
May 27, 2024

Banks told to adopt measures against cyber attacks

As financial transactions increasingly shift to digital channels, the Bangko Sentral ng Pilipinas (BSP) has directed banks and financial institutions to adopt robust control measures against cyber fraud and attacks on retail electronic payments and financial services (EPFS).

The regulator issued Memorandum No. 2022-015 directing BSP-supervised financial institutions (BSFIs) to regularly conduct risk assessments of their product features, business rules, and application controls, and to enforce appropriate enhancements and mitigation measures.

Banks and financial institutions were likewise directed to remove clickable links from communications sent to customers via electronic mail and SMS or text messages.

Furthermore, BSFIs were told to send notifications through registered mobile numbers or email addresses when requesting changes to customer information.

After thorough risk analysis, BSFIs should implement mandatory notifications for fund transfers exceeding a predefined amount, delays in activating new soft tokens or new device registrations, and a cooling-off period for key account changes.

The institutions must also personalize SMS messages and emails for banking services; restrict bank officers or representatives from obtaining critical information such as customer passwords, one-time passwords (OTPs), or personal identification numbers (PINs); create dedicated customer assistance teams for fraud cases; conduct education campaigns against online scams; and adopt strong fraud surveillance mechanisms.

The regulator is pushing the use of information-sharing platforms such as the Bankers Association of the Philippines’ Cyber Incident Database to expedite fraud investigations and the recovery of funds, and to proactively address emerging fraud schemes.

“BSFIs may also need to coordinate with law enforcement authorities for the prompt resolution of cybercrimes, especially those involving public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” the central bank said.