IT RISK MANAGEMENT STANDARDS AND GUIDELINES
Area: Electronic Banking, Electronic Payment, Electronic Money and Other Electronic Products and Services
(Appendix to Sec. 148 on Purpose and Scope, and IT Risk Management Systems)
1.1. Continuing technological innovation and competition among existing FIs and new entrants have contributed to a wide array of electronic products and services (e-services) available to customers. These products and services have been widely adopted by BSFIs in recent years and are now a component of most institutions’ business strategy. Electronic delivery of services can have many benefits for BSFIs and their customers and can also have implications on financial condition, risk profile, and operating performance. The emergence of e- services may contribute to improving the efficiency of the banking and payment system, reducing the cost of retail transactions nationally and internationally and expanding the target customers beyond those in traditional markets. Consequently, BSFIs are therefore becoming more aggressive in adopting electronic capabilities that include sophisticated marketing systems, remote-banking capabilities, and stored value programs.
1.2. Notwithstanding the significant benefits of technological innovation, the rapid development of electronic capabilities carries risks as well as benefits and it is important that these risks are recognized and managed by BSFIs in a prudent manner to promote safe and secure e-services and operations. The basic types of risks generated by e-services are not new, the specific ways in which some of the risks arise, as well as the magnitude of their impact may be new for BSFIs and supervisors. While existing risk management guidelines remain applicable to e-services, such guidelines must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of such activities. As the industry continues to address technical issues associated with e-services, including security challenges, a variety of innovative and cost efficient risk management solutions are likely to emerge. These solutions are also likely to address issues related to the fact that BSFIs differ in size, complexity and risk management culture and that jurisdictions differ in their legal and regulatory frameworks.
2. ROLES AND RESPONSIBILITIES
2.1. Board of Directors (Board) and Senior Management. The Board is expected to take an explicit, informed and documented strategic decision as to whether and how the BSFI is to provide e-services to their customers. The Board and senior management should establish effective management oversight of the risks associated with these activities, including the establishment of specific accountability, policies and controls to manage these risks. Senior management oversight processes should operate on a dynamic basis in order to effectively intervene and correct any material systems problems or security breaches that may occur.
2.2. Compliance Officer. The compliance officer or its equivalent should be aware and informed of all relevant laws and regulatory requirements relative to the offering of e-services, including those of other countries where they also intend to deliver cross-border e-services. BSFI management should ensure that these requirements are complied with to minimize legal and compliance risks and other negative implications.
3. RISK MANAGEMENT SYSTEM
3.1. The BSFI should carefully evaluate the offering of a new e-service to customers to ensure that Management fully understands the risk characteristics and that there are adequate staffing, expertise, technology and financial resources to launch and maintain the service. A formal business strategy for introducing new service should be in place and form part of the BSFI’s overall strategy. The BSFI should also perform regular assessments to ensure that its controls for managing identified risks remain proper and adequate.
3.2. The underlying risk management processes for e-services should be integrated into the BSFI’s overall risk management framework and the existing risk management policies and processes should be evaluated to ensure that they are robust enough to cover the new risks posed by current or planned activities. Relevant internal controls and audit as required in BSFI’s risk management system should also be enforced and carried out as appropriate for its e-services. Regular review of the relevant policies and controls should be performed to ascertain that these remain appropriate to the risks associated with such activities.
3.3. The BSFI should adjust or update, as appropriate, its information security program in the light of any relevant changes in technology, the sensitivity of its customer information and internal or external threats to information. The BSFI should ensure that the related information security measures and internal control are installed, regularly updated, monitored and are appropriate with the risks associated with their products and services.
4. RISK MANAGEMENT CONTROLS
4.1. Security Controls. The BSFI should recognize that e-services should be secured to achieve a high level of confidence with both customers and business. It is the responsibility of BSFI management to provide adequate assurances that transactions performed and information flowed through the electronic delivery channels are properly protected. For this reason, the BSFI should maintain a strong and comprehensive security control system. As such, in addition to the information security standards in Appendix 75, the BSFI should also provide the following controls specific for e-services:
4.1.1. Account Origination and Customer Verification. The BSFI should use reliable methods for originating new customer accounts. Potentially significant risks may arise when it accepts new customers through the internet or other electronic channels. Thus, the BSFI should ensure that in originating new accounts using electronic channels, the KYC requirement which involves a face-to-face process is strictly adhered to.
