Financial institutions given until June 2026 to boost fraud management systems
Financial institutions under the supervision of the Bangko Sentral ng Pilipinas (BSP) have been given until June 2026 to boost their fraud management systems (FMS) and limit their use of interceptable authentication mechanisms such as one-time PINs (OTPs) sent via SMS and email.
Under the Anti-Financial Account Scamming Act (AFASA), BSP-supervised financial institutions (BSFIs) with complex electronic products and services (EPS) or those with an average of at least P75 million monthly network value for the last six months are required to strengthen their FMS.
The implementing rules and regulations (IRR) of AFASA, set to take effect on June 25, 2025, require such BSFIs to have their FMS cater to behavioral anomalies, blacklist screening, geolocation monitoring, and mobile device and account information changes, in a bid to prevent unauthorized transactions.
“We already have a fraud management system, but we enhanced it, and we all know that it takes time to buy all the new software, so we gave the banks one year,” BSP deputy governor Elmore Capule told reporters in a press chat in Manila City.
This is on top of the requirement for all BSFIs with an Advanced Electronic Payment and Financial Services (EPFS) license to have an FMS that is real-time, commensurate to risks, comprehensive, constantly calibrated, and capable of fraud detection and blocking.
“We are going into additional FMS. The present will not really suffice. Everything is moving very fast so we have this additional. Sometimes a good system is only good until the scammers find a way to go around it,” Capule said.
President Ferdinand “Bongbong” Marcos Jr. signed the AFASA, or Republic Act 12010, on July 20, 2024, after it was designated as a priority bill by the Legislative Executive Development Advisory Council (LEDAC).
The IRR of the law also provides for BSP-supervised financial institutions to limit the use of OTPs sent to users via SMS and email, and adopt more multi-factor authentication (MFA) methods.
“With the increasing prevalence of social engineering attacks aimed at obtaining login credentials, BSFIs should limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction,” according to BSP Circular 1213.
Among the other recommended MFA methods are biometric authentication, which allows customers to use fingerprint scanning, facial recognition, and voice recognition to authorize transactions, and behavioral biometrics that track patterns such as typing speed and mouse or device movements.
The BSP also allows for passwordless authentication that uses factors like biometrics, hardware tokens, and cryptographic keys, such as Fast Identity Online (FIDO), which allows users to log in to online accounts with biological features or a security key.
The circular also provides for adaptive authentication, which adjusts the authentication process based on the user's context to cover factors such as location, device, and behavior. This will prompt additional verification steps or other actions upon detection of unusual activity.
“We have to realize all of these things are very, very expensive, that’s the reality, so we are giving them sufficient time. But at the same time, we realize that if they will not adapt to this, we cannot really solve these scamming, these frauds, so it’s a calibrated speech,” Capule said.
According to the BSP, it received around 70,000 complaints in 2024, of which 13% were unauthorized transactions including phishing and vishing. There were 703 cases that entered into mediation during the year, with an 83% success rate.
For this year, the central bank said cases that have entered mediation from January to May have already hit 400. –NB, GMA Integrated News