Banks that fail to adopt multi-factor authentication (MFA) for card transactions will be liable for a “serious offense,” the Bangko Sentral ng Pilipinas (BSP) said.
In a memorandum, central bank Deputy Governor Chuchi Fonacier noted that the September 30 deadline for BSP-supervised financial institutions (BSFIs) to adopt MFA techniques had lapsed.
“In this regard, the BSP reiterates that non-compliance with the aforementioned requirement shall be classified as ‘serious offense’…,” she said.
Pending full implementation of MFA solutions, Fonacier said, non-compliant or partially compliant BSFIs should undertake one of the following:
• disable functionalities used to facilitate sensitive communications and/or high risk transactions; or
• implement acceptable interim/compensating controls to mitigate the risk of fraud and protect cardholders.
The Bangko Sentral ordered the adoption of MFA in response to increasingly sophisticated cyberattacks directed at fund transfers, payments and other online transactions.
It expects cyber attackers to come up with new schemes as the banking industry migrates automated teller machines (ATMs) and payment cards to chip-based EMV technology and phases out magnetic stripes.
The regulator had said that with the ongoing migration to EMV technology, cyber attackers have fewer fraud opportunities through traditional schemes that require a customer’s card to be physically presented or used at ATMs and point-of-sale terminals.
It expects cyber attacks to zero in on card-not-present (CNP) transactions, as has happened in other countries that have adopted EMV technology.
CNP transactions are done online using internet or mobile applications for fund transfers, bill payments, ticket purchases and many others. Online shopping and a host of other e-commerce activities are also popular targets.
In this regard, the policy mandates stronger authentication controls and measures to protect customers as well as address increasing cyber-threats, the BSP said.
The rule is consistent with initiatives to foster a secure digital financial services environment, it said, adding that the enhanced regulation aims to reinforce BSFIs’ security controls for certain types of transactions.
MFA is mandatory for transactions considered as sensitive communications and high-risk, such as enrollment in transactional e-services, payments and fund transfers to third parties, online remittance, account maintenance and use of payment cards in e-commerce websites, among others.
The central bank noted that MFA combines two or more factors of different kinds, such as a supplementary query (something the customer knows), a one-time password (something the customer has) or fingerprints or retinal patterns (something the customer is). This provides a more reliable authentication method and a stronger fraud deterrent than a password alone.
This would lead to higher customer confidence, the BSP said, leading to increased use of digital financial services aligned with the National Retail Payment Systems objective of a cash-light economy by 2020.