Philippine banks must strengthen safeguards against money laundering and terrorism financing across all payment activities, the Bangko Sentral ng Pilipinas (BSP) ordered, warning that banks remain accountable for violations even when using third-party payment aggregators.

Under Memorandum No. 2026-017 issued last Friday, May 8, the central bank directed all BSP-supervised financial institutions (BSFIs) to maintain rigorous onboarding and monitoring processes to prevent the financial system from being used for illegal transactions.

Notably, the new rule clarified that the participation of payment aggregators in the payment chain cannot “transfer, diminish, or substitute” the legal obligations of banks providing the underlying settlement services and access to payment rails.

“[Banks] are expected to retain primary responsibility for anti-money laundering and counter-terrorism and proliferation of weapon of mass destruction financing (AML/CTPF) compliance for merchant payment activities, whether conducted as the originating financial institution (OFI) or the receiving financial institution (RFI), through payment aggregators or similar intermediaries,” the memo read.

A payment aggregator is an entity that facilitates the acceptance and processing of transactions for multiple merchants by providing them access to payment services, rails, and settlement.

Some payment aggregators operating in the Philippines include PayMongo, DragonPay, and Xendit.

These entities are responsible for onboarding and managing merchants, often transacting on their behalf while maintaining independent obligations for AML and risk monitoring.

While efficient for scaling digital payments, the BSP noted that this intermediary role creates additional operational layers that must not obscure regulatory visibility.

To address this, the BSP clarified that “payment aggregators or similar entities bear independent and commensurate AML/CTPF responsibilities” regarding their specific roles in onboarding and controlling sub-merchant access.

These responsibilities include conducting merchant due diligence, implementing risk mitigation measures, and “suspicious transaction reporting, in accordance with the above regulations.”

However, the BSP stressed that responsibility ultimately remains with the banks.

Even as aggregators manage their own functions, the regulator said banks “retain primary responsibility for AML/CTPF risks associated with settlement accounts.”

To comply with the directive, banks are now required to maintain “adequate visibility over the underlying merchants and related payment activities.”

Banks must also ensure they have “sufficient access to sub-merchant information, transaction-level data, and merchant risk profiles.”

Additionally, the new rule stressed that banks cannot take a passive approach to oversight.

They are expected to apply risk-based standards when onboarding and monitoring sub-merchants.

Banks must also conduct “periodic reviews with clear triggers for restricting or terminating relationships involving high-risk or non-compliant sub-merchants.”

To prevent the commingling of funds, the memo also said accounts must be properly classified.

Banks are required to ensure that account openings follow the Manual of Regulations for Payment Systems (MORPS) definition of a merchant account, which refers to a transaction account used to receive funds from merchant payment activities.

To maintain the integrity of these transactions, banks were instructed to “maintain clear and effective differentiation between merchant accounts and personal accounts” based on the nature and risk characteristics of the activity.

Further, the BSP raised concerns over the growing incidence of digital payment fraud, particularly involving the exploitation of quick-response (QR) code technology.

As such, banks must implement appropriate risk-based measures to prevent and detect mule merchants, including the unauthorized use or misuse of QR codes by individuals or entities other than registered merchants.