BSP intensifies measures vs cyber attacks


The Bangko Sentral ng Pilipinas (BSP) is again urging its supervised financial institutions (BSFIs) to implement “robust” measures against cyber fraud and attacks on their retail electronic payments and financial services (EPFS).

On Wednesday, June 29, the BSP reminded BSFIs, which comprise all banks and non-banks, to adhere to a previously issued memorandum (Memorandum No. 2020-015) to shield EPFS against cyber-related hits. They do this by regularly conducting risk assessments and by removing clickable links in communications sent to customers via electronic mail (email) and short message service (SMS) or text messages.


“After thorough risk analysis, BSFIs should implement mandatory notifications for fund transfers exceeding a predefined amount, delays in activating new soft tokens or new device registrations, and a cooling-off period for key account changes,” said the BSP.

Other control measures recommended by the BSP are: personalized SMS messages and emails for banking services; restricting bank officers or representatives from obtaining critical information such as customer passwords, one-time passwords, or personal identification numbers; creating dedicated customer assistance teams for fraud cases; conducting education campaigns against online scams; and adopting strong fraud surveillance mechanisms.
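The controls described above (no clickable links in customer messages, a notification threshold for fund transfers, delayed activation of newly registered devices, and a cooling-off period after key account changes) can be expressed as a small policy check. This is an added illustration, not BSP code or any bank's implementation; the threshold and delay values are assumed for the example only.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy values for illustration only; a BSFI sets these after its own risk analysis.
NOTIFY_THRESHOLD = 50_000                      # notify the customer for transfers above this amount
DEVICE_ACTIVATION_DELAY = timedelta(hours=24)  # a newly registered device cannot transact at once
COOLING_OFF = timedelta(hours=12)              # transfers are held after a key account change

# Matches the common shapes of clickable links in SMS/email text.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


@dataclass
class Account:
    devices: Dict[str, datetime] = field(default_factory=dict)  # device_id -> registration time
    last_key_change: Optional[datetime] = None                   # e.g. contact details, limits, password


def sanitize_message(text: str) -> str:
    """Remove clickable links from an outgoing customer message, as the memo asks."""
    return URL_RE.sub("[link removed]", text)


def evaluate_transfer(acct: Account, device_id: str, amount: float, now: datetime) -> List[str]:
    """Return the control decisions for a transfer request: BLOCK:*, NOTIFY:*, ALLOW."""
    decisions: List[str] = []
    registered = acct.devices.get(device_id)
    if registered is None:
        return ["BLOCK:unregistered-device"]
    if now - registered < DEVICE_ACTIVATION_DELAY:
        decisions.append("BLOCK:device-in-activation-delay")
    if acct.last_key_change is not None and now - acct.last_key_change < COOLING_OFF:
        decisions.append("BLOCK:cooling-off-after-account-change")
    if amount > NOTIFY_THRESHOLD:
        decisions.append("NOTIFY:high-value-transfer")  # mandatory customer notification
    if not any(d.startswith("BLOCK") for d in decisions):
        decisions.append("ALLOW")
    return decisions


if __name__ == "__main__":
    now = datetime(2022, 6, 29, 12, 0)
    acct = Account(devices={"phone-A": now - timedelta(days=2), "phone-B": now - timedelta(hours=1)})
    print(evaluate_transfer(acct, "phone-A", 60_000, now))
    print(evaluate_transfer(acct, "phone-B", 1_000, now))
    print(sanitize_message("Your account is locked, verify at https://example.invalid/login"))
```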

“BSFIs may also need to coordinate with law enforcement authorities for the prompt resolution of cybercrimes, especially those involving public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” said the BSP.

The memo, first issued last March, called for robust fraud management systems at BSFIs to build up their cybersecurity resiliency.

BSP Circular No. 1140 amended the existing IT risk management regulation not just to reinforce consumer education and awareness of cyber threats but also to strengthen cybersecurity and minimize losses due to fraud and cybercriminal activities.

The revised circular instructed BSFIs to beef up customer protection against fraudulent schemes. “Otherwise, consumer confidence on the use of electronic channels as safe and reliable method of making transactions will be eroded,” said the BSP.

Among the changes to the rules, and the reason the regime is described as “robust” fraud management, is the implementation of automated, real-time fraud monitoring and detection systems to identify and block suspicious or fraudulent online transactions.

The circular is part of a set of comprehensive cybersecurity guidelines that the BSP has been preparing.

Earlier this month, the BSP also urged the private sector to increase vigilance against money laundering and terrorist-financing activities such as illegal online gambling, and to report suspected unlawful activities to the Philippine National Police and the National Bureau of Investigation.

The BSP is also reminding BSFIs to follow strict due diligence requirements and monitoring of clients’ accounts and transactions, as well as the reporting of suspicious transactions.

Most cyber incidents reported to the BSP target retail customers. The cyber criminals behind them were not even “highly technical” or using advanced tools, said the BSP.

Based on the BSP’s cyber threats surveillance, in 2021 the top three types of cyber incidents reported by BSFIs were: phishing; “card not present” fraud; and identity theft.

The most common cyber fraud is phishing and other variants such as smishing and vishing. It leads to account takeover and social engineering attacks. These are intended to manipulate customers into disclosing sensitive personal and account information necessary to execute unauthorized transactions.

“Card not present” fraud does not involve physical presentation of the card to the merchant and may be conducted online or over the phone.

The BSP received almost 10,000 consumer complaints in 2021, and while not all were cyber-related, they represent a significant share of the rising threats against financial consumers, both online and offline.