4.1.2. Authentication1. The BSFI should use reliable and appropriate authentication methods to validate and verify the identity and authorization of customers. Authentication is facilitated by the use of factors, which are generally classified into three (3) basic groups:
a. Knowledge – Something the user knows (e.g., username, password, mobile PIN, card number account number);
b. Possession – Something the user has (e.g., payment card, token, one-time password); and
c. Inherence – Something the user is (e.g., biometrics)
a. Enrollment in transactional e-services;
b. Payments and transfers to third parties;
c. Online remittance, including those for pick-up at the BSFI branches or via door- to-door delivery;
d. Account maintenance, including change in account information and contact details; and
e. Use of payment cards (e.g., ATM, credit and debit cards) in e-commerce websites.
a. Small-value payment or other low- risk transactions, provided the same are justified by a transaction risk analysis2 and bounded by prudent thresholds established by the BSFI. The BSFI’s methodology for setting the threshold should be adequately documented and independently validated at least annually;
b. Payments and transfers made to pre-enrolled merchants in the bills payment facility and those pre-registered recipients by the customer: Provided, That the BSFI employs a robust and reliable enrollment process for third party merchants and recipients; and
c. Transaction between two (2) accounts of the same customer at the same BSFI.
4.1.3. Non-Repudiation3. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions. In such cases, the BSFI should consider implementing non-repudiation controls in the form of digital signatures, collision-free hash value of the entire transaction or unique authorization code that will provide conclusive proof of participation of both the sender and receiver in an online transaction environment. Public key infrastructure4, digital signature5, digital certificate6and certification authority7arrangements can be used to impart an enhanced level of security, authentication and authorization which can uniquely identify the person initiating transaction, detect unauthorized modifications and prevent subsequent disavowal.
4.1.4. Authorization Controls and Access Privileges. Specific authorization and access privileges should be assigned to all individuals, agents or systems, which conduct activities on e-services. No individual agent or system should have the authority to change his or her own authority or access privileges in the e-services authorization database. Any addition of an individual, agent or system or changes to access privileges should be duly authorized by an authenticated source empowered with adequate authority and subject to suitable and timely oversight and audit trails.
4.1.5. Confidentiality and Integrity of Information, Transactions and Records. The BSFI should ensure that appropriate measures are in place to ascertain the accuracy, completeness and reliability of e-services transactions, records and information that are either transmitted over the internal and external networks or stored in BSFI’s internal systems. Common practices used to maintain data integrity include the following:
a. E-services transactions should be conducted in a manner that make them highly resistant to tampering throughout the entire process;
b. E-services records should be stored, accessed and modified in a manner that make them highly resistant to tampering;
c. E-services transaction and record- keeping processes should be designed in a manner as to make it virtually impossible to circumvent detection of unauthorized changes.
d. Adequate change control policies, including monitoring and testing procedures, should be in place to protect against any system changes that may erroneously or unintentionally compromise controls or data reliability; and
e. Any tampering with e-services transactions or records should be detected by transaction processing, monitoring and record keeping functions.
4.1.6. Application Security. The BSFI should ensure an appropriate level of application security in its electronic delivery systems. In selecting system development tools or programming languages for developing e-services application systems, it should evaluate the security features that can be provided by different tools or languages to ensure that effective application security can be implemented. In selecting an e-services system developed by a third party, the BSFI should take into account the appropriateness of the application security of the system. It should test new or enhanced applications thoroughly using a general accepted test methodology in a test environment prior to implementation.
4.1.7. Infrastructure and Security Monitoring. The BSFI should establish an appropriate operating environment that supports and protects systems on e-services. It should proactively monitor systems and infrastructure on an ongoing basis to detect and record any security breaches, suspected intrusions, or weaknesses. The BSFI should ensure that adequate controls are in place to detect and protect against unauthorized access to all critical e-services systems, servers, databases, and applications. The attached Annex “A” provides for the minimum security measures for e-services facilities.
a. False or erroneous application information, large check deposits on new e-services accounts, unusual volume or size of funds transfers, multiple new accounts with similar account information or originating from the same internet address, and unusual account activity initiated from a foreign internet address;
b. Multiple online transfers are made to the same unregistered third-party account within a short period of time especially if the amount transferred is close to the maximum amount allowed or the value exceeds a certain amount; and
c. Change of a customer’s correspondence address shortly followed by transactions which may indicate potential fraudulent activities such as opening of an e-service account online, a request for important documents (e.g., cheque book, new e-banking password, credit card/ATM PIN) to be mailed to that address, increase of fund transfer limits, or a sudden increase of fund transfers made to unregistered third parties.
