The Bangko Sentral ng Pilipinas (BSP) has released the implementing rules of the Anti-Financial Account Scamming Act (AFASA) and said on Wednesday the rules will start taking effect on June 25.
The AFASA law, or Republic Act No. 12010, aims to curb financial scams, protect consumers and strengthen trust in the country’s financial system.
Signed by President Ferdinand R. Marcos, Jr. in July 2024, the law takes effect later this month with the release of the implementing rules.
“The issuance of AFASA’s implementing rules marks a milestone in our fight against cybercrime. Beyond serving as a powerful tool against evolving financial scams, these rules also enhance consumer protection and boost confidence in the domestic financial system,” BSP Governor Eli M. Remolona, Jr. said in a statement.
In a press conference on Wednesday, BSP Deputy Governor for the Corporate Services Sector Elmore Capule said the release of the AFASA IRR was two months ahead of schedule.
“(AFASA) introduces so many new radical things into our legal system to protect our consumers and it needs a very good set of implementing rules. We were given by Congress, actually up to August 13, to come up with the rules… but we were able to beat the deadline by around two months,” Capule said.
Three circulars
Capule said the BSP has issued three circulars to implement AFASA—Information Technology (IT) Risk Management Regulations; Rules on Financial Account Inquiry and Information Sharing; and, Regulations on Temporary Holding of Disputed Funds and Coordinated Verification Process.
AFASA aims to prevent the misuse of financial accounts in fraud and scams like phishing and vishing.
It also defines and penalizes social engineering schemes, money muling activities, and related offenses. These include those committed using advances in technology, which were previously not covered by existing cybercrime laws in the Philippines.
Under the new rules, financial institutions can hold disputed funds for up to 30 days, from the previous 5 days, coordinate verification of transactions, and return disputed funds to defrauded consumers when warranted.
“AFASA cannot be solely the responsibility of the government. We all know the limits of what the government can do. It can criminalize, it can impose sanctions, but that is not enough. The industry players, those who provide these services, have a lot of responsibilities under the law. Because the principle here is they give you the services, they should be able to protect you from scammers who are using these services,” Capule said.
Fraud management
Capule said these regulations reinforce the responsibility of BSP-Supervised Institutions (BSIs) to strengthen fraud prevention and detection and outline the BSP’s authority to inquire into financial accounts linked to scams.
These regulations mandate BSIs, including clearing switch operators, to implement a real-time or near-real-time automated system to track disputed transactions within one year of the regulations’ effectivity, he said.
“We all know that a lot of our people, the customers, are being victimized for so many things. It can be ignorance, it can be because they are not used to it. So, and these are highly technical products. We use cell phones, we use PCs. So the point is they may not be able to protect themselves. No matter how much compartment of information that you can tell them, they can forget or they may still be fooled by the scammers. So a fraud management system will handle a large part of that issue,” Capule said.
He said the institutions operating these services should have a strong fraud management system. This may include enhanced verification mechanisms other than the use of one-time passwords, facial recognition and biometrics.
“It should operate to protect the consumers. And if they fail to act up with these systems, the consequence is that the financial institution which fails to abide will be the one to be responsible. I think that’s the most important thing here. There is a shifting of civil liability.
Capule said they are giving financial institutions one year to develop an enhanced fraud management system.
Bank secrecy law
Under AFASA, BSP is given the authority to investigate and inquire into financial accounts which may be involved in the commission of a prohibited act.
Capule said the authority to investigate and inquire into financial accounts shall be exercised by a duly authorized officer or body from the BSP.
“Laws on secrecy of deposits and data privacy shall not apply to financial accounts subject of BSP’s inquiry. BSP shall be authorized to issue rules on information-sharing and disclosure with Law Enforcement Agencies and other competent authorities,” Capule said.
Under AFASA, BSP has the authority to apply for cybercrime warrants and issue related orders under the Cybercrime Prevention Act.
“We all know that the Philippines is, or was before AFASA, the country with the strictest amount of secrecy law. We all know that before, to be able to look into deposits, you have to go to court. But how do you look at a bank deposit? Money laundering, you go to the Anti-Money Laundering Council. And then they go to the Court of Appeals. And then there’s a hearing, and then there’s a court order,” Capule said.
“In AFASA, the law granted the BSP the authority to look into deposits. If you are a victim of a scam, or the account is being used for money laundering, (there is) no need for a court order, no need to go to the Court of Appeals. This is very, very fast,” Capule added.
He also said AFASA urges the public to stay vigilant, safeguard their financial credentials, and promptly report suspicious transactions to BSIs or appropriate authorities.
