[BCM] [BML] [E3] [PD] [CBF] [1] Retail & Corporate Banking Services

CBF-1 Retail & Corporate Banking Services 

This chapter, “BCM Procedure for CBF-1 Retail & Corporate Banking Services for the Bank of Maldives,” establishes a structured and practical framework for ensuring the continuity and timely recovery of the Bank’s most critical customer-facing financial services.

Retail and Corporate Banking Services form the backbone of Bank of Maldives’ operations, supporting daily financial transactions, customer confidence, and the stability of the national payment ecosystem. Any prolonged disruption to these services may have immediate financial, regulatory, and reputational implications for the Bank and the wider Maldivian economy.

The purpose of this chapter is to guide Bank of Maldives teams in understanding what must be recovered, how it should be recovered, and when recovery actions must be executed across the full disruption lifecycle.

By defining pre-crisis readiness measures, immediate response actions within the first 24 hours, and structured restoration steps thereafter, this chapter translates Business Continuity Management principles into clear, actionable procedures aligned with ISO 22301 expectations and banking regulatory requirements.

Designation of Critical Business Function

Supporting Sub-CBFs for CBF-1 – Retail & Corporate Banking Services:

• 1.1 Customer Onboarding & Account Opening
• 1.2 Deposit & Withdrawal Services
• 1.3 Payment Processing & Fund Transfers
• 1.4 Lending & Credit Management
• 1.5 Card Services & Merchant Solutions
• 1.6 Digital & Online Banking
• 1.7 Trade & Corporate Financial Solutions
• 1.8 Account Maintenance & Reporting

This function is classified as critical due to its direct impact on financial stability, customer confidence, regulatory compliance, and the day-to-day functioning of the Maldivian economy.

WHAT: Description and Importance of the Critical Business Function

WHAT this function does

Retail & Corporate Banking Services enable Bank of Maldives to deliver core financial services to individuals, SME, corporations, and institutional customers across branches, digital channels, and payment networks. These services ensure uninterrupted access to funds, payments, credit facilities, and financial reporting.

WHY it is critical

• Directly affects customer access to money and financial obligations
• Supports national payment systems and economic activity
• Subject to strict regulatory, Shariah (where applicable), and service-level requirements
• Prolonged disruption may lead to reputational damage, regulatory penalties, and systemic risk

Pre-Crisis Preparedness (Reduce Phase)

Objective

To proactively minimise the likelihood and impact of disruptions to Retail & Corporate Banking Services, ensuring that Bank of Maldives is operationally ready to respond effectively to any incident affecting its core banking functions.

HOW – Pre-Crisis Readiness and Risk Reduction Activities

1. Governance, Roles, and Responsibilities

• Assign CBF Ownership and Recovery Leadership:
  • Designate a CBF-1 Owner responsible for overall operational continuity.
  • Appoint a Recovery Lead to coordinate immediate response and restoration activities.
• Define Roles and Responsibilities:
  • Establish clear roles for branch managers, IT teams, operations, and risk teams.
  • Ensure cross-functional teams understand escalation protocols, decision authority, and reporting lines.
• Integrate with Corporate BCM Framework:
  • Align all CBF-1 preparedness activities with the Bank of Maldives’ broader Business Continuity Management and Crisis Management frameworks.

2. Process Mapping and Dependency Analysis

• Document End-to-End Processes for Sub-CBFs (1.1–1.8):
  • Customer onboarding & account opening
  • Deposit & withdrawal services
  • Payment processing & fund transfers
  • Lending & credit management
  • Card services & merchant solutions
  • Digital & online banking
  • Trade & corporate financial solutions
  • Account maintenance & reporting
• Identify Critical Dependencies:
  • Core banking system and middleware
  • Digital and mobile banking platforms
  • ATM and card networks
  • Payment gateways and correspondent banks
  • Branch facilities and data centres
  • Key vendors and third-party providers
• Establish Recovery Priorities:
  • Rank Sub-CBFs based on customer impact, regulatory requirements, and financial risk exposure.

3. Risk Assessment and Mitigation

• Conduct Regular Risk Assessments:
  • Identify threats such as cyber incidents, natural disasters, system failures, or power outages.
  • Assess potential operational, financial, and reputational impact.
• Implement Mitigation Controls:
  • Deploy redundant systems, backup infrastructure, and failover solutions.
  • Ensure off-site and secure data backup and replication for all critical banking systems.
  • Maintain alternative work arrangements for key staff, including remote or mobile access.
• Regularly Review Risk Appetite and Tolerance:
  • Adjust preparedness measures in line with the Bank of Maldives’ risk management framework.

