![x [OR] [PBCOM] Legal Disclaimer Banner](https://no-cache.hubspot.com/cta/default/3893111/8411b9c7-8ede-4f5f-b20e-a2c6767234a0.png)
CBS-1 Deposit & Account Services
Introduction
![[OR] [PBCOM] [E3] [CBS] [1] [ST] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/9beaea6d-89b2-41ea-893c-63c6c173b036.png)
Scenario testing is the practical validation of a bank's ability to continue delivering its critical business services within defined impact tolerances during disruption.
BCM Institute defines scenario testing as the structured execution of severe but plausible scenarios to assess resilience capabilities, identify weaknesses, and improve response and recovery effectiveness.
It goes beyond documentation by simulating real-world disruptions across people, process, technology, and third-party dependencies.
For The Philippine Bank of Communications (PBCom), this aligns with the expectations of Bangko Sentral ng Pilipinas under BSP Circular No. 1203 Series of 2024, which requires banks to conduct scenario testing of critical operations, assess their ability to remain within impact tolerance, and incorporate cyber and ICT risks into these tests.
BSP emphasises that testing should include extreme but plausible disruptions, validate recovery strategies, and produce evidence of continuous improvement.
![Banner [Table] [OR] [E3] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/a45e9708-7139-4f4e-8e0e-41179f5cacc3.png)
Table P6: Perform Scenario Testing for CBS-1
|
Sub-CBS Code |
Sub-CBS |
Recommended Scenario Test Themes |
Impact / Effect |
Evidence of Proactive Risk Management Action |
|
1.1 |
Customer Onboarding and Account Application |
Branch denial-of-access (typhoon/earthquake) + digital onboarding surge test |
Backlog in account opening; shift to digital channels |
Test results showing digital onboarding capacity scaling and alternate branch routing procedures |
|
1.2 |
Customer Identification and Verification (KYC/CDD) |
KYC system outage + cyber compromise of screening engine |
Inability to verify customers; compliance risk |
Evidence of fallback manual KYC process and alternate screening provider activation logs |
|
1.3 |
Account Approval and Opening |
Core banking workflow failure simulation |
Delayed account activation |
Documented manual approval workflow execution and recovery time validation |
|
1.4 |
Initial Funding and Deposit Booking |
Payment clearing disruption + delayed posting scenario |
Funds not credited on time; customer complaints |
Test logs showing use of suspense accounts and successful deferred posting reconciliation |
|
1.5 |
Product Setup and Account Parameter Maintenance |
Failed system change deployment (configuration error test) |
Incorrect fees/interest applied |
Change rollback test results and validation controls evidence |
|
1.6 |
Deposit Transactions Processing |
Core banking outage + ransomware simulation |
Transaction halt; severe customer impact |
DR activation reports, transaction replay logs, and recovery time within tolerance |
|
1.7 |
Withdrawal and Funds Access Processing |
ATM network outage + cash shortage scenario |
Customers are unable to withdraw funds |
Evidence of alternate cash access procedures and branch contingency activation |
|
1.8 |
Account Servicing and Customer Maintenance |
CRM system outage + data sync failure test |
Inability to process service requests |
Manual servicing records and successful batch update reconciliation post-recovery |
|
1.9 |
Interest, Fees, and Charges Processing |
End-of-day batch failure simulation |
Incorrect or delayed charges |
Re-run batch logs and adjustment tracking reports |
|
1.10 |
Statement, Passbook, and Balance Reporting |
Reporting system outage + data unavailability |
Customers cannot access statements |
Evidence of alternate inquiry channels and report regeneration capability |
|
1.11 |
Digital Account Access Enablement |
Telecom outage + OTP failure scenario |
Customers unable to log in |
Test results showing alternate authentication (e.g., backup OTP or branch-assisted access) |
|
1.12 |
ATM and Card-Based Access Management |
Card network failure + cyber breach simulation |
Card transactions fail; widespread disruption |
Evidence of switching to alternate networks and emergency card controls |
|
1.13 |
Account Reconciliation and Exception Handling |
Delayed data feeds + reconciliation system failure |
Unresolved breaks; inaccurate balances |
Manual reconciliation logs and backlog clearance within defined thresholds |
|
1.14 |
