To guard consumers against fraud and cyberattacks, the Bangko Sentral ng Pilipinas (BSP) has ordered banks and other financial firms to ramp up security measures, especially when sending text messages or emails to clients.

The central bank said that as financial transactions increasingly shift to digital channels, BSP-supervised companies must adopt robust control measures against cyber fraud and attacks on retail electronic payments and financial services.

In particular, SMS or text messages as well as emails that financial firms send to customers in relation to their banking services must be personalized rather than in a generic form.

Related to this, the BSP advises financial firms to remove clickable links in communications sent to customers.

A basic measure is to send notifications to customers through registered mobile numbers or email addresses when requesting changes to customer information.

This is important in that banks, after thorough risk analysis, should implement mandatory notifications for fund transfers that exceed a predefined amount, delays in activating new security tokens or new device registrations, and a cooling-off period for key account changes.

Restrict critical info

Banks should also restrict officers or representatives from obtaining critical information such as customer passwords, one-time passwords or personal information numbers.

Further, financial firms must create dedicated customer assistance teams for fraud cases, conduct education campaigns against online scams and adopt strong fraud surveillance mechanisms.

These are all spelled out in BSP Memorandum No. 2022-015, issued last March, which requires banks to regularly conduct risk assessments of their product features, business rules and application controls.

According to BSP Governor Benjamin Diokno, the BSP had observed that cyberattacks and fraudulent schemes affect two or more financial institutions at the same time.

“These [affected entities] include the originating and receiving banks, as well as nonbank financial institutions such as e-money issuers, virtual asset service providers and remittance companies,” Diokno had said.