CBS-2 Payments and Funds Transfer Services
Introduction
For Bank Islam Malaysia Berhad, Payments and Funds Transfer Services (CBS-2) represent a mission-critical capability underpinning customer trust, liquidity flow, and regulatory compliance. In line with operational resilience principles, identifying severe but plausible scenarios enables the Bank to test its ability to remain within defined impact tolerances even under extreme stress conditions.
These scenarios are not routine operational incidents, but high-impact events that are credible within today’s threat landscape—ranging from cyber-attacks and ICT infrastructure failure to regulatory breaches and third-party disruptions. The table below maps each Sub-CBS to representative severe but plausible scenarios, outlines their impact, and demonstrates proactive risk management actions aligned with cyber and ICT risk integration.
Table P5: Identify Severe but Plausible Scenarios for CBS-2

| Sub-CBS Code | Sub-CBS | Severe but Plausible Scenario | Impact / Effect | Proactive Risk Management Action | Link to Integration of Cyber and ICT Risks |
|---|---|---|---|---|---|
| 2-01 | Customer Payment Initiation | Distributed Denial-of-Service (DDoS) attack on internet/mobile banking channels during the peak period | Customers unable to initiate payments; reputational damage | DDoS mitigation services, traffic filtering, alternate channel routing, and customer communication protocol | Cybersecurity operations centre (SOC) monitoring, network resilience, secure digital channel architecture |
| 2-02 | Funds Transfer Processing (Intra-bank) | Core banking interface failure due to database corruption | Internal transfers delayed; account imbalance risk | Real-time database replication, automated failover, periodic recovery testing | ICT resilience, high-availability infrastructure, backup data integrity controls |
| 2-03 | Interbank Transfer Processing (IBFT & RENTAS) | National payment gateway outage affecting IBFT and RENTAS connectivity | Interbank transfers halted; liquidity and settlement delays | Contingency connectivity, manual fallback procedures, liquidity buffer planning | Third-party ICT dependency management, secure network connectivity, SWIFT/network redundancy |
| 2-04 | DuitNow & Instant Payment Services | Malware infiltration is affecting the instant payment API gateway | Fraudulent transactions; financial loss | API gateway hardening, endpoint detection and response (EDR), transaction anomaly detection | Secure API framework, cyber threat intelligence integration, and continuous vulnerability scanning |
| 2-05 | Payment Clearing & Settlement | Settlement file corruption before the clearing cycle | Incorrect clearing positions; regulatory breach | File validation controls, checksum verification, dual control approval | Secure file transfer protocol (SFTP), encryption, and ICT integrity monitoring |
| 2-06 | Corporate & Bulk Payment Processing | Ransomware attack on the bulk payment processing server | Corporate salary/vendor payments disrupted | Network segmentation, immutable backups, ransomware response playbook | Enterprise cybersecurity posture, backup isolation, and incident response orchestration |
| 2-07 | Cross-Border Payment Processing | Sanctioned country restriction update not reflected in system rules | Regulatory non-compliance; sanctions breach | Automated sanctions list updates, periodic rules validation testing | AML system integration, secure data feeds, ICT change management, and governance |
| 2-08 | Payment Authorization & Authentication | Compromise of the multi-factor authentication (MFA) system | Unauthorized payment approvals | Strong MFA configuration, adaptive authentication, and credential compromise monitoring | Identity & Access Management (IAM), privileged access management (PAM), cybersecurity monitoring |
| 2-09 | Sanctions Screening & AML Monitoring | Screening engine downtime during a high-volume transaction period | Transactions processed without screening; compliance breach | High-availability AML infrastructure, transaction queuing mechanism, and manual screening fallback | RegTech system resilience, secure database redundancy, and monitoring of screening logs |
| 2-10 | Transaction Posting & Core Banking Update | Core banking batch posting is delayed due to system overload | Customer balance discrepancies; complaints surge | Capacity planning, stress testing, performance monitoring dashboards | ICT capacity management, application performance monitoring (APM) |
| 2-11 | Exception Handling & Reversal Management | System logic error causing incorrect auto-reversals | Financial misstatement; reconciliation backlog | Change control testing, maker-checker validation, exception dashboards | Secure SDLC, system audit trails, and access control governance |
| 2-12 | Reconciliation & Nostro/Vostro Management | Failure in the reconciliation engine due to a corrupted settlement feed | Unreconciled items; liquidity exposure | Automated reconciliation alerts, daily exception reporting, contingency manual recon | Secure data exchange controls, system integrity checks |
| 2-13 | Customer Notification & Confirmation | SMS/email gateway outage during payment processing disruption | Customers are unaware of payment status; complaint escalation | Multi-channel notification redundancy, message queue monitoring | Third-party ICT vendor resilience assessment, API failover controls |
| 2-14 | Payment Reporting & Regulatory Submission | Regulatory reporting file not submitted due to system integration failure | Regulatory penalty; supervisory action | Pre-submission validation checks, reporting automation monitoring, and escalation matrix | Secure reporting interface, ICT integration testing, compliance system monitoring |
| 2-15 | Payment Channel Availability & Infrastructure Support | Data centre power failure affecting payment systems | Full payment service outage | Dual data centre architecture, disaster recovery (DR) site activation drills, RTO/RPO validation | Data centre resilience, DR orchestration, cyber-physical security integration |

Identifying severe but plausible scenarios for CBS-2 enables Bank Islam Malaysia Berhad to move beyond theoretical risk assessments and into practical resilience validation. By linking each Sub-CBS scenario to proactive controls and explicit cyber and ICT risk integration, the Bank strengthens its ability to withstand high-impact disruptions while maintaining customer confidence and regulatory compliance.
This structured approach ensures that operational resilience is not treated as a standalone compliance requirement, but as a dynamic capability embedded within technology governance, cybersecurity posture, third-party oversight, and enterprise risk management—positioning the Bank to operate confidently even under extreme but credible stress conditions.
