BSP eyes tighter rules on IT risk management
THE BANGKO SENTRAL ng Pilipinas (BSP) is looking to tighten rules on information technology (IT) controls and account security for financial institutions, as part of efforts to stamp out cybercrime and protect consumers.
In a draft circular posted on its website, the BSP proposed amendments to the manuals of regulations for banks and nonbank financial institutions to strengthen its regulatory framework on IT risk management.
These proposed changes are in line with the implementation of the Anti-Financial Account Scamming Act (AFASA), it said.
“These amendments are designed to fortify the existing regulatory framework and ensure more effective compliance with the provisions of the Act,” it added.
In July 2024, President Ferdinand R. Marcos, Jr. signed into law the AFASA, which seeks to prevent and penalize financial cybercrime.
The law also grants the central bank the authority to investigate these violations and apply for cybercrime warrants and orders.
Under the draft rules, BSP-supervised financial institutions (BSFIs) are required to adopt an “aggressive security posture” to mitigate the impacts of cyber fraud.
“BSFIs should protect customers from fraudulent schemes done electronically. Failing to do so may erode consumer confidence in electronic channels as safe and reliable methods for financial transactions.”
These include implementing automated and real-time fraud monitoring and detection systems.
For example, BSFIs must adopt a robust fraud management system (FMS) “capable of rapidly detecting and preventing fraudulent transactions, including new and evolving fraud schemes.”
The central bank said the FMS is required for institutions engaged in complex services or dealing with high volumes and value of transactions.
“To ensure robustness of their FMS, BSFIs may employ any or a combination of rule-based, machine learning, and other technologies,” it said.
The BSP said mechanisms such as transaction velocity checks or thresholds may help detect unusual activities or transactions that may indicate fraudulent behavior.
Other mechanisms include monitoring changes to mobile device and account information, geolocation monitoring to track activity from unexpected locations, blacklist screening to limit fraud exposure, and detection of behavioral anomalies to catch unauthorized access.
“Detection through FMS is one of the grounds for BSFIs to temporarily hold funds and initiate a coordinated verification process,” according to the draft circular.
The BSP said the FMS should be implemented at the automated clearing house level, which is a “central point for monitoring and flagging suspicious and fraudulent transactions at scale.”
“Specifically, the automated clearing house shall engage clearing switch operators with capability to implement an FMS for retail operations to strengthen the fraud prevention mechanisms within the industry,” it added.
PESONet and InstaPay are automated clearing houses that were launched in December 2015 under the central bank’s National Retail Payment System framework.
“Financial accounts must be protected with robust security measures aligned with the BSFI’s risk profile to mitigate risks such as cyberattacks, unauthorized access, and fraudulent transactions,” the BSP said.
These include a 24-hour transaction hold period after key account changes are applied; restrictions on installing mobile applications on unsecured devices; a prohibition on unauthorized scripts or automation tools; proper authentication and integrity checks; and adoption of strong device fingerprinting, among others.
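As an added illustration, not code from the draft circular or from any BSFI, the following rule-based screen combines the FMS mechanisms named earlier (velocity checks, an amount threshold, device and geolocation change, blacklist screening) with the 24-hour hold after a key account change, and returns the transfers that would be temporarily held for verification. The thresholds, record fields and sample transactions are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters; these values are assumptions, the circular sets none.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3              # transfers per account allowed inside the window
AMOUNT_THRESHOLD = 50_000     # per-transfer amount threshold (assumed PHP)
ACCOUNT_CHANGE_HOLD = timedelta(hours=24)
def screen_transactions(txns, profiles, key_changes, blacklist):
    # profiles: account -> {"devices": set, "country": str}; key_changes: account -> latest change time
    held = {}
    seen = defaultdict(list)  # account -> timestamps already processed
    for t in sorted(txns, key=lambda x: x["ts"]):
        acct, ts, reasons = t["account"], t["ts"], []
        # Velocity check: transfers from this account inside a sliding window
        window = [w for w in seen[acct] if ts - w <= VELOCITY_WINDOW]
        if len(window) + 1 > VELOCITY_MAX:
            reasons.append("velocity")
        seen[acct] = window + [ts]
        if t["amount"] > AMOUNT_THRESHOLD:
            reasons.append("amount_threshold")
        prof = profiles.get(acct, {"devices": set(), "country": None})
        if t["device"] not in prof["devices"]:       # device fingerprint change
            reasons.append("unknown_device")
        if prof["country"] and t["country"] != prof["country"]:
            reasons.append("unexpected_geolocation")
        if t["payee"] in blacklist:                  # blacklist screening
            reasons.append("blacklisted_payee")
        changed = key_changes.get(acct)              # 24-hour post-change hold
        if changed is not None and ts - changed < ACCOUNT_CHANGE_HOLD:
            reasons.append("key_account_change_hold")
        if reasons:
            held[t["id"]] = reasons
    return held
# Constructed sample data, not real transactions.
T0 = datetime(2025, 1, 10, 9, 0)
def tx(i, acct, mins, amt, dev, ctry, payee):
    return {"id": i, "account": acct, "ts": T0 + timedelta(minutes=mins),
            "amount": amt, "device": dev, "country": ctry, "payee": payee}
SAMPLE_TXNS = [tx("tx1", "A", 0, 2_000, "dev-a1", "PH", "P1"),
               tx("tx2", "A", 2, 3_000, "dev-a1", "PH", "P2"),
               tx("tx3", "A", 4, 60_000, "dev-a1", "PH", "P3"),
               tx("tx4", "A", 6, 1_000, "dev-zz", "SG", "P4"),
               tx("tx5", "B", 60, 500, "dev-b1", "PH", "BAD1")]
SAMPLE_PROFILES = {"A": {"devices": {"dev-a1"}, "country": "PH"}, "B": {"devices": {"dev-b1"}, "country": "PH"}}
SAMPLE_KEY_CHANGES = {"B": T0 - timedelta(hours=3)}  # B changed its mobile number 3h ago
SAMPLE_BLACKLIST = {"BAD1"}
def run_sample():
    return screen_transactions(SAMPLE_TXNS, SAMPLE_PROFILES, SAMPLE_KEY_CHANGES, SAMPLE_BLACKLIST)
```

In the sample, tx3 is held on the amount threshold, tx4 on velocity plus an unknown device and unexpected country, and tx5 on a blacklisted payee and the post-change hold; tx1 and tx2 pass.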
LIMIT USE OF OTP
Under the draft rules, the central bank is also seeking to limit the use of interceptable authentication mechanisms, such as one-time passwords (OTP) through SMS or e-mail.
“With the increasing prevalence of social engineering attacks aimed at obtaining login credentials, BSFIs should limit the use of authentication mechanisms that can be shared to or intercepted by third parties unrelated to the transaction,” it said.
It cited stronger authentication mechanisms such as biometric authentication, behavioral biometrics, passwordless authentication, adaptive authentication and artificial intelligence (AI) and machine learning.
“Descriptive customer notification for account activities and financial transactions should enable customers to verify the legitimacy of activities on their accounts. Real-time notification should be sent through secure channels such as mobile apps, messaging apps, e-mail, or SMS,” it added.
Customer notifications must have clear and complete information such as recipient identity, transaction amount and currency, date and time, and other key information.
“Further, OTP messages should be personalized with sufficient transaction details. While sensitive information may be redacted, the notification must still allow the customers to accurately identify the transaction.”
Accountholders must also be able to verify the identity of the recipient of fund transfers to ensure that all transactions are directed to the intended payee, the BSP said.
“In addition, BSFIs should ensure that off-us transactions adhere to an industry-wide, standardized approach that facilitates the secure and reliable method to exchange information necessary for payee verification.”
Off-us refers to a transaction that takes place outside of a financial institution’s network.
KILL SWITCH
Digital platforms facilitating retail interbank fund transfers and other high-risk transactions must offer features such as a “kill switch” to suspend the account and block outgoing transactions and a stop payment feature to cancel fraudulent batch transfers.
It also proposed a “money lock” feature that can secure a portion of funds in an account as well as customizable transaction limits.
“BSFIs must not send clickable links or QR codes via e-mail, instant messaging apps, or SMS, unless the link or QR code is anticipated by the customer, provides only information, and does not redirect to a website or web application that requires the input of sensitive information or login credentials,” it added.
The BSP is also requiring BSFIs to collect relevant transaction logs and back up these records for at least five years to ensure proper documentation of account activities.
The draft circular also noted that customers should be “empowered with tools, knowledge, and support to actively protect their financial accounts.” — Luisa Maria Jacinta C. Jocson