
Operational Resilience Implementation Blueprint: EastWest Banking Corporation

[OR] [EWB] [E3] [CBS] [1] [ST] Perform Scenario Testing


Scenario testing is a core component of operational resilience, as articulated in the BSP Circular No. 1203 Series of 2024. It enables financial institutions to validate their ability to remain within defined impact tolerances under severe but plausible disruption scenarios.

For CBS-1 Deposit and Account Services, scenario testing ensures that critical customer-facing services—such as onboarding, transactions, and account access—remain resilient amid operational, cyber, and third-party disruptions.

In alignment with the BCM Institute’s guidance in “[OR] [P2-S4] What is Scenario Testing in Operational Resilience?”, scenario testing must incorporate end-to-end process validation, interdependency stress, and realistic disruption assumptions.

The scenarios below integrate Cyber and ICT risks, reflecting regulatory expectations that banks assess vulnerabilities across digital channels, infrastructure, and third-party ecosystems.


Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


CBS-1 Deposit & Account Services



Table P6: Perform Scenario Testing for CBS-1  

| Sub-CBS Code | Sub-CBS | Recommended Scenario Test Themes (incl. Cyber & ICT Risk Integration) | Impact / Effect | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Digital onboarding platform outage due to cloud service disruption; surge in applications during outage | Delayed onboarding, customer dissatisfaction | Redundant onboarding channels (branch/manual), load balancing, and onboarding backlog procedures |
| 1.2 | Customer Identification and Verification (KYC/CDD) | Failure of e-KYC systems due to API integration breakdown or cyberattack | Inability to verify customers, regulatory breach risk | Manual KYC fallback, secure API gateways, periodic KYC system penetration testing |
| 1.3 | Account Approval and Opening | Core banking approval workflow disruption from a system bug or a ransomware attack | Delayed account opening, operational backlog | Segregated approval workflows, offline approval procedures, and system recovery playbooks |
| 1.4 | Initial Funding and Deposit Booking | Payment gateway outage or interbank network failure | Failed or delayed initial deposits | Alternate funding channels, integration with multiple payment networks, and transaction retry mechanisms |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Configuration errors or unauthorised parameter changes due to insider threat or cyber breach | Incorrect interest/fees applied, financial loss | Maker-checker controls, audit trails, privileged access monitoring |
| 1.6 | Deposit Transactions Processing | Core banking system downtime or database corruption | Inability to process deposits, transaction backlog | Real-time replication, failover systems, transaction queuing and replay capability |
| 1.7 | Withdrawal and Funds Access Processing | ATM/POS network outage or cyberattack on card systems | Customers are unable to withdraw funds | ATM network redundancy, card switch failover, and emergency cash access procedures |
| 1.8 | Account Servicing and Customer Maintenance | CRM system outage or data breach affecting customer records | Inability to update customer data, reputational damage | Data backup, role-based access control, and customer service fallback channels |
| 1.9 | Interest, Fees, and Charges Processing | Batch processing failure or data integrity issue due to system malfunction | Incorrect charges, customer disputes | Automated reconciliation, batch rerun capability, and exception reporting |
| 1.10 | Statement, Passbook, and Balance Reporting | Reporting system outage or data extraction failure | Customers are unable to access account information | Multi-channel reporting (online, branch), cached data access, reporting redundancy |
| 1.11 | Digital Account Access and Channel Integration | Mobile/internet banking outage due to a DDoS attack or system overload | Loss of digital access, customer complaints | DDoS protection, auto-scaling infrastructure, and alternate access channels |
| 1.12 | ATM and Card-Based Access Management | Card management system compromise or ATM malware attack | Unauthorised transactions, service disruption | EMV security, fraud monitoring systems, ATM hardening and patching |
| 1.13 | Account Reconciliation and Exception Handling | Reconciliation system failure or delayed batch jobs | Unresolved discrepancies, financial reporting issues | Automated reconciliation tools, manual reconciliation fallback, and exception dashboards |
| 1.14 | Dormancy, Holds, Restrictions, and Account Control Administration | Incorrect tagging due to a system error or cyber manipulation | Improper account restrictions or access | Dual controls, audit logs, periodic review of dormant accounts |
| 1.15 | Fraud Monitoring and Transaction Surveillance | Failure of fraud detection systems or AI models due to a cyberattack | Increased fraud exposure, financial loss | Real-time monitoring, rule-based fallback detection, fraud response escalation protocols |
| 1.16 | Complaints, Disputes, and Service Recovery | Customer complaint system outage or backlog during a crisis event | Delayed dispute resolution, reputational damage | Case management backup systems, prioritisation protocols, escalation workflows |
| 1.17 | Regulatory Reporting and Compliance Monitoring | Regulatory reporting system failure or data inconsistency | Non-compliance with BSP reporting requirements | Regulatory reporting backup processes, validation controls, and compliance monitoring tools |
| 1.18 | Incident Response, Business Continuity, and Recovery | Major cyberattack (e.g. ransomware) or data centre outage affecting multiple CBS processes | Widespread service disruption, breach of impact tolerance | Tested BCP/DR plans, crisis management team activation, recovery time validation, and regular scenario testing |

 

Regulatory Alignment and Operational Resilience Requirements

Under BSP Circular No. 1203 Series of 2024, Philippine banks are required to:

  • Conduct scenario testing using severe but plausible events, including cyber threats and third-party failures
  • Validate impact tolerances for critical business services
  • Ensure end-to-end mapping of dependencies, including ICT and third-party providers
  • Demonstrate the ability to recover within tolerance thresholds
  • Maintain evidence of continuous improvement and testing outcomes

The above scenarios incorporate these requirements by embedding cyber resilience, third-party dependencies, and recovery validation across all Sub-CBS processes.

 

 

Scenario testing for CBS-1 Deposit and Account Services provides EastWest Banking Corporation with a structured, evidence-based approach to validate its operational resilience.

By simulating disruptions across onboarding, transaction processing, digital access, and fraud monitoring, the bank can identify vulnerabilities and strengthen its ability to remain within defined impact tolerances.

Ultimately, integrating Cyber and ICT risks into scenario testing ensures that resilience is not limited to physical or process disruptions but also extends to the digital ecosystem underpinning modern banking services.

Continuous testing, learning, and improvement will enable the bank to meet regulatory expectations and sustain customer trust even in periods of severe disruption.
