BSP says no extension for Sept. 30 deadline for banks’ multi-factor authentication shift
THE CENTRAL BANK will not extend the end-September deadline for banks and credit card issuers to adopt tighter standards for client verification, as the regulator looks to improve cybersecurity at a time of increasing use of digital payment platforms.
BSP Circular 958 issued in April requires banks and credit card issuers to put in place a multi-factor authentication (MFA) system for online transactions. The measure seeks to verify a client’s identity using at least two different methods before one can proceed with high-value fund transfers or payments.
The new requirement seeks to prevent cases of so-called “card-not-present” fraud, where hackers use more sophisticated attacks via the Internet or through app-based platforms to steal money.
“We have been receiving a lot of queries, [but] we won’t extend the deadline so it’s still Sept. 30, 2017,” Melchor T. Plabasan, deputy director of the BSP’s Core Information Technology Specialist Group, said during the banking and finance session of the 2017 Cybersecurity Summit last week.
All BSP-supervised entities have been required to set up internal protocols for the MFA since May, while stricter verification standards are to be fully implemented by the fourth quarter.
Mr. Plabasan, however, said additional guidelines will be released ahead of next month’s deadline to allow some room for banks to continue offering digital services, but in a limited capacity.
“If you’re not yet ready for MFA… the one possibility would be disabling certain features or transactions which are considered high risk or sensitive as defined in Circular 958,” the BSP official told an audience of bank information technology specialists.
Among the most common e-commerce transactions are bills payment, online shopping, purchase of airline tickets, and hotel bookings, according to the central bank circular. Financial firms must adopt “more stringent security controls” for such deals to deter fraudsters from stealing money.
Under the guidelines, a bank must use two approaches in checking a client’s identity before making a sale or accepting a fund transfer. The options include using a password or personal identification number; presenting a payment card or a one-time password sent via text message; and using a fingerprint or retina scan.
This way, the bank can establish that the person who owns the account is actually the one making the transaction before it allows the sale or transfer to proceed.
BSP Governor Nestor A. Espenilla, Jr. has tagged rising cybersecurity threats as a concern for the central bank, while acknowledging that the greater use of digital platforms would entail greater efficiency and financial inclusion.
The central bank is heading the set-up of the National Retail Payments System, where it wants to raise the share of digital payments to 20% of total transactions by 2020 from just 1% in 2013. — Melissa Luz T. Lopez