In alignment with BSP Circular No. 1203, Philippine Trust Company is required to test its resilience capabilities across people, processes, technology, and third-party dependencies—particularly for critical services such as CBS-1 Deposit and Account Services.
This chapter presents a structured set of scenario testing themes for each Sub-CBS. These scenarios incorporate cyber and ICT risk integration, reflecting increasing regulatory emphasis on cyber resilience, system availability, and third-party risk management.
The table also highlights expected impacts and evidence of proactive risk management actions, ensuring alignment with regulatory expectations for continuous improvement and resilience validation.
| Sub-CBS Code | Sub-CBS | Recommended Scenario Test Themes (Including Cyber & ICT Risks) | Impact / Effect | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Digital onboarding platform outage; surge in applications during system degradation; cyberattack on onboarding portal | Delayed onboarding, customer dissatisfaction, and revenue loss | Load testing reports; alternate manual onboarding procedures; cybersecurity penetration testing results |
| 1.2 | Customer Identification and Verification (KYC/CDD) | Failure of e-KYC systems; third-party identity provider outage; data breach of customer records | Compliance breaches, onboarding delays, and regulatory penalties | KYC fallback procedures; vendor SLA monitoring; data encryption and access logs |
| 1.3 | Account Approval and Opening | Workflow system failure; unauthorised access to approval systems | Unauthorised accounts; processing delays | Segregation of duties controls; audit trails; approval matrix; validation testing |
| 1.4 | Initial Funding and Deposit Booking | Core banking system downtime; failed transaction posting; payment gateway outage | Inaccurate balances; failed deposits; reputational impact | Transaction reconciliation logs; backup processing capability; settlement monitoring |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Misconfiguration of product parameters; system patch failure | Incorrect interest/fees; customer complaints | Change management records; system validation testing; maker-checker controls |
| 1.6 | Deposit Transactions Processing | Core banking outage; batch processing failure; ransomware attack on transaction servers | Inability to process deposits; financial losses | Disaster recovery (DR) test results; backup systems; transaction rollback procedures |
| 1.7 | Withdrawal and Funds Access Processing | ATM/POS network outage; liquidity constraints; cyberattack on payment switch | Customers unable to access funds; operational disruption | ATM network monitoring; liquidity contingency plans; fraud detection alerts |
| 1.8 | Account Servicing and Customer Maintenance | CRM system downtime; unauthorised changes to customer data | Service delays; data integrity issues | Access control logs; customer request tracking; periodic audits |
| 1.9 | Interest, Fees, and Charges Processing | Batch job failure; incorrect interest calculation due to a system error | Financial misstatements; customer disputes | Reconciliation reports; automated validation checks; exception reporting |
| 1.10 | Statement, Passbook, and Balance Reporting | Statement generation failure; data corruption; cyberattack on the reporting system | Inaccurate reporting; customer dissatisfaction | Data integrity checks; backup reporting systems; audit logs |
| 1.11 | Digital Account Access and Channel Integration | Mobile/online banking outage; DDoS attack; API integration failure | Loss of digital access; customer churn | DDoS mitigation controls; API monitoring dashboards; uptime reports |
| 1.12 | ATM and Card-Based Access Management | ATM network failure; card system compromise; skimming attacks | Inability to withdraw funds; fraud losses | ATM monitoring; card fraud detection systems; EMV controls |
| 1.13 | Account Reconciliation and Exception Handling | Reconciliation system failure; delayed exception resolution | Financial discrepancies; reporting errors | Daily reconciliation reports; exception tracking logs; escalation procedures |
| 1.14 | Dormancy, Holds, Restrictions, and Account Control Administration | Incorrect account restrictions; system failure in status updates | Customer inconvenience; compliance breaches | Audit trails; periodic account review; control validation |
| 1.15 | Fraud Monitoring and Transaction Surveillance for Deposit Accounts | Failure of the fraud detection system; advanced persistent cyber threats | Increased fraud losses; regulatory scrutiny | Real-time monitoring dashboards; incident response drills; threat intelligence integration |
| 1.16 | Complaints, Disputes, and Service Recovery | Contact centre outage; ticketing system failure; surge in complaints during crisis | Poor customer experience; regulatory complaints | Call centre DR tests; complaint resolution SLAs; service recovery plans |
| 1.17 | Regulatory Reporting and Compliance Monitoring | Failure of reporting systems; inaccurate regulatory submissions; data breaches | Regulatory sanctions; reputational damage | Regulatory reporting validation; compliance reviews; secure data transmission controls |
| 1.18 | Incident Response, Business Continuity, and Recovery | Cyberattack (ransomware); data center outage; third-party service disruption | Prolonged service outage; systemic failure | BCP and DR test results; crisis management exercises; recovery time objective (RTO) validation |

Scenario testing provides Philippine Trust Company with a structured and forward-looking approach to validating its operational resilience posture.
By simulating severe but plausible disruptions—including cyber threats, system failures, and third-party outages—the bank can identify vulnerabilities and strengthen its response capabilities across all Sub-CBS within CBS-1 Deposit and Account Services.
In line with BSP Circular No. 1203, integrating cyber and ICT risks into scenario testing ensures that resilience is not only operational but also technology- and security-focused.
The evidence of proactive risk management demonstrates the institution’s commitment to continuous improvement, regulatory compliance, and the sustained delivery of critical services, even under adverse conditions.
eBook 3: Starting Your OR Implementation