Banks told to tighten online security as cyber attacks rise

MANILA, Philippines - The Bangko Sentral ng Pilipinas (BSP) has directed banks to adopt stricter authentication measures for online transactions to foster secure digital financial services environment and protect consumers against cyber attacks.

BSP Deputy Governor Nestor Espenilla Jr. issued Circular 958 containing amendments to the Manual of Regulations for Banks and Manual of Regulations for non-bank financial institutions to adopt multi-factor authentication techniques for certain transactions.

“This is in response to the increasing propensity and sophistication of cyber-attacks involving fund transfers, payments, and other transactions via online channels,” Espenilla said.

He stated in the circular the amendments align existing regulations, to the extent possible, with leading standards and recognized principles on customer authentication.

Espenilla said all BSP supervised financial institutions are expected to implement the multi-factor authentication by Sept. 30.

He added plan of actions with specific timelines, as well as the status of initiatives being undertaken to achieve full compliance, should be readily available for BSP inspection starting next month.

With the ongoing migration to EMV (Europay, MasterCard, and Visa) technology, the BSP said cyber-attackers face reduced fraud opportunities in traditional schemes which require customers to physically present their payment cards or the so-called “card present transactions” in ATM and/or POS terminals.

Similar to the experience of other countries that have adopted EMV technology, the BSP is then expecting an upsurge of cyber-attacks targeting card-not-present (CNP) transactions in the Philippines that intends to fully shift to the National Retail Payment System (NRPS) by 2020.

CNP transactions are normally done via online through internet or mobile applications such as fund transfers and payment of utility bills; buying airline tickets; online booking of hotels, tours and tickets; online shopping for products and services; and a host of other activities in e-commerce websites and other online or mobile platforms.

“In this regard, the new policy mandates stronger authentication controls and measures to protect online customers as well as address the increasing cyber-threats,” the BSP added.