
THE BANGKO SENTRAL ng Pilipinas (BSP) has released circulars implementing the Anti-Financial Account Scamming Act (AFASA), which allows the regulator to probe financial accounts suspected to be involved in prohibited acts identified under the law.

The BSP released three circulars that contain guidelines to implement the AFASA, which was signed into law by President Ferdinand R. Marcos, Jr. in July 2024. The law seeks to help prevent and penalize financial cybercrime.

The central bank is authorized to investigate and inquire into financial accounts involved in prohibited acts or offenses under the AFASA. These include money mule activities and social engineering schemes, which are treated as economic sabotage when they involve three or more people as perpetrators or victims, are carried out through mass mailers, or are linked to human trafficking. Other offenses include opening a financial account under a fictitious name and using the identity or identification documents of another person.

Circular No. 1214 details the rules of procedure on the conduct of inquiry into financial accounts and sharing of financial account information by the BSP. Bank secrecy laws will not apply to the financial accounts under inquiry or investigation by the BSP.

Under the guidelines, requests to inquire into a financial account must be filed with the BSP’s Consumer Account Protection Office by competent authorities. These include the Philippine National Police, the National Bureau of Investigation, the Department of Justice, the Anti-Money Laundering Council, the Cybercrime Investigation and Coordinating Center, any other government agency authorized to investigate or prosecute prohibited acts under the AFASA, and financial regulators authorized to investigate crimes or offenses related to their regulatory functions and to adjudicate financial consumer complaints.

Requests must be supported by the purpose and justification for an inquiry into a financial account, the description of the account suspected to be involved, details of the prohibited act, and other relevant information.

Competent authorities must also enter into an agreement with the BSP for the sharing of financial account information, which includes the account number, the account owner’s personal information, transaction records, and the documents submitted for opening or maintaining accounts, among others.

Meanwhile, Circular No. 1215 covers the regulations on the temporary holding of funds subject of disputed transactions and coordinated verification process.

The circular applies to all BSP-supervised institutions (BSIs), which shall pursue the coordinated verification of disputed transactions regardless of whether the funds remain in the financial system.

Under the circular, BSIs are mandated to collaborate and establish an integrated and holistic industry protocol for the temporary holding of disputed funds and coordinated verification of disputed transactions in accordance with law and the rules and regulations issued by the BSP.

Account owners are also encouraged to engage with BSIs to take reasonable steps to protect their information, report any disputed transactions, cooperate during investigations, and comply with security practices, among others.

BSIs have the authority to temporarily hold disputed funds for a period of not more than 30 calendar days, consisting of the initial and extended holding periods. The period to hold disputed funds may be further extended by a court of competent jurisdiction.

The initial holding can be extended by not more than 25 calendar days from the lapse of the initial holding period if there are “reasonable grounds to believe that the funds held are likely to be disputed funds, and additional time is needed to complete the coordinated verification process.”

The central bank is also tasking BSIs to “institutionalize a secure, real-time or near-real-time, automated system for tracing disputed transactions, with capability to generate and record a visible disputed transaction chain, trigger the temporary holding of disputed funds, and induce timely alerts for involved BSIs.”

Lastly, Circular No. 1213 includes amendments to regulations on information technology risk management for BSP-supervised financial institutions (BSFIs) to implement the AFASA’s provisions.

“BSFIs should protect customers from fraudulent schemes done electronically. Failing to do so may erode consumer confidence in electronic channels as safe, secure, and reliable methods of making financial transactions,” the BSP said. “To mitigate the impact of cyber fraud, BSFIs should adopt an aggressive security posture.”

These measures include implementing automated, real-time fraud monitoring and detection systems to identify and block disputed, suspicious and fraudulent online transactions. The controls named include transaction velocity checks or thresholds, geolocation monitoring, and blacklist screening, among others.

“To strengthen fraud detection and prevention, BSFIs shall leverage a combination of rule-based approaches, machine learning algorithms, and other technologies to adapt to evolving fraud tactics,” the BSP said.

“Likewise, constant calibration of the FMS (fraud management systems) shall be enforced through continuous data analysis, risk assessments, adaptive rule adjustments, machine learning refinements, regular stress testing, independent review and audits, and proactive monitoring of fraud patterns, among others.”

Safeguards to be implemented also include a 24-hour transaction pause after key account changes are applied; adoption of strong device fingerprinting; and limits on the use of interceptable authentication mechanisms such as one-time passwords (OTPs).
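The controls listed in the two paragraphs above (velocity checks, geolocation monitoring, blacklist screening, and the 24-hour pause after a key account change) can be expressed as a small rule-based screening pass over a transaction stream. The following is an added illustration written for this article, not code from the BSP or any supervised institution: the thresholds, account identifiers, blacklist entries and sample transactions are all constructed assumptions, and the circular leaves the actual calibration of each rule to the institution.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str       # originating account
    beneficiary: str   # destination account
    amount: float
    country: str       # country of the client session (assumed geolocation source)
    ts: datetime


# Illustrative thresholds (assumptions, not values from the circular).
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3                        # more than 3 outbound transfers in 10 min is flagged
GEO_WINDOW = timedelta(hours=1)         # a country change within 1 hour is flagged
KEY_CHANGE_PAUSE = timedelta(hours=24)  # the 24-hour pause after a key account change

# Constructed blacklist of beneficiary accounts (hypothetical identifiers).
BLACKLIST = {"MULE-0001", "MULE-0002"}


def screen(txns, key_changes, blacklist=BLACKLIST):
    """Return {txn_id: [reasons]} for every transaction; an empty list means allow.

    key_changes maps account -> timestamp of its most recent key change
    (new device, new mobile number, password reset, and the like).
    """
    recent = defaultdict(deque)  # account -> timestamps of outbound txns in the window
    last_geo = {}                # account -> (country, ts) of the previous txn
    verdicts = {}
    for t in sorted(txns, key=lambda x: x.ts):
        reasons = []

        # 1. Blacklist screening of the beneficiary.
        if t.beneficiary in blacklist:
            reasons.append("blacklisted_beneficiary")

        # 2. Velocity check: evict timestamps older than the window, then count.
        q = recent[t.account]
        while q and t.ts - q[0] > VELOCITY_WINDOW:
            q.popleft()
        q.append(t.ts)
        if len(q) > VELOCITY_MAX:
            reasons.append("velocity_exceeded")

        # 3. Geolocation monitoring: session country changed within GEO_WINDOW.
        prev = last_geo.get(t.account)
        if prev and prev[0] != t.country and t.ts - prev[1] <= GEO_WINDOW:
            reasons.append("geo_mismatch")
        last_geo[t.account] = (t.country, t.ts)

        # 4. Transaction pause for 24 hours after a key account change.
        changed = key_changes.get(t.account)
        if changed and changed <= t.ts < changed + KEY_CHANGE_PAUSE:
            reasons.append("post_key_change_pause")

        verdicts[t.txn_id] = reasons
    return verdicts


# Constructed sample stream: ACCT-A bursts four transfers in six minutes, the last
# to a blacklisted beneficiary; ACCT-B changed its registered device two hours ago;
# ACCT-C's session jumps from PH to SG within twenty minutes.
T0 = datetime(2025, 1, 6, 9, 0)
KEY_CHANGES = {"ACCT-B": T0 - timedelta(hours=2)}
SAMPLE = [
    Txn("t1", "ACCT-A", "SHOP-01", 500.0, "PH", T0),
    Txn("t2", "ACCT-A", "SHOP-02", 250.0, "PH", T0 + timedelta(minutes=2)),
    Txn("t3", "ACCT-A", "SHOP-03", 100.0, "PH", T0 + timedelta(minutes=4)),
    Txn("t4", "ACCT-A", "MULE-0001", 9000.0, "PH", T0 + timedelta(minutes=6)),
    Txn("t5", "ACCT-A", "SHOP-04", 80.0, "PH", T0 + timedelta(minutes=30)),
    Txn("t6", "ACCT-B", "SHOP-05", 1200.0, "PH", T0 + timedelta(minutes=1)),
    Txn("t7", "ACCT-C", "SHOP-06", 300.0, "PH", T0),
    Txn("t8", "ACCT-C", "SHOP-07", 300.0, "SG", T0 + timedelta(minutes=20)),
]

if __name__ == "__main__":
    for txn_id, reasons in screen(SAMPLE, KEY_CHANGES).items():
        print(txn_id, "ALLOW" if not reasons else "HOLD " + ",".join(reasons))
```

Each flagged transaction carries every rule it tripped, so t4 is held for both the blacklist hit and the burst, while t5 is allowed again once the ten-minute window has cleared. In practice a "HOLD" verdict would feed the temporary-holding and coordinated-verification process described under Circular No. 1215 rather than simply being logged.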

“With the increasing prevalence of social engineering attacks aimed at obtaining login credentials, BSFIs should limit the use of authentication mechanisms that can be shared to, or intercepted by, third parties unrelated to the transaction,” the central bank said.

“Moreover, BSFIs engaged in complex electronic products and services and handling high aggregate values of online transactions must adopt strong authentication mechanisms to ensure the integrity of customer-initiated transactions.”

Instead of OTPs, institutions can use biometric authentication, behavioral biometrics, passwordless authentication and adaptive authentication.

“Descriptive customer notification for account activities and financial transactions should enable customers to verify the legitimacy of activities on their accounts. Real-time notification should be sent through secure channels such as mobile apps, messaging apps, e-mail, or SMS.” — Luisa Maria Jacinta C. Jocson