As financial transactions increasingly shift to digital channels, the Bangko Sentral ng Pilipinas (BSP) enjoins BSP-supervised financial institutions (BSFIs) to adopt robust control measures against cyber fraud and attacks on retail electronic payments and financial services (EPFS).
Under BSP Memorandum No. 2022-015, “BSFIs should regularly conduct risk assessments of their product features, business rules, as well as application controls, and enforce appropriate enhancements and mitigation measures.”
Further, BSFIs are advised to remove clickable links in communications sent to customers via electronic mail (email) and short message service (SMS) or text messages, and to send notifications through registered mobile numbers or email addresses when requesting changes to customer information.
After thorough risk analysis, BSFIs should implement mandatory notifications for fund transfers exceeding a predefined amount, delays in activating new soft tokens or new device registrations, and a cooling-off period for key account changes.
BSFIs must also personalize SMS messages and emails for banking services; restrict bank officers or representatives from obtaining critical information such as customer passwords, one-time passwords (OTP), or personal information numbers (PINs); create dedicated customer assistance teams for fraud cases; conduct education campaigns against online scams; and adopt strong fraud surveillance mechanisms.
The BSP likewise encourages collaboration among BSFIs and the use of information-sharing platforms, such as the Bankers Association of the Philippines’ Cyber Incident Database, to expedite fraud investigations and recovery of funds, and to proactively address emerging fraud schemes.
“BSFIs may also need to coordinate with law enforcement authorities for the prompt resolution of cybercrimes, especially those involving public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” the memorandum explained.
For more information, BSP Memorandum No. M-2022-015, dated 22 March 2022, may be viewed here: