Co-author: Liane Stella R. Candelario | June 12, 2026 | The Manila Times

The Philippine financial system is facing a hostile digital threat environment. Cyber fraud has grown in speed, scale and sophistication — exploiting authentication gaps, weaponizing social engineering to hijack financial accounts and leveraging money mules to launder proceeds across the banking system.
This is reflected in the Anti-Financial Account Scamming Act’s (Afasa) declaration of policy, which acknowledges that criminal syndicates are actively targeting financial accounts and luring ordinary Filipinos into becoming unwitting accessories to fraud.
Meanwhile, rapid digital transformation — driven by the proliferation of e-wallets, virtual currencies, mobile banking and real-time payment systems — has dramatically expanded the potential vulnerabilities for Bangko Sentral ng Pilipinas (BSP)-Supervised Financial Institutions (BSFIs). This is why fragmented, compliance-minimum approaches to cybersecurity can no longer adequately address these threats.
It is against this backdrop, and as part of the BSP’s broader 2024–2029 Financial Services Cyber Resilience Plan (FSCRP), that the BSP has moved to reinforce the existing regulatory framework and enhance cyber resilience of the banking and financial sector. Through BSP Circular 1232, the BSP has replaced the IT Rating System, embedded in the Supervisory Assessment Framework, with the Cybersecurity Maturity Framework (CMF) and the Cybersecurity Control Self-Assessment (CCSA).
Along with the Afasa and its implementing circulars, these issuances form a compliance web that demands concrete action from every BSFI.
Four maturity tiers
Under BSP Circular 1213, the BSP now evaluates a BSFI's cybersecurity maturity based on the CCSA and other supervisory activities, and the resulting assessment falls under one of four maturity tiers (Foundational, Established, Managed and Optimized).
These tiers are calibrated to reflect a BSFI’s cybersecurity maturity: from Foundational BSFIs that demonstrate minimal adoption of control requirements to the mature Optimized BSFIs that fully adopt requirements and continuously enhance their risk management framework.
The CCSA operationalizes these tiers through capability-based questions on critical cybersecurity control areas. Crucially, CCSA results directly drive supervisory ratings and off-site surveillance assessments, making cybersecurity maturity a tangible regulatory risk variable.
Pursuant to the FSCRP, the BSP aims to build a strong cybersecurity culture and awareness (FSCRP Goal 3) and to establish holistic cybersecurity best practices and standards (FSCRP Goal 4). These goals provide the strategic regulatory rationale behind both the CMF/CCSA regime and the Afasa circulars.
The FSCRP Goal 3 targets the human dimension: boards, management, employees and consumers. Its priority actions (a structured cyber education program for BSFI boards, regular CISO forums, cybersecurity road shows for smaller institutions and consumer digital literacy campaigns) signal that culture is now a supervisory expectation.
The CMF’s Optimized tier explicitly requires cybersecurity to be fully embedded in strategic planning and enterprise decision-making, with the board and senior management overseeing cyber risks.
Meanwhile, the FSCRP Goal 4 demands holistic practice aligned with the international cybersecurity standards, covering people, process and technology. Notably, a priority action under this goal names the CMF, digital security controls reform, API security and supply chain risk management as a unified reform package — all now operationalized through the CCSA’s measurable assessment requirements.
The Afasa and its implementing circulars add an enforcement layer with direct technical implications. BSP Circular 1213 requires BSFIs with complex electronic products and high aggregate online transaction values to deploy robust Fraud Management Systems (FMS).
Mandatory FMS capabilities include transaction velocity checks, behavioral anomaly detection, geolocation monitoring and blacklist screening, each mapped to the social engineering schemes and money muling activities that Afasa penalizes.
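As an added illustration, not code from the column or from any BSP issuance, the Python sketch below applies the four FMS checks named above (velocity, behavioral anomaly, geolocation, blacklist) to a constructed batch of transfers and returns the ones that would be candidates for a temporary hold. The thresholds, the blacklist entry, the home-country rule and every sample value are assumptions chosen for the demonstration, not figures from the circulars.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    ts: int          # seconds since an arbitrary epoch
    country: str     # country inferred from the originating session
    payee: str


# Assumed tuning parameters; a real FMS would calibrate these per product.
BLACKLISTED_PAYEES = {"MULE-ACCT-0001"}   # constructed sample blacklist entry
VELOCITY_WINDOW = 600                    # seconds
VELOCITY_LIMIT = 3                       # max transfers per account per window
HOME_COUNTRY = "PH"
BEHAVIORAL_MULTIPLIER = 5                # amount vs. account's running average


def screen(txns):
    """Return {txn_id: [reasons]} for transfers that should be held for review."""
    history = defaultdict(list)   # account -> timestamps of prior transfers
    baseline = defaultdict(list)  # account -> amounts of prior transfers
    flags = {}
    for t in sorted(txns, key=lambda x: x.ts):
        reasons = []
        if t.payee in BLACKLISTED_PAYEES:
            reasons.append("blacklist")
        recent = [ts for ts in history[t.account] if t.ts - ts < VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:
            reasons.append("velocity")
        if t.country != HOME_COUNTRY:
            reasons.append("geolocation")
        past = baseline[t.account]
        if len(past) >= 3 and t.amount > BEHAVIORAL_MULTIPLIER * (sum(past) / len(past)):
            reasons.append("behavioral")
        if reasons:
            flags[t.txn_id] = reasons
        history[t.account].append(t.ts)
        baseline[t.account].append(t.amount)
    return flags


# Constructed sample batch: ACC-1 makes four small transfers inside ten
# minutes, the fourth to a blacklisted payee, then a very large one abroad.
SAMPLE = [
    Txn("t1", "ACC-1", 500, 0, "PH", "P-1"),
    Txn("t2", "ACC-1", 450, 100, "PH", "P-2"),
    Txn("t3", "ACC-1", 520, 200, "PH", "P-3"),
    Txn("t4", "ACC-1", 480, 300, "PH", "MULE-ACCT-0001"),
    Txn("t5", "ACC-1", 30000, 5000, "NG", "P-4"),
    Txn("t6", "ACC-2", 200, 0, "PH", "P-5"),
]
```

Each flagged transfer carries the list of rules it tripped, which is what a fraud operations team needs to justify an initial hold and to populate the later reporting.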
From a governance perspective, boards can no longer treat cybersecurity as a purely technical matter. The CCSA and Goal 3 of the FSCRP require demonstrated board-level oversight, a defined cyber risk appetite and active participation in education programs. Gaps here will register in CMF assessments and supervisory ratings.
Operationally, the Afasa circulars impose tight turnaround obligations: disputed funds must initially be held promptly upon a complaint or an FMS finding, and monthly Temporarily-Held Funds Reports must be submitted. These timelines presuppose end-to-end automated systems and trained fraud operations teams.
The CMF/CCSA, FSCRP and Afasa circulars are not parallel initiatives. Instead, they are interlocking instruments pursuing one objective: a financial system where cybersecurity maturity is measurable, fraud is structurally impeded and accountability for failure is unambiguous.
For BSFIs, the question is no longer whether these obligations apply, but how quickly all functions can be brought into coherent alignment.
The views expressed herein are his own and do not necessarily reflect the opinion of his office as well as FINEX. For comments, email msgorriceta@gorricetalaw.com.