[OR] [MBT] [E3] [CR] [P4] [ITo] Establish Impact Tolerances

Sub-CBS Code

Name of Sub-CBS

Maximum Tolerable Downtime (MTD)

Maximum Tolerable Data Loss (MTDL)

Customer Impact

Regulatory Impact

Impact Type

Current Resilience Status

Action Required

1.1

Cash Deposit at Branches

4 hours

1 hour

High

High

Operational

Moderate

Enhance backup processes

1.2

Deposit via ATMs

6 hours

2 hours

High

Medium

Technology

High

Upgrade ATM systems

1.3

Online/Internet Banking Deposits

2 hours

30 mins

High

High

Technology

Moderate

Implement resilient infra

1.4

Cash Withdrawal at Branches

4 hours

1 hour

High

High

Operational

Moderate

Enhance staff training

1.5

ATM Withdrawals

4 hours

1 hour

High

Medium

Technology

High

Improve network reliability

1.6

Online/Internet Banking Withdrawals

2 hours

30 mins

High

High

Technology

Moderate

Strengthen cybersecurity

1.7

Failed Deposits or Withdrawals

1 hour

15 mins

High

High

Operational

High

Automate recovery

1.8

Fraud Detection and Prevention

1 hour

15 mins

Very High

Very High

Security

High

Strengthen algorithms

2.1

Transaction Initiation

2 hours

1% volume

Potential delays; frustration

Non-compliance risk

Operational

High

System upgrades

2.2

Transaction Validation

1 hour

0.5% volume

Minor delays

Potential fines

Compliance & Operational

Moderate

Automate validation

2.3

Transaction Authorisation

30 mins

0.2% volume

Delays/ declines

Auth protocol issues

Operational & Compliance

High

Redundancy measures

2.4

Transaction Settlement

1 hour

1% volume

Delayed transfers

Violation risk

Compliance & Operational

Moderate

Backup settlement system

2.5

Reconciliation

2 hours

0.5% volume

Balance discrepancies

Compliance risk

Operational & Compliance

Moderate

Strengthen procedures

2.6

Dispute Resolution

24 hours

1% volume

Customer dissatisfaction

Legal risk

Customer & Legal

High

Improve workflows

2.7

Compliance & Reporting

48 hours

N/A

No direct customer impact

Potential fines

Compliance & Legal

Moderate

Automate reporting

2.8

System Maintenance & Monitoring

6 hours

0.1% volume

Minor service glitches

Efficiency impact

Operational

Low

Scheduled maintenance

3.1

ATM Cash Withdrawal Services

4 hours

1 hour

High

High

Operational

Medium

Redundancy & reporting

3.2

Branch Cash Withdrawal Services

6 hours

2 hours

High

High

Operational

High

Cash management enhancements

3.3

Cash Deposit Services

8 hours

1 hour

Moderate

Moderate

Operational

Low

More deposit options

3.4

Cash Handling & Replenishment

12 hours

3 hours

High

High

Operational

High

Supply chain resilience

3.5

ATM Maintenance & Troubleshooting

24 hours

4 hours

High

Medium

Technical

Medium

Preventive maintenance

4.1

Corporate Account Setup & Onboarding

24 hours

<1 hr

Delayed onboarding

Limited regulatory exposure

Operational & Customer Trust

Strengthening required

Automate workflows

4.2

Receivables Management

4 hours

<15 mins

Liquidity delay

Std breach risk

Financial & Market Confidence

Robust

Expand backup capacity

4.3

Payables & Disbursement Integration

2 hours

<15 mins

Supplier impact

High scrutiny

Financial Stability

Moderate

Failover enhancements

4.4

Electronic Banking & Treasury Support

1 hour

<5 mins

Digital disruption

High BSP risk

Systemic & Cyber Risk

Strong

Cyber resilience upgrades

4.5

Cash Concentration & Liquidity Mgmt

2 hours

<5 mins

Liquidity strain

Possible breach

Financial System Integrity

Strong

Liquidity dashboards

4.6

Cheque Clearing & Settlement

4 hours

<30 mins

Delay settlement

Clearing timelines

Market Functioning

Moderate

Redundancy improvements

4.7

Corporate Deposits & Cash Vault Services

8 hours

<1 hr

Deposit delays

SLA risk

Customer Trust

Strengthening required

Vault logistics contingency

4.8

Collections Reconciliation & Reporting

6 hours

<1 hr

Reporting lag

Audit trail impact

Operational Accuracy

Moderate

Automated reconciliation

4.9

Complaint, Exception & Dispute Mgmt

24 hours

<4 hrs

Customer dissatisfaction

Protection scrutiny

Reputation & Compliance

Strengthening required

CRM continuity plans

4.10

Regulatory & Compliance Monitoring

2 hours

<30 mins

Compliance delay risk

Sanction risk

Compliance Critical

Robust

Continuous checks

5.1

Retail Loan Origination & Assessment

4 hours

1%

Loan delays

Reporting delay

Moderate

Resilient

Enhance automation

