[ BSP CIRCULAR NO. 269, December 21, 2000 ]

NEW GUIDELINES CONCERNING ELECTRONIC BANKING ACTIVITIES



The Monetary Board, in its Resolution No. 2130 dated December 8, 2000, approved the following new guidelines concerning electronic banking activities:

1.         Banks wishing to provide and/or enhance existing electronic banking services shall submit to the BSP an application describing the services to be offered/enhanced and how they fit the bank's overall strategy. This shall be accompanied by a certification signed by its President or any officer of equivalent rank and function to the effect that the bank has complied with the following minimum pre-conditions:

a.      An adequate risk management process is in place to assess, control, monitor and respond to potential risks arising from the proposed electronic banking activities;

b.      A manual on corporate security policy and procedures exists that shall address all security issues affecting its electronic banking system, particularly the following:

i.          Authentication - establishes the identity of both the sender and the receiver; uses trusted third parties that verify identities in cyberspace;

ii.          Non-repudiation - ensures that transactions cannot be repudiated or presents undeniable proof of participation by both the sender and the receiver in a transaction;

iii.         Authorization - establishes and enforces the access rights of entities (both persons and/or devices) to specified computing resources and application functions; also locks out unauthorized entities from physical and logical access to the secured systems;

iv.         Integrity - assures that the data has not been altered;

v.         Confidentiality - ensures that no one except the sender and the receiver of the data can actually understand the data.

c.       The system has been tested prior to its implementation and the test results are satisfactory. As a minimum standard, appropriate systems testing and user acceptance testing should have been conducted; and

d.      A business continuity planning process and manual have been adopted which should include a section on electronic banking channels and systems.

2.         The BSP, thru the Technical Working Group on Electronic Banking, shall pre-screen the overall financial condition as well as the applicant-bank's compliance with the BSP rules and regulations based on the latest available Bank Performance Rating (BPR) and Report of Examination (ROE) including CAMELS.

The Working Group shall ensure that the applicant bank's overall financial condition can adequately support its electronic banking activities and that it shall have complied with certain comprehensive prudential requirements such as, but not limited to, the following:

a.    Minimum capital requirement and net worth to risk assets ratio;
b.    Satisfactory solvency, liquidity and profitability positions;
c.    CAMELS composite rating of at least 3 (this number, however, can be flexible depending on other circumstances prevailing), and with at least a moderate risk assessment system (RAS) based on the latest regular examination;
d.    There are no uncorrected major findings/exceptions noted in the latest BSP examination.

3.         Based on the recommendation of the Technical Working Group on Electronic Banking, the Deputy Governor, SES, shall approve in principle the application so that banks may immediately launch and/or enhance their existing electronic banking services.

4.         Banks shall be informed of the conditional approval of the DG, SES and they shall in turn notify the BSP on the actual date of its launching/enhancement.

5.         Within thirty (30) calendar days from such launching/enhancement, banks shall submit to the BSP thru the Supervisory Reports and Studies Office (SRSO) for evaluation, the following documentary requirements:

a.      A discussion on the banking services to be offered/enhanced, the business objectives for such services and the corresponding procedures, both automated and manual, offered through the electronic banking channels;

b.      A description or diagram of the configuration of the bank's electronic banking system and its capabilities showing (i) how the electronic banking system is linked to other host systems or the network infrastructure in the bank; (ii) how transactions and data flow through the network; (iii) what types of telecommunications channels and remote access capabilities (e.g. direct modem dial-in, internet access, or both) exist; and (iv) what security controls/measures are installed;

c.       A list of software and hardware components indicating the purpose of the software and hardware in the electronic banking infrastructure;

d.      A description of the security policies and procedures manual containing (i) a description of the bank's security organization; (ii) definition of responsibilities for designing, implementing, and monitoring information security measures; and (iii) established procedures for evaluating policy compliance, enforcing disciplinary measures and reporting security violations;

e.      A brief description of the contingency and disaster recovery plans for electronic banking facilities and event scenario/problem management plan/program to resolve or address problems, such as complaints, errors and intrusions and the availability of back-up facilities;

f.        Copy of contract with the communications carrier; arrangements for any liability arising from breaches in the security of the system or from unauthorized/fraudulent transactions;

g.      Copy of the maintenance agreements with the software/hardware provider/s; and

h.       Latest report on the periodic review of the system, if applicable.

6.         If, after the evaluation of the submitted documents, the Working Group still has unresolved issues or grey areas, the bank may be required to make a presentation of its electronic banking transactions to the BSP.

7.         Upon completion of evaluation, the appropriate recommendation shall be made to the Monetary Board. The following shall be the standard conditions for approval:

a.      Existence at all times of appropriate top-level risk management oversight;

b.      Operation of the electronic banking system outsourced to a third-party service provider, taking into consideration the existence of adequate security controls and the observance of confidentiality [as required in Republic Act No. 1405 (Bank Secrecy Law)] of customer information;

c.       Adoption of measures to properly educate customers on safeguarding of user ID, PIN and/or password, use of bank's products/services, actual fees/bank charges thereon and problem/error resolution procedures;

d.      Clear communication with its customers in connection with the terms and conditions, which would highlight how any losses from security breaches, systems failure or human error will be settled between the bank and its customers;

e.      Customers' acknowledgement in writing that they have understood the terms and conditions and the corresponding risks entailed in availing of electronic banking services;

f.        The bank's oversight process shall ensure that business expansion shall not put undue strains on its systems and risk management capability;

g.      The establishment of procedures for the regular review of the bank's security arrangements to ensure that such arrangements remain appropriate having regard to the continuing developments in security technology;

h.       Strict adherence to Bangko Sentral regulations on fund transfers in cases where clients use the electronic banking services to transfer funds;

i.        The electronic banking service shall not be used for money laundering or other illegal activities that will undermine the confidence of the public; and

j.        The BSP shall be notified in writing thirty (30) days in advance of any enhancements that may be made to the online electronic banking service.

8.         The same procedure and requirements stated in the foregoing shall apply to all banks with pending applications with the BSP, except on the submission of the documents enumerated in item no. 5 i.e., banks which have already submitted all the required information/documents need not comply with this requirement.

9.         Banks with existing electronic banking services but which do not qualify as a result of the pre-screening process mentioned in item 2 hereof shall be given three (3) months within which to show proof of improved overall financial condition and/or substantial compliance with the BSP's prudential requirements; otherwise, their electronic banking activities will be temporarily suspended until such time that the same have been complied with.

10.       Sanctions, in the form of monetary penalties and/or suspension of electronic banking activities or both, shall be imposed on erring banks and/or its officers for failure to: (a) seek BSP approval before launching/enhancing/implementing electronic banking services, and/or (b) submit within the prescribed deadline the required information/documents.

Monetary penalties proposed to be imposed, in accordance with Sections 36 and 37 of R.A. No. 7653 (The New Central Bank Act) are as follows:

a.         For the officer/s and/or director/s responsible for failure to seek prior BSP approval and/or for non-submission/delayed submission of required information/documents, a one time penalty of P200,000; and

b.         For the banking institution for failure to seek prior BSP approval and/or for non-submission/delayed submission of required information/documents, a penalty of P30,000 per day starting from the day the offense was committed up to the time the same was corrected.

This Circular supersedes the provisions of Circular No. 240 dated 5 May 2000 insofar as inconsistent herewith.

This Circular shall take effect immediately.

Adopted: 21 Dec. 2000

(SGD.) RAFAEL B. BUENAVENTURA
Governor