2024-12-09

M-2024-036: Expansion of ASTERisC* to All Banks and VASPs

Bangko Sentral ng Pilipinas expands its ASTERisC* cybersecurity compliance platform to cover all Banks and Virtual Asset Service Providers. The cloud-based system automates the real-time submission of regulatory reports, including IT profiles and incident notifications, to enhance risk-based supervisory oversight. Reporting becomes mandatory for new participants starting January 1, 2025, following required training and account provisioning.


Philippines

Bangko Sentral ng Pilipinas


OFFICE OF THE DEPUTY GOVERNOR I FINANCIAL SUPERVISION SECTOR

MEMORANDUM NO. _________

To : ALL BANKS AND VIRTUAL ASSET SERVICE PROVIDERS (VASP)

Subject : Advance Suptech Engine for Risk-based Compliance (ASTERisC*) Expansion to All Banks and VASPs

Pursuant to the initial implementation of the Advance Suptech Engine for Risk-based Compliance or ASTERisC* on 01 January 2023, as outlined in Bangko Sentral ng Pilipinas (BSP) Memorandum No. M-2022-045, the BSP is expanding the use of ASTERisC* to cover all Banks and Virtual Asset Service Providers (VASP).

This memorandum provides information on the general requirements on the use of ASTERisC* and the preparatory activities prior to rollout. Detailed system guides and other documentation shall be directly coordinated with the participating BSFIs and made available on the BSP website (www.bsp.gov.ph/ses/reporting_templates).

A. General Description and Scope

ASTERisC* is a unified Regulatory and Supervisory Technology solution that streamlines and automates regulatory supervision, reporting, and compliance assessment of BSFIs' cybersecurity risk management systems and processes. This is a cloud-based solution which supports BSP’s end-to-end process on cybersecurity supervision and oversight, including cyber-profiling, cyber incident reporting and cybersecurity control self-assessments, among others.

With this platform, BSFIs can directly access and transmit cybersecurity-related reports and information in real-time. The system likewise enables deeper analyses and correlation capabilities to help the BSP implement risk-based and proactive supervisory decisions and set policy direction on cybersecurity.

The expansion of ASTERisC* users will cover all Banks and Virtual Asset Service Providers (VASP). A separate notification shall be released by the BSP to cover BSFIs that are not yet included in the current phase of the implementation.

B. Procedural Overview

Participating BSFIs can access the system via a cloud-based web application by providing the necessary credentials. ASTERisC* can be accessed through: https://asterisc.bsp.gov.ph

Authorized users can then submit select regulatory reports and assessments through web-based forms and can have access to the following: (1) a dashboard which summarizes the status of submissions and summary reports; (2) global reports predefined by the BSP, which contain charts, summary reports, or raw data; and (3) email notification for report due dates, as applicable, and BSP acknowledgement receipt.

The BSP shall directly coordinate with the targeted BSFIs for the provision of login credentials, authentication setup, and schedule of training on the use of the system.

C. Minimum Technical Requirements

The minimum technical requirements for the use of ASTERisC* are as follows:

  1. Internet access;
  2. Whitelisting of the cloud-based application components of ASTERisC* in the BSFI’s network, as necessary;
  3. Latest versions of web browser such as Microsoft Edge, Firefox, and Google Chrome; and
  4. Mobile device to be used for multi-factor authentication (MFA).

D. Implementation

  1. The covered regulatory reports in ASTERisC* are as follows (Report Title: MOR Reference):
     • IT Profile Report: Section 148 of the MORB and Section 147-Q/145-S/142-P/126-N/163-T of the MORNBFI
     • Event Driven Report and Notification (EDRN): Section 148 of the MORB and Section 147-Q/145-S/142-P/126-N/163-T of the MORNBFI
     • Report on Crimes and Losses (RCL): Section 148 and 173 of the MORB and Section 147-Q/145-S/142-P/126-N/163-T and 172-Q/162-S/161-P/901-N of the MORNBFI
     • Cybersecurity Control Self-Assessment (CCSA): Compliance self-assessment against Appendix 75 and Q-62 of the MORB and MORNBFI, respectively.
  2. A single user account shall be provisioned for each BSFI participant. The assigned users are required to undergo the ASTERisC* training to be conducted by the Financial Supervision Sector (FSS) prior to user account creation.
  3. The ASTERisC* user manual, instructional videos, and the User Account Form (UAF) are accessible on the BSP website (www.bsp.gov.ph/ses/reporting_templates).
  4. The UAF, approved by the BSFI Chief Compliance Officer (CCO) or any authorized personnel, shall be submitted to the BSP for the initial account creation and subsequent changes. The BSP should be notified by the BSFI for separation, transfer, or permanent change of the assigned user and a new UAF should be submitted, as necessary.
  5. For newly enrolled BSFIs, reporting through ASTERisC* shall be effective starting 1 January 2025. Meanwhile, BSFIs may access the system in advance to prepare the IT Profile data for submission on 25 January 2025.

For information and guidance.

CHUCHI G. FONACIER
Deputy Governor

09 December 2024