
BSP issues fraud management rules

Published Mar 27, 2022 20:10 pm  |  Updated Mar 27, 2022 20:10 pm

The Bangko Sentral ng Pilipinas (BSP) has approved new rules requiring banks and non-banks to maintain robust fraud management systems, in order to build up the financial system's cybersecurity resiliency.

BSP Circular No. 1140, which BSP Governor Benjamin E. Diokno signed last March 24, amended the existing IT risk management regulation not just to reinforce consumer education and awareness of cyber threats but also to strengthen cybersecurity and minimize losses due to fraud and cybercriminal activities.


The revised circular instructs BSP supervised financial institutions (BSFIs) to beef up customer protection against fraudulent schemes. “Otherwise, consumer confidence on the use of electronic channels as a safe and reliable method of making transactions will be eroded,” said the BSP.

Among the changes to the rules, and the reason the BSP calls it “robust” fraud management, is the requirement to implement automated, real-time fraud monitoring and detection systems that identify and block suspicious or fraudulent online transactions.

“The expected sophistication and capabilities of BSFIs' fraud monitoring systems (FMS) should be commensurate to the risks associated with their digital financial and payment platforms,” according to the circular. It noted that as fraud and cyber threats continue to evolve and penetrate BSFIs’ layers of controls, the FMS should be “constantly calibrated” in order to “process surges in transactions, collectively analyze customer profiles/behavior, and detect new fraud patterns.”

“To ensure robustness and effectiveness in early detection and prevention of fraudulent and suspicious activities, it is optimal that the FMS is able to collect, monitor, and analyze transactions from all channels,” said the BSP.

It added that linking and integrating FMS with anti-money laundering systems will form a more “cohesive and comprehensive financial crime prevention system.”

As for consumer awareness and customer education, which the BSP said is a key defense against fraud, identity theft and security breaches, BSFIs are instructed to ensure that their customers can easily understand any prominent advice on security precautions for e-services.

“As an integral part of their customer onboarding process, BSFIs will ensure that their clients have undertaken a pre-requisite consumer education course/program on the safe and secure use of electronic payment and financial services (EPFS), including the associated risks,” said BSP.

The circular also instructed BSFIs to explore the use of interactive platforms/materials such as but not limited to video clips, online quizzes, infographics etc., to effectively communicate the risks.

“BSFIs will likewise adopt a program aimed at promoting continuing awareness and constantly reminding its clients on the safe and secure use of EPFS,” said the BSP.

BSFIs’ consumer awareness programs should be updated regularly. To evaluate the effectiveness of a program, the BSP suggested that BSFIs track the number of customers who report fraudulent attempts to obtain their authentication credentials, the number of clicks on information security links on their websites, and the number of inquiries.

The BSP is giving BSFIs until end-December 2022 to comply with the circular’s standards and to submit their plans of action, including specific timelines and status, before achieving full compliance. The BSP will start checking on the manner of compliance by September this year.

The circular will implement stricter supervisory enforcement actions to “ensure timely implementation of preventive and/or corrective measures as needed.”

“As part of its enforcement actions, the BSP may impose corrective actions and/or sanctions to improve the BSFI's risk management systems and processes or limit the level of or suspend any business activity that has adverse effects on the safety or soundness of the BSFI, among others. Sanctions may likewise be imposed against a BSFI and/or its directors, officers and/or employees,” said the BSP.

Diokno first announced BSP’s intention to issue stronger regulations on banks’ fraud management systems in December 2021, following the hacking crisis that victimized a number of BDO Unibank Inc. clients. The hacking incident also involved Union Bank of the Philippines. BDO has identified 700 hacked accounts, which will be reimbursed.

The new circular is part of a comprehensive set of cybersecurity guidelines that the BSP has been preparing.

Last week, the BSP issued two memos on cybersecurity issues. One of the memos required stronger, more adequate IT and cybersecurity risk management practices in BSFIs’ use of application programming interfaces (APIs) and their interconnections. The other memo recommended eight supplementary control measures against cyber attacks, such as phishing, on retail electronic payments and financial services.

Diokno has said that the BSP has a lot more ground to cover in implementing a “holistic governance, risk, and compliance solution” on cybersecurity, which is “aimed at strengthening BSP’s own cybersecurity posture as well as BSP’s cybersecurity supervision and oversight capabilities.”
