THE BANGKO SENTRAL ng Pilipinas (BSP) is considering requiring different authentication measures for banks, depending on the volume of transactions they process, as bigger lenders face higher risks than smaller ones.

More sophisticated fraud management systems (FMS) would also require higher investments, which could burden smaller banks, officials said.

BSP Technology Risk and Innovation Supervision Department Deputy Director Maricris A. Salud told reporters on the sidelines of a media briefing on Wednesday that they may require more stringent authentication measures for banks that process larger transactions, which is a practice in other countries.

They are studying the matter as smaller banks have said that they may be unable to immediately implement the FMS requirement under the Anti-Financial Account Scamming Act (AFASA), Ms. Salud said.

The AFASA was signed into law by President Ferdinand R. Marcos, Jr. in July 2024 and aims to help prevent and penalize digital financial cybercrime.

“We’re giving them some leeway to incorporate these new controls… But depending on the nature of their clients, if they’re really very sophisticated and they see that they can transition into these new forms of technology, then they should already have invested in those types of authentication,” Ms. Salud said.

“Some digital banks are already using like this type of advanced authentication… It’s a balance of what their business needs are and also the security.”

Based on the regulator’s gap assessment, while bigger banks said they are on track to have their FMS ready within a year, other lenders said they would need to re-engineer some of their systems or processes to be able to comply, she said.

“The cost of the FMS varies depending on the sophistication, features and functionalities available. The sophisticated FMS deployed by the bigger banks normally range from P30-P50 million. In some cases, pricing can involve one-time cost and/or recurring costs or base fee plus a fixed fee per transaction,” Ms. Salud said.

“These are very expensive. But, you know, that’s the price of going into these payment systems, these new technologies. If you offer a product, there has to be safety measures to ensure that the user will be safe… It’s part of doing business,” BSP Deputy Governor Elmore O. Capule said at the same briefing. “And because of competition, I think they will be able to manage the cost. They know this. When we started with digital banking, what we encountered first were viruses… Now, it’s just one step in the evolution.”

Mr. Capule said banks that cannot comply with the FMS requirement will face sanctions and penalties.

“If somebody gets defrauded and their system is not ready, … they can be the ones civilly liable. So, instead of going after the scammer, the institution will have to pay because they failed. That’s what’s in the law. If you fail to comply with the fraud management system, then you can be held civilly liable for the damages caused to the victim. The principle is, had that system been in place,… you would not have been defrauded,” he said.

The BSP this month released three circulars that contain the implementing rules of the AFASA. Banks have been given six months to update their own frameworks to take the AFASA’s implementing rules into account and one year or until June 25, 2026 to adopt FMS and new security measures for consumers as alternatives or to supplement one-time passwords.

Prohibited acts or offenses under the AFASA include money mule activities and social engineering schemes, which could be considered economic sabotage if it involves three or more people as perpetrators or victims, mass mailers, or human trafficking, as well as opening a financial account under a fictitious name or using the identity or identification documents of another person. — A.M.C. Sy