Perform Scenario Testing
CBS-4: Payment and Settlement Systems
Introduction
As part of Maybank Malaysia’s commitment to operational resilience and regulatory compliance, identifying severe but plausible scenarios is a critical exercise for each Critical Business Service (CBS).
For CBS-4: Payment and Settlement Systems, the highly interconnected nature of financial transactions necessitates an integrated view of potential disruptions, including cyber threats and ICT system failures.
This chapter presents a structured assessment of potential high-impact disruption scenarios for each detailed process within CBS-4.
These scenarios represent realistic yet challenging events that could test the Bank’s resilience capabilities.
Each scenario is examined through the Cyber and ICT Risk integration lens, reflecting the increasing interdependency between technology infrastructure and service continuity.
Furthermore, for each process, we provide evidence of proactive risk management actions currently in place. These actions demonstrate Maybank’s strategic foresight, control maturity, and readiness to mitigate emerging threats.
This risk-informed approach strengthens operational response and aligns with the regulatory expectations outlined in Bank Negara Malaysia’s Operational Resilience guidelines and global best practices.
Below is a detailed table outlining recommended “Severe but Plausible Scenarios” for each process under CBS-4: Payment and Settlement Systems, integrating Cyber and ICT Risks, and evidence of proactive risk management actions.
CBS-4: Payment and Settlement Systems – Severe but Plausible Scenarios and Cyber/ICT Risk Integration
| No. | Sub-CBS | Severe but Plausible Scenario | Cyber/ICT Risk Integration | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1 | Retail Funds Transfer Processing | Core banking system outage during peak hours | Core system DDoS attack | DDoS mitigation tools and rerouting architecture are in place |
| 2 | Corporate & Bulk Payments | Batch file corruption due to system misconfiguration | Insider threat or privilege misuse | Role-based access control (RBAC) and activity logging |
| 3 | Real-Time Gross Settlement (RENTAS) | RENTAS host connectivity loss to the BNM node | Network routing attack or DNS hijacking | Encrypted VPN to BNM and an alternate leased line connection |
| 4 | Cross-Border Payments (SWIFT) | SWIFT connector compromise (e.g., fraudulent instruction) | Malware in the SWIFT Alliance interface | SWIFT CSP compliance and periodic security validation |
| 5 | Cheque Clearing | Data mismatch or delay due to third-party failure | Poor encryption or API dependency | Vendor due diligence and automated fallback routing |
| 6 | E-Wallet and Mobile Payment Integration | Mobile app API outage from third-party aggregator | API abuse or integration vulnerability | Penetration testing and traffic throttling |
| 7 | JomPAY & Bill Payments | National biller integration is down for an extended period | External service interruption | Biller redundancy and daily connectivity health checks |
| 8 | Merchant & Acquiring Payments | POS transaction flow delay due to the gateway outage | Gateway spoofing or protocol flaw | Secure channel protocols and endpoint authentication |
| 9 | ATM & CDM Transactions Settlement | ATM/CDM transaction queue overflow due to sync failure | Sync script corruption or patch rollback | Dual-site processing and periodic integrity checks |
| 10 | Fraud & Risk Monitoring in Payment Systems | Fraud detection rules disabled or bypassed | Malware, rule manipulation, or config tampering | Endpoint protection and 24/7 SOC alerting on config changes |
| 11 | Reconciliation & Daily Settlement | The end-of-day report job fails due to system delay | System clock misconfiguration or corruption | Time-sync verification protocol and job resumption scripts |
| 12 | Chargeback & Dispute Resolution | Spike in disputes overwhelms case management team | Bot-generated chargeback abuse | Automated triage and fraud pattern detection using ML |
| 13 | Payment System Resilience & Uptime | Simultaneous failure of primary and backup data centres | Coordinated ransomware or data centre attack | Geo-redundancy, immutable backups, and ransomware drills |
Legend
- Cyber/ICT Risk Integration: Shows the nature of ICT/cyber threats tied to the scenario.
- Evidence of Proactive Risk Management Action: Demonstrates implemented control, mitigation, or governance mechanism addressing the risk.
Summing Up ...
The analysis of severe but plausible scenarios for CBS-4 highlights the multifaceted risks facing Maybank’s Payment and Settlement Systems.
While traditional operational disruptions remain relevant, integrating cyber and ICT risks into scenario planning ensures that resilience efforts remain future-proof and aligned with the digital threat landscape.
Each identified scenario is grounded in a realistic, data-driven risk perspective and linked to existing or planned mitigation strategies.
These scenarios stress the need for end-to-end visibility, layered controls, and rapid recovery mechanisms across the payment value chain, from cyberattacks on real-time payments to third-party outages in bill payment systems.
The proactive risk management measures outlined provide assurance that the Bank is aware of potential vulnerabilities and is actively working to strengthen its resilience posture.
Continuous scenario testing, technology audits, and cyber simulation exercises will be key to enhancing preparedness and maintaining uninterrupted delivery of this critical business service under all conditions.