CBS-1 Retail Deposit & Account Services
Introduction
![[OR] [RCBC] [PH] [E3] [CBS] [1] [SuPS] Retail Deposit & Account Services](https://no-cache.hubspot.com/cta/default/3893111/601bf7aa-c458-4c81-8b22-e5319b8c2b35.png)
Identifying Severe but Plausible Scenarios (SuPS) is a critical component of operational resilience, enabling Rizal Commercial Banking Corporation (RCBC) to assess how its critical business services may be disrupted under extreme yet realistic conditions.
As highlighted in BCM Institute guidance, these scenarios should go beyond routine incidents and reflect high-impact events such as cyberattacks, infrastructure failures, third-party disruptions, and natural disasters.
In line with BSP Circular No. 1203 Series of 2024, Philippine banks are required to test their ability to remain within defined impact tolerances under severe but plausible scenarios.
These scenarios must incorporate cyber and ICT risks, third-party dependencies, and external systemic shocks. For CBS-1 Deposit and Account Services, this ensures that RCBC can maintain customer access to funds and essential banking services even during major disruptions.
![Banner [Table] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/f4f3c007-e864-48cd-8bc1-0242c8b7fd86.png)
Table P5: Identify Severe but Plausible Scenarios for CBS-1
|
Sub-CBS Code |
Sub-CBS |
Severe but Plausible Scenario |
Impact / Effect |
Proactive Risk Management Action |
Link to Integration of Cyber and ICT Risks |
|
1.1 |
Customer Onboarding and Account Application |
Digital onboarding platform outage due to cloud failure |
Inability to onboard new customers |
Implement an alternate manual onboarding and multi-cloud redundancy |
Cloud resilience, system redundancy |
|
1.2 |
Customer Identification and Verification (KYC/CDD) |
Failure of the AML screening system or the third-party watchlist provider |
Non-compliance risk, onboarding delays |
Establish backup screening tools and offline verification procedures |
Third-party risk, data integrity controls |
|
1.3 |
Account Approval and Opening |
Core banking system downtime |
Delay in account activation |
Implement high-availability architecture and failover systems |
Core banking resilience, infrastructure redundancy |
|
1.4 |
Initial Funding and Deposit Booking |
Payment gateway or clearing system outage |
Delayed or failed deposit postings |
Enable alternative channels and deferred posting mechanisms |
Payment system resilience, network redundancy |
|
1.5 |
Product Terms Setup and Account Parameter Maintenance |
System misconfiguration or deployment failure |
Incorrect fees or interest applied |
Strengthen change management and automated validation controls |
IT change management, configuration control |
|
1.6 |
Deposit Transactions Processing |
Cyberattack (e.g., ransomware) on transaction systems |
Inability to process deposits, financial disruption |
Implement real-time monitoring, backup systems, and cyber incident response plans |
Cybersecurity, data recovery, system isolation |
|
1.7 |
Withdrawal and Funds Access Processing |
ATM network outage or telecom failure |
Customers are unable to access funds |
Provide branch fallback, increase cash availability, and diversify network providers |
Telecom resilience, ATM network redundancy |
|
1.8 |
Account Servicing and Customer Maintenance |
CRM system outage or data corruption |
Inability to process service requests |
Implement backup CRM systems and data recovery procedures |
Data integrity, system backup |
|
1.9 |
Interest, Fees, and Charges Processing |
Batch processing failure due to a system error |
Incorrect financial postings |
Introduce reconciliation checks and automated rerun capabilities |
Batch processing resilience, system monitoring |
|
1.10 |
Statement, Passbook, and Balance Reporting |
Reporting system failure or data inconsistency |
Delayed or inaccurate customer statements |
Implement parallel reporting systems and data validation checks |
Data consistency, reporting system resilience |
|
1.11 |
Digital Account Access Enablement |
Distributed Denial-of-Service (DDoS) attack on digital banking platforms |
Customers are unable to access their accounts |
