BSP sets control measures vs cyber frauds

In response to the cyber frauds that continue to plague the public, the Bangko Sentral ng Pilipinas has issued BSP Memorandum No. M-2022–015 requiring banks and other financial institutions regulated by the BSP to adopt additional control measures.

Note that this is an advice, not a mandate. Thus, financial institutions are not strictly required to implement these measures in their transactions. However, should an incident happen, it is likely that a bank’s failure to show proof that it has employed comparable measures to protect its customers would earn censure from the BSP.

The BSP’s issuance recommends that banks and financial institutions adopt the following measures:

1. Removal of clickable links in emails or SMS sent to retail customers followed by an information campaign that the banks will no longer be sending clickable links.
2. Customer notification through existing mobile or email registered with the banks whenever there is a request to change a customer’s mobile number, email address, or account credentials.
3. After the conduct of a thorough risk analysis and assessment, the implementation of the following controls:
4. Mandatory fund transfer transaction notification to customers through SMS and/or email for transactions exceeding a predefined amount;
5. Holding period or delay before activation of a new soft token on a mobile device; and
6. Cooling-off period before the implementation of requests for key account changes such as those for the mobile number and email address.
7. Personalized SMS/Email OTP messages for device registration, fund transfer, and profile update, among others,
8. Restriction to any bank officer or representative from manually obtaining or inquiring about critical authentication information such as customer password and/or one-time password/pin (OTP).
9. Creation of dedicated and well-resourced customer assistance teams that deal with feedback on potential fraud cases on a priority basis.
10. Conduct of regular customer education campaigns against online scam and phishing schemes with mechanisms to monitor their effectiveness and relevance; and
11. Adoption of strong fraud surveillance mechanisms to ensure prompt responses in dealing with the growing threat of online scams.

Taken together, these measures will introduce significant friction to customer transactions on digital platforms. However, what we are learning from the digital transformations happening in different aspects of our lives, slow is not necessarily bad. While companies can (and they do!) continuously engaged in customer education, it is often easier to put in place improvements to the systems that will protect customers from themselves. Fast is definitely not better than perfect and most of the things that are broken cannot be put back together again.

In the next few months, we will see if the BSP’s efforts bear fruit. The challenge though is that while regulators and companies continue to evolve and improve controls, fraudster also continue to iterate and fine-tune their scams.