BSP advises BSFIs to Adopt Cyber Attack Measures

BSP Advises Supervised Establishments to Adopt Cyber Attack Initiatives

The Bangko Sentral ng Pilipinas (BSP) has encouraged BSP-supervised financial institutions (BSFIs) to embrace more robust measures against cyber fraud and attacks on retail electronic payments and financial services (EPFS) as financial transactions increasingly shift to digital means. 

Under BSP Memorandum No. 2022-015, “BSFIs should regularly conduct risk assessments of their product features, business rules, application controls, and enforce appropriate enhancements and mitigation measures.”

BSFIs are also instructed to remove clickable links from communications sent to customers via email and SMS or text messages, as well as to send notifications through registered mobile numbers or email addresses when changes to client details are requested.

After an in-depth risk analysis, BSFIs should apply mandatory notifications for fund transfers exceeding a predefined amount, delays in activating new soft tokens or new device registrations, and a cooling-off period for fundamental account changes. 

BSFIs must also personalize SMS messages and emails for banking services and restrict bank representatives from acquiring critical information such as customer passwords, one-time passwords (OTPs), or personal identification numbers (PINs).

In addition, BSFIs should create dedicated customer assistance teams for fraud cases, conduct education campaigns against online scams, and adopt effective fraud surveillance mechanisms.

BSP also urged collaboration among BSFIs and information-sharing platforms such as the Bankers Association of the Philippines’ Cyber Incident Database to expedite fraud investigations and the recovery of funds, and to proactively address emerging fraud schemes.

The memorandum stated, “BSFIs may also need to coordinate with law enforcement authorities for the prompt resolution of cybercrimes, especially those involving public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations.”