4.1.8. Audit Trail. The BSFI should ensure that comprehensive logs are maintained to record all critical e-services transactions to help establish a clear audit trail and promote employee and user accountability. Audit logs should be protected against unauthorized manipulation and retained for a reasonable period [e.g., three (3) months] to facilitate any fraud investigation and any dispute resolution if necessary. In instances where processing systems and related audit trails are the responsibility of a third-party service provider, the BSFI should ensure that it has access to relevant audit trails maintained by the service provider in accordance with existing standards. In particular, clear audit trails should exist under the following types of e-services transactions:
a. the opening, modification or closing of a customer’s account;
b. any transaction with financial consequences;
c. any authorization granted to a customer to exceed a limit; and
d. any granting, modification or revocation of systems access right or privileges.
4.1.9. Segregation of Duties. As in any traditional process, segregation of duties is a basic internal control measure designed to reduce the risk of fraud in operational processes and systems. The BSFI management should ensure that duties are adequately separated and transaction processes are designed in a manner that no single person could initiate, approve, execute and enter transactions into a system that would enable fraudulent actions to be perpetrated and concealed. Segregation should also be maintained between (a) those developing and those administering the systems; and (b) those initiating static data (including web page content) and those responsible for verifying its integrity. E-services systems should be tested to ensure that segregation of duties cannot be bypassed.
4.1.10. Website Information and Maintenance. Because the BSFI’s website is available on an ongoing basis to the general public, appropriate procedures should be established to ensure accuracy and appropriateness of its information. Key information changes and updates (such as deposit, loan and foreign exchange rates), are normally subject to documented authorization and dual verification. Procedures and controls to monitor and verify website information frequently may help prevent any inadvertent or unauthorized modifications or content that could lead to reputational damage or violations of advertising, disclosure, or other compliance requirements.
4.2. Administrative and Management Controls
4.2.1. Service Availability and Business Continuity. The BSFI should have the ability to deliver e-services to all end-users and be able to maintain such availability in all circumstances within a reasonable system response time in accordance with its terms and conditions and anticipated customer expectations. Performance criteria for each critical e-service should be established and service levels should be monitored against these criteria. Appropriate measures should be taken to ensure that e-services systems and the interfaces with the internal systems can handle the projected transaction volume and future growth in transactions.
4.2.2. Incident Response and Management. The BSFI should put in place formal incident response and management procedures for timely reporting and handling of suspected or actual security breaches, fraud, or service interruptions of their e-services during or outside office hours. A communication strategy should be developed to adequately address the reported concerns and an incident response team should be established to manage and respond to the incident in accordance with existing standards enumerated in Appendix 75.
4.2.3. Outsourcing Management. Increased reliance upon partners and third party service providers to perform critical e-services functions lessens BSFI management’s direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary to ensure that:
a. The BSFI fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-services systems or applications;
b. An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-services;
c. The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined;
d. All outsourced e-services systems and operations are subject to risk management, security and privacy policies that meet the BSFI’s own standards;
e. Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house; and
f. Appropriate contingency plans for outsourced e-services activities exist.
4.3. Consumer Protection.
4.3.1. Customer Privacy and Confidentiality. The BSFI should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the institution is providing electronic products and services. Misuse or unauthorized disclosure of confidential customer data exposes the entity to both legal and reputation risk. To meet these challenges concerning the preservation of privacy of customer information, the BSFI should make reasonable endeavours to ensure that:
a. The BSFI’s customer privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-services;
b. Customers are made aware of the BSFI’s privacy policies and relevant privacy issues concerning use of e-services;
c. Customers may decline (“opt out”) from permitting the BSFI to share with a third party for cross-marketing purposes any information about the customer’s personal needs, interests, financial position or banking activity; and
d. Customer data are not used for purposes beyond which they are specifically allowed or for purposes beyond which customers have authorized. The BSFI’s standards for customer data use must be met when third parties have access to customer data through outsourcing relationships.
4.3.2. Information Disclosure for E-Services. The BSFI should comply with all legal requirements relating to e-services, including the responsibility to provide its customers with appropriate disclosures and to protect customer data. Failure to comply with these responsibilities could result in significant compliance, legal, or reputation risk for the BSFI.
