BSP Urges Banks to Beef up Security Against Cyber Attacks

by June 23, 2022

Bangko Sentral ng Pilipinas (BSP) has urged financial institutions to adopt robust control measures against cyber attacks on retail electronic payments and financial services (EPFS) due to the increasing shift to digital channels.

According to the memorandum that BSP had circulated, “BSFIs should regularly conduct risk assessments of their product features, business rules, as well as application controls, and enforce appropriate enhancements and mitigation measures.”

Furthermore, BSP advised financial institutions to remove clickable links in emails or text messages and to send notifications through registered mobile numbers or email addresses when requesting changes to customer information.

After thorough risk analysis, financial institutions should also implement mandatory notifications for fund transfers exceeding a predefined amount, delays in activating new soft tokens or new device registrations, and a cooling-off period for key account changes.

According to BSP, banks must also personalise SMS messages and emails for banking services; restrict bank officers or representatives from obtaining critical information such as customer passwords, one-time passwords (OTPs), or personal identification numbers (PINs); create dedicated customer assistance teams for fraud cases; conduct education campaigns against online scams; and adopt strong fraud surveillance mechanisms.

The regulator likewise encourages collaboration among financial institutions and the use of information-sharing platforms, such as the Bankers Association of the Philippines’ Cyber Incident Database, to expedite fraud investigations and the recovery of funds and to proactively address emerging fraud schemes.

“BSFIs may also need to coordinate with law enforcement authorities for the prompt resolution of cybercrimes, especially those involving public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” the memorandum explained.