AFASA: A milestone in cybersecurity for Philippine banking

By Pierce Oel A. Montalvo

IT’S ONE SMALL STEP for the central bank, and one giant leap for the Philippine banking industry.

Signed last July, the new Anti-Financial Account Scamming Act (AFASA) signifies the most comprehensive attempt yet to protect Filipino consumers from digital financial crimes.

Beyond the short term, the AFASA serves as a cornerstone for the central bank’s 2024–2029 Financial Services Cyber Resilience Plan. The plan outlines a comprehensive roadmap and key framework designed to strengthen the financial services sector’s resilience against cyber threats.

“It will protect our people from falling prey to perpetrators who target their banks and e-wallet accounts,” President Ferdinand R. Marcos, Jr. said during the signing ceremony of the law.

The legislation reflected a shared commitment among government and financial leaders to address the growing threat of cybercrime head-on.

“We express our full support for the new anti-financial account scamming law. This will help us strengthen consumer protection and foster trust and confidence in the Philippine financial system,” said Bangko Sentral ng Pilipinas (BSP) Governor Eli M. Remolona, Jr.

Online scams continue to happen just about anywhere, and at unprecedented rates. A study by the nonprofit Global Anti-Scam Alliance revealed that approximately $1.03 trillion was lost by consumers worldwide in scams in 2023.

According to data from the same study, the Philippines would have lost an estimated P459.98 billion from digital scams during the same year, or 1.9% of its economic output.

Cybersecurity firm Kaspersky also reported that the Philippines recorded the highest number of financial phishing attempts targeting business devices in Southeast Asia in 2023, with 163,279 incidents detected and blocked throughout the year.

The BSP further reported that 59.48% of cyber fraud losses among BSP-supervised financial institutions (BSFIs) in 2023 were attributed to account takeovers, identity theft, and phishing. Overall, cyber fraud losses surged by 212% compared to 2022.

“[T]his is essential in this time as cybercriminals use technology to defraud fellow Filipinos — causing not only personal economic loss through them but also a loss of trust in financial institutions,” said Mr. Marcos.

These figures underscored the urgency of robust legal and institutional measures to combat digital financial crimes. The specifics of the AFASA reveal how the BSP aims to reinforce financial security in the Philippines.

THE LAW IN BRIEF

AFASA seeks to strengthen security measures and boost consumer confidence in the expanding financial technology sector. According to an annual report by Fintech News Philippines, e-money accounts grew by 12.9% to 47.6 million as of the second quarter of 2022.

Meanwhile, data from the Bangko Sentral ng Pilipinas (BSP) revealed that the proportion of Filipino adults with bank accounts rose to 65% in 2022, up from 56% in 2021.

A key element of the AFASA is its explicit definition of “financial account scamming,” which points to a range of illicit activities.

These include traditional money muling operations, where individuals utilize their accounts to facilitate the transfer of illicit funds.

“[Money muling operations include] opening accounts using fake names or identity documents belonging to other people and selling or renting out financial accounts,” said Atty. Nicasio A. Conti, chief executive officer of research and intelligence agency Capstone-Intel, in a Messenger chat.

The AFASA also recognizes social engineering schemes as a form of financial account scamming.

“Examples of social engineering schemes include impersonating a representative of an institution to obtain sensitive information or using electronic communications to deceive someone and gain access to their information,” said Mr. Conti.

The AFASA also designates money muling or social engineering as “economic sabotage” if it involves: (a) conspiracy of three or more people; (b) three or more victims; (c) mass mailers; or (d) human trafficking.

“There is no specific threshold for amount involved or specific pattern to be considered to qualify a money muling activity or a social engineering scheme as economic sabotage,” said the BSP in a statement.

“As long as the money muling activity or social engineering scheme is committed in the manner mentioned above, it shall be considered economic sabotage.”

Penalties under AFASA are extensive. Money muling carries 6-8 years imprisonment and/or fines from P100,000 to P500,000. Social engineering scams result in 10-12 years (up to 14 if the victim is a senior citizen) and fines up to P1 million (or up to P2 million for senior citizen victims).

Economic sabotage can lead to life imprisonment and fines up to P5 million.

BSFIs will also be responsible for reimbursing customers who lose money due to scams if the bank didn’t have proper anti-fraud measures in place or acted negligently. They will also be liable if they fail to freeze funds involved in a disputed transaction as required by the new law.

“For claims not exceeding P10 million, aggrieved account holders may file a formal complaint for adjudication before the Consumer Complaints Resolution Office of the BSP,” the central bank said.

The scope of AFASA extends beyond traditional banking services as well. Mr. Conti said that the AFASA covers all types of financial accounts, including deposit accounts, trust accounts, investment accounts, credit card accounts, and electronic wallets.

This broad coverage ensures comprehensive protection against various forms of financial account scamming across the board.

The AFASA also compels all BSFIs to adopt more rigorous measures to protect consumers. In a memorandum elaborating upon AFASA’s prescribed risk management systems, the BSP reinforces the responsibility of BSFIs to employ proper fraud management systems, infrastructure and security monitoring, multi-factor authentication, and user enrollment and verification processes.

According to the same memorandum, BSFIs are now expected to keep extensive audit trails for e-service transactions. BSFIs must now also undergo annual vulnerability and penetration testing by independent external parties.

“The degree of sophistication and layers of risk management system and controls depends on the size, nature and complexity of BSFIs’ business models and operations,” said the BSP.

