BSP keeps June 2026 deadline for PH banks to upgrade fraud management systems

The Bangko Sentral ng Pilipinas (BSP) is keeping the June 2026 deadline for financial institutions to boost their fraud management systems (FMS) and limit their use of interceptable authentication mechanisms for now, top officials said.

According to BSP deputy governor Elmore Capule, the deadline will remain in place for now, mandating banks to step up their FMS in line with the Anti-Financial Account Scamming Act (AFASA).

“As of now we are not extending it, so they have to catch up,” he said in an interview in Manila.

“Ang pinaka-importante ‘yung industry protocol, meaning kapag ako na-scam, alam dapat ng buong industry ‘yan para walang nagtatalunan. 'Di ba supposedly habang tumatalon hinahabol? Dapat ‘yan, kapag ako na-scam, nag-report ako, dapat naka-alert na lahat,” he added.

(The most important thing is an industry protocol — meaning if I get scammed, the whole industry should know about it so no one just passes the buck. Supposedly, while the funds are moving they are being chased after. It should be that once I’m scammed and I report it, everyone should already be on alert.)

Under the AFASA, BSP-supervised financial institutions (BSIs) with complex electronic products and services (EPS) or those with an average of at least P75 million monthly network value for the last six months are required to strengthen their FMS.

The implementing rules and regulations (IRR) of AFASA, require such BSIs to have their FMS cater to behavioral anomalies, blacklist screening, geolocation monitoring, mobile device and account information changes, in a bid to prevent unauthorized transactions.

This is on top of the FMS required of all BSIs with an Advanced Electronic Payment and Financial Services (EPFS) license to have their FMS that is real-time, commensurate to risks, has fraud detection and blocking, comprehensive, and constantly calibrated.

“Dapat kasi updated na lahat ‘yan, so ‘pag lumang technology ka pa rin at nakalusot, sorry ka dahil ang presumption, you are negligent,” Capule said.

“‘Pag may loss, they will pay for it. ‘Pag mag-file ako ng adjudication for them to return the money, panalo agad ako,” he added.

(It should all be updated by now so if you’re still using old technology and something slips through, that’s on you. The presumption is that you are negligent.

If there’s a loss, they’ll have to pay for it. If I file for adjudication for them to return the money, I win right away.)

For his part, BSP general counsel Roberto Figueroa said he has received some feedback that some banks are requesting to have the period to comply extended.

“I heard that feedback, but I don’t know exactly which bank gave that feedback kasi nga (because) the deadline is fast approaching, but it was just, you know, reported to me that there was a request to extend,” he said.

“That’s a matter being discussed internally kung pagbibigyan ba ‘yung extension na ‘yun (if that extension will be granted) but as far as the BSP is concerned, the deadline is still, I think if I’m not mistaken, June of this year,” he added.

President Ferdinand “Bongbong” Marcos Jr. signed the AFASA, or Republic Act 12010 on July 20, 2024, after being designated as a priority bill by the Legislative Executive Development Advisory Council (LEDAC).

The IRR of the law also provides for BSP-supervised financial institutions to limit the use of OTPs sent to users via SMS and email, and adopt more multi-factor authentication (MFA) methods.

Among the other recommended MFA methods are biometric authentication, which allows customers to use their fingerprint scanning, facial recognition, and voice recognition to authorize transactions, and behavioral biometrics that track patterns such as typing speed, mouse, or device movements.—AOL, GMA Integrated News