4. Resource Preparedness

• Staff Readiness:
  • Maintain minimum staffing levels for essential Sub-CBFs during crises.
  • Cross-train employees to perform multiple critical functions if key staff are unavailable.
• Facilities and Equipment:
  • Verify availability of alternative branch locations or temporary operating sites.
  • Ensure continuity of ATMs, POS devices, and network connectivity.
• Third-Party and Vendor Readiness:
  • Confirm disaster recovery and business continuity arrangements with service providers, card networks, and correspondent banks.
  • Include vendor contact lists and escalation procedures in the CBF-1 continuity plan.

5. Technology and Data Preparedness

• System Backup and Recovery:
  • Ensure all core banking, digital banking, and payment systems have up-to-date backups and tested recovery procedures.
  • Validate RPO (Recovery Point Objective) and RTO (Recovery Time Objective) assumptions for each Sub-CBF.
• Alternative Processing Options:
  • Define manual or offline procedures for high-priority transactions (e.g., cash withdrawals, fund transfers, payments).
  • Maintain documented workarounds for digital service outages.
• Security Measures:
  • Ensure cybersecurity measures, including firewalls, endpoint protection, and intrusion detection, are operational and monitored.

6. Testing, Training, and Awareness

• Conduct Regular Exercises:
  • Simulate realistic disruption scenarios for CBF-1, including IT system failures, branch outages, or staff shortages.
  • Test manual processing procedures, alternate sites, and recovery strategies.
• Staff Awareness and Training:
  • Train staff on their roles during disruption scenarios.
  • Ensure understanding of escalation processes, communication protocols, and operational priorities.
• Continuous Improvement:
  • Capture lessons learned from exercises and minor incidents.
  • Update BCM procedures, recovery steps, and staff training accordingly.

Outcome

Through proactive Pre-Crisis Preparedness, Bank of Maldives ensures that CBF-1 Retail & Corporate Banking Services are operationally resilient, dependencies and risks are clearly understood, and teams are ready to respond and recover efficiently. This phase strengthens the Bank’s ability to maintain critical services, minimise customer and financial impact, and transition smoothly into the Respond, Resume, and Recovery Phase in the event of an incident.

Within T+24 Hours (Response and Recovery Phase)

Objective

To rapidly assess the impact of the disruption, activate business continuity arrangements, stabilise the operating environment, and resume minimum acceptable levels of Retail & Corporate Banking Services within the first 24 hours of an incident.

HOW – Respond, Resume and Recovery Activities

1. Incident Confirmation and Plan Activation

• Confirm the occurrence, nature, and severity of the disruption affecting CBF-1.
• Activate the relevant Business Continuity Plan (BCP) and, where applicable, the Crisis Management Plan.
• Notify:
  • CBF-1 Owner and Recovery Lead
  • Senior Management and Crisis Management Team
  • IT Disaster Recovery and Facilities Management teams (as applicable)

2. Impact Assessment and Situation Reporting

• Conduct a rapid impact assessment covering:
  • Availability of core banking systems
  • Status of branches, ATMs, and digital channels
  • Availability of staff, premises, and third-party services
• Identify affected Sub-CBFs (1.1–1.8) and estimate:
  • Service downtime
  • Customer impact
  • Regulatory or financial exposure
• Provide structured situation reports to management at defined intervals.

3. Service Prioritisation and Recovery Sequencing

• Prioritise recovery based on customer impact, regulatory obligations, and financial risk.
• Focus first on essential services required to maintain public confidence and liquidity, including:
  • Deposit and withdrawal services
  • Payment processing and fund transfers
  • Digital and online banking access
• Defer lower-priority activities, where necessary, with management approval.

4. Operational Response and Service Resumption

• Implement approved recovery strategies, including:
  • Switching to alternate systems or recovery sites
  • Activating IT disaster recovery environments
  • Enabling manual or semi-manual processing for critical transactions
• Redeploy trained staff to support priority Sub-CBFs and locations.
• Restore minimum service levels for:
  • Branch operations
  • ATM and card services
  • Online and mobile banking platforms

5. Control Measures and Risk Management

• Apply enhanced controls during recovery operations, including:
  • Dual authorisation for manual transactions
  • Segregation of duties where feasible
  • Detailed logging of all exceptions and workaround activities
• Monitor operational risks arising from:
  • Increased transaction volumes
  • Manual processing
  • Reduced staffing or system limitations

6. Internal and External Communication

• Issue timely and consistent communications to:
  • Internal teams on operational status and recovery instructions
  • Customers regarding service availability and alternative channels
• Coordinate all external messaging through approved communication channels.
• Notify regulators, payment networks, and key partners in line with regulatory and contractual requirements.

