eBook OR

[OR] [PNB] [E3] [CBS] [1] [ST] Perform Scenario Testing

Written by Moh Heng Goh | Apr 2, 2026 9:43:52 AM

CBS-1 Retail Deposit & Account Services

Introduction

Scenario testing is a core requirement under the BSP Circular No. 1203, which mandates banks to validate their ability to remain within defined impact tolerances during severe but plausible disruptions.

For CBS-1 Retail Deposit and Account Services, scenario testing enables the Philippine National Bank to assess its operational resilience across end-to-end customer journeys—from onboarding to transaction processing and recovery.

This chapter applies structured scenario testing principles aligned with industry guidance, such as the BCM Institute’s “[OR] [P2-S4] What is Scenario Testing in Operational Resilience?” and integrates Cyber and ICT Risk considerations, ensuring alignment with regulatory expectations on technology resilience, third-party risk, and cyber threats.

 

Table P6: Perform Scenario Testing for CBS-1  

Sub-CBS Code

Sub-CBS

Recommended Scenario Test Themes

Impact / Effect

Evidence of Proactive Risk Management Action

1.1

Customer Onboarding and Account Application

Digital onboarding platform outage; surge in onboarding requests during crisis

Inability to onboard new customers; reputational damage

Load testing reports; alternate manual onboarding procedures; onboarding SLA monitoring

1.2

Customer Identification and Verification (KYC/CDD)

Failure of KYC systems; third-party identity verification outage

Delayed or non-compliant onboarding; regulatory breaches

KYC fallback procedures; vendor SLA monitoring; periodic compliance audits

1.3

Account Approval and Opening

Core banking approval system downtime; data validation errors

Delayed account activation; customer dissatisfaction

Dual approval workflows; system redundancy testing; audit trails

1.4

Initial Funding and Deposit Booking

Payment gateway failure; reconciliation mismatch during funding

Failed or delayed deposits; financial discrepancies

Automated reconciliation controls; contingency funding channels

1.5

Product Terms Setup and Account Parameter Maintenance

Configuration errors; unauthorized parameter changes (cyber breach scenario)

Incorrect interest/fees applied; customer disputes

Change management controls; access monitoring; periodic configuration audits

1.6

Deposit Transactions Processing

Core banking system outage; batch processing failure

Inability to process deposits; financial impact on customers

System failover testing, transaction queuing mechanisms, and DR drills

1.7

Withdrawal and Funds Access Processing

ATM/POS network outage; liquidity shortage scenario

Customers unable to access funds; systemic trust issues

ATM network resilience tests; liquidity contingency planning

1.8

Account Servicing and Customer Maintenance

CRM system outage; unauthorised account changes

Delayed servicing; fraud risk exposure

Access control reviews; customer service continuity plans

1.9

Interest, Fees, and Charges Processing

Interest calculation engine failure; incorrect fee application

Financial misstatements; customer complaints

Automated validation checks; reconciliation reports; periodic testing

1.10

Statement, Passbook, and Balance Reporting

Statement generation failure; data corruption scenario

Customers are unable to access account information

Backup data validation; alternate reporting channels (e.g., e-statements)

1.11

Digital Account Access and Channel Integration

Mobile/online banking outage due to cyberattack (e.g., DDoS)

Loss of digital access; high customer impact

Cyber resilience testing (DDoS simulation); multi-channel fallback (branch/ATM)

1.12

Reconciliation and Exception Management

Failure in reconciliation systems; delayed exception handling

Financial discrepancies; audit findings

Daily reconciliation controls; exception tracking dashboards

1.13

Fraud Detection and Transaction Monitoring

Fraud monitoring system outage; AI model failure

Increased fraud losses; regulatory penalties

Fraud scenario simulations; manual monitoring fallback; model validation testing

1.14

Regulatory Reporting and Compliance Monitoring

Regulatory reporting system failure; inaccurate submissions

Non-compliance penalties; supervisory actions

Regulatory reporting validation checks; backup submission procedures

1.15

Incident Response, Business Continuity, and Recovery

Data centre outage; ransomware attack; third-party service disruption

Service disruption beyond tolerance; recovery delays

BCP/DR testing results; crisis management exercises; cyber incident response drills
 

Integration of Cyber and ICT Risks

Across all Sub-CBS processes, scenario testing incorporates Cyber and ICT Risk integration, as required by BSP regulations. This includes:

  • Cyberattack simulations (e.g., ransomware, phishing, DDoS)
  • ICT infrastructure failure (data centre, network, cloud outages)
  • Third-party service provider disruptions (e.g., payment gateways, KYC utilities)
  • Data integrity and confidentiality breaches

These scenarios validate the bank’s cyber resilience posture, ensuring that critical services remain available, secure, and recoverable within defined tolerances.

 

 

Scenario testing for CBS-1 Retail Deposit and Account Services enables the Philippine National Bank to move beyond theoretical resilience planning into practical validation of its operational capabilities.

By simulating severe but plausible disruptions across people, processes, technology, and third-party dependencies, the bank can identify vulnerabilities, validate recovery strategies, and strengthen its ability to maintain critical services.

Aligned with BSP Circular No. 1203, this structured approach ensures that resilience is not only designed but tested, evidenced, and continuously improved, reinforcing customer trust and regulatory compliance in an increasingly complex risk environment.

 

Building Operational Resilience: Implementation Methodology for the Philippine National Bank

eBook 3: Starting Your OR Implementation
CBS-1 Retail Deposit & Account Services
CBS-1 DP CBS-1 MD CBS-1 MPR CBS-1 ITo CBS-1 SuPS CBS-1 ST


Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

 

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

 
View full post