By Andrea C. Abestano, Researcher

AMIDST the rise in online financial crimes, the Bangko Sentral ng Pilipinas (BSP) taps into heightened consumer protection through a draft framework that mitigates risks posed by BSP-supervised entities (BSI).

Based on the latest data from the Philippine National Police Anti-Cybercrime Group, it logged 6,408 cybercrime events from Jan. 1 to May 15, down by nearly a third from 9,361 events in the same period last year.

Swindling or online scams topped the list with 2,797 incidents, followed by 1,278 illegal access cases, and 527 counts of computer-related identity theft.

Given the rise of financial cybercrimes, the BSP had made it its goal to improve user safety through a draft circular of a new consumer protection framework.

The Financial Consumer Protection and Market Conduct (FCPMC) supervision framework of the BSP intends to uphold the provisions of the Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act (FCPA).

These provisions are the consumer protection standards of conduct, namely disclosure and transparency, protection of client information and assets, fair treatment, effective recourse mechanism, and financial education and awareness.

The FCPA also allows the BSP to conduct assessments of BSI’s financial consumer protection compliance separately from prudential regulations compliance.  The FCPMC is thereby responsible for putting actionable steps to the approach outlined in FCPA.

By implementing the framework, BSP-supervised Financial Institutions (BSFIs) will be evaluated on their adherence to the standards of conduct, their management of services and products, and their relationship with the users.

“It will specifically look at aspects of a BSI’s business operations that could potentially result in financial loss or other harm to financial consumers,” the BSP said in an e-mail.

The process of the FCPMC supervision framework takes a three-step approach: impact assessment, risk assessment, and supervision.

The framework starts with gauging the market conduct of the BSFIs. Covering all financial institutions under the supervision of the BSP, the framework aims to target institutions that have a higher impact on its consumers.

A BSI’s market conduct is graded as low, moderate, above average, or high based on parameters including the size of retail operations and complexity of financial products offered, dependency on third parties or agents, number and profile of retail client base, and volume and types of consumer complaints.

An institution with a higher impact grade merits higher supervision intensity.

However, the central bank said that since the FCPMC Impact Grade of a BSI will form part of the BSP’s examination process and supervisory outputs, it will be covered by Section 27 of the New Central Bank Act (RA No. 7653, as amended by RA No. 11211).

This provision would protect the BSIs as it prohibits the BSP from revealing information relating to the condition or business of any institution.

The risk assessment step looks at how harmful an institution can be (known as the FCPMC Risk Profile) based on its impact and whether the BSI has mitigated these risks.

This step requires institutions to build a Consumer Protection Risk Management System (CPRMS) that should identify, measure, and address the risks of the institution to the consumers.

The institutions’ CPRMS are then regulated by the BSP via quality assessment that gauges their adherence to the standards of conduct outlined by the BSP Circular No. 11765.

This risk-based supervisory intensity approach expands the general consumer protection standards outlined by Circular No. 1048 or the BSP Regulations on Financial Consumer Protection.

Circular No. 1048 was the founding mandate on which the FCPMC framework was built.

The act was the first to require BSIs to have a CPRMS in place, but it did not have system monitoring from the BSP.

Hence, the risk-based supervision of the FCPMC was a leap from the broad focus of the Circular No. 1048 regarding consumer protection principles and compliance as it would require institutional adherence to specific metrics.

Both impact and risk assessment are periodically updated, and the risk-based supervisory intensity, as defined by the activities that the BSP would follow in monitoring the BSI, may change accordingly to the assessments.

Supervisory activity can be any of the following as the BSP sees fit: FCPMC-focused market surveillance and monitoring, FCPMC-focused onsite examination of individual BSI, FCPMC-focused offsite supervision of individual BSI, and FCPMC-focused thematic risk assessment of a group of BSIs.

With these planned changes, Security Bank Corp. Chief Economist Robert Dan J. Roces expects that the introduction of the FCPMC framework is a crucial step towards creating a more transparent and consumer-centric financial landscape.

“The framework will address the inherent complexities and information asymmetries that often lead to consumer exploitation and erode trust in the financial system,” Mr. Roces said in a Viber message.

Since the BSP intends to establish market conduct supervision as separate from prudential supervision, it also creates a comprehensive risk-based monitoring system for both systemic risks and consumer protection.

Despite this, the central bank foresees that “at the onset of the framework’s implementation, [there would be a] lack of granular, transactional, and consumer-focused data and information may limit in-depth, evidence-based assessment of consumer protection-related risks.”

Moreover, although constant monitoring would ensure that banks and institutions incorporate these risk protection systems as part of their organizational practices in the long run, it also creates a greater burden on BSIs to meet higher security and safety requirements in the short run.

Due to the monitoring system, there is also a risk of excessive oversight that might stifle the banks’ innovation.

Implementing CPRMS would also require significant resources that would strain both BSP’s and BSI’s resources.

Increased regulatory compliance burden, training costs, and the need for better technological infrastructure are only some of the expected challenges during the transition period.

