![x [OR] [PTC] Title Banner](https://no-cache.hubspot.com/cta/default/3893111/eb5b75e5-6faa-45be-b4bf-f22ddb4f8509.png)
![x [PH] [PTC] Legal Disclaimer Banner](https://no-cache.hubspot.com/cta/default/3893111/7c430549-26ff-4b42-bdb6-332f54f85759.png)
![[OR] [PTC] [PH] [E3] [CBS] [1] [SuPS] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/bc4e9089-a76b-43d2-9138-61a4c7887476.png)
Operational resilience requires financial institutions to anticipate disruptions that, while unlikely, remain credible and capable of causing significant operational impact.
In accordance with BSP Circular No. 1203 (2024), banks must identify Severe but Plausible Scenarios (SuPS) that test their ability to continue delivering Critical Business Services (CBS) within defined impact tolerances.
For the Philippine Trust Company, CBS-1 (Deposit and Account Services) is a foundational service that affects customer trust, liquidity access, and regulatory compliance.
The scenarios below incorporate operational, cyber, third-party, and systemic risks, ensuring alignment with regulatory expectations on end-to-end service resilience, including integration with Cyber and ICT risk management frameworks.
![Banner [Table] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/f4f3c007-e864-48cd-8bc1-0242c8b7fd86.png)
Table P5: Identify Severe but Plausible Scenarios for CBS-1
|
Sub-CBS Code |
Sub-CBS |
Severe but Plausible Scenario |
Impact / Effect |
Proactive Risk Management Action |
Link to Integration of Cyber and ICT Risks |
|
1.1 |
Customer Onboarding and Account Application |
Prolonged outage of the digital onboarding platform due to cloud service failure |
Inability to acquire new customers; reputational impact |
Multi-channel onboarding fallback (branch/manual); cloud redundancy; onboarding SLAs |
Cloud resilience, digital channel availability monitoring |
|
1.2 |
Customer Identification and Verification (KYC/CDD) |
Failure of the e-KYC/ID verification API due to a third-party outage |
Delays in onboarding; regulatory non-compliance risk |
Alternate KYC procedures; cached verification; vendor redundancy |
Third-party ICT risk management; API monitoring |
|
1.3 |
Account Approval and Opening |
Core banking approval workflow failure due to a system upgrade error |
Backlog in account openings; customer dissatisfaction |
Change management controls; rollback procedures; manual approval workflows |
Change management controls; system resilience testing |
|
1.4 |
Initial Funding and Deposit Booking |
Payment gateway disruption is preventing initial deposits |
Failed account activation; liquidity delays |
Multiple funding channels, reconciliation controls, and payment gateway redundancy |
Payment system integration resilience; transaction monitoring |
|
1.5 |
Product Terms Setup and Account Parameter Maintenance |
Misconfiguration of account parameters due to a system patch error |
Incorrect interest/fees; financial loss; compliance breach |
Maker-checker controls; configuration audits; automated validation |
Configuration management; system integrity controls |
|
1.6 |
Deposit Transactions Processing |
Core banking system downtime due to database corruption |
Inability to process deposits; widespread service outage |
High-availability architecture; database replication; DR site activation |
Core banking resilience, data integrity, and backup controls |
|
1.7 |
Withdrawal and Funds Access Processing |
ATM and teller system outage during the peak period |
Customers unable to access funds; reputational damage |
ATM network redundancy; branch fallback; cash contingency planning |
ATM network security; endpoint resilience |
|
1.8 |
Account Servicing and Customer Maintenance |
CRM system outage due to ransomware attack |
Inability to update customer details; service delays |
Cyber incident response plan; data backup; endpoint protection |
Cyber resilience (ransomware defense, SOC monitoring) |
|
1.9 |
Interest, Fees, and Charges Processing |
Batch processing failure due to job scheduler malfunction |
Incorrect balances; customer disputes |
Automated reconciliation; batch monitoring; rerun capability |
Batch processing monitoring; system job controls |
|
1.10 |
Statement, Passbook, and Balance Reporting |
