The Bangko Sentral ng Pilipinas (BSP) has ordered banks and other financial institutions to conduct regular cybersecurity self-assessments, as part of a broader push to strengthen digital defenses and curb rising fraud risks.
Under Circular No. 1232, dated 27 April, supervised financial institutions are required to evaluate their cybersecurity frameworks, including risk management systems and incident response capabilities, using a structured self-assessment approach aligned with regulatory standards.
The move builds on earlier proposals by the BSP to institutionalize annual cybersecurity maturity assessments across the financial sector, amid increasing exposure to cyber threats driven by rapid digitalization.
The latest requirement comes as the central bank tightens its broader digital security framework, which includes a firm deadline for banks to implement enhanced fraud management systems by the end of next month.
These measures include stronger transaction monitoring, real-time fraud detection and improved customer protection protocols, as part of efforts to reduce financial cybercrime and unauthorized transactions.
The BSP is also moving to phase out one-time passwords (OTPs) as a primary authentication method, citing vulnerabilities to phishing and social engineering attacks. The shift is expected to accelerate adoption of more secure verification tools such as biometrics and device-based authentication.
The BSP has also strengthened inter-agency coordination in tackling financial crimes, signing information-sharing agreements with the Cybercrime Investigation and Coordinating Center (CICC), National Bureau of Investigation (NBI), and Securities and Exchange Commission (SEC).
These agreements allow the lawful sharing of confidential financial account data to support investigations into scams and related offenses, in line with the Anti-Financial Account Scamming Act (AFASA).
BSP General Counsel Roberto L. Figueroa said the initiative reflects a coordinated approach to safeguarding the financial system.
“Financial crimes evolve rapidly. No single regulator or law enforcement authority, however capable, can address these threats alone,” Figueroa said, emphasizing the need for closer collaboration among regulators and enforcement agencies.
The agreements establish procedures for requesting and securing data from the BSP’s Consumer Account Protection Office, enabling authorities to build cases and respond more effectively to fraudulent activities while maintaining compliance with bank secrecy and data privacy laws.