Banks and other financial institutions may be held liable for fraud suffered by their clients if they fail to implement fraud management systems (FMS) within the mandated one-year transition period, a top official at the Bangko Sentral ng Pilipinas (BSP) said.
BSP Deputy Governor Elmore O. Capule told reporters on the sidelines of the Anti-Financial Account Scamming Act (AFASA) press briefing on Wednesday, June 11, that financial institutions may face serious consequences if they fail to comply with the new law.
First, they may face administrative sanctions. Second, “if somebody gets defrauded and their system is not ready, they can be held once civilly liable. So instead of going after the scammer, the institution will have to pay,” Capule said.
“If you fail to comply with the fraud management system, then you can be held civilly liable for the damage caused to the victim,” Capule asserted, adding that the likelihood of falling victim to fraud could be lower if financial institutions had already built an FMS.
Capule said that if the system is in place, fraud could be prevented. But in cases where banks still do not run the system, they may be held responsible for the losses.
“So it’s [FMS] a very big deterrent. I hope, in one year’s time, they should comply,” Capule said.
Under the AFASA, the BSP requires all financial institutions with complex electronic products and services (EPS) and those with a high aggregate value of digital transactions—initially set at ₱75 million per month—to implement a more sophisticated FMS.
Maricris A. Salud, deputy director at the BSP’s technology risk and innovation supervision department, noted that commercial banks or big banks are on track to fully comply with the mandate.
“It’s actually the smaller institutions who are asking for the transitory provision,” Salud further said.
Capule said that while one-time password (OTP)-based multi-factor authentication was once state-of-the-art, evolving threats now require more advanced and supplemental security measures, as outlined in Circular 1213, prompting the adoption of additional FMS.
“Sometimes, a good system is only good until the scammers find a way to go around it,” Capule said.
As such, Capule said that the central bank is “recommending financial institutions to look for other alternative measures including multi-factor authentication [MFA].” This is on top of OTPs, which are a widespread mode of authentication.
Among the recommended MFA methods are biometrics—such as fingerprint, facial, and voice recognition—and behavioral tools that analyze user patterns like typing speed and device movements to verify identity.
Passwordless authentication methods, including biometrics, hardware tokens, and cryptographic keys, such as Fast Identity Online (FIDO), which enable users to log in using biological features or a security device instead of a password, are also permitted.