2024-09-19
Bangko Sentral ng Pilipinas issued Memorandum No. M-2024-029 to reiterate guidelines requiring all BSP-supervised financial institutions to implement adequate risk management systems and controls under Section 6 of the Anti-Financial Account Scamming Act. The directive mandates specific protective measures including multi-factor authentication, real-time fraud management systems, robust infrastructure monitoring, and strict customer enrollment verification processes. Institutions deemed compliant with these standards are shielded from liability for losses under Sections 4 and 5 of the Act, though they remain liable for restitution if they fail to exercise the highest degree of diligence.
BANGKO SENTRAL NG PILIPINAS
OFFICE OF THE DEPUTY GOVERNOR
FINANCIAL SUPERVISION SECTOR

MEMORANDUM No. M-2024-029

To: ALL BSP-SUPERVISED FINANCIAL INSTITUTIONS (BSFIs)

Subject: Reiterating the Guidelines on Risk Management Systems and Controls to Protect Financial Accounts in relation to Section 6 of Republic Act No. 12010 or the Anti-Financial Account Scamming Act (AFASA)

Republic Act No. 12010, otherwise known as the "Anti-Financial Account Scamming Act (AFASA)," seeks to curb financial cybercrimes, protect financial consumers' interests, and maintain the integrity of the financial system. This law took effect on 13 August 2024. Section 6 of the AFASA reiterates, clarifies, and further reinforces the duty and responsibility of all Bangko Sentral ng Pilipinas (BSP)-Supervised Financial Institutions (BSFIs) to employ adequate risk management systems and controls to protect their clients' financial accounts. Thus:

    Sec. 6. Responsibility to Protect Access to Clients' Financial Account. - Institutions shall ensure that access to their clients' Financial Accounts is protected by adequate risk management systems and controls such as MFA, FMS and other Account Owner enrollment and verification processes: Provided, That such risk management systems and controls are proportionate and commensurate to the nature, size, and complexity of their operations.

    Institutions that are determined by the BSP to be compliant with the requirements of adequate risk management systems and controls shall not be liable for any loss or damage arising from the offenses under Sections 4 and 5 of this Act, without prejudice to other liabilities under existing laws and consistent with BSP rules and regulations.

    Institutions shall be liable for restitution of funds to the Account Owners for failure to employ adequate risk management systems and controls, or failure to exercise the highest degree of diligence in preventing loss or damage arising from the offenses under Sections 4 and 5. Conviction shall not be a prerequisite to the restitution of funds.

Relative thereto, BSFIs are enjoined to strictly observe the BSP issuances on the adoption of adequate risk management systems and controls, particularly the following:

1. Information technology (IT) and cybersecurity risk management controls laid down under Section 148 of the Manual of Regulations for Banks (MORB), Sections 147-Q/145-S/142-P/126-N/163-T of the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI), and their related appendices;
2. Amendments to the regulations on IT risk management under BSP Circular No. 1140, Series of 2022; and
3. Anti-Money Laundering (AML)/Countering Terrorist and Proliferation Financing (CTPF) controls under Sections 911 and 921 of the MORB, Sections 911-Q, 921-Q/601-S/601-N/501-P/101-T of the MORNBFI, and their subsequent amendments.

To reiterate, under the IT Risk Management Standards and Guidelines,[1] BSFIs are required to provide various controls specific to e-services, including application security, non-repudiation of transactions, authorization controls and access privileges. In addition, BSFIs should ensure adoption of the following key controls to protect financial accounts:

1. Fraud Management Systems (FMS). BSFIs are required to implement automated and real-time fraud monitoring and detection systems to identify and block suspicious or fraudulent online transactions. The expected sophistication and capabilities of BSFIs' FMS should be commensurate to the risks associated with their digital financial and payment platforms. As fraud and cyber threats evolve, the BSFIs' FMS must be constantly calibrated to be able to process surges in transactions, collectively analyze customer profiles/behavior, and detect new fraud patterns.[2]

   BSFIs may employ a combination of rules-based, machine-learning, and other technologies to ensure robustness of their FMS. Below are some examples of fraud rules and mechanisms which may be adopted or integrated by BSFIs in the implementation of their FMS:

   a. Geolocation blocking - the FMS may stop transactions outside the usual location or country or trigger enhanced due diligence procedures.
   b. Transaction velocity checks/thresholds - the FMS should detect and/or block transactions with unusual velocity, such as multiple transactions which might be performed by automated bots or malware. Moreover, transaction limits may be assigned to financial accounts, such as number of transfers per day, maximum transfers per account, etc.
   c. Changes in mobile device and account information controls - the FMS should be able to detect and monitor changes in mobile device and account information. For example, surges in new mobile device registrations of customers within a short timeframe might signal automated account takeover attacks. BSFIs may likewise automatically block transactions after a change of device or account information within a certain timeframe (e.g., a 24-hour cooling-off period).
   d. Blocking of transactions from blacklisted merchants/sites - the FMS may include rules to block transactions from known malicious sites and insecure merchants.

2. Infrastructure and security monitoring. The BSFI should establish an appropriate operating environment that supports and protects systems on e-services. It should proactively monitor systems and infrastructure on an ongoing basis to detect and record any security breaches, suspected intrusions, or weaknesses. The BSFI should ensure that adequate controls are in place to detect and protect against unauthorized access to all critical e-services systems, servers, databases, and applications.[3]

   The BSFI should put in place effective monitoring mechanisms to detect in a timely manner suspicious online transactions and unusual activities. A sound monitoring system should include audit features that can assist in the detection of fraud, money laundering, compromised passwords, or other unauthorized activities. In particular, the monitoring mechanism for personal e-services should be able to detect cases similar to the following:[4]

   a. False or erroneous application information, large check deposits on new e-services accounts, unusual volume or size of funds transfers, multiple new accounts with similar account information or originating from the same internet address, and unusual account activity initiated from a foreign internet address;
   b. Multiple online transfers are made to the same unregistered third-party account within a short period of time, especially if the amount transferred is close to the maximum amount allowed or the value exceeds a certain amount; and
   c. Change of a customer's correspondence address shortly followed by transactions which may indicate potential fraudulent activities, such as opening of an e-service account online, a request for important documents (e.g., cheque book, new e-banking password, credit card/ATM PIN) to be mailed to that address, increase of fund transfer limits, or a sudden increase of fund transfers made to unregistered third parties.[5]

3. Multi-Factor Authentication (MFA).[6] The BSFI should use reliable and appropriate authentication methods to validate and verify the identity and authorization of customers. The use of single-factor authentication alone is considered inadequate to address the risks inherent in sensitive communications and/or high-risk transactions. Thus, BSFIs should adopt MFA or use a minimum of two (2) factors in such instances. This requirement shall apply to online transactions where the risk of compromise is heightened. As authentication methods continue to evolve, the BSFI should monitor, evaluate, and adopt sound industry practices to address current and changing risk factors.[7]

4. Account owner enrollment and verification processes and ongoing monitoring of customer accounts and transactions. BSFIs should adopt sound user enrollment and verification processes in onboarding customers to their digital financial channels and applications.[8] Reliable methods must be used for originating new accounts,[9] identifying the customer,[10] and verifying the true identity of the customer based on official identification documents (IDs) presented against established data sources, including the use of facial recognition technologies.[11] For instance, BSFIs may adopt sound device enrollment procedures such as enrollment of a unique device ID (UDID) bound to the registered user/customer and mobile security controls which prevent the use of rooted/jailbroken mobile devices and emulators. These procedures should be complemented by appropriate AML/CTPF customer due diligence policies and controls, particularly in onboarding and updating customer information. In addition, BSFIs must adopt an AML/CTPF monitoring system proportionate to their respective risk profile and business complexity, and strengthen risk- and materiality-based ongoing monitoring of customers' accounts and transactions, including periodic sanctions screening.[12] Lastly, BSFIs should cooperate with the BSP and law enforcement agencies for the prosecution of cybercriminals (including money mules) to the extent permitted by relevant laws and regulations.[13]

5. Audit trail. The BSFI should ensure that comprehensive logs are maintained to record all critical e-services transactions to help establish a clear audit trail and promote employee and user accountability.[14] The various layers of the transaction execution that must have an audit trail may include the application, server, and network layer, among others. The comprehensive logs also facilitate the conduct of detailed investigation and attribution of unauthorized transactions and/or access to accounts.

6. Cybersecurity tests and evaluations. BSFIs offering digital/electronic financial services are required to undergo an annual Vulnerability Assessment and Penetration Testing (VAPT) performed by an independent external party.[15] BSFIs should also employ effective testing methodologies and practices to validate the effectiveness of their information security and cybersecurity program.[16]

It should be emphasized that under Section 6 of the AFASA, BSFIs which are determined by the BSP to be compliant with the requirements of adequate risk management systems and controls shall not be liable for any loss or damage arising from the offenses under Sections 4 and 5 of the AFASA. However, BSFIs shall be liable for the restitution of funds to Account Owners for the failure to employ adequate risk management systems and controls or the failure to exercise the highest degree of diligence in preventing loss or damage arising from the said offenses.

Subject to the promulgation of the implementing rules and regulations of the AFASA, all BSFIs are expected to ensure compliance with the guidelines on risk management systems and controls to protect financial accounts under existing BSP regulations.

For guidance and implementation.

19 September 2024

CHUCHI G. FONACIER
Deputy Governor
(Digitally signed by Chuchi G. Fonacier, Date: 2024.09.19 13:59:40 +08'00')

Footnotes:
[1] Appendix 79 to Section 148 of the MORB and Appendix Q-66 to Sections 147-Q, 145-S, 142-P, 126-N, and 163-T of the MORNBFI on Electronic Banking, Electronic Payment, Electronic Money and Other Electronic Products and Services.
[2] BSP Circular No. 1140, Series of 2022.
[3] Section 4.17 of Appendix 79 to Section 148 of the MORB and Section 4.17 of Appendix Q-66 to Sections 147-Q, 145-S, 142-P, 126-N, and 163-T of the MORNBFI.
[4] Id.
[5] Id.
[6] Section 4.12 of Appendix 79 to Section 148 of the MORB and Section 4.12 of Appendix Q-66 to Sections 147-Q, 145-S, 142-P, 126-N, and 163-T of the MORNBFI.
[7] See Section 4.11 in relation to Section 4.12 of Appendix 79 to Section 148 of the MORB and Section 4.11 in relation to Section 4.12 of Appendix Q-66 to Sections 147-Q, 145-S, 142-P, 126-N, and 163-T of the MORNBFI.
[8] Id.
[9] See "Customer identification," Section 921 of the MORB and Sections 921-Q, 601-S, 601-N, and 501-P of the MORNBFI.
[10] Id.
[11] See "Face-to-Face contact," Section 921 of the MORB and Sections 921-Q, 601-S, 601-N, and 501-P of the MORNBFI.
[12] See "On-going monitoring of customers, accounts, and transactions," Section 921 of the MORB and Sections 921-Q, 601-S, 601-N, 501-P, and 101-T of the MORNBFI in relation to Section 911 of the MORB and Section 911-Q of the MORNBFI.
[13] See Section 4.2 of Appendix 75 to Section 148 of the MORB and Sections 147-Q, 145-S, 142-P, and 126-N of the MORNBFI.
[14] Section 4.18 of Appendix 79 to Section 148 of the MORB and Appendix Q-66 to Sections 147-Q, 145-S, 142-P, 126-N, and 163-T of the MORNBFI.
[15] Section 3.7.2(d) of Appendix 75 to Section 148 of the MORB. See Section 4.1 of Appendix Q-62 to Sections 147-Q, 145-S, 142-P, 126-N, and 163-T of the MORNBFI.
[16] See Section 5.7.2 of Appendix 75 to Section 148 of the MORB. See Section 4.1 of Appendix Q-62 to Sections 147-Q, 145-S, 142-P, 126-N, and 163-T of the MORNBFI.
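Added illustration (example code written for this page; it is not part of the memorandum and not BSP's or any BSFI's code): a minimal rules-based FMS that scores each transaction against the example rules under key control 1 (geolocation, velocity and per-day thresholds, device-change cooling-off, blacklisted merchants) and pattern (b) under key control 2 (repeated transfers to the same unregistered third party, or a transfer close to the maximum allowed). Every threshold, the account profile, the blacklist entry and the transactions are constructed assumptions; the split between BLOCK (stop the transaction) and REVIEW (trigger enhanced due diligence) mirrors the two responses the memorandum describes for geolocation rules.

```python
# Added example, not BSP code. Rule thresholds, account data and transactions are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    amount: float
    country: str            # country resolved from client IP / device geolocation
    device_id: str          # unique device ID (UDID) presented by the mobile app
    beneficiary: str
    registered_payee: bool  # beneficiary previously enrolled by the account owner
    merchant: Optional[str] = None


@dataclass
class Profile:
    home_country: str
    daily_limit: float
    per_txn_max: float
    device_enrolled_at: dict  # device_id -> enrollment time (UDID bound to the customer)


# Findings that stop the transaction outright; anything else is escalated for enhanced due diligence.
BLOCKING = {"VELOCITY", "DAILY_LIMIT", "UNKNOWN_DEVICE",
            "NEW_DEVICE_COOLING_OFF", "BLACKLISTED_MERCHANT"}


class FraudRules:
    def __init__(self, profiles, blacklist, cooling_off=timedelta(hours=24),
                 velocity_window=timedelta(minutes=5), velocity_max=5,
                 payee_window=timedelta(hours=1), payee_max=3, near_limit=0.9):
        self.profiles, self.blacklist = profiles, blacklist
        self.cooling_off = cooling_off                      # rule 1(c): 24-hour cooling-off
        self.velocity_window, self.velocity_max = velocity_window, velocity_max
        self.payee_window, self.payee_max = payee_window, payee_max
        self.near_limit = near_limit
        self.history = defaultdict(list)  # every attempt is kept, blocked or not: bots retry

    def evaluate(self, t):
        """Return (decision, reasons) for one transaction and record the attempt."""
        p, hist, reasons = self.profiles[t.account], self.history[t.account], []
        # 1(a) geolocation: outside the usual country -> enhanced due diligence
        if t.country != p.home_country:
            reasons.append("GEO_MISMATCH")
        # 1(b) velocity within a sliding window, and a per-day amount ceiling
        if sum(1 for h in hist if t.ts - h.ts <= self.velocity_window) + 1 > self.velocity_max:
            reasons.append("VELOCITY")
        if sum(h.amount for h in hist if h.ts.date() == t.ts.date()) + t.amount > p.daily_limit:
            reasons.append("DAILY_LIMIT")
        # 1(c) device binding: unknown device, or a device enrolled inside the cooling-off period
        enrolled = p.device_enrolled_at.get(t.device_id)
        if enrolled is None:
            reasons.append("UNKNOWN_DEVICE")
        elif t.ts - enrolled < self.cooling_off:
            reasons.append("NEW_DEVICE_COOLING_OFF")
        # 1(d) known malicious sites / insecure merchants
        if t.merchant in self.blacklist:
            reasons.append("BLACKLISTED_MERCHANT")
        # 2(b) repeated transfers to the same unregistered third party in a short period,
        #      or a single transfer close to the per-transaction maximum
        if not t.registered_payee:
            same = sum(1 for h in hist
                       if h.beneficiary == t.beneficiary and t.ts - h.ts <= self.payee_window)
            if same + 1 >= self.payee_max or t.amount >= self.near_limit * p.per_txn_max:
                reasons.append("UNREGISTERED_PAYEE_PATTERN")
        hist.append(t)
        decision = "BLOCK" if BLOCKING & set(reasons) else ("REVIEW" if reasons else "ALLOW")
        return decision, reasons


def run_sample():
    """Constructed scenario for one account; returns {label: (decision, reasons)}."""
    day = datetime(2024, 9, 19)
    at = lambda h, m=0, s=0: day + timedelta(hours=h, minutes=m, seconds=s)
    profiles = {"ACC-1": Profile("PH", daily_limit=50_000, per_txn_max=20_000,
                                 device_enrolled_at={"dev-old": datetime(2024, 9, 1),
                                                     "dev-new": at(8)})}
    fms = FraudRules(profiles, blacklist={"shady-shop.example"})
    out = {
        "normal": fms.evaluate(Txn(at(9), "ACC-1", 5_000, "PH", "dev-old", "PAYEE-REG", True)),
        "near_limit_unregistered": fms.evaluate(Txn(at(9, 5), "ACC-1", 19_500, "PH", "dev-old", "X-9", False)),
        "new_device": fms.evaluate(Txn(at(9, 40), "ACC-1", 1_000, "PH", "dev-new", "PAYEE-REG", True)),
        "foreign_blacklisted": fms.evaluate(Txn(at(9, 41), "ACC-1", 200, "SG", "dev-old", "MERCH", False,
                                                merchant="shady-shop.example")),
    }
    # bot burst: six small transfers in 50 seconds; the sixth exceeds the velocity ceiling
    burst = [fms.evaluate(Txn(at(10, 0, 10 * i), "ACC-1", 100, "PH", "dev-old", "PAYEE-REG", True))
             for i in range(6)]
    out["burst_fifth"], out["burst_sixth"] = burst[4], burst[5]
    return out


if __name__ == "__main__":
    for label, (decision, reasons) in run_sample().items():
        print(f"{label:26s} {decision:7s} {reasons}")
```

Two design points carry over to a production FMS regardless of the rule set: blocked attempts are still appended to the account's history, so that a bot retrying after a refusal keeps raising the velocity count, and every evaluation returns the list of triggered rules rather than a bare verdict, which is what the comprehensive logging under key control 5 needs in order to attribute and investigate a refused transaction later.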