Another highlight of the new law is the heightened power of the BSP in its investigation of financial accounts.

“BSP deemed it necessary to obtain new powers to help law enforcement authorities (LEAs) and competent government agencies in preventing and combatting financial account scams,” the BSP added.

Through the AFASA, the BSP gains the power to investigate suspicious transactions and share related information with law enforcement.

The BSP emphasized that financial account investigations would require prior evidence of potential involvement in money muling or social engineering schemes, and that any resulting information would be shared solely with LEAs and relevant government authorities.

“Any information that may be shared by BSP should be used solely for the purpose of filing and prosecuting a criminal case for violation of the AFASA,” said the BSP.

Consequently, bank secrecy laws do not apply to financial accounts under investigation by the BSP.

These exemptions apply to the Law on Secrecy of Bank Deposits, the Foreign Currency Deposits Act of the Philippines, and the Revised Non-Stock Savings and Loan Association Act of 1997.

This measure modifies the application of said laws, facilitating greater government oversight for investigations made by the BSP.

“It should be understood, however, that the authority to enforce penal provisions of the AFASA, including the powers to investigate and prosecute the prohibited acts defined under the law, make arrests and to file criminal complaints, are still lodged with the LEAs and appropriate authorities,” the BSP said.

THE SENTIMENT

By enhancing security, the AFASA aims to boost consumer confidence and promote wider use of financial services, aligning with the BSP’s goals for a robust digital financial ecosystem.

However, according to the Bankers Association of the Philippines (BAP), the strict measures of the AFASA may lead to unintended outcomes.

“For example, the rapid freeze and verification requirements may introduce operational delays, particularly if the verification process or industry-wide reporting mechanisms lack standardization,” the BAP said in an e-mail interview.

“This could result in temporary inconveniences for legitimate account holders and delays in fund access during verification procedures.”

Carlos T. Tengkiat, chief information security officer for Rizal Commercial Banking Corp., said that there should be no unforeseen consequences arising from the new law.

“There are safeguards in place [that] also penalize those who seek to abuse the information sharing portion of the investigation among various public and private sector personnel,” he said in an e-mail.

The BAP also said that informal sector participants who lack understanding of the legal risks associated with account misuse may initially face challenges.

The BSP’s 2021 financial inclusion survey revealed that only 7% of Filipinos have attended a seminar on financial literacy.

Furthermore, in the same survey, only 2% of Filipino respondents answered all six basic financial literacy questions correctly.

“This emphasizes the need for an extensive public awareness campaign to inform the public and SMEs of AFASA’s regulations and discourage them from unknowingly participating in money-muling activities,” said the BAP.

“The informal financial sector would benefit because the law gives avenues for them for investigation as well as restitution for the crimes committed against them,” said Mr. Tengkiat.

Capstone-Intel’s Mr. Conti said that balancing strict security protocols with a smooth customer experience will also be a critical concern.

“Of course, there still are the provisions of the Data Privacy Act. Overly stringent measures could frustrate users, so banks need to focus on user-friendly yet secure solutions.”

Mr. Tengkiat also said that the shifting landscape of technologies as well as the creativity of fraudsters would be a potential challenge.

“These may make controls fluid. To cope with these, financial institutions must be able to anticipate new threats, adopt new technologies as well as preserving good customer experience when their services are used,” Mr. Tengkiat said.

Despite the new law, trust in financial technology remains compromised among Filipino consumers as scams persist in the country’s financial landscape.

“I’m usually very careful,” said Nikki Bryce Roque, in his Facebook post, recounting how he lost his entire mobile wallet balance to financial account scammers last November.

A seemingly legitimate text message, sent through the wallet’s official SMS number, alerted Mr. Roque to an impending insurance renewal and prompted him to click a link to cancel the charge.

The link led him through a series of supposedly official web pages requesting his one-time password and mobile wallet PIN, resulting in an unauthorized transaction that drained his account dry.

“They can even invade legit sites and incorporate their scamming mechanisms there,” said Mr. Roque in a Messenger chat.

A recent survey by mobile operator trade body GSMA reveals that 71.4% of Filipinos perceive growing risks to account security, with financial fraud being a major concern.

Furthermore, a 2023 GSMA survey revealed that 67% of Filipinos did not report instances of scams to law enforcement. Reporting was hampered by complexity, perceived ineffectiveness, and uncertainty about where to report.

When asked if he believed he was adequately informed by his banks, service providers, or even the BSP, Mr. Roque said: “No, I didn’t even know it exists.”

Another e-wallet user and scam victim, who requested to remain anonymous, also said that he was not aware of the law’s existence.

Investigations by his service provider regarding his case claimed that one-time passwords were sent only to the user’s device, a claim the user says is impossible.

He has since contacted both his e-wallet service provider and the BSP through official channels about his incident, but has heard no response from the central bank. “It feels like they didn’t take any action regarding my concern. They didn’t even reach out to me once.”

Mr. Roque said that the new law has only transferred the responsibility to central banks and not to the institutions that need more stringent security features.

“If the bank heavily invests in the investigation phase rather than strengthening its security features, it means they are willing to let their clients get robbed as long as they are not held legally liable.”

Nonetheless, the BAP remains optimistic.

“The BAP anticipates that AFASA will encourage the sector to expand product offerings focused on account security and fraud prevention, which aligns with the association’s goals of elevating cybersecurity standards in Philippine banking and providing consumers with secure, reliable financial services,” the BAP said.
