
Banks warned on non-compliance with online authentication measures

Lawrence Agcaoili - The Philippine Star

MANILA, Philippines — The Bangko Sentral ng Pilipinas (BSP) has ordered banks that failed to adopt stricter authentication measures for online transactions to deactivate certain transactions to mitigate the risk of fraud and to protect cardholders.

BSP Deputy Governor Chuchi Fonacier issued Memorandum 2017 – 031 reminding all BSP-supervised financial institutions (BFIs) to comply with Circular 958 on the adoption of multi-factor authentication techniques for sensitive communications and high risk transactions.

Fonacier said non-compliant or partially compliant banks should disable functionalities used to facilitate sensitive communications and high risk transactions.

She added banks that failed to adopt the multi-factor authentication techniques should implement acceptable interim or compensating controls to mitigate the risk of fraud and protect cardholders.

In particular, multi-factor authentication is mandatory for those transactions considered as sensitive communications and/or high-risk such as enrollment in transactional e-services, payments and fund transfers to third parties, online remittance, account maintenance and use of payment cards in e-commerce websites, among others.

The process uses a combination of two or more authentication factors: knowledge, or something the user knows, such as a password or PIN; possession, or something the user has, such as a payment card or a one-time password generated through a security token or sent via SMS; and inherence, or something inherent to the user, such as a fingerprint or retinal pattern.

Fonacier said non-compliance with the circular is classified as a ‘serious offense’ under the Manual of Regulations for Banks and Manual of Regulations for Non-Bank Financial Institutions.

Violators, she added, face monetary sanctions.

Last April, the BSP issued the circular due to the increasing propensity and sophistication of cyber-attacks involving fund transfers, payments, and other transactions via online channels.

With the ongoing migration to EMV (Europay, MasterCard, and Visa) technology, the BSP said cyber-attackers face reduced fraud opportunities in traditional schemes that require customers to physically present their payment cards, the so-called “card-present transactions” at ATM and/or POS terminals.

            
