MANILA — In an effort to curb financial scams, the Bangko Sentral ng Pilipinas (BSP) is giving BSP-supervised institutions (BSI) one year to comply with new requirements for fraud management systems (FMS) under RA 12010 or the Anti-Financial Account Scamming Act's (AFASA) implementing rules.

This includes various banks and e-wallets under the central bank with electronic payment and financial services (EPFS).

The minimum requirements are automated and real-time fraud monitoring and detection systems to block fraudulent online transactions.

Meanwhile, some institutions are required to have more sophisticated systems, BSP Deputy Governor Elmore Capule said during a media briefing at BSP Manila on Wednesday, June 11.

"You have a machine learning system looking at our behaviors and trying to see whether or not there is something wrong. Blacklist screening-- as the system progresses, there will be, we call it, a suspicious person, suspicious transactions. It should be in a database. And once this person transact, then there can be a blacklist. It can be screened, stopped," Capule said.

Other requirements include the ability to identify mobile device and account information changes, and transaction velocity checks of thresholds, and do geolocation monitoring.

This is for institutions engaged in complex electronic products and services and have an average monthly network value of transactions of at least P75-million for the last six months.

"Now, the institutions operating these services should have a strong fraud management system, meaning it should operate to protect the consumers. And if they fail to come up with these systems, the consequence is that the financial institution that fails to abide will be the oneSCAM responsible. I think that's the most important thing here. There is a shifting of civil liability," Capule said.

The implementing rules will be effective starting June 25.

Aside from strengthening fraud management systems, the rules also allow for temporary holding of disputed funds, as well as coordinated verification.

"It provides for a temporary holding of funds, meaning if I am defrauded and I inform my bank or financial institution, they can hold the funds, just like that, without going to court, without going to the police, without getting a court order. Notify your institution, they can hold. Five and a maximum of 30 days," Capule told the media.

ALTERNATIVES TO OTP

The BSP also recommends BSIs use other measures for multi-factor authentication aside from one-time password.

"Based on our recent surveillance, even the OTPs now. It is also quite vulnerable. So we're recommending that financial institutions to look for other alternative measures of doing multi-factor authentication. So I think we have also indicated under Circular 1213 the other types of more advanced forms of authentication," BSP Technology Risk and Innovation Supervision Department Deputy Director Maricris Salud said during the press briefing.

Under Circular No. 1213, institutions are required to adopt "strong authentication mechanisms" such as biometric authentication, behavioral biometrics, passwordless authentication, and adaptive authentication.