CBS-7 Digital and Online Banking Services
In line with operational resilience requirements, establishing impact tolerances for Metrobank’s Critical Business Service (CBS-7): Digital and Online Banking Services is essential to ensure that the bank can withstand, respond to, and recover from disruptions within acceptable levels.
Impact tolerance refers to the maximum level of disruption a critical service can withstand before intolerable harm occurs to customers, the financial market, or regulatory compliance.
Given that digital banking services form the backbone of Metrobank’s customer interactions and transactions, understanding and quantifying acceptable disruption thresholds—measured in Maximum Tolerable Downtime (MTD) and Maximum Tolerable Data Loss (MTDL)—is vital.
These tolerances are established through scenario testing, impact analysis, and stakeholder engagement, aligning with the principles outlined in the Bangko Sentral ng Pilipinas (BSP) Operational Resilience Framework and the broader financial industry’s resilience expectations.
The following table outlines the impact tolerances for each sub-component of CBS-7, detailing operational limits, customer and regulatory implications, and required improvement actions.
Table P4: Establish Impact Tolerance for CBS-7
| Sub-CBS Code | Sub-CBS | Maximum Tolerable Downtime (MTD) | Maximum Tolerable Data Loss (MTDL) | Customer Impact | Regulatory Impact | Impact Type | Current Resilience Status | Action Required |
|---|---|---|---|---|---|---|---|---|
| 7.1 | Online Banking Platform Management | 2 hours | < 15 minutes | Loss of account access; service interruption to retail and corporate users | Non-compliance with BSP circulars on digital access | High | Robust redundancy and DRP are tested quarterly | Enhance cross-site failover automation |
| 7.2 | Mobile Banking Application Services | 2 hours | < 15 minutes | Loss of mobile transactions and app login failures | Reputational and regulatory exposure due to service unavailability | High | Stable, with mobile DR tested semi-annually | Increase mobile app uptime monitoring to real-time |
| 7.3 | Digital Account Access and Authentication | 1 hour | < 5 minutes | Inability to authenticate; customer lockout | Breach of security and authentication regulations | Very High | Multi-factor auth system in place | Implement biometric backup and secondary ID verification |
| 7.4 | Online Funds Transfer and Payment Processing | 1 hour | < 5 minutes | Failure of real-time payments; delay in fund availability | Non-compliance with BSP instant payment obligations | Very High | High availability and transaction mirroring | Introduce AI-based transaction rerouting |
| 7.5 | Digital Customer Onboarding and e-KYC | 4 hours | < 30 minutes | Inability to onboard new customers digitally | Breach of e-KYC and AML obligations | Medium | KYC system integrated with the central ID database | Automate the fallback offline verification process |
| 7.6 | Digital Customer Support and Service Channels | 4 hours | < 30 minutes | Disruption to customer inquiry resolution | Reputational and customer confidence impact | Medium | Chatbot and email redundancy exist | Expand IVR fallback and agent escalation protocols |
| 7.7 | Card-Not-Present (CNP) and e-Commerce Transaction Processing | 1 hour | < 5 minutes | Payment failures on online purchases | Reputational and financial loss exposure | Very High | Strong payment gateway redundancy | Improve coordination with acquiring network partners |
| 7.8 | ATM and Electronic Channel Management | 2 hours | < 10 minutes | ATM withdrawal failures; disruption in card services | BSP consumer protection compliance impact | High | Multiple ATM networks supported | Upgrade real-time ATM transaction monitoring |
| 7.9 | Cybersecurity and Fraud Monitoring for Digital Channels | 30 minutes | < 1 minute | Unmonitored fraud activity; delayed detection of attacks | Severe regulatory breach; data privacy violation | Critical | 24/7 SOC and threat analytics are active | Deploy AI anomaly-based fraud detection |
| 7.10 | Digital Banking Data Management and Reporting | 4 hours | < 30 minutes | Delay in reporting and analytics for digital ops | Regulatory reporting breach; delayed decision-making | Medium | Centralized data warehouse in place | Implement real-time data replication across the DR site |

Setting impact tolerances for Metrobank’s Digital and Online Banking Services (CBS-7) ensures that critical digital operations remain within acceptable disruption thresholds to maintain customer trust, market stability, and regulatory compliance.
These tolerances serve as measurable benchmarks for testing resilience and guiding investment in infrastructure, cybersecurity, and recovery capabilities.
By defining clear operational limits (MTD/MTDL) for each sub-service, Metrobank can prioritize resilience enhancements based on service criticality.
The continuous monitoring, scenario testing, and improvement of these tolerances will strengthen Metrobank’s ability to respond swiftly to cyber incidents, system outages, and third-party disruptions, ensuring sustainable digital banking continuity and customer confidence in a highly connected financial ecosystem.
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.