Data extraction/reporting system failure |
Customers are unable to view balances/statements |
Backup reporting tools; alternate channels (branch/mobile) |
Data warehouse resilience; reporting system redundancy |
|
1.11 |
Digital Account Access and Channel Integration |
Mobile/online banking outage due to DDoS attack |
Loss of digital access; customer complaints |
DDoS protection; traffic filtering; alternate channels |
Cybersecurity (DDoS mitigation, network security) |
|
1.12 |
ATM and Card-Based Access Management |
Card switch network failure or compromise |
ATM/POS transactions declined; fraud exposure |
Network redundancy, card controls, and fraud monitoring systems |
Card system security; network resilience |
|
1.13 |
Account Reconciliation and Exception Handling |
Reconciliation system failure, causing unresolved mismatches |
Financial misstatements; operational risk exposure |
Automated reconciliation tools; exception tracking; manual override |
Data reconciliation system integrity; audit trails |
|
1.14 |
Dormancy, Holds, Restrictions, and Account Control Administration |
Erroneous mass account freeze due to a system logic error |
Customer funds inaccessible; complaints escalation |
Segregation of duties; control validation; emergency override procedures |
Access control systems; system logic validation |
|
1.15 |
Fraud Monitoring and Transaction Surveillance |
Failure of the fraud detection system due to an AI model malfunction |
Undetected fraudulent transactions; financial losses |
Real-time monitoring fallback rules; manual review escalation |
Cyber fraud analytics; SOC integration |
|
1.16 |
Complaints, Disputes, and Service Recovery |
Contact centre system outage during service disruption |
Delayed complaint handling; reputational damage |
Multi-channel support (branch/email); crisis communication plan |
Contact center system resilience; communication systems |
|
1.17 |
Regulatory Reporting and Compliance Monitoring |
Regulatory reporting system failure near submission deadline |
Non-compliance penalties; regulatory sanctions |
Backup reporting templates; manual submission protocols |
Regulatory reporting systems; data governance controls |
|
1.18 |
Incident Response, Business Continuity, and Recovery |
Simultaneous cyberattack and data centre outage |
Prolonged service disruption; systemic impact |
Integrated BCM and cyber response; DR testing; crisis management framework |
Integration of BCM, DR, and cyber incident response |
![Banner [Summing] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/446ccb83-e056-40d0-aae5-834d73c13f43.png)
The identification of Severe but Plausible Scenarios for CBS-1 Deposit and Account Services enables Philippine Trust Company to move beyond traditional risk assessments and into forward-looking resilience planning.
These scenarios reflect realistic combinations of operational, cyber, third-party, and systemic disruptions, consistent with BSP Circular No. 1203’s expectation for end-to-end service continuity under stress conditions.
By linking each scenario to proactive risk management actions and explicitly integrating Cyber and ICT risk considerations, the bank strengthens its ability to anticipate, withstand, respond to, and recover from disruptions.
This structured approach ensures that resilience is not only documented but operationalised across people, processes, technology, and third-party dependencies—ultimately safeguarding customer trust and financial stability.
![[OR] [PTC] [PH] [E3] [CBS] [1] [DP] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/10501ea6-f700-45f9-aeab-5b1e723d7f90.png)
![[OR] [PTC] [PH] [E3] [CBS] [1] [MD] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/83b3397a-bfae-4450-94e5-5fa7a03d3629.png)
![[OR] [PTC] [PH] [E3] [CBS] [1] [MPR] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/11ced2a5-04b8-4c17-8bf2-d6cff7940beb.png)
![[OR] [PTC] [PH] [E3] [CBS] [1] [ITo] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/2a42a72f-401a-4bbf-90cc-59e68a0cf4e8.png)
![[OR] [PTC] [PH] [E3] [CBS] [1] [ST] Deposit and Account Services](https://no-cache.hubspot.com/cta/default/3893111/2ae96dd4-c876-4d1a-a255-122762fad1d1.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