4.3.3. Consumer Awareness. Customer education is a key defense against fraud, identity theft and security breach. Therefore, the BSFI should pay special attention to the provision of easy to understand and prominent advice to its customers on security precautions for e-services. To be effective, the BSFI should maintain and continuously evaluate its consumer awareness program. Methods to evaluate a program’s effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials, the number of clicks on information security links on websites, the number of inquiries, etc. “Annex “C” provides for the minimum Consumer Awareness Program that the BSFI should convey to its customers.
4.3.4. Complaints Resolution. The BSFI may receive customer complaint either through an electronic medium or otherwise, concerning an unauthorized transactions, loss or theft in the e-services account. Therefore, it should ensure that controls are in place to review these notifications and that an investigation is initiated as required. The BSFI should also establish procedures to resolve disputes arising from the use of the e-services.
4.3. Cross-Border E-Banking Activities.
4.4.1. Before a BSFI initiates cross-border e-services, its management should conduct appropriate risk assessment and due diligence to ensure that it can adequately manage the attendant risks. It must also comply with any applicable laws and regulations, both the home country as well as those of any foreign country that may assert jurisdiction over e-services that are directed at its residents. Further, the BSFI should ensure that it has an effective and ongoing risk management program for its cross-border e-services activities;
4.4.2. Before engaging in transactions involving cross-border e-services with foreign customers, the BSFI should ensure that adequate information is disclosed on its Web site to allow potential customers to make a determination of the BSFI’s identity, home country, and whether it has the relevant regulatory license(s) before it establishes the relationship. This information will help improve transparency and minimize legal and reputational risk associated with the offering of cross border e-services.
5. INDEPENDENT ASSESSMENT
5.1. An appropriate independent audit function is also an important component of a BSI’s monitoring mechanisms. The audit coverage should be expanded commensurate with the increased complexity and risks inherent in e-services and should include the entire process as applicable (i.e., network configuration and security, interfaces to legacy systems, regulatory compliance, internal controls, support activities performed by third-party providers etc.).
5.2. The BSFI should also make arrangements for independent assessments to be conducted on its systems before the launch of the relevant services or major enhancements to existing services. The person(s) (i.e., the assessor) contracted by the BSFI to perform independent assessment should have, and be able to demonstrate, the necessary expertise in the relevant fields. He/she should be independent from the parties that develop or administer the system and should not be involved in the operations to be reviewed or in selecting or implementing the relevant control measures to be reviewed. He/she should be able to report findings freely and directly to the authorized BSFI senior management.
5.3. Subsequent to an initial independent assessment, the BSFI should conduct risk assessment at least every two (2) years or when there are substantial changes to determine if further independent assessment should be required and the frequency and scope of such independent assessment. Any substantial changes to the risk profile of the services being provided, significant modifications of the network infrastructure and applications, material system vulnerabilities or major security breaches are to be taken into consideration in the risk assessment.
6.1. These guidelines are intended for all electronic products and services offered by BSFIs to their customers. These are focused on the risks and risk management techniques associated with electronic delivery channels to protect customers and general public. It should be understood, however, that not all the customer protection issues that have arisen in connection with new technologies are specifically addressed in subject guidelines. Additional issuances may be issued in the future to address other aspects of consumer protection as the financial service environment through e-services evolves.
SECURITY CONTROLS ON SPECIFIC ELECTRONIC SERVICES AND CHANNELS
Automated Teller Machine (ATM)
1. To minimize/prevent ATM frauds and crimes, the BSFI, at a minimum, implement the following security measures with respect to its ATM facilities:
a. Locate ATM’s in highly visible areas;
b. Provide sufficient lighting at and around the ATMs;
c. Where ATM crimes (e.g., robbery, vandalism, skimming) are high in a specific area or location, the BSFI should install surveillance camera or cameras which shall view and record all persons entering the facility. Such recordings shall be preserved by the BSFI for at least thirty (30) days;
d. Implement ATM programming enhancements like masking/non-printing of card numbers;
e. Educate customers by advising them regularly of risks associated with using the ATM and how to avoid these risks;
f. Conduct and document periodic security inspection at the ATM location;
g. Educate BSFI personnel to be responsive and sensitive to customer concerns; and
h. Post a clearly visible sign near the ATM facility which, at a minimum, provides the telephone numbers of the BSFI as well as other BSFIs’ hotline numbers for other cardholders who are allowed to transact business in the ATM, and police hotlines for emergency cases.
