For Land Bank of the Philippines (LBP), CBS-1 Deposit and Account Services is a core banking service because disruption to deposit onboarding, account access, transaction posting, card/ATM availability, digital access, reconciliation, fraud control, complaints handling, and recovery arrangements can immediately affect depositors, public confidence, and the bank’s ability to continue delivering critical operations.
LANDBANK’s public-facing service model shows that deposit accounts, digital banking through iAccess and the Mobile Banking App, and ATM/debit-card based access are integral parts of how customers access funds and transact. (Landbank)
BSP Circular No. 1203 requires BSFIs to identify critical operations, set a tolerance for disruption for each identified critical operation, use at least a time-based metric, consider other metrics such as the number of customers affected and the volume/value of transactions affected, and test those tolerances against severe but plausible scenarios.
The Circular also requires governance review and approval, integration with BCM, and resilience expectations for third-party service arrangements.
The BCM Institute guidance on impact tolerance is consistent with this approach: impact tolerance is the maximum tolerable level of disruption to a critical business service, and it should be set by identifying impact types, setting tolerances for each type, linking them to risk appetite, considering regulatory requirements, documenting them, and reviewing them regularly.
This chapter provides an illustrative, regulator-aligned impact tolerance summary for LANDBANK’s CBS-1 Deposit and Account Services. It is not a statement of LANDBANK’s actual board-approved tolerances; rather, it is a practical benchmark to help management, operations, technology, risk, compliance, and business continuity teams decide what level of disruption would become intolerable for each detailed process.
The objective is to translate BSP Circular No. 1203 into measurable service thresholds that can later be validated through scenario testing, dependency mapping, BCM exercises, incident response reviews, and board oversight.

| Sub-CBS Code | Sub-CBS | Maximum Tolerable Downtime (MTD) | Maximum Tolerable Data Loss (MTDL) | Customer Impact | Regulatory Impact | Impact Type | Current Resilience Status | Action Required |
|---|---|---|---|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | 1 business day | Up to 30 minutes of non-finalized application data; no loss of submitted KYC documents | Moderate to high inconvenience; delayed new account acquisition | Medium; delays in servicing and onboarding controls | Service availability, conduct, operational backlog | Partially resilient | Digitize intake fallback, queue management, branch/manual capture fallback |
| 1.2 | Customer Identification and Verification | 4 hours | Zero loss of verified identity records; max 15 minutes of in-process session data | High if applicants cannot be verified; possible account opening delays | High due to AML/CFT/KYC obligations | Compliance, data integrity, fraud risk | Partially resilient | Strengthen identity verification fallback, document imaging redundancy, sanctions/watchlist continuity |
| 1.3 | Account Approval and Opening | 4 hours | Zero loss of approved account master data | High for customers awaiting account activation and access | High; account opening approvals must remain controlled and auditable | Service delivery, compliance, audit trail | Partially resilient | Dual authorization fallback, branch-to-HO escalation, maker-checker recovery procedures |
| 1.4 | Initial Funding and Deposit Booking | 2 hours | Near-zero; max 5 minutes before journal/ledger replication | Very high if opening deposits are not booked correctly | High due to posting accuracy and reconciliation requirements | Financial, data integrity, liquidity/customer trust | Needs improvement | Real-time posting resilience, suspense/recovery procedures, reconciled offline receipts |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | 1 business day | Zero loss of parameter changes after approval | Moderate; pricing/features may be delayed but not usually immediately customer-critical | Medium to high if terms, fees, or account rules are misapplied | Data integrity, conduct, configuration risk | Partially resilient | Controlled change windows, configuration backup, rollback testing |
| 1.6 | Deposit Transactions Processing | 1 hour | Near-zero; max 5 minutes | Severe customer impact; inability to deposit/post transactions across channels | High; affects critical operations and transaction continuity | Availability, financial, reputational | Critical but partially resilient | Active-active processing where feasible, queue replay, prioritized recovery for deposit posting |
| 1.7 | Withdrawal and Funds Access Processing | 30 minutes | Near-zero; zero loss for authorized debit postings | Severe and immediate harm; customers unable to access funds | Very high due to customer harm and potential systemic confidence issues | Availability, customer harm, liquidity access | Critical | Prioritize channel failover, cash contingency, branch override/manual servicing with controls |
