BSP intensifies efforts to ‘curb’ cybercrimes

The Bangko Sentral ng Pilipinas (BSP) is further strengthening its cybercrime-fighting policies and calling on the private sector to also increase vigilance against money laundering and terrorist-financing activities such as illegal online gambling.

“The BSP is adopting policies and regulations to guide banks and other supervised institutions in deploying a risk-based approach to cybersecurity management,” said BSP Governor Benjamin E. Diokno on Wednesday, June 1. He is the incoming finance secretary in the next administration.


Diokno is urging the public to report suspected unlawful activities to the Philippine National Police and the National Bureau of Investigation.

The BSP is also reminding all BSP-supervised financial institutions (BSFIs) to follow strict requirements on due diligence, monitoring of clients’ accounts and transactions, and reporting of suspicious transactions. BSFIs are also reminded to ensure that “appropriate control measures are in place to restrict access of minors, government employees and other prohibited players on these online gambling facilities.”

Last month, the BSP issued a reminder and a warning to BSFIs that despite its capabilities to detect and prevent digital-related fraud, cyber criminals still find ways to target people’s weakest side.

Diokno said most cyber incidents reported to the BSP target retail customers, and that the cyber criminals behind them are not even “highly technical” or using advanced tools. What they do, he said, is exploit human weaknesses such as greed and naivety.

Based on the BSP’s cyber threats surveillance, in 2021 the top three types of cyber incidents reported by BSFIs were: phishing; “card not present” fraud; and identity theft.

The most common cyber fraud is phishing and its variants, such as smishing and vishing. It leads to account takeover and social engineering attacks. These are intended to manipulate customers into disclosing sensitive personal and account information necessary to execute unauthorized transactions.

“Card not present” fraud does not involve physical presentation of the card to the merchant and may be conducted online or over the phone.

The BSP has recently amended the information technology (IT) risk management rules under Circular No. 1140 to strengthen the financial system’s cybersecurity posture and minimize losses from fraud and cyber-criminal activities.

Since cyber attacks and fraudulent schemes affect two or more financial institutions simultaneously, the BSP, through the circular, wants BSFIs to implement complementary controls as well as “robust” and effective fraud management systems for both originating and receiving institutions. These efforts will serve as early warning mechanisms to reduce fraud losses.

Among the changes to the rules, and the reason the fraud management is called “robust,” is the implementation of automated and real-time fraud monitoring and detection systems to identify and block suspicious or fraudulent online transactions.

The circular wants BSFIs’ fraud monitoring systems (FMS) to be commensurate with the risks associated with their digital financial and payment platforms. It also noted that as fraud and cyber threats continue to evolve and penetrate BSFIs’ layers of controls, the FMS should be “constantly calibrated” in order to “process surges in transactions, collectively analyze customer profiles/behavior, and detect new fraud patterns.”

Linking and integrating FMS with anti-money laundering systems will likewise form a more “cohesive and comprehensive financial crime prevention system,” said the BSP.

The BSP received almost 10,000 consumer complaints in 2021, and while not all are cyber-related, it is a significant chunk of rising threats against financial consumers, both online and offline.