2. The BSFI must study and assess ATM crimes to determine the primary problem areas. Procedures for reporting ATM crimes should also be established. Knowing what crimes have occurred will aid the BSFI in recognizing the particular problem and to what degree it exists so that it can implement the necessary preventive measures. In this connection, all BSFIs are encouraged to share information involving ATM fraud cases to deter and prevent proliferation of the crime.
Online Internet Financial Services
1. Assurance should be provided that online login access and transactions performed over the internet are adequately protected and authenticated. In addition, customers should be adequately educated on security measures that must be put in place to uphold their interests in the online environment.
2. With internet connection to internal networks, financial systems and devices may now be potentially accessed by anyone from anywhere at any time. The BSFI should implement physical and logical access security to allow only authorized personnel to access its systems. Appropriate processing and transmission controls should also be implemented to protect the integrity of systems and data.
3. There should be a mechanism to authenticate official website to protect customers from spoofed or faked websites. The BSFI should determine what authentication technique to adopt to provide protection against these attacks. For wireless applications, it should adopt authentication protocols that are separate and distinct from those provided by the wireless network operator.
4. Monitoring or surveillance systems should be implemented to alert BSFI of any erratic system activities, transmission errors or unusual online transactions. A follow-up process should be established to verify that these issues or errors are adequately addressed subsequently. High resiliency and availability of online systems and supporting systems (such as interface systems, backend host systems and network equipment) should be maintained to meet customers’ expectations. Measures to plan and track capacity utilization as well as guard against online attacks should be established.
5. As more customers log into BSFI’s website to access their accounts and conduct a wide range of financial transactions for personal and business purposes, a suite of measures must be established to protect customers’ interests in using online systems. Furthermore, customers should be educated on the risks of using online financial services before they subscribe to such services. Ongoing education must be available to raise the security awareness of customers to protect their systems and online transactions.
Mobile and Phone Financial Services
1. For electronic services using mobile phone, the BSFIs must ensure the security of transactions by implementing the following, among others:
a. Employment of a SIM Toolkit with end-to-end encryption feature from hand phones to m-banking servers, to protect data transmission in m-banking; and
b. Adoption of dual authentication process (i.e., MPIN) to ensure that the party initiating the transaction is the owner of the device and is authorized to perform such transaction.
2. For phone banking and other financial services, the BSFI must ensure the security of transactions, by implementing the following, among others:
a. The service shall not be used for transactions with high value or risk;
b. All IVR conversations shall be recorded, including customer’s phone number, transaction detail, etc;
c. The service shall use reliable and secure authentication methods; and
d. The use of customer authentication method such as PIN and password for financial transactions.
Other Mobile Online and Payment Services
1. Mobile online and payment services are extensions of the online financial services which are offered by the BSFI and accessible from the internet via computers, laptops and similar devices. Security measures which are similar to those of online financial and payment systems should also be implemented on the mobile online services and payment systems. A risk assessment should be conducted to identify possible fraud scenarios and appropriate measures should be established to counteract payment card fraud via mobile devices.
2. The BSFI may require customers to download its mobile online services and payment applications directly from third party repositories (e.g., Apple store, Google Play and Windows Market Place) on to mobile devices. Customers must be able to verify the integrity and authenticity of the application prior to its download. The BSFI should also be able to check the authenticity and integrity of the software being used by the customers.
3. As mobile devices are susceptible to theft and loss, there must be adequate protection of sensitive data used for mobile online services and payments. Sensitive data should be encrypted to ensure the confidentiality and integrity of these data in storage, transmission and during processing.
4. Customers should be educated on security measures to protect their own mobile devices from theft and loss as well as viruses and other errant software which cause malicious damage and harmful consequences.
Point of Sale Devices
1. Point of Sale (POS)/Electronic Data Capture (EDC) enable electronic fund transfer from customer’s account to acquirer’s or merchant’s account for payment of a transaction. The party providing POS terminal must always increase the physical security around the vicinity of such POS terminal and on the POS terminal itself, among others, by using POS terminal that minimizes the possibility of interception on such terminal or in its communication network.
2. The BSFI deploying POS devices at merchant locations must familiarize the merchant with the safe operation of the device. The acquiring institution must ensure that the POS devices as well as other devices that capture information do not expose/store information such as the PIN number or other information classified as confidential. It must also ensure that a customer’s PIN number cannot be printed at the point of sale for any reason whatsoever.