| 1.8 | Account Servicing and Customer Maintenance | 4 hours | Zero loss of approved maintenance records | High inconvenience; profile changes, passbook/account servicing delayed | Medium to high if customer records become inaccurate | Data integrity, conduct, customer service | Partially resilient | Workflow recovery, customer-request tracking, controlled deferred update process |
| 1.9 | Interest, Fees, and Charges Processing | End of business day | Zero loss of rate tables and processed accrual/billing files | Medium initially; high if prolonged or inaccurate | High if customers are over/under-charged or disclosures breached | Financial accuracy, conduct, reputational | Partially resilient | Batch rerun capability, fee/interest adjustment controls, independent validation |
| 1.10 | Statement, Passbook, and Balance Reporting | 1 business day for statements; 1 hour for balance inquiry availability | Max 15 minutes for non-finalized report cache; zero loss for official statements | High if customers cannot confirm balances; moderate for statement delay | Medium to high depending on reporting scope and consumer rights | Information availability, customer confidence | Partially resilient | Multi-channel balance inquiry fallback, report regeneration, branch-assisted servicing |
| 1.11 | Digital Account Access Enablement | 1 hour | Zero loss of user entitlement, credentials, and activation records | Severe for online users if login/access fails | High due to service continuity and security expectations | Channel availability, cybersecurity, customer harm | Critical | Harden IAM, MFA/OTP continuity, alternate activation/recovery path, digital channel failover |
| 1.12 | ATM and Card-Based Access Management | 30 minutes | Zero loss of card status, PIN/authorization controls, and hotlist updates | Severe and immediate customer impact on cash access and purchases | Very high if card controls or access restrictions fail | Availability, fraud, customer harm | Critical | Network redundancy, switch failover, card hotlist sync assurance, ATM outage playbooks |
| 1.13 | Account Reconciliation and Exception Handling | End of business day for standard items; 4 hours for high-value exceptions | Zero loss of recon and exception records | Usually low immediate customer impact, but high latent financial risk | High if unresolved breaks accumulate or reporting becomes inaccurate | Financial integrity, control effectiveness | Partially resilient | Automated exception queues, aged-break escalation, independent recon backup |
| 1.14 | Dormancy, Holds, Restrictions, and Account Control Administration | 2 hours | Zero loss of control status and legal/operational hold records | High if customers are wrongly blocked or improperly allowed access | Very high due to legal, compliance, and fraud implications | Compliance, control integrity, customer harm | Needs improvement | Immutable control logs, rapid verification workflow, emergency override with approval trails |
| 1.15 | Fraud Monitoring and Transaction Surveillance for Deposit Accounts | 15 minutes for alerting degradation; 1 hour max for full restoration | Zero loss of alerts, cases, and decision logs | Potentially severe if fraudulent transactions are not detected quickly | Very high; AML/fraud monitoring is highly sensitive | Fraud, compliance, financial loss, reputational | Critical | 24/7 monitoring, SIEM/fraud-engine redundancy, manual surveillance fallback, alert backlog management |
| 1.16 | Complaints, Disputes, and Service Recovery | 4 hours for complaint intake; 1 business day for case logging continuity | Zero loss of complaint/dispute records | High conduct and reputational impact if complaints cannot be logged or tracked | High because complaint handling and redress must remain auditable | Conduct, reputational, customer trust | Partially resilient | Central complaint register backup, omnichannel intake continuity, SLA tracking and escalation |
| 1.17 | Regulatory Reporting and Compliance Support for Deposit Services | By regulatory deadline; 4 hours for critical internal compliance data availability | Zero loss of reportable data and evidence trail | Low immediate retail impact, high downstream institutional impact | Very high due to supervisory reporting and compliance obligations | Compliance, reporting, legal risk | Partially resilient | Regulatory data lineage controls, reporting fallback, sign-off and evidence retention |
| 1.18 | Business Continuity and Recovery for Deposit Services | Recovery orchestration activated within 15 minutes; critical service restoration within the lowest applicable CBS tolerance | Zero loss of incident logs, invocation decisions, recovery actions | Severe if recovery governance fails during disruption | Very high because BCM/OR capability underpins all critical operations | Enterprise resilience, governance, recovery effectiveness | Core control; must be continuously tested | Maintain updated recovery playbooks, crisis roles, alternate sites/channels, scenario-based testing |

These proposed tolerances follow the BSP expectation that disruption limits should not rely only on time. The table therefore combines downtime and data-loss metrics with customer harm, regulatory consequences, and operational impact.
