In alignment with the expectations of Bangko Sentral ng Pilipinas under Circular No. 1203 Series of 2024, financial institutions are required to identify Severe but Plausible Scenarios (SbPS) that could disrupt the delivery of Critical Business Services (CBS).
For the Philippine National Bank (PNB), CBS-1 Retail Deposit and Account Services represents a core customer-facing service, making it essential to assess scenarios that, while unlikely, could significantly impact operations, customers, and financial stability.
Drawing from BCM Institute’s guidance on SbPS, these scenarios combine extreme conditions with realistic likelihood, incorporating operational, cyber, third-party, and environmental risks.
The objective is to enable PNB to test resilience capabilities, validate impact tolerances, and ensure preparedness across people, processes, technology, and external dependencies.

| Sub-CBS Code | Sub-CBS | Severe but Plausible Scenario | Impact / Effect | Proactive Risk Management Action | Link to Integration of Cyber and ICT Risks |
|---|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Prolonged outage of the digital onboarding platform due to cloud service failure | Inability to onboard new customers; revenue loss; reputational damage | Implement multi-region cloud redundancy; fallback to branch/manual onboarding | Cyber resilience (cloud outage, SaaS dependency) |
| 1.2 | Customer Identification and Verification (KYC/CDD) | Failure of the national ID verification API or the third-party KYC provider | Delayed onboarding; regulatory non-compliance risk | Establish alternative KYC verification channels; maintain offline verification procedures | Third-party ICT risk: API dependency failure |
| 1.3 | Account Approval and Opening | Internal system corruption due to a cyberattack affecting the account approval workflow | Incorrect approvals or rejection of accounts; compliance breach | Deploy strong access controls, system validation checks, and segregation of duties | Cyberattack (data integrity compromise) |
| 1.4 | Initial Funding and Deposit Booking | Core banking system failure during deposit posting | Funds not credited; customer complaints; liquidity mismatch | Implement real-time replication and transaction queuing mechanisms | Core banking system failure (ICT resilience) |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Misconfiguration of interest rates due to a system update error | Financial loss; customer disputes; regulatory penalties | Introduce maker-checker controls and automated configuration validation | System change risk; configuration management failure |
| 1.6 | Deposit Transactions Processing | Distributed Denial-of-Service (DDoS) attack disrupting transaction processing | Inability to process deposits; service downtime | Deploy DDoS protection, traffic filtering, and network redundancy | Cyberattack (availability disruption) |
| 1.7 | Withdrawal and Funds Access Processing | ATM/POS network outage due to telecom provider failure | Customers unable to access funds; reputational damage | Diversify telecom providers; enable offline withdrawal limits | Third-party ICT dependency (telco outage) |
| 1.8 | Account Servicing and Customer Maintenance | Insider threat leading to unauthorised account modifications | Fraud losses, regulatory breaches, loss of customer trust | Strengthen user access monitoring; implement behavioural analytics | Cyber risk (insider threat, privileged access misuse) |
| 1.9 | Interest, Fees, and Charges Processing | Batch processing failure, causing incorrect interest calculation | Financial misstatements; customer disputes | Automate reconciliation checks and exception reporting | System processing failure; data integrity risk |
| 1.10 | Statement, Passbook, and Balance Reporting | Data warehouse failure affecting statement generation | Customers unable to access account statements; compliance breach | Implement backup reporting systems and data redundancy | ICT risk (data warehouse failure) |
| 1.11 | Digital Account Access and Channel Integration | Mobile banking app outage due to a software deployment error | Customers unable to access accounts; high complaint volume | Adopt DevSecOps practices, rollback mechanisms, and staged deployment | Cyber/ICT risk (application failure) |
| 1.12 | Reconciliation and Exception Management | Failure in the reconciliation engine, leading to unmatched transactions | Financial discrepancies; delayed issue resolution | Implement automated reconciliation tools and escalation workflows | ICT risk (reconciliation system failure) |
| 1.13 | Fraud Detection and Transaction Monitoring | Advanced persistent threat (APT) bypassing fraud detection systems | Undetected fraudulent transactions; financial loss | Enhance AI-driven fraud detection, continuous monitoring, and threat intelligence | Cyber risk (fraud system evasion) |
| 1.14 | Regulatory Reporting and Compliance Monitoring | Data breach exposing regulatory reports or customer data | Regulatory sanctions; reputational damage | Strengthen encryption, data masking, and secure reporting channels | Cybersecurity risk (data breach) |
| 1.15 | Incident Response, Business Continuity, and Recovery | Simultaneous cyberattack and natural disaster affecting primary and backup sites | Prolonged service disruption; inability to recover within tolerance | Establish geographically separated DR sites; conduct regular scenario testing | Cyber + physical risk convergence (extreme scenario) |

The identification of Severe but Plausible Scenarios for CBS-1 Retail Deposit and Account Services enables the Philippine National Bank to proactively address vulnerabilities across its operational ecosystem.
These scenarios reflect regulatory expectations under BSP Circular No. 1203, particularly in demonstrating the institution’s ability to anticipate, withstand, and recover from disruptive events while maintaining critical service delivery.
By integrating cyber and ICT risks into each scenario, PNB reinforces a holistic operational resilience approach, ensuring that digital dependencies, third-party risks, and emerging threats are adequately addressed.
This structured identification of scenarios forms the foundation for subsequent scenario testing, resilience validation, and continuous improvement, ultimately strengthening the bank’s ability to safeguard customer trust and financial system stability.

Building Operational Resilience: Implementation Methodology for the Philippine National Bank
eBook 3: Starting Your OR Implementation