Consistent with the BSP’s initiatives to foster a secure digital financial services environment, the Monetary Board (MB) recently approved the amendments to existing regulations mandating BSP supervised financial institutions (BSFIs) to adopt multi-factor authentication (MFA) techniques for certain transactions. This is in response to the increasing propensity and sophistication of cyber-attacks involving fund transfers, payments and other transactions via online channels.
With the ongoing migration to EMV technology, cyber-attackers face reduced fraud opportunities in traditional schemes that require customers to physically present their payment cards, the so-called “card present transactions,” at ATM and/or POS terminals. Consistent with the experience of other countries that have adopted EMV technology, the BSP therefore expects an upsurge of cyber-attacks targeting card-not-present (CNP) transactions in the Philippines. CNP transactions are normally done online through internet or mobile applications, such as fund transfers and payment of utility bills through a bank’s internet banking system; buying airline tickets through an airline’s website; online booking of hotels, tours and tickets; online shopping for products and services; and a host of other activities on e-commerce websites and other online/mobile platforms. In this regard, the new policy mandates stronger authentication controls and measures to protect online customers and to address the increasing cyber-threats.
The enhancement to the regulation aims to reinforce the BSFIs’ adoption of more stringent security controls for certain types of transactions. In particular, MFA is mandatory for transactions considered sensitive communications and/or high-risk, such as enrollment in transactional e-services, payments and fund transfers to third parties, online remittance, account maintenance and use of payment cards on e-commerce websites, among others. Nevertheless, the policy supports a risk-based approach that provides for alternative and less stringent authentication procedures for identified low-risk transactions. It also gives BSFIs elbow room to be flexible in MFA adoption, taking into account peculiarities in their products, services and operational processes.
MFA makes use of a combination of two or more authentication factors from different categories: (1) knowledge, or something the user knows, such as a password or PIN; (2) possession, or something the user has, such as a payment card or a one-time password (OTP) generated by a security token or sent via SMS; and (3) inherence, or something inherent to the user, such as a fingerprint or retinal pattern. This provides a more reliable authentication method and a stronger fraud deterrent that limits unauthorized access and protects the integrity of customer data and transaction details. This in turn contributes to increased customer confidence, leading to more prevalent use of digital financial services, which is aligned with the National Retail Payment System (NRPS) objective of a cash-light economy by 2020.
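To illustrate the two rules above, that MFA is mandatory for the listed high-risk transaction types while low-risk ones may use lighter authentication, and that the factors must come from two or more distinct categories (a password plus a PIN are both "knowledge" and do not count as MFA), here is an added Python policy check. It is an example written for this page, not code from the BSP or any BSFI; the transaction-type labels and the low-risk set are constructed assumptions.

```python
from __future__ import annotations
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows: password, PIN
    POSSESSION = "possession"  # something the user has: payment card, OTP token/SMS
    INHERENCE = "inherence"    # something the user is: fingerprint, retinal pattern


# Transaction types the policy names as sensitive/high-risk (MFA mandatory).
# Labels are constructed for this example.
HIGH_RISK = {
    "enroll_eservice", "third_party_payment", "third_party_fund_transfer",
    "online_remittance", "account_maintenance", "cnp_card_payment",
}
# Constructed examples of the low-risk transactions the risk-based approach allows
# to use less stringent authentication (assumption, not taken from the page).
LOW_RISK = {"balance_inquiry", "own_account_transfer"}


def required_factor_categories(txn_type: str) -> int:
    """Minimum number of distinct factor categories for a transaction type."""
    if txn_type in HIGH_RISK:
        return 2
    if txn_type in LOW_RISK:
        return 1
    return 2  # unknown transaction types fail closed to the stricter requirement


def authorize(txn_type: str, presented: list[tuple[str, Factor]]) -> tuple[bool, str]:
    """Decide whether the presented credentials satisfy the policy for txn_type.

    The count is over distinct *categories*, not over credentials: two
    knowledge factors (password + PIN) still leave only one category satisfied.
    """
    needed = required_factor_categories(txn_type)
    have = {category for _, category in presented}
    if len(have) >= needed:
        return True, f"{txn_type}: {len(have)} distinct category(ies), {needed} required"
    missing = [f.value for f in Factor if f not in have]
    return False, f"{txn_type}: need {needed} categories, have {len(have)}; add one of {missing}"


if __name__ == "__main__":
    # Constructed sample: a third-party transfer attempted with password + PIN only.
    print(authorize("third_party_fund_transfer",
                    [("password", Factor.KNOWLEDGE), ("pin", Factor.KNOWLEDGE)]))
```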
By 30 September 2017, all BSFIs are expected to have implemented MFA. Further, plans of action with specific timelines, as well as the status of initiatives being undertaken to achieve full compliance, should be readily available for BSP inspection starting May 2017.