BSP Details Efforts to Address Fraud and Scam Threats

BSP officials discuss efforts to address fraud and scam threats through new requirements for banks and a thematic review of fraud management during 2024.

Regulation Asia sat down with Melchor T. Plabasan and Dexter S. Macatangay to discuss efforts by Bangko Sentral ng Pilipinas (BSP) to address fraud and scam threats. Plabasan is Senior Director and Department Head and Macatangay is Bank Officer V for Risk Management in the BSP’s Technology Risk and Innovation Supervision Department.

This interview was conducted for the “Fraud Barometer 2024” report, published by NICE Actimize and Regulation Asia to explore fraud trends and threats based on survey and interview data collected from 114 practitioners in Asia Pacific.

Can you describe the current fraud risk landscape and how it has evolved over the past 12 months?

Plabasan: Based on available data, a lot of incidents are still related to social engineering attacks. But we have also seen a growing number of smaller institutions being subject to targeted attacks.

Based on investigations and examinations we are involved in, a lot of the root causes point to API weaknesses and exploits because of the prevalent use of mobile apps and APIs to allow easy integration with merchants, aggregators, and other third parties. We have issued a memorandum providing recommendations on API management and security measures.

Macatangay: During the pandemic, the volume of retail fraud increased significantly. This is not just because of customer vulnerability, but also because of the adoption of technology. That’s why during the previous year, we aggressively issued new requirements for BSP supervised financial institutions (BSFIs) to strengthen their technology and controls.

Now we do not see major retail attacks affecting so many customers—not like before. Most BSFIs already mitigated those attacks, and we also observed various government agencies focusing on addressing these types of incidents. As a result, we observed a shift away from retail fraud and instead saw individual banks themselves being targeted.

What are the main expectations the BSP has set out for BSFIs when it comes to protecting customers from fraud and online scams?

Plabasan: To start, we have an IT risk management framework, which sets out our expectations for managing cyber-related risk. We also have a comprehensive financial consumer protection framework which provides the requirements for BSFIs on consumer protection risk management.

From time to time, we update these regulations and issue memoranda: for example, building on the IT risk management framework, we issued a circular on a risk-based approach to multi-factor authentication (MFA), which requires BSFIs to put in place MFA to protect sensitive communications and high-risk transactions.

Then during and after the pandemic, when we saw a lot of retail fraud, we provided additional control mechanisms, such as requiring BSFIs to implement a cooling-off period when clients change their credentials, and send personalised SMS or email notifications to clients when they are performing transactions.

BSFIs are also required to provide sufficient dedicated resources for consumer assistance to avoid delays in addressing and investigating actual cases of fraud, and to put in place robust automated and real-time fraud monitoring and detection systems that can identify anomalies in the behaviour of clients and block suspicious transactions.

Macatangay: What we observed in retail phishing cases is that when devices do get attacked and account takeover occurs, fraudulent transactions tend to be performed immediately. To address this, we introduced a memorandum requiring BSFIs to implement a holding period or delay before authorising a new device to make transactions.

In terms of consumer awareness, we intensified our campaign with circular 1140, which requires BSFIs to ensure clients have undertaken prerequisite consumer education for onboarding on electronic payment and financial services platforms, to ensure their awareness and familiarity with the minimum controls such platforms offer.
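The controls described in the two answers above (cooling-off after a credential change, a holding period before a newly authorised device may transact, step-up MFA for high-risk transactions, and a personalised notification for every attempt) can be expressed as one authorisation gate. The code below is an added illustration, not code from the BSP or the interviewees; the window lengths and the high-value threshold are assumed values chosen for the example, and the customer data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Policy windows are assumed values for illustration, not figures from the BSP.
CREDENTIAL_COOLING_OFF = timedelta(hours=24)   # after a password/PIN change
NEW_DEVICE_HOLD = timedelta(hours=12)          # after a device is first authorised
HIGH_RISK_AMOUNT = 50_000                      # constructed threshold, account currency units


@dataclass
class Account:
    customer_name: str
    last_credential_change: Optional[datetime] = None
    # device_id -> time the device was first authorised for this account
    authorised_devices: Dict[str, datetime] = field(default_factory=dict)


@dataclass
class Transaction:
    amount: int
    device_id: str
    at: datetime
    mfa_passed: bool = False


def evaluate(account: Account, txn: Transaction) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up_mfa' or 'hold'."""
    reasons: List[str] = []

    # 1. Cooling-off: a credential change followed quickly by a transaction is a
    #    classic account-takeover pattern, so transactions are held for the window.
    if account.last_credential_change is not None:
        if txn.at - account.last_credential_change < CREDENTIAL_COOLING_OFF:
            reasons.append("credential_cooling_off")

    # 2. New-device holding period: a device that has never been authorised, or
    #    was authorised only recently, may not transact yet.
    first_seen = account.authorised_devices.get(txn.device_id)
    if first_seen is None:
        reasons.append("device_not_authorised")
    elif txn.at - first_seen < NEW_DEVICE_HOLD:
        reasons.append("new_device_hold")

    if reasons:
        return "hold", reasons

    # 3. Risk-based MFA: high-value transactions need a completed second factor.
    if txn.amount >= HIGH_RISK_AMOUNT and not txn.mfa_passed:
        return "step_up_mfa", ["high_value_transaction"]

    return "allow", []


def notification(account: Account, txn: Transaction, decision: str) -> str:
    """Personalised notice text sent to the client for every transaction attempt."""
    when = txn.at.strftime("%Y-%m-%d %H:%M")
    outcome = {"allow": "was processed",
               "hold": "was placed on hold",
               "step_up_mfa": "requires additional verification"}[decision]
    return (f"Hi {account.customer_name}, a transfer of {txn.amount:,} from device "
            f"{txn.device_id} at {when} {outcome}. If this was not you, contact us immediately.")


def demo() -> List[Tuple[str, List[str]]]:
    """Evaluate five constructed scenarios and return their decisions."""
    now = datetime(2024, 3, 1, 10, 0)
    acct = Account("Ana",
                   last_credential_change=now - timedelta(hours=2),
                   authorised_devices={"phone-A": now - timedelta(days=30),
                                       "tablet-C": now + timedelta(days=1)})
    scenarios = [
        Transaction(1_000, "phone-A", now),                                    # password changed 2h ago
        Transaction(1_000, "phone-B", now + timedelta(days=2)),                 # device never authorised
        Transaction(80_000, "phone-A", now + timedelta(days=2)),                # high value, no MFA
        Transaction(80_000, "phone-A", now + timedelta(days=2), mfa_passed=True),
        Transaction(1_000, "tablet-C", now + timedelta(days=1, hours=1)),       # device authorised 1h ago
    ]
    return [evaluate(acct, t) for t in scenarios]


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

The gate deliberately holds rather than silently rejects, so the consumer-assistance team mentioned above has a case to act on, and the notification text is generated for every decision, not only for completed transfers.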

What are the BSP’s expectations on the use of technology to mitigate fraud threats, for example to implement monitoring and detection systems?

Plabasan: The BSP has always been technology agnostic. When we set the requirements, we leave it up to the BSFIs to decide how they will address the requirements.

But what we have seen so far when it comes to fraud management systems is that a lot of BSFIs are using AI/ML supported systems. This is because when they need to analyse voluminous data or compare normal versus anomalous behaviour, it really requires artificial intelligence for analysis and to provide meaningful results.

Macatangay: In terms of technology, our expectations are not about the specific technology or the vendor. We are more concerned that the BSFIs are able to deliver on what’s specified in the regulation, such as requirements for their fraud management systems to be real-time and consider inputs from various sources.

We also want BSFIs to make sure they are able to manage the risk that corresponds to the technology that they adopt. For example, if they use AI, they should conduct due diligence to assess the related risks. If they outsource to cloud service providers or other vendors, they should have a process in place to ensure that the vendor is reliable and the service meets the BSFIs’ operational and security requirements.

Plabasan: What we have also seen so far especially from technology-centric BSFIs is that they can shorten the time to deploy and avoid hefty investments in infrastructure if they resort to cloud-based fraud analytics.

A lot of them are in fact deploying software as a service (SaaS) fraud analytics, especially those institutions that are very technology-focused or have just started operations. That said, this can also be quite a challenge for BSFIs that utilise legacy platforms.

What is your approach to ensuring BSFIs have implemented the regulatory requirements on fraud risk management and how will you enforce compliance?

Macatangay: As part of our supervisory process, we conduct regular onsite examinations, which cover the end-to-end process and all risk areas of BSFIs, such as market capital, loans, IT risk management, and AML, among others.

We also conduct thematic reviews to evaluate specific areas of concern. We planned to conduct a thematic review for fraud management in 2023 to check how BSFIs implemented their respective fraud management systems but this was deferred since we are still continuously monitoring the implementation of those that are yet to fully comply. In addition, we understand that some BSFIs are still in the earlier stages of fine-tuning their platforms for fraud management, or others are still working to enhance or develop new solutions.

We will conduct a thematic review for fraud management during 2024 to assess the state of adoption of the new requirements in circular 1140 by the industry and potentially start applying sanctions to noncompliant BSFIs on a case-by-case basis.

Plabasan: Besides onsite examinations and thematic reviews, we have also strengthened our offsite surveillance. So now we have much more frequent interfacing with regulated entities, especially when we are dealing with an important compliance issue like fraud management.

The intention of our enforcement framework is really to elicit a prompt response from the supervised entity. So, yes, we may take enforcement actions against BSFIs depending on the nature and extent of noncompliance with our rules, their fraud profile, the number of complaints, and other factors.

How does your engagement with BSFIs help to drive better fraud management outcomes?

Plabasan: We have a programme where we engage with the Chief Information Security Officers (CISOs) of BSFIs on a quarterly basis to discuss emerging threats and best practices. We have made a lot of effort in terms of active engagement with regulated entities.

In fact, we have also implemented a SupTech solution that enables BSFIs to automate their reporting and further enhances the quality of our communications with them. Based on feedback from BSFIs so far, the platform appears to be helping to reduce the regulatory burden for the industry.

Macatangay: The collaboration with CISOs is very important because much of our research involves global studies to understand how other countries are adapting to similar challenges.

But when it comes to adopting new or adjusting existing regulations in the Philippines, it really requires us to understand how our actions can affect the operations of domestic institutions from those who are working on these issues in the local setting on a day-to-day basis.

This collaboration also ensures our response to issues like fraud risk is more comprehensive, covering all aspects and challenges that arise from any regulatory change. In addition, it aids in the implementation of new regulations because the CISOs will be generally familiar with new requirements in advance, which helps them make the necessary preparations.

Plabasan: We have also found that this collaborative approach promotes greater transparency among supervised entities. For example, when it comes to reporting incidents, we now observe that BSFIs are more transparent because they know that we will uphold the confidentiality of their information and we use a secure platform to facilitate the reporting.

How does the BSP cooperate with other government agencies on addressing fraud and online scams?

Macatangay: We are frequently collaborating with the Department of Information and Communications Technology (DICT), which has delegated to the BSP the function of being the sectoral Computer Emergency Response Team (CERT) for the banking sector. This means we have to communicate with CERT-Ph the major cyber incidents in the banking sector that could have broader impacts on the Philippines.

We also collaborate extensively with law enforcement agencies like the National Bureau of Investigation (NBI) and the Philippine National Police (PNP), sharing information with them on a quarterly basis on crime groups, emerging threats, and other matters.

Plabasan: We also coordinate with the legislative branch of the government on certain bills which need to be prioritised, so it’s really a whole-of-government approach that we are taking to address cyber-related crimes.

Currently, we are pushing for the passage of the Anti-Financial Account Scamming Act (AFASA), which will institutionalise penalties for social engineering-related crimes and online scams, including the use of mule accounts. Under this new law, consumers who allow their accounts to be used by criminals to launder money will face steep penalties.

How does the BSP use information sharing to address fraud threats, such as when dealing with cross-border issues?

Plabasan: We fully recognise the value of information sharing because essentially it allows us and even supervised entities to come up with a proactive response.

For example, if we are able to immediately alert institutions who may also be affected by a similar modus operandi, then it also enhances their preparedness.

Aside from local information sharing platforms, we are also participating in information sharing among central banks in the Southeast Asian region. We also participate in a group within the Bank for International Settlements (BIS) that works on cybercrime, as well as in other international committees where we gain and share threat intelligence.

With regard to investigations, tracking payments, and recovering assets, international collaboration would typically run through the Anti-Money Laundering Council (AMLC) or our law enforcement agencies, which have established arrangements with Interpol and other authorities.

What are your main priorities moving forward in terms of introducing or amending laws and regulations to address fraud risks more comprehensively?

Macatangay: From a fraud risk perspective, the main law we are prioritising is the AFASA.

In terms of our own regulations, we plan to issue a formal regulation on API security on top of the guidelines already issued. This regulation will detail our expectations on API security risk management, the monitoring BSFIs need to perform, and provide other clarifications, to specifically target API-related vulnerabilities.

We are also revisiting the Appendix 79 provisions of the Manual of Regulations for Banks (MORB), which focuses on electronic payment and financial services. We are revisiting this because the provisions were created in 2013, and we see areas for improvement to address emerging threats and make the specified controls more relevant to the current state of our digital environment.

What is the BSP doing to help promote consumer education and awareness regarding fraud risk?

Plabasan: Consumer education is already embedded in our regulations, which include expectations for BSFIs to always consider consumer education when they offer new products and services. Under circular 1140, it should be incorporated right at the start, before the client is onboarded and can avail of digital products and services, not just during the client relationship.

At the same time, we are also heavily utilising our social media channels to educate consumers about cyber hygiene practices, and we work with other government agencies and the private sector in terms of messaging and awareness campaigns.