5.2

Corporate Credit Underwriting

6 hours

2%

Corporate loan disruption

Reporting delay

High

Partial Resilience

Review tools

5.3

SME Financing & Credit Processing

4 hours

1%

SME loan delays

Compliance risk

Moderate

Resilient

Strengthen redundancy

5.4

Credit Approval & Sanctioning

3 hours

0.5%

Minor delay

Minor regulatory risk

Low

Resilient

Data sync improvements

5.5

Loan Documentation & Contract Execution

8 hours

2%

Disbursement delays

Deadline risk

High

Partial Resilience

Digitalize docs

5.6

Collateral Mgmt & Security Registration

6 hours

1%

Collateral delay risk

Late registration

High

Resilient

Digital asset tracking

5.7

Loan Disbursement & Account Setup

4 hours

0.5%

Disbursement delay

Reporting delay

Moderate

Resilient

Automate disbursement

5.8

Loan Servicing & Customer Support

6 hours

1%

Support disruption

Service violation risk

Moderate

Resilient

Improve support

5.9

Credit Monitoring & Risk Review

8 hours

2%

Risk monitoring loss

Assessment delay

High

Partial Resilience

Strengthen analytics

5.10

Collections & Delinquency Mgmt

6 hours

1%

Collection delays

Law risk

High

Resilient

AI for collections

5.11

Regulatory Reporting & Compliance

12 hours

0%

Filing delays

Major fines risk

Severe

Resilient

Compliance infrastructure

5.12

Loan Portfolio Analytics & Strategy

4 hours

0.5%

Strategy delay risk

Minor compliance risk

Low

Resilient

Improve analytics speed

6.1

Liquidity & Cash Management

≤2 hours

Zero

Liquidity stress

High regulatory scrutiny

Operational, Financial, Reputational

Adequate

Enhance liquidity dashboards

6.2

Money Market Operations

≤4 hours

Zero

Liquidity inefficiencies

Funding ratio breach risk

Financial, Regulatory

Adequate

Early-warning triggers

6.3

FX Trading & Settlement

≤2 hours

Zero

Settlement delays

Market integrity concern

Market, Regulatory

Strong

Contingency settlement

6.4

Fixed Income & Securities Trading

≤4 hours

Zero

Missed trades

Accountability issues

Market, Financial, Reputational

Adequate

DR connectivity

6.5

Derivatives Trading & Risk Mgmt

≤2 hours

Zero

Counterparty risk

Regulatory concern

Market, Systemic

Moderate

Margin monitoring

6.6

Treasury Operations & Back-Office

≤8 hours

≤15 mins

Settlement delay

Compliance challenges

Operational, Regulatory

Adequate

Reconciliation failover

6.7

Collateral & Margin Management

≤2 hours

Zero

Margin call failures

Collateral breach

Counterparty, Regulatory

Moderate

Collateral redundancy

6.8

Treasury Risk Monitoring & Compliance

≤2 hours

Zero

Exposure monitoring issues

Regulatory failure

Regulatory, Reputational

Adequate

Real-time monitoring

6.9

Investment Portfolio Management

≤6 hours

≤15 mins

Valuation risk

Compliance risk

Financial, Strategic

Strong

Model fallback testing

6.10

Market Data & Pricing Support

≤1 hour

Zero

Pricing errors

Market integrity needs

Market, Operational

Moderate

Vendor failover

7.1

Online Banking Platform Management

2 hours

< 15 minutes

Loss of account access; service interruption

Non-compliance with BSP digital access circulars

High

Robust redundancy and DRP tested quarterly

Enhance cross-site failover automation

7.2

Mobile Banking Application Services

2 hours

< 15 minutes

Loss of mobile transactions & app login failures

Reputational and regulatory exposure

High

Stable; DR tested semi-annually

Increase real-time mobile uptime monitoring

7.3

Digital Account Access & Authentication

1 hour

< 5 minutes

Inability to authenticate; customer lockout

Breach of security/ authentication regulations

Very High

MFA in place

Implement biometric backup + secondary ID verification

7.4

Online Funds Transfer & Payment Processing

1 hour

< 5 minutes

Real-time payment failures; delayed availability

Non-compliance with BSP instant payment obligations

Very High

High availability + transaction mirroring

Introduce AI-based transaction rerouting

7.5

Digital Customer Onboarding & e-KYC

4 hours

< 30 minutes

Inability to onboard customers

Breach of e-KYC/AML obligations

Medium

KYC system integrated with central ID DB

Automate fallback offline verification

7.6

Digital Customer Support & Service Channels

4 hours

< 30 minutes

Customer inquiry resolution disruptions

Reputational impact

Medium

Chatbot + email redundancy exists

Expand IVR and agent escalation protocols

7.7

CNP & e-Commerce Transaction Processing

