The Central Bank of the Philippines issued amendments to its information technology risk management rules for banks, non-bank financial institutions and payment system participants to implement the information technology-related provisions of Section 6 of Republic Act No. 12010, the Anti-Financial Account Scamming Act. The changes introduce tighter standards for fraud monitoring, customer account safeguards, customer-facing security features and evidence retention for electronic products and services, and require clearing switch operators in the National Retail Payment System framework to strengthen fraud detection capabilities.

Banks and other BSP-supervised financial institutions (BSFIs) offering complex electronic products and services and processing high aggregate online transaction values, defined as an average monthly network value of at least PHP 75,000,000 over the last six months, must deploy a robust automated and real-time Fraud Management System (FMS). Minimum FMS mechanisms include transaction velocity checks, monitoring of mobile device and key account-information changes, geolocation monitoring, blacklist screening and behavioural anomaly detection, supported by ongoing calibration, stress testing and independent review. FMS detection is cited as a ground to temporarily hold disputed funds and initiate coordinated verification under the AFASA, and clearing switch operators of automated clearing houses must also implement an FMS for retail ACH operations.

Additional controls include a 24-hour transaction pause period after key account changes (with limited flexibility where strong authentication is in place), restrictions on installing mobile applications on unsecured devices, controls against unauthorised scripts and automation tools, stronger authentication options, and detailed real-time customer notifications. Digital platforms facilitating retail interbank transfers and other high-risk transactions must provide a properly authenticated “kill switch”, permission revocation tools, a “money lock” feature and customizable transaction limits, alongside transaction log retention for at least five years and limits on sending clickable links or QR codes via email, messaging apps or SMS.

The circular takes effect 15 calendar days after publication in a newspaper of general circulation, with BSFIs required to comply with the new standards within one year from the effective date.