BSP Circular 1213: IT Risk Management Updates under AFASA

IT risk and fraud controls for EPFS: FMS requirements, transaction pause rules, customer protections, and CSO obligations under AFASA.

Author: Atty. Ferdi
Published: 2025-05-30

BSP Circular No. 1213 (Series of 2025) updates MORB/MORNBFI IT risk rules and MORPS provisions to implement the AFASA requirements on fraud detection, customer protection, and account security for electronic products and services.

Key Changes

  • Expanded IT risk definitions (e.g., FMS, bot detection, device fingerprinting, geolocation monitoring).
  • Mandatory Fraud Management System (FMS) for complex EPFS and high‑value online transactions (>= PHP 75M average monthly network value over the last 6 months).
  • Core fraud rules required: velocity checks, account changes monitoring, geolocation checks, blacklist screening, behavioral anomaly detection.
  • Transaction Pause Period (TPP): 24‑hour pause after key account changes, with limited exceptions.
  • Device and channel controls: block rooted/jailbroken devices and emulators; restrict scripts/automation tools.
  • Strong authentication requirements for high‑risk channels (biometrics, behavioral biometrics, passwordless, adaptive).
  • Customer notification standards for transaction details and account changes.
  • Payee verification and standardized off‑us transaction info exchange.
  • Customer tools mandated: kill switch, permission revocation, money lock, customizable transaction limits.
  • Log retention: minimum 5 years with required transaction metadata.
  • CSO obligations: ACH CSOs must implement FMS for retail ACH monitoring.
  • New transitory timeline: compliance required within 1 year of effectivity.
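The fraud rules and the Transaction Pause Period listed above are easier to reason about as a small rule engine run over sample transfers. The block below is an added illustration, not text from the circular and not any BSFI's actual FMS: the 24-hour TPP is the only value taken from the summary; the velocity window and threshold, the blacklist entry, the allowed-country set, the transaction fields and the audit-log fields are all assumptions chosen for the example.

```python
"""Toy fraud-rule evaluation modelled on the controls summarised above.

Constructed example. Only the 24-hour Transaction Pause Period (TPP) comes
from the circular summary; every other threshold, name and field is an
assumption made for illustration.
"""
from datetime import datetime, timedelta

BASE_TIME = datetime(2025, 6, 1, 9, 0, 0)      # constructed reference time
TPP = timedelta(hours=24)                      # Transaction Pause Period (from the summary)
VELOCITY_WINDOW = timedelta(minutes=10)        # assumed sliding window
VELOCITY_MAX_TXNS = 5                          # assumed max transfers per window
BLACKLISTED_PAYEES = {"PH-ACCT-BAD-001"}       # constructed placeholder entry
ALLOWED_COUNTRIES = {"PH"}                     # assumed expected geography


def at(hours=0, minutes=0):
    """Timestamp relative to BASE_TIME, so scenarios are easy to write."""
    return BASE_TIME + timedelta(hours=hours, minutes=minutes)


def txn(payee, country, when, amount=1000):
    """Minimal transfer record; fields are assumed, not the circular's metadata list."""
    return {"payee": payee, "country": country, "time": when, "amount": amount}


class Customer:
    def __init__(self, customer_id, home_country="PH"):
        self.customer_id = customer_id
        self.home_country = home_country
        self.last_key_change = None   # when the last key account change happened
        self.attempts = []            # timestamps of prior transfer attempts

    def record_key_change(self, when):
        """A key account change (assumed: new device, contact detail, credential) starts the TPP."""
        self.last_key_change = when


def evaluate(customer, t):
    """Apply the rules in order; return (decision, reasons), decision in allow/hold/block."""
    reasons = []

    # Blacklist screening: a known-bad payee is rejected outright.
    if t["payee"] in BLACKLISTED_PAYEES:
        return "block", ["blacklist"]

    # TPP: a transfer inside 24h after a key account change is held for review.
    if customer.last_key_change is not None:
        since_change = t["time"] - customer.last_key_change
        if timedelta(0) <= since_change < TPP:
            reasons.append("tpp")

    # Velocity check: prior attempts inside the sliding window, plus this one.
    recent = [a for a in customer.attempts if t["time"] - a < VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX_TXNS:
        reasons.append("velocity")

    # Geolocation check: origin outside the expected countries is suspicious.
    if t["country"] not in ALLOWED_COUNTRIES | {customer.home_country}:
        reasons.append("geolocation")

    customer.attempts.append(t["time"])   # every attempt counts toward velocity
    return ("hold" if reasons else "allow"), reasons


def audit_record(customer, t, decision, reasons):
    """Entry for the retained log; fields are assumed, not the circular's required metadata."""
    return {
        "ts": t["time"].isoformat(),
        "customer": customer.customer_id,
        "payee": t["payee"],
        "amount": t["amount"],
        "decision": decision,
        "reasons": list(reasons),
    }


if __name__ == "__main__":
    c = Customer("C-001")
    print(evaluate(c, txn("PH-ACCT-OK-123", "PH", at())))
    c.record_key_change(at(hours=1))
    t = txn("PH-ACCT-OK-123", "PH", at(hours=3))
    decision, why = evaluate(c, t)
    print(audit_record(c, t, decision, why))
```

The rules are ordered so that a hard block (blacklist) short-circuits, while the softer signals (TPP, velocity, geolocation) accumulate into a single hold decision whose reasons are written to the audit record; a real FMS would add the calibration and behavioural-anomaly scoring the summary mentions, and the retained record would carry the metadata the circular actually requires.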

Who Is Affected

  • Banks, non-banks, and payment service providers offering EPFS.
  • ACH Clearing Switch Operators (CSOs).
  • IT risk, cybersecurity, and fraud management teams.

Effective Date & Transition

The circular takes effect 15 calendar days after publication in a newspaper of general circulation. BSFIs have one year from effectivity to comply.

Compliance Actions Checklist

  • Deploy or enhance FMS with the required fraud rules and calibration routines.
  • Implement the 24‑hour TPP after key account changes; if the BSFI shortens it, compensate with stronger controls.
  • Block unsafe devices (rooted/jailbroken/emulators) and automation scripts.
  • Upgrade authentication to strong, phishing‑resistant methods for high‑risk use cases.
  • Standardize customer alerts with transaction details and reference numbers.
  • Enable payee verification for off‑us transactions.
  • Provide customer self‑service tools (kill switch, money lock, permission revocation).
  • Strengthen logging and retention for at least 5 years.
  • Ensure CSO FMS readiness for ACH monitoring.

FAQs

What triggers the requirement for a robust FMS? Complex EPFS and high aggregate online transaction volumes (>= PHP 75M average monthly value over 6 months).

Can the TPP be shortened? Yes, but only if strong authentication is in place and the BSFI assumes the related risks.

Do CSOs need their own FMS? Yes. ACH CSOs must implement FMS capabilities for retail ACH monitoring.