Under the principles of operational resilience, identifying Severe but Plausible Scenarios (SBPS) is how an institution tests whether its critical business services can remain within defined impact tolerances under extreme stress conditions.
For CBS-2 Payments & Funds Transfer Services, disruptions may arise from cyber incidents, infrastructure failures, third-party outages, fraud events, or regulatory interventions. Given the systemic importance of payment services to customers, counterparties, and the financial ecosystem, scenario testing must reflect high-impact yet realistic threat conditions.
For China Construction Bank (Malaysia) Berhad, the identification of SBPS for each Sub-CBS (2.1–2.7) supports proactive resilience planning, integration of ICT and cyber risk management, and regulatory compliance.
The table below outlines recommended severe but plausible scenarios, their impact, evidence of proactive risk management, and explicit linkages to cyber and ICT risk integration.
| Sub-CBS Code | Sub-CBS | Severe but Plausible Scenario | Impact / Effect | Proactive Risk Management Action | Link to Integration of Cyber and ICT Risks |
|---|---|---|---|---|---|
| 2.1 | Account-to-Account Transfers | Core banking system outage due to data centre power failure | Inability to process internal transfers; customer dissatisfaction; liquidity strain | Active-active data centre setup; periodic failover testing; backup power redundancy | ICT resilience (data centre redundancy), infrastructure monitoring, BCP testing |
| 2.2 | Real-Time & Instructional Payments | Ransomware attack affecting a real-time payment gateway | Immediate disruption of instant payments; reputational damage; regulatory reporting | Network segmentation; EDR deployment; immutable backups; cyber incident response drills | Cyber security integration (SOC monitoring, ransomware playbooks, threat intelligence) |
| 2.3 | Bill Payment & Provider Settlement | Third-party biller platform compromise or API failure | Failed bill settlements; delayed provider remittance; customer complaints | Vendor risk assessment; API monitoring; fallback batch processing | Third-party ICT risk management; secure API gateway; vendor cyber due diligence |
| 2.4 | Cross-Border Remittances | SWIFT connectivity disruption due to a cyber intrusion | Cross-border payments halted; sanctions compliance risk; FX exposure | SWIFT CSP compliance; alternative correspondent routing; sanctions screening redundancy | Integration of SWIFT cyber controls, encryption, and secure network architecture |
| 2.5 | Batch & Bulk Payments | File upload corruption from malware in a corporate client environment | Large-scale payroll/payment rejection; operational backlog | File integrity validation; malware scanning; maker-checker controls; customer awareness programme | Secure file transfer protocols (SFTP), endpoint security integration, and cyber hygiene |
| 2.6 | Corporate e-Banking Payments Interface | Distributed Denial-of-Service (DDoS) attack on the corporate banking portal | Corporate clients unable to initiate payments; liquidity and market impact | DDoS mitigation service; traffic filtering; capacity scaling; penetration testing | Cyber resilience (DDoS protection, web application firewall, real-time monitoring) |
| 2.7 | QR Payment & Digital Channels | Mobile banking app compromise due to a zero-day vulnerability | Fraudulent transactions; mass service suspension; reputational loss | Secure SDLC; vulnerability scanning; multi-factor authentication; fraud analytics | Integration of application security, mobile security controls, threat detection & response |
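Row 2.5 names file integrity validation and maker-checker controls as the proactive actions against a corrupted bulk payment file. The Python script below is an added illustration of what those two controls look like when implemented; it is not code from the Bank or from this eBook. The pipe-delimited file layout (header, detail records, trailer carrying a record count and control total), the out-of-band SHA-256 digest supplied by the corporate client, and the sample batches are all assumptions constructed for the example.

```python
"""Batch payment file integrity validation with a maker-checker release gate.

Added example for the CBS-2.5 (Batch & Bulk Payments) scenario. The file
layout, the out-of-band SHA-256 digest and the sample batches below are
assumptions constructed for this illustration, not a format used by the
Bank or by any real clearing system.
"""
import hashlib
from dataclasses import dataclass, field

# Assumed layout (one record per line, pipe-delimited):
#   H|<batch_id>|<value_date>
#   D|<beneficiary_account>|<amount_in_minor_units>   (repeated)
#   T|<record_count>|<control_total>
# The corporate client is assumed to send the SHA-256 of the file through a
# separate channel when the maker submits it, so a file altered in transit or
# by malware on the client's workstation is rejected before business checks.


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_batch_file(data: bytes, expected_sha256: str) -> ValidationResult:
    """Check digest, record structure, field formats and trailer totals."""
    if sha256_hex(data) != expected_sha256.lower():
        return ValidationResult(False, ["sha256 mismatch: file differs from what the client signed off"])
    try:
        lines = [ln for ln in data.decode("ascii").splitlines() if ln]
    except UnicodeDecodeError:
        return ValidationResult(False, ["non-ASCII bytes in file"])
    if len(lines) < 2 or not lines[0].startswith("H|") or not lines[-1].startswith("T|"):
        return ValidationResult(False, ["missing header or trailer record"])

    errors, count, total = [], 0, 0
    for lineno, line in enumerate(lines[1:-1], start=2):
        parts = line.split("|")
        if len(parts) != 3 or parts[0] != "D":
            errors.append(f"line {lineno}: malformed detail record")
            continue
        account, amount = parts[1], parts[2]
        if not (account.isdigit() and 8 <= len(account) <= 16):
            errors.append(f"line {lineno}: invalid beneficiary account")
        if not (amount.isdigit() and int(amount) > 0):
            errors.append(f"line {lineno}: invalid amount")
            continue
        count += 1
        total += int(amount)

    trailer = lines[-1].split("|")
    if len(trailer) != 3 or not (trailer[1].isdigit() and trailer[2].isdigit()):
        errors.append("malformed trailer record")
    else:
        if int(trailer[1]) != count:
            errors.append(f"record count mismatch: trailer {trailer[1]}, counted {count}")
        if int(trailer[2]) != total:
            errors.append(f"control total mismatch: trailer {trailer[2]}, summed {total}")
    return ValidationResult(not errors, errors)


def release_batch(result: ValidationResult, maker: str, checker: str) -> bool:
    """Maker-checker gate: only a valid file approved by a different user is released."""
    if not result.ok:
        return False
    if not maker or not checker or maker == checker:
        return False
    return True


# Constructed sample batches (not real payment data).
GOOD_FILE = (
    b"H|BATCH0001|20240115\n"
    b"D|1234567890|150000\n"
    b"D|9876543210|250000\n"
    b"T|2|400000\n"
)
GOOD_DIGEST = sha256_hex(GOOD_FILE)
# Same batch with one amount inflated, as malware on the client side might do.
TAMPERED_FILE = GOOD_FILE.replace(b"|250000\n", b"|2500000\n")

if __name__ == "__main__":
    print(validate_batch_file(GOOD_FILE, GOOD_DIGEST))
    # Tampered after sign-off: the digest check fails first.
    print(validate_batch_file(TAMPERED_FILE, GOOD_DIGEST))
    # Tampered before sign-off (digest recomputed): the trailer control total catches it.
    print(validate_batch_file(TAMPERED_FILE, sha256_hex(TAMPERED_FILE)))
    print(release_batch(validate_batch_file(GOOD_FILE, GOOD_DIGEST), "maker1", "maker1"))
```

The two layers matter for different failure modes: the digest detects alteration after the client approved the file, while the trailer count and control total detect corruption that happened before approval (or a file whose digest was recomputed by the same malware). The release gate refuses the batch unless a second, distinct user has checked it, which is the maker-checker control the table refers to.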
Identifying severe but plausible scenarios for CBS-2 Payments & Funds Transfer Services enables China Construction Bank (Malaysia) Berhad to rigorously test whether its payment operations can remain within defined impact tolerances during extreme disruptions.
By embedding cyber and ICT risk integration into each scenario, the Bank ensures that operational resilience is not limited to traditional business continuity planning but extends to digital, third-party, and systemic risk exposures.
Through proactive risk management actions such as redundancy, cyber defence enhancement, vendor oversight, and continuous scenario testing, the Bank strengthens its ability to prevent, adapt to, respond to, and recover from major disruptions. This structured scenario identification framework enhances regulatory compliance, protects customers, and sustains trust in critical payment infrastructure.
Building a Resilient Banking Institution: Operational Resilience Implementation at China Construction Bank (Malaysia)
eBook 3: Starting Your OR Implementation