BSP Recommends Control Measures against Cyber Fraud and Attacks on Retail Electronic Payments and Financial Services
The Bangko Sentral ng Pilipinas (“BSP”) issued Memorandum No. M-2022-015 to remind BSP Supervised Financial Institutions (“BSFIs”) to conduct continuing risk assessment of their product features, business rules and application controls, and to implement appropriate enhancements and mitigation as necessary.
As financial transactions increasingly shift to electronic or digital channels, attacks on retail customers through mobile and internet/web channels have also risen. The most prevalent schemes are account takeover and social engineering attacks involving phishing and its variations, which aim to manipulate customers into disclosing the sensitive personal and account information needed to execute unauthorized transactions.
To ensure a consistent and industry-wide approach in countering these aggressive phishing campaigns, BSFIs are advised to adopt the following supplementary control measures:
- Removal of clickable links in emails or SMS sent to retail customers followed by an information campaign that the BSFI will no longer be sending clickable links.
- Customer notification through existing mobile or email registered with the BSFI whenever there is a request to change a customer’s mobile number, email address, or account credentials.
- After the conduct of a thorough risk analysis and assessment, the following controls must be implemented:
  - Mandatory fund transfer transaction notification to customers through SMS and/or email for transactions exceeding a predefined amount;
  - Holding period or delay before activation of a new soft token on a mobile device; and
  - Cooling-off period before the implementation of requests for key account changes such as those for the mobile number and email address.
- Personalized SMS/email OTP messages for device registration, fund transfer, and profile update, among others.
- Restriction on any BSFI officer or representative from manually obtaining or inquiring about critical authentication information such as a customer’s password, one-time password and PIN.
- Creation of dedicated and well-resourced customer assistance teams that deal with feedback on potential fraud cases on a priority basis.
- Conduct of regular customer education campaigns against online scam and phishing schemes with mechanisms to monitor their effectiveness and relevance; and
- Adoption of strong fraud surveillance mechanisms to ensure prompt responses in dealing with the growing threat of online scams.
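The following is an added example, not code from BSP or from any BSFI, showing how several of the listed controls translate into concrete checks a retail channel could enforce: a pre-send scan that rejects outbound customer messages carrying clickable links, a transfer-amount threshold for mandatory notifications, a holding period before a newly enrolled soft token becomes usable, a cooling-off period before contact-detail changes take effect, notification of the change request to the customer's existing (not the newly requested) contact points, and an OTP message personalized with the customer's name and the exact action being authorized. The threshold, hold and cooling-off durations, and all customer data are constructed placeholder values; the memorandum leaves the actual parameters to each BSFI's own risk assessment.

```python
"""Reference checks for the supplementary controls described in BSP M-2022-015.

Constructed example: all policy values and customer data are assumptions,
not figures taken from the memorandum.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Anything a mail or SMS client would render as a tap-able link:
# http(s) URLs, www. hosts, and bare domains with common TLDs.
_LINK_RE = re.compile(
    r"(https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|ph)\b)", re.IGNORECASE
)


@dataclass
class ControlPolicy:
    """Assumed parameters; a BSFI would set its own after risk assessment."""
    notify_above: float = 10_000.0                      # transfer amount that triggers SMS/email notice
    soft_token_hold: timedelta = timedelta(hours=24)    # delay before a new soft token may be used
    change_cooling_off: timedelta = timedelta(hours=48) # delay before mobile/email changes take effect


def has_clickable_link(message: str) -> bool:
    """Pre-send check: True if an outbound customer message contains a URL or domain."""
    return _LINK_RE.search(message) is not None


def transfer_needs_notification(amount: float, policy: ControlPolicy) -> bool:
    """Mandatory notification applies to transfers exceeding the predefined amount."""
    return amount > policy.notify_above


def soft_token_usable(enrolled_at: datetime, now: datetime, policy: ControlPolicy) -> bool:
    """A soft token enrolled on a new device is valid only after the holding period."""
    return now - enrolled_at >= policy.soft_token_hold


def change_effective_at(requested_at: datetime, policy: ControlPolicy) -> datetime:
    """Key account changes (mobile number, email) take effect after the cooling-off period."""
    return requested_at + policy.change_cooling_off


def contacts_to_notify(existing_mobile: str, existing_email: str) -> list[str]:
    """Change requests are announced on the contact points already on file.
    The newly requested number or address is deliberately excluded: if the
    request is fraudulent, that is the channel the attacker controls."""
    return [existing_mobile, existing_email]


def otp_message(customer_name: str, purpose: str, masked_account: str, otp: str) -> str:
    """Personalized OTP text naming the customer and the single action the code
    authorizes, so a code obtained for one purpose cannot be passed off as another."""
    return (
        f"Hi {customer_name}, your OTP for {purpose} on account {masked_account} is {otp}. "
        "It is valid only for this action. Never share it with anyone, including bank staff."
    )


def sample_scenario() -> dict:
    """Runs the checks over constructed inputs and returns the decisions."""
    policy = ControlPolicy()
    enrolled = datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    requested = datetime(2022, 3, 1, 10, 0, tzinfo=timezone.utc)
    return {
        "phishy_sms_blocked": has_clickable_link("Verify your account at https://example.test/login"),
        "plain_sms_allowed": not has_clickable_link("Your transfer of PHP 5,000 was completed."),
        "large_transfer_notified": transfer_needs_notification(15_000.0, policy),
        "small_transfer_silent": not transfer_needs_notification(5_000.0, policy),
        "token_blocked_early": not soft_token_usable(enrolled, enrolled + timedelta(hours=1), policy),
        "token_usable_later": soft_token_usable(enrolled, enrolled + timedelta(hours=25), policy),
        "change_effective_hours": (change_effective_at(requested, policy) - requested) / timedelta(hours=1),
        "notify_targets": contacts_to_notify("+63-9XX-PLACEHOLDER", "existing@example.test"),
        "otp_text": otp_message("Juan", "fund transfer", "****1234", "482913"),
    }


if __name__ == "__main__":
    for name, value in sample_scenario().items():
        print(f"{name}: {value}")
```

The link check runs before any message leaves the institution, which is how the "no clickable links" commitment becomes enforceable rather than a matter of drafting discipline; once customers have been told that the BSFI never sends links, any message that does contain one is itself a phishing indicator they can act on.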
BSFIs are encouraged to collaborate and to utilize existing information sharing platforms, such as the Bankers Association of the Philippines Cyber Incident Database, to facilitate fraud investigation and/or recovery of funds. In certain instances, BSFIs may need to seek assistance from and cooperate with law enforcement authorities for the prompt resolution of cybercrime cases, especially those involving public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations.
The full text of M-2022-015 may be accessed here.