3. Operators of point of sale devices are encouraged to work towards interoperability of cards from other schemes.
Electronic Payment Cards (ATM, Credit and Debit Cards)
1. Payment cards allow cardholders the flexibility to make purchases wherever they are. Payment cards exist in many forms; with magnetic stripe cards posing the highest security risks. Sensitive payment card data stored on magnetic stripe cards is vulnerable to card skimming attacks. Card skimming attacks can happen at various points of the payment card processing, including payment kiosks and POS terminals. In addition to counterfeit/ skimmed cards, fraudulent activities associated with payment cards include lost/ stolen cards, card-not-received and card-not-present transactions.
2. The BSFI providing payment card services should implement adequate safeguards to protect sensitive payment card data. Sensitive payment card data should be encrypted to ensure the confidentiality and integrity of these data in storage, transmission and during processing. Pending the required adoption of EMV chip-cards by 01 January 2017, all BSFIs engaged in the payment card business should consider implementing the following measures to mitigate exposure from skimming attacks:
a. Installation of anti-skimming solutions on ATM and POS machines to detect the presence of foreign devices placed over or near a card entry slot;
b. Establishment of detection and alert mechanisms to appropriate personnel for follow-up response and action;
c. Implementation of tamper-resistant keypads to ensure that no one can identify which buttons are being pressed by customers;
d. Implementation of appropriate measures to prevent shoulder surfing of customers’ PINs; and
e. Conduct video surveillance of activities at these machines and maintain the quality of CCTV footage.
3. New payment cards sent to customers via courier should only be activated upon obtaining the customer’s instruction. Online transactions should only be allowed if authorized by the customers. Authentication of customers’ sensitive static information, such as personal identification number (PIN) or passwords, should be performed by the card issuer and not by third party payment processing service providers. Appropriate security mechanisms should also be implemented for card-not- present transactions via internet to reduce fraud risk associated with this type of transaction.
4. To enhance payment card security, cardholders should be notified promptly via transaction alerts on withdrawals/charges exceeding customer-defined thresholds made on their payment cards. The transaction alert should include information such as source and amount of the transaction to assist customers in identifying a genuine transaction.
5. Fraud detection systems with behavioral scoring and correlation capabilities should be implemented to identify and curb fraudulent activities. Risk management parameters should be calibrated according to risks posed by cardholders, nature of transactions or other risk factors to enhance fraud detection capabilities. Follow-up actions for transactions exhibiting behavior which deviates significantly from a cardholder’s usual card usage patterns should be instituted. These transactions should be investigated into and the cardholder’s authorization obtained prior to completing the transaction.
1. General Requirement
a. Information on the duties of the BSFI and customers;
b. Information on who will be liable for unauthorized or fraudulent transactions;
c. Mode by which customers will be notified of changes in terms and conditions;
d. Information relating to how customers can lodge a complaint, and how a complaint may be investigated and resolved;
e. Disclosures that will help consumers in their decision-making (e.g., PDIC insured, etc.);
f. For internet environment, information that prompt in the BSFI’s website to notify customers that they are leaving the BSFI’s website and hence they are not protected by the privacy policies and security measures of the BSFI when they hyperlink to third party’s website.
2. Disclosure Responsibility
a. Compliance officers should review BSFI’s disclosure statements to determine whether they have been designed to meet the general and specific requirements set in the regulation;
b. For BSFIs that advertise deposit products and services on-line, they must verify that proper advertising disclosures are made (e.g., whether the product is insured or not by the PDIC; fees and charges associated with the product or services, etc.). Advertisements should be monitored to determine whether they are current, accurate, and compliant;
c. For BSFIs that issue various products like stored value cards, e-wallets, debit cards and credit cards, they must provide information to consumers regarding the features of each of these products to enable consumers to meaningfully distinguish them. Additionally, consumers would find it beneficial to receive information about the terms and conditions associated with their usage. Example of these disclosures include:
– PDIC insured or non-insured status of the product;
– Fees and charges associated with the purchase, use or redemption of the product;
– Liability for loss;
– Expiration dates, or limits on redemption; and
– Toll-free telephone number for customer service, malfunction and error resolution.
d. Whenever e-services are outsourced to third parties or service providers, the BSFI should ensure that the vendors comply with the disclosure requirements of the Bangko Sentral.
