We take great care to safeguard our clients from risks that may arise when it comes to e-banking products and services. This memorandum is being issued to serve as the Bank’s policy on consumer protection for e-banking products and services.
The Bank shall provide consumer protection applicable to e-banking products and services, in accordance with Bangko Sentral ng Pilipinas (BSP) Circular No. 542 entitled Consumer Protection for Electronic Banking. In this regard, the Bank shall ensure that the implementation of its e-banking activities is in compliance with the requirements to safeguard customer information; prevent money laundering and terrorist financing; reduce fraud and theft of sensitive customer information; and promote the legal enforceability of the Bank’s electronic agreements and transactions.
This policy shall cover all e-banking products and services offered by the Bank, including those that will be introduced later on.
Electronic banking (e-banking) generally refers to the provision of banking products and services through electronic channels such as the personal computer, through landline and mobile phone connections, or through automated teller machines (ATMs). These electronic banking products include the electronic money products that are aimed at facilitating retail payments. Currently, the Bank has the following e-banking products and services:
In compliance with BSP Circular No. 542, the following guidelines shall cover all e-banking products and services of the Bank:
a. The Bank’s Board of Directors and the Senior Management Committee shall be responsible for developing the Bank's e-banking business strategy and establishing an effective management oversight over e-banking services. This shall include the review and approval of the key aspects of the Bank's security control program and process, such as the development and maintenance of security control policies and infrastructure that properly safeguard e-banking systems and data from both internal and external threats. This will also include a comprehensive process for managing risks associated with increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions.
b. The Board of Directors and the Bank’s senior management shall ensure that the Bank’s risk management policies and processes are updated and modified where necessary, to cover existing or planned e-banking services.
c. The Bank’s Compliance Officer shall also ensure that proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. The product managers and system designers should consult with the Compliance Officer during the development and implementation stages of e-banking products and services. This level of involvement will help decrease the Bank’s compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.
a. Information Security Program
The Bank, through the Information Technology Group (SBA-ITG), shall establish and maintain a comprehensive information security program which must be properly implemented and strictly enforced. The information security program should include, at a minimum, the following:
SBA-ITG shall adjust or update, as appropriate, the said information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information.
b. Information Security Measures
1. To authenticate the identity of e-banking customers, the product managers shall employ techniques appropriate to the risks associated with e-banking products and services. The implementation of appropriate authentication methodologies should start with a risk assessment process. The risk should be evaluated based on the following:
I. type of customer;
II. customer transactional capabilities (e.g., bill payment, fund transfer, inquiry);
III. sensitivity of customer information and transaction being communicated to both the Bank and the customer;
IV. ease of using the communication method; and
V. volume of transactions.
2. Because standards for implementing a commercially reasonable system may change over time as technology and other procedures develop, SBA-ITG, together with the Bank’s technology service providers, shall continuously review, evaluate and identify authentication technology and ensure that appropriate changes are implemented for each transaction type and level of access based on the current and changing risk factors.
3. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, the product managers and system designers shall implement multifactor authentication (e.g., ATM card and PIN), layered security, or other controls reasonably calculated to mitigate those risks.
4. The authentication process should be consistent with and support the Bank’s overall security and risk management programs. An effective authentication process should have customer acceptance, reliable performance, scalability to accommodate growth, and inter-operability with existing systems and future plans as well as appropriate policies, procedures, and controls.
With the growth of e-banking and e-commerce, the Bank shall use reliable methods of originating new customer accounts in an electronic banking environment. Potentially significant risks may arise when a bank accepts new customers through the internet or other electronic channels. Thus, all concerned units/business centers shall ensure that in originating new accounts, the "Know Your Customer" or KYC policy of the Bank, which involves "face-to-face" contact, is strictly adhered to.
The Bank may receive a customer complaint, either through an electronic medium or otherwise, concerning an unauthorized transaction, loss, or theft in the customer’s electronic banking account. Therefore, the Bank shall ensure that controls are in place to review these notifications and that an investigation is initiated as required. To resolve disputes arising from the use of electronic banking products and services, the concerned unit/business center shall immediately conduct an investigation.
