2025-05-30
The Bangko Sentral ng Pilipinas issued Circular No. 1213 to amend the Manual of Regulations for Banks, Non-Bank Financial Institutions, and Payment Systems, implementing Section 6 of the Anti-Financial Account Scamming Act. The regulation mandates the adoption of robust Fraud Management Systems, including real-time monitoring, transaction velocity checks, and geolocation tracking, while requiring strong authentication mechanisms such as biometrics and adaptive authentication for high-risk transactions. Additionally, financial institutions must provide customers with self-service security tools such as kill switches and money locks, enforce strict device and script restrictions, and maintain comprehensive transaction logs for at least five years to facilitate fraud investigation and liability determination.
BANGKO SENTRAL NG PILIPINAS
OFFICE OF THE GOVERNOR

CIRCULAR No. 1213
Series of 2025

Subject: Amendments to Regulations on Information Technology Risk Management to Implement Section 6 of the Anti-Financial Account Scamming Act (AFASA)

The Monetary Board, in its Resolution No. 521 dated 22 May 2025, approved the amendments to Section 148 and Appendix 126 of the Manual of Regulations for Banks (MORB), Sections 147-Q/145-S/142-P/126-N and Appendices Q-79/S-11/P-9/N-15 of the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI), and Section 201, Glossary of Terms, and Appendix 201-1 of the Manual of Regulations for Payment Systems (MORPS), to implement the information technology risk management-related portion of Section 6 of Republic Act (R.A.) No. 12010 or the "Anti-Financial Account Scamming Act" (AFASA). These amendments are designed to fortify the existing regulatory framework and ensure more effective compliance with the provisions of the AFASA.

Section 1. Section 148 of the MORB and Sections 147-Q/145-S/142-P/126-N of the MORNBFI (IT Risk Management System) on IT controls implementation for electronic products and services shall be amended, as follows:

148/147-Q/145-S/142-P/126-N INFORMATION TECHNOLOGY RISK MANAGEMENT

xxx

Definition of Terms. xxx

a. Advanced persistent threat or APT xxx
b. Blacklist Screening shall refer to a process of screening names, transactions, and account activities against a database of entities or attributes (e.g., merchants, mobile devices, and IP addresses) flagged as unsecure, fraudulent, or involved in illegal activities.
c. Bot Detection shall refer to tools that prevent scripted attacks by identifying when a request or instruction likely originates from an automated program or bot through the analysis of user behavior and network data.
d. Browser Automation shall refer to a process of automatically performing operations on a web browser to allow users to automate repetitive or complex tasks such as filling out forms, clicking buttons, navigating web pages, or scraping data.
e. Card skimming xxx
f. Cloud computing xxx
g. Compromised state xxx
h. Cyber threat xxx
i. Cybersecurity xxx
j. Data Breach xxx
k. Defense-in-depth xxx
l. Device Fingerprinting shall refer to a technique used to identify and track a specific device based on its unique combination of hardware, software, and configuration attributes, among others.
m. Distributed denial of service (DDoS) xxx
n. Emulators shall refer to software or hardware that allows a computer to perform the functions or execute programs defined for a different type of computer or device.
o. Fraud Management Systems (FMS) shall refer to a comprehensive set of automated and real-time monitoring and detection systems to identify and block disputed, suspicious, or other similar online transactions.
p. Geolocation Monitoring shall refer to the process of tracking the geographic or physical location of an electronic device used by a customer.
q. Hacking xxx
r. Information security program (ISP) xxx
s. Information security strategic plan (ISSP) xxx
t. Information security risk management (ISRM) xxx
u. Jailbroken or Rooted Device shall refer to a mobile device that has been modified to bypass the built-in restrictions and control or security mechanisms of the operating system, granting the user privileged access to the device's software and functionality.
v. Kill switch shall refer to a facility that allows customers to immediately suspend their account and block outgoing financial transactions and prevent changes to account information.
w. Malware xxx
x. Money Lock shall refer to a security mechanism that allows customers to secure a portion of their funds, rendering it inaccessible for online or digital transactions.
y. Pharming xxx
z. Phishing xxx
aa. Rate Limiting shall refer to a security measure that restricts the frequency of requests or actions a user or system can perform within a specific timeframe to prevent brute-force attacks and ensure fair use of resources.
bb. Reportable major cyber-related incidents xxx
cc. Screen Scraping shall refer to a technique of extracting data from a website, application, or visual output by capturing and reading the information displayed on the screen.
dd. Scripts shall refer to a sequence of instructions, ranging from a simple operating system command to complex programming statements, which can be executed automatically by an interpreter.
ee. Security operations center (SOC) xxx
ff. Session Management shall refer to mechanisms for securely handling the creation, maintenance, and termination of user sessions in an information system. This includes processes for authenticating users, assigning session identifiers, monitoring session activity, and ensuring proper session termination to prevent unauthorized access.
gg. Spearphishing xxx
hh. Threat actor xxx
ii. Threat intelligence xxx
jj. Transaction Velocity Checks shall refer to a risk-based mechanism that monitors and analyzes the frequency, volume, and pattern of transaction data within predefined intervals to detect anomalies or similarities associated with fraudulent behavior.
kk. Unsecure Merchants shall refer to merchants that either do not implement secure industry-standard transaction authentication protocols or have a history of involvement in verified fraudulent financial transactions. This shall also include merchants that have demonstrated inadequate information security practices or have compromised or known vulnerabilities in their systems.

xxx

b. IT Risk Management System (ITRMS) xxx

c. IT controls implementation. xxx

(5) Electronic products and services. xxx

BSFIs should protect customers from fraudulent schemes done electronically. Failing to do so may erode consumer confidence in electronic channels as safe, secure, and reliable methods for financial transactions. To mitigate the impact of cyber fraud, BSFIs should adopt an aggressive security posture, including the following measures:

(a) xxx;
(b) xxx;
(c) xxx;
(d) Implement automated and real-time fraud monitoring and detection systems to identify and block disputed, suspicious, or fraudulent online transactions.

xxx

BSFIs shall regularly assess the risks associated with their products and services to determine the appropriate measures for fraud prevention. BSFIs engaged in complex electronic products and services and handling high aggregate values of online transactions must adopt a robust Fraud Management System (FMS) capable of rapidly detecting, preventing, and blocking disputed, suspicious, or other fraudulent transactions, including new and evolving fraud schemes. For purposes of the succeeding provisions, complex electronic products and services shall refer to advanced electronic payment and financial services (EPFS) as defined under Sections 701/701-Q/401-S/414-P/401-N/404-T, and high aggregate values of online transactions shall refer to an average monthly network value of transactions of at least Seventy-Five Million Pesos (Php 75,000,000.00) for the last six (6) months. To ensure robustness of their FMS, covered BSFIs shall implement all of the following essential fraud rules and mechanisms:
(i) Transaction velocity checks or thresholds. Monitoring the frequency of incoming and outgoing transactions within a specific time frame to detect unusually rapid activity, which may indicate fraudulent behavior. The FMS should be able to detect and/or block transactions with unusual velocity, such as multiple, similar, simultaneous, or consecutive transactions, including those that might be facilitated through automated bots, malware, zero-day exploits, and other similar means or attack vectors. Additionally, risk-based thresholds or limits for the amount or volume of transactions, based on the risk profile of the consumer, may be imposed to detect and/or block usage outside the customer's normal spending patterns;
(ii) Mobile device and account information changes. Monitoring changes on the mobile device and account identifying information such as mobile number and email address, among others, which may indicate account takeover attacks. The FMS should be capable of analyzing subsequent transactions for fraud patterns and temporarily blocking transactions for a certain timeframe once suspicious activities are noted after the change;
(iii) Geolocation monitoring. Tracking the geographic location of transaction initiators to identify activities from unexpected locations. The FMS should be capable of stopping transactions outside the usual location or country, or triggering enhanced due diligence procedures, as necessary;
(iv) Blacklist screening. Analyzing transactions against databases of unsecure merchants, as well as account activities associated with mobile devices and IP addresses involved in fraudulent transactions. The FMS should include rules to block such transactions to prevent fraud exposure of customers; and
(v) Behavioral Anomalies. Detecting deviations from a user's typical behavior, such as spending patterns or login habits, which could indicate unauthorized access. This also includes deviations in collective transactional behavior such as the execution of multiple fund transfers with few or the same recipients, or patterns of numerous transactions indicating concentration to very few recipients with no business purpose.

To strengthen fraud detection and prevention, BSFIs shall leverage a combination of rule-based approaches, machine learning algorithms, and other technologies to adapt to evolving fraud tactics. Likewise, constant calibration of the FMS shall be enforced through continuous data analysis, risk assessments, adaptive rule adjustments, machine learning refinements, regular stress testing, independent review and audits, and proactive monitoring of fraud patterns, among others.

Detection through FMS is one of the grounds for BSFIs to temporarily hold funds subject of a disputed transaction and initiate a coordinated verification process. Moreover, BSFIs shall perform actions necessary to preserve the integrity of financial accounts involved in the disputed transaction. Hence, BSFIs shall establish and enforce clear and comprehensive policies, standards, and procedures on their FMS implementation to cover the following:

(i) Thresholds, parameters, and workflow in the FMS that would trigger the temporary holding of funds;
(ii) Actions to be taken when funds are temporarily held, including additional verification and/or authorization protocols, confirmation procedures, and other investigation procedures to assess the veracity of the FMS trigger; and
(iii) Temporary holding of funds subject of a disputed transaction and coordinated verification as required under Sections 7 and 8 of the AFASA, the Industry Protocol, and Bangko Sentral issuances implementing the same.

FMS requirement for Clearing Switch Operators (CSOs). CSOs of Automated Clearing Houses (ACHs) shall implement an FMS for monitoring and flagging suspicious and fraudulent transactions. Specifically, the CSOs shall have the necessary technical and operational capabilities to implement an FMS for retail ACH operations to strengthen fraud detection mechanisms within the payments industry.

Financial accounts must be protected with security measures to mitigate risks such as cyberattacks, unauthorized access, and fraudulent transactions. These safeguards for financial accounts must include all of, but are not limited to, the following:

(i) Implementation of a 24-hour Transaction Pause Period (TPP) after applying key account changes, wherein customers will be restricted from performing financial transactions. Key account changes refer to modification of information deemed essential by BSFIs to secure access to a customer's accounts. This includes, but is not limited to, updates to mobile number, email address, and registered/authenticated device used to access the account. BSFIs may opt to shorten the TPP or implement transaction restrictions/limits during the TPP, provided that strong authentication mechanisms are in place and the BSFI shall be fully accountable for the associated risks;
(ii) Restriction on installing mobile applications on unsecured devices, such as, but not limited to, those with outdated systems, rooted or jailbroken devices, or emulators;
(iii) Prohibition of the use of unauthorized scripts or automation tools (e.g., screen scraping, browser automation) to access financial accounts and execute transactions, through implementation of the following: behavioral analysis, rate limiting, session management, and bot detection, among others;
(iv) Proper authentication and integrity checks to ensure that transactions initiated from front-end applications accessible to customers are not altered prior to, or during, transmission or execution in backend systems;
(v) Adoption of strong device fingerprinting, a technique that collects data about the device being used, along with the implementation of effective mechanisms to prevent spoofing of device identity; and
(vi) Limitation on the use of interceptable authentication mechanisms (e.g., One-Time Pins [OTPs] via SMS and email). With the increasing prevalence of social engineering attacks aimed at obtaining login credentials, BSFIs should limit the use of authentication mechanisms that can be shared to, or intercepted by, third parties unrelated to the transaction. The guidelines on the adoption of multi-factor authentication (MFA) are outlined in Appendix 79/Q-66.

Moreover, BSFIs engaged in complex electronic products and services and handling high aggregate values of online transactions must adopt strong authentication mechanisms to ensure the integrity of customer-initiated transactions. These include any of the following:

(i) Biometric authentication provides customer convenience and enhanced security as biometrics can be difficult to replicate or steal. Examples include fingerprint scanning, facial recognition, and voice recognition, among others;
(ii) Behavioral biometrics can track behavioral patterns, such as typing speed, mouse, or device movements. This can be implemented as part of continuous authentication and linked to anomaly/fraud detection;
(iii) Passwordless authentication eliminates traditional passwords but uses factors like biometrics, hardware tokens, and cryptographic keys. An example is the use of Fast Identity Online (FIDO), a technical specification for online user identity authentication, allowing biological features or a FIDO security key to log in to online accounts; or
(iv) Adaptive authentication dynamically adjusts the authentication process based on the user's context, to cover factors such as location, device, and behavior. Upon detection of unusual activity, it can prompt additional verification steps or other actions, depending on risk appetite.

Descriptive customer notification for account activities and financial transactions should enable customers to verify the legitimacy of activities on their accounts. Real-time notification should be sent through secure channels such as mobile apps, messaging apps, email, or SMS. BSFIs should ensure that customer notifications contain clear and complete information, including the recipient identity (e.g., payee or merchant name or account number), transaction amount and currency, date and time, transaction type, reference number, and device or browser information, as applicable. Further, OTP messages should be personalized with sufficient transaction details. While sensitive information may be redacted, the notification must still allow the customers to accurately identify the transaction. At a minimum, notifications should be sent for withdrawal transactions, fund transfers exceeding a predefined threshold, merchant and bills payments, device registration, new login information or authentication methods, auto-debit arrangements, third-party enrollments and fund transfer recipients, and profile updates.
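As an added illustration that is not part of the circular, the following Python sketch applies the five essential FMS rules above ((i) transaction velocity, (ii) key account changes with the 24-hour TPP, (iii) geolocation, (iv) blacklist screening, (v) recipient concentration as a behavioral anomaly) to a constructed transaction stream for one customer. The look-back window, counts, thresholds and blacklist entries are assumptions; the circular leaves those parameters to each BSFI's own risk assessment.

```python
# Added example (not the circular's or any BSFI's code): a minimal rule-based FMS.
# Window sizes, counts and blacklist contents below are assumptions.
from collections import Counter, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Tuple

VELOCITY_WINDOW = timedelta(minutes=5)   # assumed look-back window for rule (i)
VELOCITY_MAX = 5                         # assumed max transactions per window
TPP = timedelta(hours=24)                # 24-hour Transaction Pause Period after a key account change
CONCENTRATION_MIN = 10                   # assumed: flag when >= 10 transfers go to <= 2 recipients
CONCENTRATION_MAX_RECIPIENTS = 2

# Constructed blacklist of unsecure merchants, devices and IPs for rule (iv); not real indicators.
BLACKLIST = {
    "merchant": {"MERCHANT-UNSECURE-01"},
    "device": {"dev-blacklisted-9f"},
    "ip": {"203.0.113.7"},
}


@dataclass
class Txn:
    ts: datetime
    recipient: str
    amount: float
    country: str
    device_id: str
    ip: str
    merchant: str = ""


@dataclass
class Profile:
    home_country: str
    last_key_change: Optional[datetime] = None   # mobile number / email / device update
    history: Deque[Txn] = field(default_factory=lambda: deque(maxlen=500))

    def key_account_changed(self, when: datetime) -> None:
        """Record a key account change; this starts the TPP clock."""
        self.last_key_change = when


def evaluate(txn: Txn, profile: Profile, blacklist=BLACKLIST) -> List[str]:
    """Return the names of the FMS rules the transaction trips (empty list = clean)."""
    reasons = []
    # (i) Velocity: this transaction plus prior ones inside the window.
    recent = [t for t in profile.history if txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX:
        reasons.append("velocity")
    # (ii) Key account change: block transactions for the 24-hour TPP after the change.
    if profile.last_key_change and timedelta(0) <= txn.ts - profile.last_key_change < TPP:
        reasons.append("tpp")
    # (iii) Geolocation: initiated outside the customer's usual country.
    if txn.country != profile.home_country:
        reasons.append("geolocation")
    # (iv) Blacklist screening: merchant, device or IP already tied to fraud.
    if (txn.merchant in blacklist["merchant"] or txn.device_id in blacklist["device"]
            or txn.ip in blacklist["ip"]):
        reasons.append("blacklist")
    # (v) Behavioral anomaly: many transfers concentrated on very few recipients.
    counts = Counter(t.recipient for t in profile.history)
    counts[txn.recipient] += 1
    if sum(counts.values()) >= CONCENTRATION_MIN and len(counts) <= CONCENTRATION_MAX_RECIPIENTS:
        reasons.append("concentration")
    return reasons


def process(txn: Txn, profile: Profile) -> Tuple[str, List[str]]:
    """A tripped rule puts the funds on hold pending coordinated verification."""
    reasons = evaluate(txn, profile)
    profile.history.append(txn)   # record every attempt, held or not, for later pattern analysis
    return ("hold" if reasons else "allow"), reasons


def run_demo() -> List[Tuple[str, List[str]]]:
    """Constructed stream for one customer; returns the decision for each transaction in order."""
    prof = Profile(home_country="PH")
    t0 = datetime(2025, 6, 1, 9, 0)
    ok = dict(country="PH", device_id="dev-enrolled-01", ip="198.51.100.5")
    stream = [Txn(t0 + timedelta(seconds=30 * i), "payee-a", 1000.0, **ok) for i in range(6)]
    stream.append(Txn(t0 + timedelta(minutes=15), "payee-b", 2500.0, "SG", "dev-enrolled-01", "198.51.100.5"))
    results = [process(t, prof) for t in stream]
    prof.key_account_changed(t0 + timedelta(minutes=20))   # e.g. registered mobile number updated
    results.append(process(Txn(t0 + timedelta(minutes=30), "payee-a", 500.0, **ok), prof))
    day2 = t0 + timedelta(days=1, hours=1)                  # TPP has expired by now
    results.append(process(Txn(day2, "payee-a", 500.0, "PH", "dev-blacklisted-9f", "198.51.100.5"), prof))
    results.append(process(Txn(day2 + timedelta(minutes=1), "payee-a", 500.0, **ok), prof))
    return results


if __name__ == "__main__":
    for i, (decision, why) in enumerate(run_demo(), 1):
        print(i, decision, why)
```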
Mechanisms should be established to enable account holders to verify the identity of the recipient of fund transfers, ensuring that transactions are directed to the intended payee. In addition, BSFIs should ensure that off-us transactions adhere to an industry-wide, standardized approach that facilitates a secure and reliable method to exchange information necessary for payee verification. In implementing these controls, the BSFIs should ensure adequate safeguards against possible abuses and maintain continued compliance with relevant rules and regulations under the NRPS framework, as well as those governing secrecy of bank deposits and data privacy.

Customers should be empowered with tools, knowledge, and support to actively protect their financial accounts. Therefore, digital platforms facilitating retail interbank fund transfers and other high-risk transactions must offer all of the following features and functionalities:

(i) A self-service facility that enables account holders to suspend their account and block outgoing financial transactions, and prevent unauthorized changes to account information when fraud, compromise, or suspicious activities are detected ("kill switch"). The kill switch instructions must be properly authenticated and verified;
(ii) A mechanism to revoke account access or permissions for trusted devices, online merchants, third-party applications, or electronic products and services. As the financial ecosystem becomes more interconnected, customers can access their accounts through various channels and link them to merchants or third-party applications, enhancing convenience but also increasing security risks. To address these risks, BSFIs should enable customers to manage permissions, allowing them to view, manage, and revoke external access to their financial accounts, thereby strengthening security and reducing potential threats;
(iii) A "money lock" feature that allows account holders to secure a portion of their funds, rendering it inaccessible for online or digital transactions. The locked funds cannot be moved or transferred digitally without first unlocking them, either through in-person verification at BSFI branches or strong authentication mechanisms through digital channels. This feature is designed to limit the customer's exposure to fraud or unauthorized transactions by safeguarding the locked portion of the account balance; and
(iv) Customizable transaction limits that enable account holders to mitigate fraud risks by setting restrictions on the number, value, or type of transactions that may be executed, provided that these remain within the limits predefined by BSFIs. These limits may include daily transaction caps, maximum transfer amounts, withdrawal limits, online payment restrictions, and cross-border transaction thresholds, among others. To ensure the feature's effectiveness, any changes to transaction limits should require strong authentication and prompt customer notifications.

BSFIs must establish sound controls and processes to prevent unauthorized (1) digital account onboarding; and (2) linking of a financial account to an online account.
BSFIs must collect relevant transaction logs, protect them against unauthorized manipulation, and retain them with adequate back-up for a period of at least five (5) years, unless otherwise required by law or other regulations, or direction from the Bangko Sentral to retain them for a longer period. This ensures a detailed record of account activities that facilitates thorough investigation, coordinated verification, and analysis of fraudulent patterns. Minimum information that must be captured in the transaction logs includes the following:

(i) Name and account number of sender/s;
(ii) Date and time of transaction/s;
(iii) Transaction amount and currency;
(iv) Name of receiving financial institution/s;
(v) Name and account number of recipient/s;
(vi) Unique transaction reference (e.g., Originating Financial Institution [OFI], CSO, Receiving Financial Institution [RFI] transaction reference);
(vii) Mode of payment instruction (e.g., PESONet, InstaPay, check, ATM transfer);
(viii) Mode of transaction authentication (e.g., device-based authentication, biometric, and password or PIN, etc.);
(ix) Non-financial information (e.g., change of password and challenge question);
(x) Transaction channel (e.g., mobile, web, integration with partner, etc.); and
(xi) Network, hardware, and software information (e.g., device fingerprint, device details, IP address, and/or browser information).

BSFIs must not send clickable links or quick-response (QR) codes via email, instant messaging apps, or SMS, unless the sending of the link or QR code is prompted by a prior customer action, only provides information, or does not redirect to a website or web application that requires the user to input sensitive information or login credentials.

In addition, a shared accountability framework shall be adopted to strengthen strategies for safeguarding financial accounts. This framework underscores collective responsibility and collaboration among all parties involved in financial transactions (financial institutions, account holders, and third-party entities), thereby playing a critical role in mitigating risks of unauthorized transactions and determining liability for the losses.

(a) BSFIs shall comply with all applicable laws and regulations and ensure that adequate risk management systems and controls are in place, proportionate to the complexity of the electronic products and services offered;

(b) BSFIs should clearly and consistently inform their customers of their responsibilities in maintaining cyber hygiene practices, which include:

(i) Safeguarding digital financial accounts by utilizing and activating the security features provided by BSFIs;
(ii) Reading and understanding the terms and conditions for using the digital platform and actively engaging in the educational and awareness campaigns to help customers familiarize themselves with the platform's security features, understand the risks and common fraud schemes targeting financial consumers, and learn the strategies to mitigate such risks;
(iii) Avoiding disclosure of sensitive account information such as usernames, passwords, PIN codes, OTPs, authenticator codes, or any other login credentials;
(iv) Warning against money mule offenses, including lending, or allowing others to use, their financial accounts;
(v) Verifying website addresses, contact information, and mobile applications through official sources; and
(vi) Reporting suspicious, unauthorized, or fraudulent transactions promptly to the respective BSFIs and fully cooperating with the BSFIs' investigation and resolution process.

Further details about the consumer awareness program can be found in Section 4.33 and Annex C of Appendix 79/Q-66; and

(c) BSFIs should enforce and regularly evaluate that third-party entities/service providers involved in financial transactions strictly adhere to contractual obligations on availability, information security, and cybersecurity, among others. Such third-party entities/service providers are required to promptly respond and fully cooperate with the BSFIs in cases of fraud and cyber-related incidents. Furthermore, BSFIs should ensure that outsourcing arrangements, including the contract provisions, are compliant with applicable Bangko Sentral rules and regulations on outsourcing and vendor management.

Failure to perform the above duties and responsibilities may subject the BSFIs or third-party entities/service providers to liability for losses arising from fraudulent transactions.

Detailed guidelines/standards on Electronic Products and Services are shown in Appendix 79/Q-66.

d. Risk measurement and monitoring. xxx

Section 2. Appendix 126 of the MORB and Appendices Q-79/S-11/P-9/N-15 of the MORNBFI on the National Retail Payment System Framework (NRPS) shall be amended, as follows:

xxx

D. Clearing Switch Operator (CSO)

xxx

1. Key Principles

a. xxx.
b. xxx.
c. xxx.
d. xxx.
e. xxx.
f. xxx.
g. CSOs of ACHs shall implement a fraud management system (FMS) for monitoring and flagging suspicious and fraudulent transactions. Specifically, the CSOs shall have the necessary technical and operational capabilities to implement an FMS for retail ACH operations to strengthen fraud detection mechanisms within the payments industry.
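The transaction-log requirement in Section 1 above lists eleven minimum fields and demands protection against unauthorized manipulation. As an added example that is not part of the circular, the following Python sketch stores those fields in an append-only log and hash-chains each entry to the previous one, so that any later edit of a stored record is detected on verification; hash chaining is an assumed technique, since the circular prescribes the outcome and not the mechanism. Field names and all sample values are constructed.

```python
# Added example (not the circular's or any BSFI's code): a tamper-evident transaction log.
import hashlib
import json
from typing import Dict, List, Tuple

# The eleven minimum items, split where an item names two values (e.g. name and account number).
REQUIRED_FIELDS = (
    "sender_name", "sender_account",            # (i)
    "timestamp",                                # (ii)
    "amount", "currency",                       # (iii)
    "receiving_fi",                             # (iv)
    "recipient_name", "recipient_account",      # (v)
    "txn_reference",                            # (vi)  OFI / CSO / RFI reference
    "payment_mode",                             # (vii) PESONet, InstaPay, ...
    "auth_mode",                                # (viii)
    "non_financial_info",                       # (ix)
    "channel",                                  # (x)
    "device_info",                              # (xi)  fingerprint, IP, browser
)
GENESIS = "0" * 64


def _digest(record: Dict, prev_hash: str) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class TransactionLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> str:
        """Reject incomplete records; chain complete ones to the previous entry."""
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"log record missing required fields: {missing}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": dict(record), "prev_hash": prev}
        entry["hash"] = _digest(entry["record"], prev)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True only if every entry still matches its hash and the chain is unbroken."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _digest(e["record"], prev) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def sample_record(ref: str, amount: str) -> Dict:
    """Constructed sample record; amounts are strings so canonical JSON is exact."""
    return {
        "sender_name": "Juan Sample", "sender_account": "0000-TEST-0001",
        "timestamp": "2025-06-01T09:00:00+08:00", "amount": amount, "currency": "PHP",
        "receiving_fi": "Sample Bank B", "recipient_name": "Maria Sample",
        "recipient_account": "0000-TEST-0002", "txn_reference": ref,
        "payment_mode": "InstaPay", "auth_mode": "device-based+biometric",
        "non_financial_info": "", "channel": "mobile",
        "device_info": {"fingerprint": "fp-sample-01", "ip": "198.51.100.5"},
    }


def demo() -> Tuple[bool, bool]:
    """Returns (intact before edit, intact after a simulated unauthorized edit)."""
    log = TransactionLog()
    log.append(sample_record("OFI-SAMPLE-0001", "1500.00"))
    log.append(sample_record("OFI-SAMPLE-0002", "250.00"))
    before = log.verify()
    log.entries[0]["record"]["amount"] = "15000.00"   # simulated tampering with a stored amount
    return before, log.verify()
```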
Section 3. The Glossary of Terms in the MORPS shall include the following:

GLOSSARY OF TERMS

xxx

Fraud Management System (FMS) - refers to a comprehensive set of automated and real-time monitoring and detection systems to identify and block disputed, suspicious, or other similar online transactions, pursuant to Bangko Sentral regulations on information technology risk management.

Section 4. Section 201 of the MORPS shall be amended, as follows:

NATIONAL RETAIL PAYMENT SYSTEM FRAMEWORK

xxx

201.4 Specific rules applicable to transactions performed under the NRPS Framework

The following rules shall apply to retail payment transactions which are cleared and settled in accordance with the NRPS Framework:

a. Minimum requirements to offer Electronic Payment and Financial Service (EPFS). EPFS, which shall require Bangko Sentral approval in accordance with Sections 701/701-Q/401-S/414-P/401-N of the MORB/MORNBFI and Section 501 of the MORPS, refer to BSFI products and/or services that enable consumers to carry out or initiate payments, financial transactions, and other related services electronically through a point of interaction. To offer EPFS, BSFIs shall conform to the following requirements:

(1) xxx;
(2) xxx;
(3) xxx; and
(4) BSFIs shall conform to Sections 148/147-Q/145-S/142-P/126-N and Appendix 79/Q-66 of the MORB/MORNBFI on the IT Risk Management Standards and Guidelines for electronic banking, electronic payment, electronic money and other electronic products and services.

Section 5. Appendix 201-1 of the MORPS on the NRPS Framework shall be amended, as follows:

xxx

D. Clearing Switch Operator (CSO)

xxx

Key Principles

(1) xxx.
(2) xxx.
(3) xxx.
(4) xxx.
(5) xxx.
(6) xxx.
(7) CSOs of ACHs shall implement a fraud management system (FMS) for monitoring and flagging suspicious and fraudulent transactions. Specifically, the CSOs shall have the necessary technical and operational capabilities to implement an FMS for retail ACH operations to strengthen fraud detection mechanisms within the payments industry.

Section 6. The existing footnote in Section 148/147-Q/145-S/142-P/126-N on the previous transitory provisions is hereby deleted. The following new transitory provision shall be incorporated as a footnote to Section 148/147-Q/145-S/142-P/126-N, as follows:

BSFIs shall comply with the standards provided in this Circular within one (1) year from its effective date.

Section 7. Effectivity Clause. This Circular shall take effect fifteen (15) calendar days following its publication in any newspaper of general circulation.

FOR THE MONETARY BOARD:

ELI M. REMOLONA, JR.
Governor