1 hour

< 5 minutes

Online payment failures

Reputational and financial exposure

Very High

Strong payment gateway redundancy

Improve the acquisition of network coordination

7.8

ATM & Electronic Channel Management

2 hours

< 10 minutes

ATM withdrawal & card service disruption

BSP consumer protection compliance impact

High

Multiple ATM networks supported

Upgrade real-time ATM monitoring

7.9

Cybersecurity & Fraud Monitoring for Digital Channels

30 minutes

< 1 minute

Delayed/failing fraud detection

Severe regulatory breach; data privacy risk

Critical

24/7 SOC & analytics active

Deploy AI anomaly detection

7.10

Digital Banking Data Mgmt & Reporting

4 hours

< 30 minutes

Delay in reporting & analytics

Regulatory reporting breach risk

Medium

Centralised data warehouse in place

Real-time replication across DR site

8.1

Client Onboarding & Profiling

4 hours

0.5%

High

High

Service Disruption

In-progress

Enhance system redundancy

8.2

Investment Advisory & Portfolio Mgmt

3 hours

1%

High

High

Data Integrity

Satisfactory

Strengthen backup protocols

8.3

Trust Account Establishment & Admin

2 hours

0.2%

Medium

High

Service Delay

Needs Improvement

Increase account automation

8.4

Fund & Asset Mgmt Operations

1 hour

0.1%

High

High

Operational Failure

Fully Resilient

No action required

8.5

Wealth & Estate Planning Services

2 hours

0.3%

Medium

Medium

Service Disruption

Satisfactory

Upgrade client data encryption

8.6

Regulatory & Fiduciary Compliance Mgmt

1 hour

0%

Critical

Critical

Compliance Breach

Fully Resilient

Monitor regulatory changes

8.7

Client Reporting & Relationship Mgmt

3 hours

0.5%

High

Medium

Service Delay

In-progress

Improve data synchronisation

8.8

Custodial & Safekeeping Services

4 hours

0.5%

High

High

Service Disruption

Needs Improvement

Enhance DR processes

9.1

Credit Card Application & Onboarding

48 hours

24 hours

Delay in card issuance

SLA breach under BSP consumer guidelines

Service & Cust. Impact

Moderate manual processing

Automate data sync & backup validation

9.2

Card Issuance & Fulfilment

24 hours

12 hours

Card delivery delays

Potential record-keeping non-compliance

Operational & Compliance

High resilience

Maintain alternate vendor agreements

9.3

Transaction Authorisation & Processing

15 mins

Near-zero

Major transaction disruption

Network standards / BSP reporting breach

Systemic & Fin’l Impact

Strong redundancy

Continuous failover latency testing

9.4

Merchant Acquiring & Onboarding

24 hours

12 hours

Delayed merchant onboarding

Onboarding verification SLA breach

Business & Reg. Impact

Moderate

Strengthen eKYC automation

9.5

Merchant Transaction & Settlement Services

1 hour

15 mins

Settlement delays; merchant liquidity issues

BSP timely settlement breach

Fin’l & Reputational Impact

Good

Test batch recovery & reconciliation

9.6

Cardholder Servicing & Collections

12 hours

4 hours

Unresolved complaints; higher delinquency risk

Consumer protection risk

Cust. & Reputational Impact

Moderate

Enhance CRM continuity & remote access

9.7

Fraud Detection & Security Monitoring

30 mins

5 mins

Increased fraud losses; trust erosion

BSP cybersecurity & AMLC reporting breach

Security & Reg. Impact

High

Periodic red-teaming & model review

9.8

Compliance & Regulatory Management

4 hours

2 hours

Delayed reporting; compliance breaches

BSP/AMLC/PCI DSS non-compliance risk

Reg. & Compliance

Strong

Maintain compliance dashboard resilience

10.1

International Remittance Processing

2 hours

0.5%

Remittance delays; dissatisfaction

Regulatory reporting timing risk

Operational Impact

Moderate

Improve redundancy & system monitoring

10.2

Remittance Partner & Correspondent Bank Mgmt

4 hours

1%

Partner communication delays

Int’l remittance regulation risk

Operational & Reg. Impact

Low

Enhance partner comms response times

10.3

FX Conversion & Rate Mgmt

1 hour

0%

FX rate fluctuation impact

Exchange reporting compliance risk

Financial Impact

High

Add rate stability & automated alerts

10.4

OFW Remittance Facilitation

3 hours

2%

OFW remittance delays

Labour-related remittance requirement risk

Operational & Reg. Impact

Moderate

Improve system capacity

10.5

Cross-Border Compliance & Sanctions Screening

2 hours

0%

Screening delays, financial risks

AML/reg compliance risk

Regulatory Impact

High

Strengthen compliance automation