Although the above guidelines are focused on the risks and risk management techniques associated with an electronic delivery channel to protect customers and the general public, it should be understood that not all of the consumer protection issues that have arisen in connection with new technologies are specifically addressed in this policy. Additional policies may be issued in the future to address other aspects of consumer protection as the financial service environment through electronic banking evolves.
To minimize/prevent ATM frauds and crimes, the Bank should, at a minimum, implement the following security measures with respect to automated teller machine facilities:
Locate ATMs in highly visible areas;
Provide sufficient lighting at and around the ATM;
Where ATM crimes (e.g., robbery, vandalism) are high in a specific area or location, the Bank should install a surveillance camera or cameras, which shall view and record all persons entering the facility. Such recordings shall be preserved by the Bank for at least thirty (30) days;
Implement ATM programming enhancements such as masking/non-printing of card numbers;
Educate customers by advising them regularly of the risks associated with using the ATM and how to avoid these risks;
Conduct and document periodic security inspection at the ATM location, and make the pertinent information available to its clients;
Educate bank personnel to be responsive and sensitive to customer concerns and to communicate them immediately to the responsible bank officer; and
Post near the ATM facility a clearly visible sign which, at a minimum, provides the telephone numbers of the Bank as well as other banks’ hotline numbers for other cardholders who are allowed to transact business in the ATM, and police hotlines for emergency cases.
The Bank must study and assess ATM crimes to determine the primary problem areas. Procedures for reporting ATM crime should also be established. Knowing what crimes have occurred will aid the Bank in recognizing the particular crime problem and to what degree it exists so that it can implement specific prevention measures to mitigate the risk. In this connection, banks are encouraged to share information involving ATM fraud cases to deter and prevent proliferation of the crime.
1. Network controls
Implement adequate security measures on the internal networks and network connections to public network or remote parties. Segregate internal networks into different segments having regard to the access control needed for the data stored in, or systems connected to, each segment.
Properly design and configure the servers and firewalls used for the e-banking services either internet-based or delivered through wireless communication networks (e.g., install firewalls between internal and external networks as well as between geographically separate sites). Deploy strong and stringent authentication and controls especially in remote access or wireless access to the internal network.
Implement anti-virus software, network scanners and analyzers, intrusion detectors and security alerts, and conduct regular system and data integrity checks.
Maintain access security logs and audit trails. These should be analyzed for suspicious traffic and/or intrusion attempts.
Ensure that wireless software for wireless communication network includes appropriate audit capabilities (e.g., recording dropped transactions).
Develop built-in redundancies for single points of failure which can bring down the entire network.
2. Operating Systems Controls
Harden the operating system by configuring system software and firewall to the highest security settings consistent with the level of protection required, keeping abreast of enhancements, updates and patches recommended by system vendors.
Change all default passwords for new systems immediately upon installation as they provide the most common means for intruders to break into systems.
3. Encryption
Implement encryption technologies that are appropriate to the sensitivity and importance of the data to protect the confidentiality of information while it is stored or in transit over external and internal networks.
Choose encryption technologies that make use of internationally recognized cryptographic algorithms whose strength has been subjected to extensive testing.
Apply strong "end-to-end" encryption to the transmission of highly sensitive data (e.g., customer passwords) so that the data are encrypted all the way between customers’ devices and the Bank’s internal systems for processing data. This ensures that highly sensitive data would not be compromised even if the Bank's web servers or internal networks were penetrated.
4. Website and Mobile Banking Authentication
Authenticate the Bank’s official website to protect the Bank’s customers from spoofed or faked websites. The Bank should determine what authentication technique to use to provide protection against these attacks.
For wireless applications, adopt authentication protocols that are separate and distinct from those provided by the wireless network operator.
5. Physical Security
House all critical or sensitive computers and network equipment in physically secure locations (e.g., away from environmental hazards, unauthorized entry and public disclosure, etc.).
