Regulatory guidance emphasises that financial institutions must identify the people, processes, technology, facilities, and third parties necessary to deliver critical business services, including upstream and downstream dependencies. This structured mapping supports impact tolerance setting, scenario testing, outsourcing risk management, and ICT resilience oversight.
Below is the detailed mapping for each Sub-CBS under CBS-1.

| Sub-CBF Code | Sub-CBS | Processes | People | Technology (Applications & Infrastructure) | Third-Party Vendors | Upstream / Downstream Dependencies |
|---|---|---|---|---|---|---|
| 1.1 | Online Banking Login & Authentication | Customer credential validation, MFA issuance, session management, password reset workflows | IT Security Team, IAM Administrators, SOC Analysts | Identity & Access Management (IAM), Single Sign-On (SSO), Authentication servers, Web application firewall (WAF), Data centres/cloud infrastructure | OTP SMS providers, Email service providers | Upstream: Customer master data, network connectivity; Downstream: Dashboard access, transaction services |
| 1.2 | Account Dashboard & Balance Inquiry | Real-time account retrieval, transaction history display, and caching management | Application Support, Database Administrators, DevOps | Core banking system, Middleware/API services, Database clusters, Load balancers | Cloud hosting provider (if hybrid), Infrastructure maintenance vendors | Upstream: Successful authentication; Downstream: Funds transfer, reporting, alerts |
| 1.3 | Funds Transfer & Payment Services | Payment initiation, validation, fraud screening, clearing & settlement, reconciliation | Payments Operations Team, Fraud Monitoring Team, Compliance Officers | Payment engine, Core banking integration, SWIFT/FAST/RTGS connectivity, Anti-fraud systems | Clearing houses, SWIFT network, and payment gateway providers | Upstream: Account balance confirmation; Downstream: Alerts, audit logs, regulatory reporting |
| 1.4 | Mobile App Transaction Processing | API request handling, mobile session control, transaction orchestration | Mobile Development Team, IT Operations, Cybersecurity Team | Mobile backend APIs, Microservices architecture, App servers, DDoS protection systems | App Store/Google Play, Push notification services | Upstream: Authentication services; Downstream: Payments engine, notification services |
| 1.5 | Retail Digital Onboarding | e-KYC verification, AML screening, e-signature capture, account creation workflow | KYC/AML Officers, Digital Onboarding Team, Risk Management | Digital onboarding platform, Biometric verification tools, Document capture systems | Identity verification vendors, AML screening providers | Upstream: Customer data submission; Downstream: Core banking account creation, login provisioning |
| 1.6 | Digital Alerts & Notification Services | Trigger-based alert generation, SMS/email/push dispatch, escalation management | IT Messaging Team, Customer Communications Team | Alert engine, Messaging servers, Email/SMS gateways, Telecom links | Telcos, Email delivery vendors | Upstream: Payment or account event triggers; Downstream: Customer devices, CRM updates |
| 1.7 | Customer Support & Chatbot Interface | Query routing, chatbot response management, ticket escalation | Customer Service Officers, Chatbot Supervisors, IT Support | CRM platform, Chatbot AI engine, Knowledge base systems, Call centre systems | AI/NLP solution providers, Contact centre vendors | Upstream: Customer interaction requests; Downstream: Case resolution workflows, complaints management |
| 1.8 | API Gateway & Third-Party Integrations | API authentication, rate limiting, traffic monitoring, partner onboarding | API Development Team, Integration Specialists, Vendor Management | API gateway platform, Developer portal, Encryption tools, Network firewalls | Fintech partners, Aggregators, Open banking service providers | Upstream: Core banking services; Downstream: External partner platforms, regulatory data interfaces |
| 1.9 | Access Monitoring & Security Event Logging | Log aggregation, anomaly detection, and incident escalation | SOC Analysts, IT Risk Management, Cybersecurity Team | SIEM platform, Log servers, Threat intelligence feeds, Intrusion detection systems | Cybersecurity monitoring vendors | Upstream: All digital channel activity; Downstream: Incident response, regulatory breach reporting |
| 1.10 | Back-End Data Synchronisation & Recovery | Real-time replication, scheduled backup, and disaster recovery (DR) activation | Infrastructure Team, Database Administrators, BCM Team | Data replication tools, DR site infrastructure, Backup storage systems, Cloud recovery solutions | Cloud backup providers, DR hosting vendors | Upstream: Core banking and transaction systems; Downstream: Recovery environment, regulatory reporting systems |

Mapping processes and resources for CBS-1: Retail & Digital Banking Access enables CIMB Bank to gain full visibility over the operational ecosystem supporting customer access and digital services. In accordance with the 2025 BNM Discussion Paper on Operational Resilience, this structured mapping identifies:
Critical internal capabilities (people and technology),
Key third-party dependencies and outsourcing risks,
Interconnected upstream and downstream systems,
Potential single points of failure.
This end-to-end view forms the foundation for impact tolerance setting, severe-but-plausible scenario design, third-party risk management, and disaster recovery planning. By continuously reviewing and validating these mapped dependencies through scenario testing, CIMB Bank strengthens its ability to maintain digital banking access even during operational, cyber, or systemic disruptions — preserving customer trust and regulatory compliance.
Operational Resilience in Practice: The CIMB Bank Approach
eBook 3: Starting Your OR Implementation
For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.