These scenarios are not hypothetical extremes, but realistic, high-impact events that financial institutions in the Philippines must be prepared to withstand.
The objective is to ensure that each Sub-CBS is stress-tested against operational, cyber, third-party, and systemic risks. This supports the regulatory expectation that banks proactively identify vulnerabilities, assess their impact, and implement resilience measures—particularly those involving the integration of Cyber and ICT risks, as required under BSP guidelines.

| Sub-CBS Code | Sub-CBS | Severe but Plausible Scenario | Impact / Effect | Proactive Risk Management Action | Link to Integration of Cyber and ICT Risks |
|---|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Prolonged outage of the digital onboarding platform due to cloud service failure | Inability to onboard new customers; revenue loss; reputational damage | Implement multi-region cloud redundancy; offline onboarding fallback | Cloud resilience, API gateway failure, digital channel outage |
| 1.2 | Customer Identification and Verification (KYC/CDD) | Failure of the eKYC/biometric verification system due to a cyberattack | Delayed or failed KYC checks; regulatory non-compliance risk | Deploy alternate KYC channels; strengthen identity verification security controls | Cyberattack on identity systems, data integrity compromise |
| 1.3 | Account Approval and Opening | Internal system processing error leading to mass account approval delays | Customer dissatisfaction; backlog; operational bottleneck | Introduce workflow automation controls and manual override procedures | Core banking system failure, workflow engine disruption |
| 1.4 | Initial Funding and Deposit Booking | Payment gateway outage preventing initial funding transactions | Failed account activation; liquidity delays | Integrate multiple payment channels; real-time monitoring of gateway availability | Third-party payment processor outage, network disruption |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Misconfiguration of account parameters during system update | Incorrect interest/fees applied; financial loss; compliance breach | Implement change management controls; automated configuration validation | System configuration errors, DevOps pipeline vulnerabilities |
| 1.6 | Deposit Transactions Processing | Core banking system downtime during the peak transaction period | Inability to process deposits; branch and ATM disruption | Deploy a high-availability architecture; transaction queuing mechanisms | Core system outage, database failure, infrastructure overload |
| 1.7 | Withdrawal and Funds Access Processing | ATM network outage due to telecom failure | Customers unable to access funds; reputational impact | Diversify telecom providers; enable branch fallback services | Network connectivity failure, ATM switch disruption |
| 1.8 | Account Servicing and Customer Maintenance | CRM system outage due to ransomware attack | Inability to update customer records; service delays | Implement endpoint protection, regular data backups, and recovery testing | Ransomware attack, data encryption risk |
| 1.9 | Interest, Fees, and Charges Processing | Batch processing failure due to corrupted data | Incorrect interest postings; financial discrepancies | Strengthen data validation controls; reconciliation checkpoints | Data corruption, batch job failure |
| 1.10 | Statement, Passbook, and Balance Reporting | Failure of the reporting engine due to a system integration error | Customers unable to access statements; regulatory reporting delays | Implement parallel reporting systems; automated report validation | Data warehouse failure, reporting system outage |
| 1.11 | Digital Account Access and Channel Integration | Mobile banking app outage caused by DDoS attack | Customers unable to access accounts; transaction failures | Deploy DDoS protection; scale infrastructure dynamically | Cyberattack (DDoS), API gateway overload |
| 1.12 | Reconciliation and Exception Management | Failure in the reconciliation engine due to data mismatch across systems | Unresolved discrepancies; financial reporting risk | Automate reconciliation processes; implement exception alerts | Data inconsistency, system interface failure |
| 1.13 | Fraud Detection and Transaction Monitoring | AI fraud detection system failure or evasion by sophisticated attack | Increased fraud losses; delayed detection | Enhance fraud analytics models; implement layered detection controls | Cyber fraud attack, AI model manipulation |
| 1.14 | Regulatory Reporting and Compliance Monitoring | Failure to submit regulatory reports due to a system outage | Regulatory penalties; compliance breach | Maintain backup reporting systems; manual reporting procedures | Regulatory system interface failure, data extraction issues |
| 1.15 | Incident Response, Business Continuity, and Recovery | Simultaneous cyberattack and data centre outage (compound scenario) | Prolonged service disruption; inability to recover within tolerance | Conduct scenario testing; establish alternate recovery sites; crisis management activation | Cyber-physical convergence risk, data centre failure, DR site activation |

The identification of Severe but Plausible Scenarios across CBS-1 Retail Deposit and Account Services enables Security Bank Corporation to move beyond traditional risk management towards a forward-looking operational resilience posture.
By systematically analysing high-impact disruption scenarios, the bank can validate whether its existing controls, recovery capabilities, and response strategies are sufficient to remain within defined impact tolerances.
Importantly, the integration of Cyber and ICT risks across all Sub-CBS reflects the growing interdependence between digital infrastructure and the delivery of financial services.
In line with BSP Circular 1203, this structured approach ensures that Security Bank not only complies with regulatory expectations but also strengthens its ability to anticipate, withstand, and recover from disruptions—thereby safeguarding customer trust and maintaining financial system stability.