Implement physical security measures such as security barriers (e.g., external walls, windows); entry controls (e.g., biometric door locks, manual or electronic logging, security guards); and physical protection facilities/devices (e.g., water and fire detectors, uninterruptible power supply (UPS), etc.) to prevent unauthorized physical access to, damage to and interference with the e-banking services.
6. Development and Acquisition
Maintain separate physical/logical environments for development, testing, staging and production.
Provide separate environments for the development, testing, staging and production of internet facing web-based applications; connect only the production environment to the internet.
7. IT Personnel Training
Provide appropriate and updated training to IT personnel on network, application and security risks and controls so that they understand and can respond to potential security threats.
8. Service Providers
Perform due diligence regularly to evaluate the ability of the service providers (e.g., internet service provider, telecommunication provider) to maintain an adequate level of security and to keep abreast of changing technology.
Ensure that the contractual agreements with the service providers have clearly defined security responsibilities.
9. Independent Audit, Vulnerability Test and Penetration Testing
Conduct regular audits to assess the adequacy and effectiveness of the risk management process and the attendant controls and security measures.
Perform vulnerability tests or assessments to evaluate the information security policies, internal controls and procedures, as well as the system and network security of the Bank. Assessments should also take into account the latest technological developments and security threats, industry standards and sound practices.
Conduct penetration testing at least annually.
The audits and tests should be conducted by security professionals or internal auditors who are independent of the development, implementation or operation of e-banking services, and who have the required skills to perform the evaluation.
For e-banking services provided by an outside vendor or service provider, ensure that the above tests and audit are performed and the Bank is provided with the result and actions taken on system security weaknesses.
10. Incident Response
Establish an incident management and response plan and test the predetermined action plan relating to security incidents.
To ensure the security of their e-banking transactions and personal information, consumers should be oriented on their roles and responsibilities, which, at a minimum, include the following:
1. Internet Products and Services
A. Secure Login ID and Password or PIN
B. Keep personal information private
2. Other Electronic Products
A. Automated Teller Machine (ATM) and debit cards
B. Do not leave documents like bills and bank statements in an unsecured place, since these documents contain deposit account information. Consider shredding sensitive documents rather than simply throwing them away. (Some people will go through the garbage to find this information.)
C. Notify the bank in advance of a change in address.
D. Open billing statements promptly and reconcile card amounts each month.
Do not let other people use your card. If the card is lost or stolen, report the incident immediately to the Bank.
Since customers may find it difficult to take in lengthy and complex advice, the Bank should devise effective methods and channels for communicating with them on security precautions. The Bank may make use of multiple channels (e.g., the Bank's website, alert messages on a customer's mobile phone, messages printed on customer statements, promotional leaflets, and occasions when the Bank's frontline staff communicate with customers) to reinforce these precautionary measures.
1. General Requirement
Banks offering electronic banking services have to adopt responsible privacy policies and information practices. Banks should provide disclosures that are clear and readily understandable, in writing, or in a form the consumers may print and keep.
The Bank should also ensure that consumers who sign up for a new banking service are provided with disclosures (e.g., a pamphlet) informing them of their rights as consumers.
At a minimum, the following disclosures should be provided to protect consumers and inform them of their rights and responsibilities.
2. Disclosure Responsibility
Examples of these disclosures include:
1. PDIC insured or non-insured status of the product;
2. Fees and charges associated with the purchase, use or redemption of the product;
3. Liability for loss;
4. Expiration dates, or limits on redemption; and
5. Toll-free telephone number for customer service, malfunction and error resolution.
Shopping has never been more convenient. With the smart phones and tablets, you can buy and pay for goods and services anywhere you may be. Here are practical measures to ensure that you protect your ShopNPay Debit and Prepaid Cards when mobile shopping.
In this age of technology, there are many ways a fraudster can steal your personal information. When shopping or banking online, remember to take these sensible tips and precautions to protect yourself and your financial accounts.
With long ATM lines and the risk of carrying large amounts of cash, it’s more convenient to pay for goods and services using your ShopNPay Debit and Prepaid Cards. Here is some practical advice to protect your cards when purchasing via a point-of-sale (POS) terminal.
Don't be a victim of ATM schemes. Learn to WIGL!