CBS-7 Digital and Online Banking Services
![[OR] [MBT] [E3] [CBS] [7] [ST] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/7c904ed5-8d88-498a-b94e-32c80918f743.png)
Scenario testing is a critical component of Metrobank’s operational resilience framework, designed to validate the bank’s ability to remain within impact tolerances during severe but plausible disruptions.
For CBS-7 Digital and Online Banking Services, scenario testing focuses on end-to-end resilience of systems, processes, and dependencies that support online and mobile banking, authentication, digital payments, and cybersecurity controls.
Testing these scenarios not only assesses response and recovery capabilities but also ensures integration with cyber and ICT risk management practices.
These exercises simulate realistic disruptions — including system outages, cyberattacks, third-party failures, and data corruption — to verify that recovery strategies, communication protocols, and decision-making frameworks are effective under pressure.
The results guide continual improvements and demonstrate proactive risk management aligned with regulatory expectations.
![Banner [Table] [OR] [E3] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/a45e9708-7139-4f4e-8e0e-41179f5cacc3.png)
Table P6: Perform Scenario Testing for CBS-7
|
Sub-CBS Code |
Sub-CBS |
Scenario Testing Description |
Integration with Cyber & ICT Risks |
Evidence of Proactive Risk Management Action |
|
7.1 |
Online Banking Platform Management |
Simulate a major core system outage caused by database corruption or load balancer failure during peak transaction hours. |
Evaluate ICT infrastructure resilience and data recovery capabilities. |
Post-test implementation of enhanced database replication and failover testing. |
|
7.2 |
Mobile Banking Application Services |
Conduct a simulation of widespread mobile app downtime caused by a faulty version release or a DDoS attack. |
Cyber resilience validation via mobile app firewall and anti-DDoS protocols. |
Strengthened DevSecOps pipeline with pre-deployment integrity checks. |
|
7.3 |
Digital Account Access and Authentication |
Test multi-factor authentication (MFA) failure or compromise due to phishing or credential stuffing attacks. |
Integration of threat intelligence and identity protection systems. |
Deployment of adaptive authentication and user anomaly detection tools. |
|
7.4 |
Online Funds Transfer and Payment Processing |
Scenario of delayed or failed payments due to API malfunction with payment gateways or NPSA. |
ICT dependency testing of integration layers and data encryption mechanisms. |
Implementation of backup APIs and continuous monitoring of transaction queues. |
|
7.5 |
Digital Customer Onboarding and e-KYC |
Simulate the KYC verification system downtime due to a third-party data provider failure. |
Third-party ICT dependency validation and data privacy risk assessment. |
Establishment of alternate KYC provider arrangements and vendor SLA enforcement. |
|
7.6 |
Digital Customer Support and Service Channels |
Test live chat and chatbot unavailability due to cloud provider service degradation. |
Cyber risk review of third-party cloud services and API security. |
Multi-cloud fallback strategy and service continuity testing documentation. |
|
7.7 |
Card-Not-Present (CNP) and e-Commerce Transaction Processing |
Simulate a fraudulent CNP transaction surge causing false-positive blocking of legitimate users. |
Cyber fraud analytics integration and machine learning model resilience. |
Continuous tuning of fraud detection algorithms and alert escalation processes. |
|
7.8 |
ATM and Electronic Channel Management |
Test network communication loss between core banking and ATM switches due to telecom outage. |
ICT resilience assessment of connectivity layers and data transmission security. |
Deployment of redundant communication channels and enhanced network monitoring. |
|
7.9 |
Cybersecurity and Fraud Monitoring for Digital Channels |
Conduct red-team/blue-team cyberattack simulation targeting online channels. |
Directly tests cybersecurity incident response and detection systems. |
Refinement of incident playbooks, SOC escalation criteria, and forensic readiness. |
|
7.10 |
Digital Banking Data Management and Reporting |
Scenario of corrupted reporting data due to ransomware encryption or data loss. |
Cyber-incident and ICT backup-recovery capability evaluation. |
Enhanced data integrity validation, air-gapped backups, and regular restore testing. |
![Banner [Summing] [OR] [E3] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/11895c06-91e9-4cec-acb6-4356741952e4.png)
Scenario testing for Metrobank’s Treasury and Capital Markets Operations functions as a structured resilience validation mechanism to demonstrate the bank’s preparedness against multifaceted disruptions.
These exercises confirm that Treasury can preserve market integrity, fulfil settlement obligations, safeguard client and proprietary assets, and maintain regulatory compliance even under extreme stress.
By embedding cyber and ICT systemic-risk dimensions, the bank ensures comprehensive risk coverage across market, liquidity, operational, and technology domains.
Evidencing proactive response capabilities reinforces supervisory expectations and demonstrates Metrobank’s commitment to a continuously strengthened operational resilience posture.
![[OR] [MBT] [E3] [CBS] [7] [DP] Digital and Online Banking Services](https://no-cache.hubspot.com/cta/default/3893111/c47a4937-4109-4d28-9d0c-f7bc2461ba12.png)
![[OR] [MBT] [E3] [CBS] [7] [MD] Map Dependency](https://no-cache.hubspot.com/cta/default/3893111/9db4d0f4-354c-4fc8-b69d-808fea4879be.png)
![[OR] [MBT] [E3] [CBS] [7] [MPR] Map Processes and Resources](https://no-cache.hubspot.com/cta/default/3893111/0f03bf16-72a7-4d33-bf0a-03b28ed71a47.png)
![[OR] [MBT] [E3] [CBS] [7] [ITo] Establish Impact Tolerances](https://no-cache.hubspot.com/cta/default/3893111/6f245a6c-acf7-4aee-bf23-31eafc8e55ae.png)
![[OR] [MBT] [E3] [CBS] [7] [SuPS] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/c1993c4d-a471-4596-93e6-09c5ffc74ac5.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
