The Bangko Sentral ng Pilipinas (BSP) has issued a memo reminding all its supervised financial institutions (BFSIs) to complete their implementation of multi-factor authentication (MFA) techniques for sensitive communications and/or high risk transactions.
Memorandum No. M-2017-031, issued on Wednesday (4 October), is in line with the central bank's Circular No. 958, issued last April, which instructed BFSIs to adopt MFA to better protect their customers from increasingly sophisticated cyberattacks that involve fund transfers, payments, and other online-based transactions.
Under the Circular, financial institutions are required to collect two or more factors to verify their customers' identity before they can enroll in transactional e-services, pay and transfer money to third parties, remit online, perform account maintenance, and use payment cards on e-commerce websites.
The authentication factors can be a combination of something the customer knows (e.g. username, password, mobile PIN, card number, and account number); something the customer has (e.g. payment card, token, and one-time password); and biometrics.
In line with this, the BSP warned that non-compliance with the Circular will be considered a serious offence under the Manual of Regulations for Banks (MORB) and the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI).
The central bank added that BFSIs that fail to complete the implementation of MFA should "disable functionalities used to facilitate sensitive communications and/or high risk transactions" and "implement acceptable interim/compensating controls to mitigate the risk of fraud and protect cardholders".
They will also be subjected to monetary sanctions.