BSP Amends Customer Due Diligence and e-KYC Regulations

On 30 March 2023, the Bangko Sentral ng Pilipinas (“BSP”), through its Monetary Board, issued BSP Circular No. 1170 (“Circular”) on the Amendments to Sections 921 and 921Q of the Manual of Regulations for Banks/Manual of Regulations for Non-Bank Financial Institutions on customer due diligence (“CDD”), including guidelines on electronic Know-Your-Customer (“e-KYC”) using digital identity (“ID”) system.

With regard to CDD, the BSP now requires the following risk-based approach depending on the type of customer, business relationship or nature of the product, transaction or activity: where a covered person is unable to comply with the CDD measures, it shall (i) not open the account, commence business relations, or perform the transaction; or (ii) terminate the business relationship; in both cases, the covered person concerned shall consider filing a suspicious transaction report in relation to the customer.

On the matter of customer identification, the BSP now recognizes an individual’s record in the Philippine Identification System (“PhilSys”) as an official and sufficient proof of identity. Where the PhilSys Card Number (“PCN”) or PhilSys Number (“PSN”) derivative, or the Philippine Identification (“PhilID”) card, in physical or digital form, is presented by the customer, it shall be accepted as official and sufficient proof of identity, subject to proper authentication, and the covered person shall no longer require additional documents to verify the customer’s identity. If the official document presented is not the PhilID, PCN or PSN derivative, the covered person may classify identification documents based on its reliability and ability to validate the information indicated therein and ensure that risks are mitigated. 

In relation to the above, the BSP allows covered persons to implement appropriate systems of data collection and recording. However, in cases where the PhilID is presented, only the front portion/face should be photocopied/scanned. The PSN located at the back portion of the PhilID must remain confidential subject to applicable laws and regulations.

Covered persons may use different methods to conduct customer identification and verification including e-KYC through digital ID systems that cover the process of identity proofing/enrolment and authentication. The digital ID system to be used in conducting CDD must be supported by robust technology, adequate governance, processes, and procedures that provide appropriate level of confidence that the system produces accurate results. It should also be soundly protected against cyber-attacks and internal malfeasance or external manipulation/falsification by unauthorized users to fabricate false or synthetic identities. 

In implementing e-KYC through the digital ID system, the covered person shall ensure that its conduct of e-KYC complies with relevant user consent and data sharing and protection/privacy laws, rules and regulations for data processing, storage, and management. All related transaction/s and their attendant risks or obligations, including the roles and responsibilities of each party involved, must be explicitly, clearly, and adequately provided by the covered person, and are explained to, understood, and accepted by the customer.

Covered persons with existing e-KYC, using a digital ID system, at the time of the effectivity of the Circular shall comply with the requirements prescribed therein within 1 year from effectivity of the Circular. For covered persons without existing e-KYC and that intend to adopt the same, strict compliance with the e-KYC requirements prescribed in the Circular must be ensured prior to implementation.