10.6

Customer Enrollment & KYC for Remittances

4 hours

1%

Onboarding delays

KYC regulatory breach risk

Reg. & Cust. Impact

Moderate

Review/enhance KYC processes

10.7

Dispute Resolution & Trace Requests

12 hours

2%

Complaint handling delays; reputational risk

Dispute resolution compliance risk

Operational Impact

Moderate

Implement faster workflows B

10.8

FX Transaction Settlement & Reporting

6 hours

1%

Settlement delays; incorrect balances

FX reporting standards breach

Fin’l & Reg. Impact

High

Improve reconciliation & settlement timeframes

11.1

Regulatory Reporting Framework

4 hours

1 day

Moderate disruption to service continuity for customers relying on accurate regulatory information

Non-compliance with regulatory reporting timelines can lead to fines or penalties

Operational, Regulatory

Resilient, but requires monitoring

Enhance the reporting system resilience and ensure failover procedures are in place

11.2

Compliance Monitoring and Auditing

6 hours

1 day

Low disruption to customer services, but reduced assurance of compliance

Regulatory breach due to delayed monitoring or auditing processes

Operational, Regulatory

Satisfactory, but periodic testing is required

Implement real-time monitoring capabilities and ensure automated alerts for potential failures

11.3

Submission of Regulatory Reports

2 hours

12 hours

No direct customer impact, but delayed reporting could affect service timelines

Regulatory non-compliance due to the late submission of mandatory reports

Regulatory

Resilient, with regular system checks

Optimise the submission process with contingency procedures and alternative methods

11.4

Risk Assessment and Mitigation in Reporting

8 hours

1 day

Potential indirect impact on customer trust and business reputation

Regulatory failure in assessing and mitigating risks may result in penalties or forced shutdowns

Operational, Regulatory

Needs improvement: Incident response protocols are not fully defined

Strengthen risk mitigation strategies, review risk assessment timelines

11.5

Reporting Systems and Technology

4 hours

6 hours

Low customer impact, but delays may affect internal compliance processes

System failure may prevent timely reporting, leading to regulatory fines or sanctions

Operational, Regulatory

Stable, though dependent on external technology vendors

Build system redundancies and conduct regular stress tests to validate technology resilience

12.1

Vendor Risk Management

72 hours

No data loss tolerated

Indirect service degradation due to delayed risk assessments and onboarding

Potential non-compliance with BSP third-party risk management guidelines

Operational / Regulatory

Generally adequate, periodic reviews in place

Enhance automation of vendor risk assessments and increase frequency for critical vendors

12.2

Third-Party Contract Management

48 hours

Minimal loss (≤ 4 hours of contract updates)

Delays in enforcing SLAs and contractual protections

Risk of contractual and regulatory breaches

Legal / Regulatory

Moderate, reliant on manual processes

Digitise contract repositories and improve version control

12.3

Outsourced Service Monitoring

24 hours

No data loss tolerated

Delayed detection of service degradation affecting customer-facing services

Heightened supervisory concern if issues go undetected

Operational / Reputational

Strong for key vendors, weaker for non-critical ones

Expand real-time monitoring coverage to all material outsourced services

12.4

Service Continuity Planning

24 hours

No data loss tolerated

Prolonged service disruption during third-party incidents

Breach of operational resilience and outsourcing requirements

Operational / Systemic

Partially mature, uneven across vendors

Standardise continuity requirements and conduct joint resilience testing

12.5

Compliance and Regulatory Assurance

48 hours

No data loss tolerated

Limited immediate customer impact

High risk of regulatory findings or penalties

Regulatory

Adequate but resource-dependent

Strengthen compliance tracking tools and independent assurance reviews

12.6

Incident Management and Response

12 hours

No data loss tolerated

Rapid escalation of customer harm if incidents are not managed promptly

Immediate regulatory scrutiny for major incidents

Operational / Reputational

Strong for critical incidents, improving for minor ones

Enhance third-party incident reporting timelines and escalation protocols