Deploy DDoS protection, traffic filtering, and scalable infrastructure |
Cyber defense, network resilience |
|
1.12 |
ATM and Card-Based Access Management |
Card network (e.g., Visa/Mastercard) outage |
Transaction failures at ATMs and POS |
Establish fallback routing and multi-network support |
Third-party network resilience |
|
1.13 |
Account Reconciliation and Exception Handling |
Data mismatch due to system integration failure |
Financial discrepancies and reporting issues |
Automate reconciliation and implement exception management tools |
Data reconciliation systems, integration controls |
|
1.14 |
Dormancy, Holds, Restrictions, and Account Control Administration |
Failure to enforce account restrictions due to a system error |
Regulatory breach, fraud risk |
Implement automated controls and audit trails |
Compliance systems, control monitoring |
|
1.15 |
Fraud Monitoring and Transaction Surveillance |
Failure of the fraud detection system during a cyber incident |
Increased fraud losses and undetected suspicious activity |
Deploy real-time analytics, AI-based monitoring, and backup systems |
Cybersecurity analytics, fraud systems resilience |
| 1.16 |
Complaints, Disputes, and Service Recovery |
Call centre or case management system outage |
Inability to resolve customer issues |
Implement alternate communication channels and manual processes |
Communication systems resilience |
Regulatory Alignment and Practical Considerations
Under BSP Circular No. 1203 Series of 2024, RCBC must:
- Identify severe but plausible scenarios that reflect real-world threats, including cyber incidents, natural disasters, and third-party failures
- Ensure that these scenarios are used in scenario testing exercises to validate the Bank’s ability to remain within impact tolerances
- Integrate cyber and ICT risks into all resilience assessments, particularly for digital banking, payment systems, and core infrastructure
- Demonstrate proactive risk management, including preventive controls, monitoring, and recovery capabilities
For Example
- Cyberattacks such as ransomware or DDoS directly affect Sub-CBS processes like deposit transactions (1.6) and digital access (1.11).
- Telecom and infrastructure failures impact ATM and digital services (1.7, 1.11, 1.12), highlighting reliance on external providers.
- Third-party failures (e.g., payment networks, AML providers) demonstrate the importance of vendor resilience and fallback arrangements.
![Banner [Summing] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/446ccb83-e056-40d0-aae5-834d73c13f43.png)
The identification of severe but plausible scenarios for CBS-1 Deposit and Account Services provides Rizal Commercial Banking Corporation (RCBC) with a forward-looking view of potential disruptions that could threaten its most critical services.
By linking each Sub-CBS to realistic high-impact scenarios, the Bank can better understand vulnerabilities and prepare targeted mitigation strategies.
Aligned with BSP Circular No. 1203 Series of 2024, this structured approach ensures that RCBC is not only reactive but proactive—anticipating risks, strengthening controls, and validating resilience through rigorous testing.
Ultimately, this enables the Bank to maintain continuity of essential deposit services and uphold customer trust even in the face of severe disruptions.
![[OR] [RCBC] [PH] [E3] [CBS] [1] [ITo] Retail Deposit & Account Services](https://no-cache.hubspot.com/cta/default/3893111/15c8b31b-2fdd-4927-814a-f2e201998327.png)
![[OR] [RCBC] [PH] [E3] [CBS] [1] [MD] Retail Deposit & Account Services](https://no-cache.hubspot.com/cta/default/3893111/9a389c5d-0a68-450e-b95b-aa3c94786857.png)
![[OR] [RCBC] [PH] [E3] [CBS] [1] [MPR] Retail Deposit & Account Services](https://no-cache.hubspot.com/cta/default/3893111/a16cbec5-5101-427d-bd35-b12b94a2b3a8.png)
![[OR] [RCBC] [PH] [E3] [CBS] [1] [ITo] Retail Deposit & Account Services](https://no-cache.hubspot.com/cta/default/3893111/c83b75bd-4873-4d35-9933-3971ee2e6219.png)
![[OR] [RCBC] [PH] [E3] [CBS] [1] [ST] Retail Deposit & Account Services](https://no-cache.hubspot.com/cta/default/3893111/01639fba-f1d9-4ea9-8d8e-cb4f852be0d4.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
