When using mobile or digital devices, it’s crucial to be cautious about phishing attempts and other exploitative schemes. There have been instances where scams, disguised as official bank communications, manipulate customers into sharing sensitive information, resulting in unauthorized transactions.
On March 22, 2022, the Bangko Sentral ng Pilipinas (BSP) issued a memorandum adding eight more control measures against these attacks. It mandates that BSP-supervised financial institutions (BSFIs) conduct continuing risk assessments of their product features and carry out mitigation and improvement measures.
The BSP advises removing clickable links from emails and text messages sent to customers. It also requires BSFIs to run strong information campaigns telling customers that BSFIs will no longer send such links, so that any message containing one can be treated as suspect.
For changes to customer details, financial institutions should notify customers, through their existing registered mobile number or email address (the channel on record before the change, not the newly requested one), of any request to revise their mobile number, email address, or other customer data.
It also requires that controls be implemented following the risk analysis and assessment, such as mandatory fund transfer notifications to customers via SMS and email for transactions above a set amount. The memorandum also includes a holding period, or delay, before a new soft token is activated on a mobile device, and a cooling-off period between requested account changes such as email addresses and mobile phone numbers.
The BSP also recommends that BSFIs provide:
- Personalized SMS/email one-time password (OTP) messages for device registrations, fund transfers, and profile updates.
- Restrictions preventing officers or representatives from manually obtaining or asking for critical authentication information such as customer passwords and OTPs/PINs.
- Customer assistance teams that address potential fraud cases on a priority basis.
- A regular education campaign against online scams and phishing schemes for customers.
- A strong fraud surveillance mechanism to ensure active responses to the increase in online scams.
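As an added illustration that is not part of the memorandum or of Third Pillar's software, the Python sketch below shows how an account-servicing back end could enforce several of the controls described above: the cooling-off period between profile changes, the holding period before a new soft token becomes usable, OTP messages that state exactly what the code authorizes (and codes that are refused for any other request), notification of the channels on record before a contact detail changes, and notification of transfers above a threshold. The time windows, the PHP 5,000 threshold, the OTP lifetime, the account fields, the clock and the sample customer are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import hmac
import secrets

COOLING_OFF = timedelta(hours=24)   # assumed gap required between two profile changes
TOKEN_HOLD = timedelta(hours=12)    # assumed delay before a newly registered soft token works
NOTIFY_THRESHOLD = 5_000            # assumed amount (PHP) above which transfers are notified
OTP_TTL = timedelta(minutes=5)      # assumed OTP lifetime
T0 = datetime(2022, 3, 22, 9, 0, tzinfo=timezone.utc)   # constructed clock for the demo

def at(hours):
    return T0 + timedelta(hours=hours)   # constructed timestamp: T0 plus N hours

class ControlViolation(Exception): """Raised when a request is blocked by one of the controls."""

@dataclass
class Account:
    email: str
    mobile: str
    last_profile_change: Optional[datetime] = None
    soft_token_registered_at: Optional[datetime] = None
    pending_otp: Optional[tuple] = None                  # (code, purpose, context, expires)
    notifications: list = field(default_factory=list)    # (channel, message) pairs

def notify(acct, message):
    # Both registered channels get every notice, so a takeover of one shows up on the other.
    for channel in ("email:" + acct.email, "sms:" + acct.mobile):
        acct.notifications.append((channel, message))

def issue_otp(acct, purpose, context, now):
    """Issue a 6-digit OTP whose message spells out exactly what it authorises."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_otp = (code, purpose, context, now + OTP_TTL)
    notify(acct, f"OTP {code} for {purpose}: {context}. Never share it, even with bank staff.")
    return code

def verify_otp(acct, code, purpose, context, now):
    """Single-use check that also binds the code to the purpose and context it was issued for."""
    pending, acct.pending_otp = acct.pending_otp, None
    if pending is None or now > pending[3]:
        raise ControlViolation("no valid OTP outstanding")
    if not (hmac.compare_digest(pending[0], code) and pending[1:3] == (purpose, context)):
        raise ControlViolation("OTP does not match this request")

def request_profile_change(acct, field_name, new_value, code, now):
    """Change email or mobile only outside the cooling-off window and with a matching OTP."""
    if acct.last_profile_change is not None and now - acct.last_profile_change < COOLING_OFF:
        raise ControlViolation("cooling-off period since the last change has not elapsed")
    verify_otp(acct, code, "profile update", f"{field_name} -> {new_value}", now)
    # Notify before applying, so the notice reaches the channels on record, not the new one.
    notify(acct, f"Your {field_name} was changed from {getattr(acct, field_name)} to {new_value}.")
    setattr(acct, field_name, new_value)
    acct.last_profile_change = now

def register_soft_token(acct, code, now):
    verify_otp(acct, code, "device registration", "new soft token", now)
    acct.soft_token_registered_at = now
    notify(acct, f"A new soft token was registered; it becomes active after {TOKEN_HOLD}.")

def soft_token_active(acct, now):
    reg = acct.soft_token_registered_at
    return reg is not None and now - reg >= TOKEN_HOLD

def fund_transfer(acct, amount, recipient, code, now):
    """Assumed flow: transfers come from the app, so they need an active soft token plus an OTP."""
    if not soft_token_active(acct, now):
        raise ControlViolation("soft token is still in its holding period")
    verify_otp(acct, code, "fund transfer", f"PHP {amount} to {recipient}", now)
    if amount > NOTIFY_THRESHOLD:
        notify(acct, f"Transfer of PHP {amount} to {recipient} completed.")
    return True

def attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except ControlViolation:
        return "blocked"

def demo():
    """Walk a constructed customer through the controls and report each outcome."""
    acct = Account(email="customer@example.com", mobile="+639170000000")
    r = {}
    register_soft_token(acct, issue_otp(acct, "device registration", "new soft token", at(0)), at(0))
    ctx = "PHP 20000 to 1234567890"
    code = issue_otp(acct, "fund transfer", ctx, at(1))
    r["transfer_during_hold"] = attempt(fund_transfer, acct, 20000, "1234567890", code, at(1))
    code = issue_otp(acct, "fund transfer", ctx, at(13))
    r["otp_reused_for_other_recipient"] = attempt(fund_transfer, acct, 20000, "9999999999", code, at(13))
    code = issue_otp(acct, "fund transfer", ctx, at(13))
    r["transfer_after_hold"] = attempt(fund_transfer, acct, 20000, "1234567890", code, at(13))
    code = issue_otp(acct, "profile update", "mobile -> +639180000000", at(14))
    r["first_change"] = attempt(request_profile_change, acct, "mobile", "+639180000000", code, at(14))
    code = issue_otp(acct, "profile update", "email -> other@example.com", at(15))
    r["change_within_cooling_off"] = attempt(request_profile_change, acct, "email", "other@example.com", code, at(15))
    r["notice_to_old_mobile"] = any(ch == "sms:+639170000000" and "changed from" in m for ch, m in acct.notifications)
    return r
```

Running `demo()` shows the transfer attempted one hour after token registration refused, an OTP issued for one recipient refused for another, the second profile change refused inside the cooling-off window, and the change notice delivered to the mobile number that was on record before the change. In a real deployment the pending OTP and timestamps would live in server-side storage rather than on the in-memory object, and the SMS/email sending would be a real gateway call, but the checks themselves are the same.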
BSFIs are encouraged to collaborate in facilitating fraud investigation and recovery of funds using information-sharing platforms, such as the Bankers Association of the Philippines Cyber Incident Database.
We at Third Pillar support this memorandum through our software services and implementation process. Our team aims to help companies avoid these threats, comply easily with today's regulations, and make their customers less vulnerable to other cyberattack schemes.