7. Monitoring, Escalation, and Decision Support

• Continuously monitor recovery progress against defined recovery objectives.
• Escalate unresolved issues, resource constraints, or emerging risks to senior management.
• Adjust recovery strategies as needed based on evolving conditions and management direction.

is positioned to transition into the Restore and Return Phase for full service normalisation.

Outcome

By the end of the Within T+24 Hours phase, Retail & Corporate Banking Services at Bank of Maldives are stabilised at minimum acceptable service levels, critical customer transactions are supported, and the Bank.

After T+24 Hours (Restore and Return Phase)

Objective

To fully restore Retail & Corporate Banking Services to normal operating conditions, ensure data and process integrity, address residual impacts of the disruption, and formally transition from recovery mode to business-as-usual operations.

HOW – Restore and Return Activities

1. Full System and Infrastructure Restoration

• Restore all Sub-CBFs under CBF-1 to their primary systems, environments, and locations, where applicable.
• Confirm that:
  • Core Banking System performance is stable
  • Digital and online banking platforms are fully functional
  • Payment gateways, card networks, and ATM services are operating normally
• Decommission temporary recovery environments or alternate processing sites in a controlled manner once stability is confirmed.

2. Data Integrity Validation and Reconciliation

• Perform comprehensive data validation across all Sub-CBFs, including:
  • Customer account balances
  • Transaction histories
  • Loan and credit records
  • Trade finance and corporate transaction data
• Reconcile all transactions processed during the disruption, particularly:
  • Manually processed transactions
  • Deferred or queued payments
  • Offline or batch-processed activities
• Resolve discrepancies promptly and document corrective actions taken.

3. Backlog Clearance and Service Normalisation

• Clear outstanding customer requests, including:
  • Account opening and maintenance requests
  • Pending fund transfers and settlements
  • Loan approvals, disbursements, or repayments
• Gradually return service delivery timelines to standard service-level agreements (SLAs).
• Monitor service volumes closely to ensure systems and staff can sustain normal operating loads.

4. Risk, Control, and Compliance Review

• Reinstate standard internal controls and approval thresholds that may have been relaxed during the recovery phase.
• Review all exception handling and override activities performed during the disruption.
• Ensure full audit trails are available for:
  • Regulatory reviews
  • Internal audit
  • Shariah governance (where applicable)

5. Customer and Stakeholder Communication

• Communicate clearly to customers that:
  • Services have been restored
  • Normal banking operations have resumed
• Address customer complaints, disputes, or financial impacts arising from the disruption.
• Provide formal updates or incident reports to:
  • Regulators
  • Payment network partners
  • Key corporate and institutional clients, where required

6. Staff Transition and Operational Stabilisation

• Stand down crisis or recovery teams and transition responsibilities back to normal operational management.
• Ensure staff welfare and workload normalisation following extended recovery efforts.
• Resume normal branch, contact centre, and back-office operating models.

7. Post-Incident Review and Continuous Improvement

• Conduct a formal Post-Incident Review (PIR) covering:
  • Effectiveness of response and recovery actions
  • Achievement of recovery time objectives (RTOs)
  • Issues encountered across people, process, technology, and third-party dependencies
• Capture lessons learned and improvement actions.
• Update:
  • BCM procedures for CBF-1
  • Recovery strategies and assumptions
  • Training materials and exercise scenarios

Outcome

Upon completion of the Restore and Return Phase, Retail & Corporate Banking Services at Bank of Maldives are fully stabilised, all temporary measures are retired, regulatory and customer obligations are met, and the Bank is formally returned to business-as-usual operations with strengthened resilience for future disruptions.

The BCM Procedure for CBF-1 Retail & Corporate Banking Services provides Bank of Maldives with a disciplined and repeatable approach to managing disruptions that affect core banking operations.

 By clearly outlining roles, priorities, and recovery actions across the reduce, respond, recover, restore, and return phases, this procedure ensures that essential customer services can be maintained or resumed within acceptable timeframes, even under adverse conditions.

Ultimately, this chapter reinforces the Bank’s commitment to operational resilience, customer protection, and regulatory compliance. When consistently maintained, tested, and improved, the procedures defined here enable Bank of Maldives to respond decisively to disruptions, restore confidence swiftly, and return to business-as-usual operations with minimal impact on customers and stakeholders.