Scenario testing is a critical component of operational resilience, as emphasised in Bangko Sentral ng Pilipinas (BSP) Circular No. 1203, Series of 2024.
It enables financial institutions such as the Development Bank of the Philippines (DBP) to validate their ability to continue delivering Critical Business Services (CBS) under severe but plausible disruptions.
For CBS-1 Deposit and Account Services, scenario testing assesses the resilience of end-to-end processes—from onboarding to recovery—by simulating disruptions such as cyberattacks, system failures, third-party outages, and operational errors.
In alignment with regulatory expectations, scenario testing must incorporate cyber and ICT risks, demonstrate interdependency awareness, and produce evidence of continuous improvement and proactive risk management.

| Sub-CBS Code | Sub-CBS | Recommended Scenario Test Themes (incl. Cyber & ICT Risk Integration) | Impact / Effect | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Digital onboarding platform outage; identity fraud attempt via compromised credentials | Inability to onboard customers; reputational damage | Alternate onboarding channels activated; fraud detection alerts triggered; onboarding backlog recovery plan |
| 1.2 | Customer Identification and Verification (KYC/CDD) | KYC system downtime; API failure with government ID verification systems | Delayed account opening; compliance breaches | Manual KYC fallback procedures; SLA monitoring with third-party KYC providers |
| 1.3 | Account Approval and Opening | Core banking approval workflow failure; unauthorized approval due to an access breach | Incorrect account creation; regulatory exposure | Dual authorization controls tested; audit trail validation; access recertification |
| 1.4 | Initial Funding and Deposit Booking | Payment gateway disruption; incorrect fund posting due to a system error | Customer funds not credited; reconciliation breaks | Real-time reconciliation triggers, suspense account monitoring, and customer notification protocols |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Misconfiguration of interest rates or fees due to a system patch error | Financial loss; customer disputes | Configuration change controls; automated validation scripts; rollback procedures |
| 1.6 | Deposit Transactions Processing | Core banking outage; cyberattack (e.g., ransomware) on transaction engine | Transaction failure; systemic service disruption | DR site activation; transaction queue recovery; cybersecurity incident response execution |
| 1.7 | Withdrawal and Funds Access Processing | ATM network outage; unauthorized withdrawal attempts via card compromise | Customer unable to access funds; fraud losses | ATM failover network tested; fraud detection rules triggered; card blocking procedures |
| 1.8 | Account Servicing and Customer Maintenance | CRM system outage; data integrity issue from system sync failure | Delayed servicing; incorrect customer data updates | Data reconciliation routines; customer service fallback scripts; data correction workflows |
| 1.9 | Interest, Fees, and Charges Processing | Batch job failure; incorrect computation due to a system bug | Financial misstatement; customer dissatisfaction | Batch rerun procedures; reconciliation checks; exception reporting dashboards |
| 1.10 | Statement, Passbook, and Balance Reporting | Reporting system downtime; data corruption in the reporting database | Inaccurate statements; regulatory non-compliance | Backup reporting systems; data integrity checks; customer communication templates |
| 1.11 | Digital Account Access and Channel Integration | Internet/mobile banking outage; DDoS attack on digital channels | Customers unable to access accounts; reputational damage | DDoS mitigation controls, channel failover, and customer advisory alerts |
| 1.12 | ATM and Card-Based Access Management | Card management system breach; ATM switch failure | Card transaction failure; fraud incidents | Card lifecycle controls tested; network redundancy; fraud monitoring escalation |
| 1.13 | Account Reconciliation and Exception Handling | Reconciliation engine failure; delayed batch processing | Unresolved discrepancies; financial reporting risks | Manual reconciliation fallback; exception aging monitoring; escalation protocols |
| 1.14 | Dormancy, Holds, Restrictions, and Account Control Administration | Erroneous account freezing due to system error; delayed release of holds | Customer complaints; regulatory scrutiny | Override controls; audit logs review; timely exception handling procedures |
| 1.15 | Fraud Monitoring and Transaction Surveillance | Failure of the fraud detection system; advanced persistent threat (APT) attack | Undetected fraud; financial losses | SIEM alerts tested; fraud rule tuning; integration with cybersecurity monitoring |
| 1.16 | Complaints, Disputes, and Service Recovery | Contact center outage; complaint management system failure | Delayed resolution; customer dissatisfaction | Alternate service channels, complaint tracking logs, and service recovery KPIs |
| 1.17 | Regulatory Reporting and Compliance Monitoring | Regulatory reporting system failure; incorrect data submission | Non-compliance penalties; supervisory action | Regulatory reporting validation checks; submission contingency procedures |
| 1.18 | Incident Response, Business Continuity, and Recovery | Major cyberattack; data center outage; pandemic scenario affecting staff availability | Prolonged service disruption; inability to recover within impact tolerance | End-to-end BCP/DR test results; crisis management activation; recovery time validation |

Scenario testing for CBS-1 Deposit and Account Services at the Development Bank of the Philippines provides a structured approach to validating operational resilience against a wide range of disruptions. By integrating cyber and ICT risks, DBP ensures that both digital and operational vulnerabilities are comprehensively assessed, in line with the expectations of BSP Circular No. 1203.
The outcomes of these scenario tests—such as validated recovery strategies, strengthened controls, and documented response effectiveness—serve as tangible evidence of proactive risk management. Ultimately, continuous scenario testing enables DBP to enhance its resilience posture, safeguard customer trust, and ensure the sustained delivery of critical deposit and account services even under adverse conditions.