For Security Bank Corporation, scenario testing for CBS-1 Retail Deposit and Account Services ensures that essential customer-facing services—such as account access, deposits, withdrawals, and reporting—can continue or be recovered within acceptable thresholds despite disruptions involving cyber threats, ICT failures, third-party outages, or operational breakdowns.
This chapter presents recommended scenario testing themes aligned with regulatory expectations and industry practices, including integration with cyber resilience, ICT risk management, and third-party risk considerations.
It also highlights evidence of proactive risk management, demonstrating the bank’s preparedness and commitment to continuous improvement.

| Sub-CBS Code | Sub-CBS | Recommended Scenario Test Themes | Impact / Effect | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Digital onboarding platform outage due to cloud service failure (Cyber/ICT) | Customers unable to submit applications; onboarding delays | Regular failover testing to the backup onboarding platform; alternate manual onboarding procedures documented |
| 1.2 | Customer Identification and Verification (KYC/CDD) | Third-party KYC utility service disruption (Third-party + ICT risk) | Inability to verify customer identity; compliance breach risk | Periodic vendor resilience testing; fallback to manual KYC verification procedures |
| 1.3 | Account Approval and Opening | Core banking approval workflow system failure (ICT system failure) | Delayed account activation; customer dissatisfaction | DR site activation testing; automated workflow recovery drills |
| 1.4 | Initial Funding and Deposit Booking | Payment gateway failure during initial funding (Cyber/ICT + external dependency) | Failed or delayed funding transactions | Integration testing with alternate payment channels; reconciliation controls for failed transactions |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Configuration errors or system patch failure (ICT change risk) | Incorrect account settings impacting interest/fees | Pre-deployment testing and rollback procedures; configuration audit controls |
| 1.6 | Deposit Transactions Processing | Core banking system outage or batch processing failure (ICT failure) | Deposits not processed or delayed posting | High-availability architecture testing; batch recovery and replay testing |
| 1.7 | Withdrawal and Funds Access Processing | ATM network outage or cyberattack (Cyber resilience) | Customers unable to withdraw funds; reputational impact | ATM network resilience testing; cyberattack simulation exercises; cash contingency planning |
| 1.8 | Account Servicing and Customer Maintenance | CRM system outage or data corruption (ICT/data risk) | Inability to update customer records; service delays | Data backup restoration testing; alternate servicing channels (branch/manual) |
| 1.9 | Interest, Fees, and Charges Processing | End-of-day processing failure (ICT batch processing risk) | Incorrect interest/fee calculations; financial impact | Recalculation and adjustment procedures tested; automated reconciliation checks |
| 1.10 | Statement, Passbook, and Balance Reporting | Statement generation system failure (ICT system failure) | Customers are unable to access account statements | Alternate digital statement channels tested; manual statement generation procedures |
| 1.11 | Digital Account Access and Channel Integration | Mobile/online banking outage due to DDoS attack (Cyber risk) | Customers are unable to access accounts digitally | DDoS simulation testing, traffic rerouting and WAF activation drills |
| 1.12 | Reconciliation and Exception Management | Reconciliation system failure or data mismatch (ICT/data integrity risk) | Unresolved discrepancies; financial reporting inaccuracies | Automated reconciliation fallback procedures; exception handling drills |
| 1.13 | Fraud Detection and Transaction Monitoring | Fraud monitoring system downtime (Cyber/ICT risk) | Increased fraud exposure; delayed alerts | Manual monitoring procedures tested; AI/ML model fallback and alert escalation drills |
| 1.14 | Regulatory Reporting and Compliance Monitoring | Regulatory reporting system outage (ICT + compliance risk) | Delayed or inaccurate regulatory submissions | Regulatory reporting contingency procedures; manual reporting capability tested |
| 1.15 | Incident Response, Business Continuity, and Recovery | Major data centre outage or ransomware attack (Cyber + ICT + BCP) | Multiple service disruptions across CBS-1 | Full-scale BCP and DR simulation exercises; crisis management and communication drills |

Scenario testing for CBS-1 Retail Deposit and Account Services enables Security Bank Corporation to validate its resilience capabilities against a wide range of severe but plausible disruptions.
By integrating cyber resilience, ICT risk management, and third-party dependencies into testing scenarios, the bank ensures alignment with the expectations of BSP Circular No. 1203 Series of 2024.
The structured approach to testing—supported by documented evidence, including failover exercises, cyberattack simulations, and manual fallback procedures—demonstrates proactive risk management.
Ultimately, these efforts strengthen the bank’s ability to maintain critical services within defined impact tolerances, safeguard customer trust, and ensure regulatory compliance in an increasingly complex risk environment.

eBook 3: Starting Your OR Implementation