ELECTRONIC SERVICES CONSUMER AWARENESS PROGRAM
1. Internet Products and Services
a) Secure Login ID and Password or PIN.
i. Do not disclose Login ID and Password or PIN.
ii. Do not store Login ID and Password or PIN on the computer.
iii. Regularly change password or PIN and avoid using easy-to-guess passwords such as names or birthdays. Password should be a combination of characters (uppercase and lowercase) and numbers and should be at least six (6) digits in length.
b) Keep personal information private.
i. Do not disclose personal information such as address, mother’s maiden name, telephone number, social security number, bank account number or e-mail address — unless the one collecting the information is reliable and trustworthy.
c) Keep records of online transactions.
i. Regularly check transaction history details and statements to make sure that there are no unauthorized transactions.
ii. Review and reconcile monthly credit card and bank statements for any errors or unauthorized transactions promptly and thoroughly.
iii. Check e-mail for contacts by merchants with whom one is doing business. Merchants may send important information about transaction histories.
iv. Immediately notify the BSFI if there are unauthorized entries or transactions in the account.
d) Check for the right and secure website.
i. Before doing any online transactions or sending personal information, make sure that correct website has been accessed. Beware of bogus or “look alike” websites which are designed to deceive consumers.
ii. Check if the website is “secure” by checking the Universal Resource Locators (URLs) which should begin with “https” and a closed padlock icon on the status bar in the browser is displayed. To confirm authenticity of the site, double-click on the lock icon to display a security certificate information of the site.
iii. Always enter the URL of the website directly into the web browser. Avoid being re-directed to the website, or hyperlink to it from a website that may not be as secure.
iv. If possible, use software that encrypts or scrambles the information when sending sensitive information or performing e-banking transactions online.
e) Protect personal computer from hackers, viruses and malicious programs.
i. Install a personal firewall and a reputable anti-virus program to protect personal computer from virus attacks or malicious programs.
ii. Ensure that the anti-virus program is updated and runs at all times.
iii. Always keep the operating system and the web browser updated with the latest security patches, in order to protect against weaknesses or vulnerabilities.
iv. Always check with an updated anti- virus program when downloading a program or opening an attachment to ensure that it does not contain any virus.
v. Install updated scanner softwares to detect and eliminate malicious programs capable of capturing personal or financial information online.
vi. Never download any file or software from sites or sources, which are not familiar or hyperlinks sent by strangers. Opening such files could expose the system to a computer virus that could hijack personal information, including password or PIN.
f) Do not leave computer unattended when logged-in.
i. Log-off from the internet banking site when computer is unattended, even if it is for a short while.
ii. Always remember to log-off when e-banking transactions have been completed.
iii. Clear the memory cache and transaction history after logging out from the website to remove account information. This would avoid incidents of the stored information being retrieved by unwanted parties.
i. Read and understand website disclosures specifically on refund, shipping, account debit/credit policies and other terms and conditions.
ii. Before providing any personal financial information to a website, determine how the information will be used or shared with others.
iii. Check the site’s statements about the security provided for the information divulged.
iv. Some websites’ disclosures are easier to find than others — look at the bottom of the home page, on order forms or in the “About” or “FAQs” section of a site. If the customer is not comfortable with the policy, consider doing business elsewhere.
h) Other internet security measures:
i. Do not send any personal information particularly password or PIN via ordinary e-mail.
ii. Do not open other browser windows while doing online transactions.
iii. Avoid using shared or public personal computers in conducting financial transactions.
iv. Disable the “file and printer sharing” feature on the operating system if conducting financial transactions online.
v. Contact the BSFI concerned to discuss security concerns and remedies to any online e-services account issues.
2. Other Electronic Products/Channels
a) Automated Teller Machine (ATM) and debit cards
i. Use ATMs that are familiar or that are in well-lit locations where one feels comfortable. If the machine is poorly lit or is in a hidden area, use another ATM.
ii. Have card ready before approaching the ATM. Avoid having to go through the wallet or purse to find the card.
iii. Do not use ATMs that appear to have been tampered with or otherwise altered. Report such condition to the BSFI.
iv. Memorize ATM card PIN and never disclose it with anyone. Do not keep those numbers or passwords in the wallet or purse. Never write them on the cards themselves. And avoid using easily available personal information like a birthday, nickname, mother’s maiden name or consecutive numbers.
v. Be mindful of “shoulder surfers” when using ATMs. Stand close to the ATM and shield the keypad with hand when keying in the PIN and transaction amount.
