[OR] [BDO] [E3] [CBS] [1] [ST] Perform Scenario Testing

CBS-1 Retail Deposit & Account Services

Introduction

Scenario testing is a critical component of operational resilience, enabling BDO Unibank to validate whether its Retail Deposit & Account Services (CBS-1) can remain within defined impact tolerances under severe but plausible disruptions.

In line with the principles outlined in BSP Circular No. 1203 (2024), financial institutions are expected to conduct forward-looking scenario testing to assess end-to-end service resilience, including interdependencies among people, processes, technology, and third parties.

This section translates those regulatory expectations into practical, process-level scenario testing for each Sub-CBS. The scenarios incorporate cyber threats, ICT disruptions, third-party failures, operational breakdowns, and fraud events, ensuring strong alignment with the integration of cyber and ICT risk management.

Each test also includes evidence of proactive risk management actions, demonstrating the bank’s ability not only to respond, but to anticipate and mitigate disruptions.

Table P6: Perform Scenario Testing for CBS-1

Sub-CBS Code	Sub-CBS	Recommended Scenario Test Themes	Impact / Effect	Evidence of Proactive Risk Management Action
1.1	Customer Onboarding & Account Opening	Digital onboarding system outage due to cyberattack (DDoS)	Inability to open accounts; customer dissatisfaction	Load testing, alternate manual onboarding, and DDoS protection tools implemented
1.2	Customer Identity Verification & Compliance Screening	Failure of the e-KYC system / third-party verification API outage	Delayed onboarding; regulatory compliance risk	Redundant KYC vendors; offline verification procedures; AML escalation protocols
1.3	Account Setup & Product Configuration	Core banking configuration error during system upgrade	Incorrect account features; financial misstatements	Pre-deployment testing, rollback procedures, maker-checker controls
1.4	Initial Funding & Deposit Acceptance	Payment gateway disruption affecting deposit channels	Failed deposit transactions; customer complaints	Multi-channel deposit options; real-time monitoring dashboards
1.5	Cash Withdrawal & Funds Access	ATM network outage due to telecom failure	Customers are unable to withdraw cash	ATM network redundancy; branch fallback; liquidity buffers
1.6	Account Maintenance & Customer Information Update	Unauthorised data change due to cyber intrusion	Data integrity compromise; reputational damage	Access controls, audit logs, anomaly detection systems
1.7	Credential Fulfilment	Card production vendor disruption	Delayed issuance of cards/credentials	Multiple vendors; inventory buffer; SLA monitoring
1.8	Digital Banking Access Management	Mobile banking platform outage (cloud failure)	Customers are unable to access accounts	Multi-region cloud deployment; failover testing
1.9	Balance Inquiry & Statements	Database performance degradation	Slow response times; poor customer experience	Database optimisation; caching; performance stress testing
1.10	Account Transfers	Real-time payment system failure (InstaPay/PESONet disruption)	Failed transfers; liquidity bottlenecks	Alternate clearing channels; transaction queuing mechanisms
1.11	Bills Payment & Scheduled Debits	Third-party biller system outage	Missed payments; customer penalties	Biller redundancy; customer notification protocols
1.12	Transaction Posting & Ledger Update	The core banking system crashed during peak hours	Transaction backlog; reconciliation issues	High availability architecture; batch recovery procedures
1.13	Interest, Fees & Charges Processing	Batch job failure due to a system bug	Incorrect interest or fees applied	Automated reconciliation checks; parallel run validation
1.14	Exception Handling & Dispute Resolution	Surge in disputes due to a fraud incident	Operational overload; delayed resolution	Scalable case management system; surge staffing plans
1.15	Fraud Monitoring & Protective Controls	Sophisticated cyber fraud bypassing detection systems	Financial loss; regulatory breach	AI-driven fraud analytics; continuous rule tuning; red team testing
1.16	Reconciliation & Financial Reporting Support	Data mismatch between systems	Financial reporting inaccuracies	Automated reconciliation tools; exception thresholds
1.17	Regulatory Reporting & Compliance Monitoring	Failure to submit regulatory reports on time due to a system outage	Regulatory penalties; compliance breach	Backup reporting systems; regulatory calendar tracking
1.18	Service Continuity & Incident Response	Data centre outage (natural disaster scenario)	Full service disruption	Disaster recovery site activation; crisis management drills
1.19	Dormancy, Restriction & Closure	Erroneous account freezing due to a system error	Customer complaints; legal exposure	Dual authorisation controls; audit review mechanisms
1.20	Third-Party & Infrastructure Dependency Management	Critical vendor (cloud/telecom) failure	System-wide disruption	Vendor risk assessments; exit strategies; multi-vendor architecture

Banner [Summing] [OR] [E3] Perform Scenario Testing

Scenario testing for CBS-1 Retail Deposit & Account Services enables BDO Unibank to move beyond theoretical resilience into demonstrated operational capability under stress.

By systematically testing each Sub-CBS against severe but plausible disruptions, the bank ensures that its services remain within the impact tolerances defined in BSP Circular 1203, even amid complex, multi-layered failures.

Importantly, integrating cyber and ICT risks into every scenario reflects the evolving threat landscape, in which operational disruptions are increasingly technology-driven.

The inclusion of evidence of proactive risk management further demonstrates maturity—showing that resilience is not only about recovery but also about anticipation, prevention, and continuous improvement.

This structured approach positions BDO Unibank to achieve a sustainable, regulator-aligned operational resilience capability.

Building Operational Resilience: A Case Study of BDO Unibank
eBook 3: Starting Your OR Implementation
CBS-1 Deposit & Account Services
CBS-1 DP	CBS-1 MD	CBS-1 MPR	CBS-1 ITo	CBS-1 SuPS	CBS-1 ST

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.