Dormancy, Holds, and Account Restrictions Management |
Unauthorised access simulation (privileged account misuse) |
Incorrect account restrictions applied |
Audit trail validation and dual-authorisation control test results |
|
1.15 |
Fraud Monitoring and Transaction Surveillance |
Advanced fraud attack simulation bypassing rules |
Undetected fraud; financial loss |
Evidence of enhanced monitoring rules, real-time alert escalation, and manual blocking actions |
|
1.16 |
Complaints, Disputes, and Service Recovery |
Surge in complaints during the system outage scenario |
Delayed response; reputational damage |
Call centre surge capacity activation reports and prioritisation logs |
|
1.17 |
Regulatory Reporting and Compliance Monitoring |
Data corruption + reporting deadline stress test |
Delayed or incorrect regulatory submission |
Backup reporting templates and regulator communication evidence |
|
1.18 |
Business Continuity and Service Recovery |
Combined cyberattack + natural disaster (compound scenario test) |
Enterprise-wide disruption across CBS |
Full crisis management activation reports, DR test results, and recovery sequencing validation |
Integration of Cyber and ICT Risks (Embedded Across Scenarios)
All scenario tests above inherently integrate cyber and ICT risks, as required by BSP Circular 1203. Examples include:
- Core banking outages and ransomware attacks affecting transaction processing (1.6)
- Telecommunications and authentication failures impacting digital access (1.11)
- Third-party network and card system disruptions affecting ATM/card services (1.12)
- Data corruption and system compromise affecting reporting and reconciliation (1.13, 1.17)
- Cyber-enabled fraud attacks testing detection and response capabilities (1.15)
This integration ensures that PBCom’s resilience testing reflects the increasing convergence of operational and cyber risks.
Regulatory Requirements and Examples (BSP Circular 1203)
Under BSP Circular No. 1203 Series of 2024, banks are required to:
- Conduct scenario testing using severe but plausible scenarios
- Assess whether critical services remain within impact tolerance
- Include cyber and ICT disruptions, third-party failures, and natural disasters
- Use testing outcomes to identify vulnerabilities and implement improvements
- Ensure board oversight and documentation of results
Examples applicable to CBS-1 include:
- A “Big One” earthquake disrupting branch operations and staff availability
- A system-wide cyberattack or ransomware incident affecting multiple banks
- A failure of a key third-party provider, such as telecom or payment networks
- A payment system disruption affecting fund transfers and deposit posting
![Banner [Summing] [OR] [E3] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/11895c06-91e9-4cec-acb6-4356741952e4.png)
Scenario testing for CBS-1 Deposit and Account Services enables PBCom to move from theoretical resilience planning to practical validation of its capabilities.
By systematically testing each Sub-CBS against realistic disruption scenarios, the bank can identify whether its processes, systems, and people can sustain operations within defined impact tolerances.
In line with Bangko Sentral ng Pilipinas expectations, these tests must be regular, evolving, and integrated into continuous improvement cycles.
The inclusion of cyber and ICT risks across all scenarios ensures that PBCom is prepared for modern, complex disruptions.
Ultimately, effective scenario testing strengthens the bank’s ability to protect customers, maintain trust, and ensure continuity of essential banking services under extreme conditions.
![[OR] [PBCOM] Title Banner](https://no-cache.hubspot.com/cta/default/3893111/97a5a5ca-090f-4ff6-88e1-74f83df74b8a.png)
![[OR] [PBCOM] [E3] [CBS] [1] [DP] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/9ce02257-0280-4ea4-a5ad-4951ba0d07fd.png)
![[OR] [PBCOM] [E3] [CBS] [1] [MD] Map Dependency](https://no-cache.hubspot.com/cta/default/3893111/f33f70bb-40b6-4baa-8100-90b2b4b5c95e.png)
![[OR] [PBCOM] [E3] [CBS] [1] [MPR] Map Processes and Resources](https://no-cache.hubspot.com/cta/default/3893111/a9cd33e1-a816-4986-bb34-1447a7f67422.png)
![[OR] [PBCOM] [E3] [CBS] [1] [ITo] Establish Impact Tolerances](https://no-cache.hubspot.com/cta/default/3893111/008171cf-041b-4253-89e1-cca9382c1802.png)
![[OR] [PBCOM] [E3] [CBS] [1] [SuPS] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/e7d74cf4-d2d4-42b7-91ff-4f3940baee4a.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