vi. If the ATM is not working correctly, cancel the transaction and use a different ATM. If possible, report the problem to the BSFI.
vii. Carefully secure card and cash in the wallet, handbag, or pocket before leaving the ATM.
viii. Do not leave the receipt behind. Compare ATM receipts to monthly statement. It is the best way to guard against fraud and it makes record-keeping easier.
ix. Do not let other people use your card. If card is lost or stolen, report the incident immediately to the BSFI.
b) Credit cards
i. Never disclose credit card information to anyone. The fraudulent use of credit cards is not limited to the loss or theft of actual credit cards. A capable criminal only needs to know the credit card number to fraudulently make numerous charges against the account.
ii. Endorse or sign all credit cards as soon as they are received from the BSFI.
iii. Like ATM card PINs, secure credit card PINs. Do not keep those numbers or passwords in the wallet or purse and never write them on the cards themselves.
iv. Photocopy both the front and back of all credit cards and keep the copies in a safe and secure location. This will facilitate in the immediate cancellation of the card if lost or stolen.
v. Carry only the minimum number of credit cards actually needed and never leave them unattended.
vi. Never allow credit card to use as reference (credit card number) or as an identification card.
vii. Never give your credit card account number over the telephone unless dealing with a reputable company or institution.
viii. When using credit cards, keep a constant eye on the card and the one handling it. Be aware of the “swipe and theft” scam using card skimmers. A skimmer is a machine that records the information from the magnetic stripe on a credit card to be downloaded onto a personal computer later. The card can be swiped on a skimmer by a dishonest person and that data can then be used to make duplicate copies of the credit card.
ix. Do not leave documents like bills, bank and credit card statements in an unsecure place since these documents have direct access to credit card and/or deposit account information. Consider shredding sensitive documents rather than simply throwing them away. (Some people will go through the garbage to find this information).
x. Notify the BSFI in advance of a change in address.
xi. Open billing statements promptly and reconcile card amounts each month.
xii. Do not let other people use your card. If card is lost or stolen, report the incident immediately to the BSFI.
c) Mobile Phones/Devices
i. Do not disclose your Mobile Banking Pin (MPIN) to anyone.
ii. Regularly change the MPIN.
iii. Do not let other people use your mobile phone enrolled in a mobile banking service. If the phone is lost or stolen, report the incident immediately to the BSFI.
iv. Be vigilant. Refrain from doing mobile banking transactions in a place where you observe the presence of “shoulder surfers”.
v. Keep a copy of the transaction reference number provided by the Bank whenever you perform a mobile banking transaction as an evidence that the specific transaction was actually executed.
(Circular No. 958 dated 25 April 2017)
- BSFIs shall comply with the foregoing requirements on customer authentication by 30 September 2017. In this regard, a BSFI should be able to show its plan of actions with specific timelines, as well as the status of initiatives being undertaken to fully comply with the provisions of Item “4.1.2” of Appendix 78, upon request of the Bangko Sentral starting May 2017. This transitory period, however, should not excuse BSFIs from immediately complying with the MFA requirements imposed by affiliated payment networks.
- Transaction risk analysis refers to the evaluation of risk related to a specific transaction taking into account various criteria including, but not limited to, customer behavioral transaction pattern, payee profile, nature of product/service to be acquired and transition value.
- Non-repudiation is a means of ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
- Public Key Infrastructure (PKI) refers to the use of public key cryptography in which each customer has a key pair (i.e. unique electronic value called a public key and a mathematically-related private key). The private key is used to encrypt (sign) a message that can only be decrypted by the corresponding public key or to decrypt message previously encrypted with the public key. The public key is used to decrypt message previously encrypted (signed) using an individual’s private key or to encrypt a message so that it can only be decrypted (read) using the intended recipient’s private key.
- Digital certificate is a digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be.
- Digital Certificate is the electronic equivalent of an ID card that authenticates the originator of digital signature.
- Certification Authority (CA) is the organization that attests using a digital certificate that a particular electronic message comes from a specific individual or system.
- Buffer overflow attack is a method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt memory in data.
- Hypertext Markup Language (HTML) is a set of codes that can be inserted into text files to indicate special interfaces, inserted images, and links to the hypertext documents.
- Hyperlink is an item on a webpage, that, when selected, transfers the user directly to another location in a hypertext document or to another webpage, perhaps on a different machine.