701 ELECTRONIC BANKING SERVICES

701 ELECTRONIC BANKING SERVICES

The following are the guidelines concerning electronic banking activities.

Application. Banks wishing to provide and/or enhance existing electronic banking services shall submit to the Bangko Sentral an application describing the services to be offered/enhanced and how it fits the bank’s overall strategy. This shall be accompanied by a certification signed by its president or any officer of equivalent rank and function to the effect that the bank has complied with the following minimum pre-conditions:

a. An adequate risk management process is in place to assess, control, monitor and respond to potential risks arising from the proposed electronic banking activities;

b. A manual on corporate security policy and procedures exists that shall address all security issues affecting its electronic banking system, particularly the following:

(1) Authentication – establishes the identity of both the sender and the receiver; uses trusted third parties that verify identities in cyberspace;

(2) Non-repudiation – ensures that transactions cannot be repudiated or presents undeniable proof of participation by both the sender and the receiver in a transaction;

(3) Authorization – establishes and enforces the access rights of entities (both persons and/or devices) to specified computing resources and application functions; also locks out unauthorized entities from physical and logical access to the secured systems;

(4) Integrity – assures that data have not been altered; and

(5) Confidentiality – assures that no one except the sender and the receiver of the data can actually understand the data.

c. The system had been tested prior to its implementation and that the test results are satisfactory. As a minimum standard, appropriate systems testing and user acceptance testing should have been conducted; and

d. A business continuity planning process and manuals have been adopted which should include a section on electronic banking channels and systems.

Pre-screening of applicants.

a. The Bangko Sentral, thru the Technical Working Group on Electronic Banking, shall pre-screen the overall financial condition as well as the applicant-bank’s compliance with Bangko Sentral rules and regulations based on the latest available Bank Performance Rating (BPR) and Report of Examination (ROE) including CAMELS Rating.

b. The Working Group shall ensure that the applicant bank’s overall financial condition can adequately support its electronic banking activities and that it shall have complied with certain comprehensive prudential requirements such as, but not limited to, the following:

(1) Minimum capital requirement and net worth to risk assets ratio;

(2) Satisfactory solvency, liquidity and profitability positions;

(3) CAMELS composite rating of at least 3, (this number, however can be flexible depending on other circumstances prevailing), and with at least a moderate risk assessment system (RAS) based on the latest regular examination; and

(4) There are no uncorrected major findings/exceptions noted in the latest Bangko Sentral examination.

Approval in principle.

a. Based on the recommendation of the Technical Working Group on Electronic Banking, the Deputy Governor of the appropriate sector of the Bangko Sentral, shall approve in principle the application so that banks may immediately launch and/or enhance their existing electronic banking services.

b. Banks shall be informed of the conditional approval of the Deputy Governor of the appropriate sector of the Bangko Sentral and they shall in turn notify the Bangko Sentral on the actual date of its launching/enhancement.

Documentary requirements.

a. Within thirty (30) calendar days from such launching/enhancement, banks shall submit to the appropriate supervising department of the Bangko Sentral for evaluation, the following documentary requirements:

(1) A discussion on the banking services to be offered/enhanced, the business objectives for such services and the corresponding procedures, both automated and manual, offered through the electronic banking channels;

(2) A description or diagram of the configuration of the bank’s electronic banking system and its capabilities showing:

(i)  how the electronic banking system is linked to other host systems or the network infrastructure in the bank;

(ii) how transaction and data flow through the network;

(iii) what types of telecommunications channels and remote access capabilities (e.g., direct modem dial-in, internet access, or both) exist; and

(iv) what security controls/measures are installed;

(3) A list of software and hardware components indicating the purpose of the software and hardware in the electronic banking infrastructure;

(4) A description of the security policies and procedures manual containing:

(i)  description of the bank’s security organization;

(ii) definition of responsibilities for designing, implementing, and monitoring information security measures; and

(iii)established procedures for evaluating policy compliance, enforcing disciplinary measures and reporting security violations;

(5) A brief description of the contingency and disaster recovery plans for electronic banking facilities and event scenario/problem management plan/ program to resolve or address problems, such as complaints, errors and intrusions and the availability of back-up facilities;

(6) Copy of contract with the communications carrier, arrangements for any liability arising from breaches in the security of the system or from unauthorized/fraudulent transactions;

(7) Copy of the maintenance agreements with the software/hardware provider/s; and

(8) Latest report on the periodic review of the system, if applicable.

b.  If after the evaluation of the submitted documents, the Working Group has still some unresolved issues and gray areas, the bank may be required to make a presentation of its electronic banking transactions to the Bangko Sentral.

Conditions for Monetary Board approval. Upon completion of evaluation, the appropriate recommendation shall be made to the Monetary Board. The following shall be the standard conditions for approval:

a. Existence at all times of appropriate top-level risk management oversight;

b. Operation of electronic banking system outsourced to a third party service provider taking into consideration the existence of adequate security controls and the observance of confidentiality [as required in R.A. No. 1405 (Bank Secrecy Law)] of customer information;

c. Adoption of measures to properly educate customers on safeguarding of user ID, PIN and/or password, use of bank’s products/services, actual fees/bank charges thereon and problem/error resolution procedures;

d. Clear communication with its customers in connection with the terms and condition which would highlight how any losses from security breaches, systems failure or human error will be settled between the bank and its customers;

e. Customer’s acknowledgement in writing that they have understood the terms and conditions and the corresponding risks that entail in availing electronic banking service;

f. The bank’s oversight process shall ensure that business expansion shall not put undue strains on its systems and risk management capability;

g. The establishment of procedures for the regular review of the bank’s security arrangements to ensure that such arrangements remain appropriate having regard to the continuing developments in security technology;

h. Strict adherence to Bangko Sentral regulations on fund transfers in cases where clients use the electronic banking services to transfer funds;

i. The electronic banking service shall not be used for money laundering or other illegal activities that will undermine the confidence of the public; and

j.  The Bangko Sentral shall be notified in writing thirty (30) days in advance of any enhancements that may be made to the online electronic banking service.

Requirements for banks with pending applications. The same procedure and requirements stated in the foregoing shall apply to all banks with pending applications with the Bangko Sentral, except on the submission of the documents enumerated in in this Section. Banks which have already submitted all the required information/documents need not comply with this requirement.

Exemption. Electronic banking services that are purely informational in nature are exempted from these regulations: Provided, however, That should such services be upgraded to transactional service, then prior Bangko Sentral approval shall be required.

Sanctions. For failure to seek Bangko Sentral approval before launching/enhancing/implementing electronic banking services, and/or submit within the prescribed deadline the required information/documents, the following monetary penalties and/or suspension of electronic banking activities or both, shall be imposed on erring banks and/or its officers:

Monetary penalties Amount

a. For responsible officer/s and/or director/s – for failure to seek prior Bangko Sentral approval and/or for non-submission, delayed submission of required information/documents

a one time penalty of P200,000

b. On the bank – for failure to seek prior Bangko Sentral and/or for non-submission/delayed submission of required information/documents

P30,000 per day starting from the day the offense was committed up to the time the same was corrected