These limitations are among the normal “birth pains” that are expected when enforcing a milestone law such as the FCPA, the BSP said.

However, by meeting the standards of the new framework, institutions can create a trustworthy profile that protects users from the impacts of their processes.

This creates a bridge that BSIs can utilize to build stronger client relationships.

For the BSP, the framework will not alter the current supervisory approaches but builds upon them by “[providing] a methodology through which consumer protection issues are surfaced and given equal importance [as that of] prudential risks.”

“Swindling and financial crimes are on the rise because of how easy it is for the wrong people to get a hold of user information,” Daniel B. Benito, a manager at a business process outsourcing (BPO) company, said.

Mr. Benito was one of the 4,000 cases of illegal access cases in the country.

“It came as a complete shock since that money was allotted for my bills and savings, having it gone left damage to my mental stability that time,” Mr. Benito, said reminiscing the events that happened a year ago.

He added that it began when someone who claimed to be from the bank called and said that his card was up for renewal.

The person knew the details of his account and only needed his confirmation and an OTP. Given the number of things he was juggling at that moment, the possibility of it being a scam did not occur to him.

A few days later, while withdrawing from his account, he noticed that his balance was lower than it should be and learned that his savings money was taken out of his bank.

After a series of customer service processes, in the end, he was unable to retrieve his money as the banks said that it was due to his own “negligence.”

For Mr. Benito, decreasing the risks of fraud starts by informing the users of the products and the current dangers that arise.

“I charged what happened to me as a learning experience but if I had been advised earlier that there are scam calls such as that, I would have been able to avoid it,” he said.

With the aid of the FCPMC framework, this can be attained as it mitigates “finance-related crimes and fosters collaboration between regulators and financial service providers,” Security Bank’s Mr. Roces said.

The BSP, on the other hand, said that while the framework does not focus on specific cybercrimes, it is designed to determine risks that are most detrimental to consumer welfare and ensure that BSIs are well-equipped with systems and controls to mitigate such risks.

“Protection of consumer assets against fraud and misuse is among the standards of conduct that the framework assesses,” the BSP said.

In this standard of conduct, BSIs are expected to implement fraud risk management mechanisms, enable multi-factor authentication, and provide timely transaction notifications, among others.

“These are considered essential in detecting and curtailing fraudulent or unauthorized transactions,” BSP added.

Despite the role of the framework, Mr. Roces emphasized that the success of the framework relies on consumers taking an active role in safeguarding their interests and staying informed and assertive in exercising their rights.

Similarly, the central bank said that a big role remains on the users since they are “the first level of defense against threats to the safety and integrity of financial accounts and personal information.”

With the FCPMC in place, this ensures that the banks and institutions’ role in consumer safety is met.

However, it does not eliminate the risks of financial crimes especially when the fault lies with the users.

As Mr. Roces said, “Taken together, regulators, financial institutions, and consumers can create a more robust and equitable financial ecosystem that will support economic growth.”

It is only through the successful collaboration of these three that the framework will thrive. The role of users in the framework lies in their use of resources that FCPMC would offer.

“While the myriad of BSP rules and regulations already require BSIs to protect our deposits and investments, [users] must also exercise our responsibilities as protectors of our accounts and finances,” the BSP said.

Bank lending, for example, entails a risk that must be managed by both users and institutions.

Credit risk management, one of the many roles a CPRMS would undertake, handles lending risks.

Credit risk management ensures that appropriate policies, risk strategies, and processes are informed to the lender prior to the credit granting.

Despite the presence of a credit risk management system and the availability of lending services in banks, there remains a rise in lending apps as of late which may lead to greater risks for users.

“It is just easier and more convenient to loan in apps and personally I find it less risky than bank credits which I am not familiar with,” Unice C. Alimurung, a secondary school practicing teacher, said in an e-mail.

When asked about the risks she perceives in banks, she nodded at interest rates.

“I tried to take a loan in [my] bank once and the interest rate was confusing to me. The yearly repricing on a home loan I was looking at also made me scared at the surprises I might have by next year as rates go higher,” she said.

She pointed out that it is also harder to bounce back from credit ratings than to just loan from a new app hence making her shy away from bank lending.

Once FCPMC is enacted, banks will be under higher supervision with their informative campaigns regarding services such as lending. However, even with this in place, users will not be able to know the information available without their initiative.

“The [FCPMC] framework would help of course in ensuring that we are protected but I think it still comes down to how much [users] know and are willing to know,” Ms. Alimurung said.

Hence, for Mr. Roces, the framework’s enactment may empower consumers to make informed decisions by ensuring access to accurate information.

“As more digital financial services continue to evolve, the FCPMC framework will be important in protecting consumers and promoting financial inclusion,” he said.

“In the long run, the ultimate intent of the framework is a system where all BSIs practice ‘doing good’ to consumers because it is already ingrained in their DNA,” the BSP said.

The central bank said that as of end-May 2024, the draft framework is under revision, considering meritorious comments received from internal and external stakeholders, consistent with the BSP’s policy making process.