mapping of Processes and Resources, this exercise ensures that an organisation understands:

How each service is delivered end-to-end
Which internal and external resources support delivery
Where vulnerabilities and single points of failure exist
What must be tested during scenario testing
Disruption impacts customers and the wider financial system

For Boost Bank, CBS-1 Digital Account Access & Management is a core customer-facing critical service. It enables customers to onboard digitally, authenticate securely, manage account information, integrate embedded banking services, and receive alerts — all through digital channels.

The following mapping identifies the supporting Processes, People, Technology, Third-Party Vendors, and Dependencies for each Sub-CBS under CBS-1, in compliance with operational resilience expectations.

Table P3: Map Processes and Resources for CBS-1

Sub-CBF Code	Sub-CBS	Processes	People	Technology (Applications & Infrastructure)	Third-Party Vendors	Upstream / Downstream Dependencies
1.1	Account Onboarding & Registration	• Digital application submission• eKYC verification• AML/CFT screening• Customer due diligence (CDD)• Account creation in Core Banking System (CBS)• Welcome notification dispatch	• Digital Banking Team• Compliance & AML Officers• Customer Operations• IT Application Support	• Mobile App / Web Portal• Core Banking System (CBS)• eKYC platform• CRM system• API Gateway• Cloud hosting infrastructure	• eKYC provider• AML screening vendor• Cloud hosting provider• SMS/Email gateway provider	Upstream: National ID database, credit bureau Downstream: Account funding, card issuance, transaction processing
1.2	Authentication & Access Control	• User credential validation• Multi-factor authentication (MFA)• Biometric verification• Role-based access control (RBAC)• Session token issuance	• Cybersecurity Team• IAM Administrators• IT Operations	• Identity & Access Management (IAM) system• MFA engine• Biometric authentication module• Firewall & WAF• Encryption services	• MFA service provider• Biometric SDK vendor• Cloud IAM provider	Upstream: Customer registration data Downstream: All digital transactions & profile access
1.3	Profile & Account Maintenance	• Customer detail updates• Beneficiary management• Account settings configuration• Limits management• Data validation & approval workflows	• Customer Service• Operations Team• Data Governance Team	• Core Banking System• CRM platform• Mobile/Web App• Database servers	• CRM vendor• Cloud database provider	Upstream: Authentication service Downstream: Payments, transfers, compliance monitoring
1.4	Embedded Banking Integration	• API integration with partners• Consent management• Data sharing validation• Partner transaction processing	• API Management Team• Partnerships Team• IT Integration Engineers	• API Gateway• Open Banking APIs• Consent Management System• Middleware platform	• Fintech partners• API management provider• Open banking platform vendor	Upstream: IAM authentication Downstream: Partner platforms, payment rails
1.5	Security & Fraud Monitoring	• Real-time transaction monitoring• Behavioural analytics• Fraud alert generation• Suspicious Activity Reporting (SAR)• Incident escalation	• Fraud Operations Team• SOC (Security Operations Centre)• Compliance Team	• Fraud Detection System• SIEM platform• AI/ML analytics engine• Case management system	• Fraud analytics vendor• Threat intelligence provider	Upstream: Transaction data feeds Downstream: Account suspension, regulatory reporting
1.6	Password & PIN Reset / Recovery	• Identity re-verification• OTP validation• Secure credential reset• Audit logging	• Customer Support• IT Security Team	• IAM system• OTP engine• SMS gateway• Encryption services	• SMS/OTP provider• Identity verification vendor	Upstream: Customer authentication records Downstream: Restored account access
1.7	Device & Session Management	• Device registration• Device fingerprinting• Session monitoring• Auto timeout enforcement• Device deactivation	• IT Security Team• Cybersecurity Analysts	• Mobile Device Management (MDM)• Session management server• Fraud analytics tools	• Device fingerprinting vendor• Mobile SDK provider	Upstream: Authentication service Downstream: Fraud monitoring system
1.8	Alerts & Notification Services	• Transaction alerts• Security notifications• Marketing notifications (opt-in)• System outage notifications	• Customer Communications Team• IT Operations	• Notification engine• SMS gateway• Email server• Push notification service	• SMS provider• Email delivery vendor• Push notification service provider	Upstream: Core Banking eventsDownstream: Customer response / fraud escalation
1.9	Regulatory Compliance & Logging	• Activity logging• Audit trail generation• Regulatory reporting• Data retention management• Access review	• Compliance Team• Risk Management• Internal Audit• IT Security	• Log management system• SIEM• Data warehouse• Reporting tools	• Regulatory reporting software vendor• Cloud storage provider	Upstream: All system activity logs Downstream: Regulators, internal audit committees
1.10	Service Availability & Continuity Management	• System health monitoring• Incident management• Disaster recovery activation• Backup restoration• Business continuity communication	• IT Operations• Business Continuity Team• Incident Response Team• Senior Management	• Monitoring tools• Redundant cloud infrastructure• Backup systems• DR site• Network infrastructure	• Cloud infrastructure provider• DR hosting provider• Network service provider	Upstream: Infrastructure providers Downstream: All digital banking services & customer access

Operational Resilience Alignment

This mapping supports operational resilience by:

Identifying Critical Supporting Resources
Clarifies which people, systems, and vendors are essential to maintain Digital Account Access & Management.

Highlighting Single Points of Failure
Example:

Dependency on single cloud provider
Single MFA vendor
Centralised IAM system

Supporting Scenario Testing
Enables structured testing of scenarios such as:

Cyberattack on authentication system
Cloud service outage
Third-party eKYC provider failure
Fraud system malfunction
Data breach incident

Facilitating Impact Tolerance Validation
Assesses:

Maximum tolerable downtime for login access
Acceptable delay in onboarding
Maximum disruption to fraud detection

Enabling Remediation Planning
Supports decisions on:

Redundancy improvements
Vendor diversification
Backup authentication methods
Enhanced monitoring controls

The mapping of processes and resources for CBS-1 Digital Account Access & Management provides Boost Bank with a structured, end-to-end view of how its digital customer access services are delivered and sustained.

By systematically linking each Sub-CBS to its supporting:

Processes
People
Technology
Third-party providers
Upstream and downstream dependencies

Boost Bank strengthens its ability to:

Identify operational vulnerabilities
Design effective scenario testing
Validate impact tolerances
Enhance business continuity planning
Meet regulatory expectations for operational resilience

This mapping forms the foundation for subsequent scenario testing, vulnerability assessment, and resilience enhancement planning, ensuring that Boost Bank can continue delivering secure and reliable digital banking services even during severe but plausible disruptions.

Digital Banking Resilience: Strengthening Boost Bank for Tomorrow
eBook 3: Starting Your OR Implementation
CBS-1 Digital Account Access & Management
CBS-1 DP	CBS-1 MD	CBS-1 MPR	CBS-1 ITo	CBS-1 SuPS	CBS-1 ST

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.



	If you have any questions, click to contact us.

View full post