This mirrors BSP Circular No. 1203, which says BSFIs should use at least a time-based metric and also consider other measures such as customers affected and transaction volumes/values affected.
The most stringent tolerances are assigned to processes directly tied to customer access to funds, transaction processing, digital/channel access, ATM/card access, and fraud monitoring, because these are the points where disruption is most likely to create immediate customer harm or broader confidence issues.
That outcome-based approach is also consistent with BCM Institute’s explanation that impact tolerance marks the point beyond which harm becomes intolerable and should focus on “how much, when, and for how long,” not just on a technical recovery clock.
The table also assumes that LANDBANK’s operating model includes branch deposit products, digital banking, and card/ATM-enabled access.
That assumption is grounded in LANDBANK’s public-facing service offerings for deposit accounts, iAccess, the Mobile Banking App, and ATM/debit card services.
For complaints and service recovery, LANDBANK publicly provides customer care channels and complaint routes, which support treating complaint intake and case logging as resilience-relevant supporting processes for deposit services.
Third-party dependencies should be validated against these tolerances as well.
BSP Circular No. 1203 says BSFIs should conduct due diligence on service providers, ensure they support the established tolerance for disruption, and avoid arrangements where the provider cannot comply with those tolerances.
For a Philippine bank, BSP Circular No. 1203 creates several practical requirements relevant to this chapter:
A practical example for LANDBANK would be this: if 1.7 Withdrawal and Funds Access Processing or 1.12 ATM and Card-Based Access Management is disrupted beyond 30 minutes during payday or a disaster event, the disruption may already breach the bank’s impact tolerance because it would create immediate depositor harm, complaints, and potential reputational escalation.
Likewise, if 1.15 Fraud Monitoring and Transaction Surveillance loses alerts or operates blindly for an extended period, the bank may face intolerable fraud, AML, and supervisory risk even before customers visibly complain.
Those examples reflect the BSP’s expectation that tolerances be calibrated around the actual harm caused by disruption to critical operations.
Establishing impact tolerance for CBS-1 Deposit and Account Services helps convert operational resilience from a broad policy requirement into measurable service protection thresholds.
For LANDBANK, the most important tolerances are those that preserve customer access to funds, maintain posting integrity, protect digital and ATM/card channels, sustain fraud surveillance, and ensure that recovery actions are activated quickly and effectively.
These are the areas where disruption is most likely to produce intolerable customer harm or supervisory concern.
The next step is to validate these illustrative tolerances through dependency mapping, process-and-resource mapping, scenario testing, and board review.
In BSP Circular No. 1203 terms, the tolerances must be actionable, tested, and supported by recovery options, third-party arrangements, and BCM capabilities so that critical deposit services can continue through severe but plausible disruptions.
Strengthening Operational Resilience in Land Bank of the Philippines: A Practical Implementation Guide
eBook 3: Starting Your OR Implementation