CONSUMER PROTECTION POLICY

Our clients' safety is a priority for us at Sterling Bank of Asia.

We take great care to safeguard our clients from the risks that arise with e-banking products and services. This memorandum serves as the Bank’s consumer protection policy for e-banking products and services.

The Bank shall provide consumer protection applicable to e-banking products and services, in accordance with Bangko Sentral ng Pilipinas (BSP) Circular No. 542 entitled Consumer Protection for Electronic Banking. In this regard, the Bank shall ensure that the implementation of its e-banking activities complies with the requirements to safeguard customer information, prevent money laundering and terrorist financing, reduce fraud and theft of sensitive customer information, and promote the legal enforceability of the Bank’s electronic agreements and transactions.

This policy shall cover all e-banking products and services offered by the Bank, including those that will be introduced later on.

Electronic banking (e-banking) generally refers to the provision of banking products and services through electronic channels such as personal computers, landlines, and mobile phone connections, or through automated teller machines (ATMs). These electronic banking products include electronic money products that are aimed at facilitating retail payments. Currently, the Bank has the following e-banking products and services:

  1. ATM
  2. Cashless shopping using P.O.S. (Point-of-Sale)
  3. Sterling Bank Online - Personal (Retail Internet Banking)
  4. Sterling Bank Online - Business (Corporate Internet Banking)

In compliance with BSP Circular No. 542, the following guidelines shall cover all e-banking products and services of the Bank:

I. E-Banking Oversight Function

  • The Bank’s Board of Directors and the Senior Management Committee shall be responsible for developing the Bank's e-banking business strategy and establishing effective management oversight over e-banking services. This shall include the review and approval of the key aspects of the Bank's security control program and process, such as the development and maintenance of security control policies and infrastructure that properly safeguard e-banking systems and data from both internal and external threats. This will also include a comprehensive process for managing risks associated with the increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions.
  • The Board of Directors and the Bank’s senior management shall ensure that the Bank’s risk management policies and processes are updated and modified where necessary, to cover existing or planned e-banking services.
  • The Bank’s Compliance Officer shall also ensure that proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. The product managers and system designers should consult with the Compliance Officer during the development and implementation stages of e-banking products and services. This level of involvement will help decrease the Bank’s compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

II. E-Banking Risk Management and Internal Control

  • Information Security Program

    The Bank, through the Information Technology Group (SBA-ITG), shall establish and maintain a comprehensive information security program which must be properly implemented and strictly enforced. The information security program should include, at a minimum, the following:

    -Identification and assessment of risks associated with e-banking products and services;
    -Identification of risk mitigation actions, including appropriate authentication technology and internal controls;
    -Information disclosure and customer privacy policy; and
    -Evaluation of consumer awareness efforts.

    SBA-ITG shall adjust or update, as appropriate, the said information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information.
     
  • Information Security Measures

    -SBA-ITG shall ensure that the information security measures and internal controls related to electronic banking are installed, regularly updated, monitored, and appropriate to the risks associated with the products and services. Please see Appendix A and Appendix B for the minimum security measures that the Bank should employ in ATM facilities and internet/mobile banking activities, respectively, to protect depositors and consumers from fraud, robbery, and other e-banking crimes.

    -SBA-ITG shall also take into account other relevant industry security standards and sound practices as appropriate, and keep up with the most current information security issues (e.g., security weaknesses of the wireless environment), by sourcing relevant information from well-known security resources and organizations.

III. Authentication

  • To authenticate the identity of e-banking customers, product managers shall employ techniques appropriate to the risks associated with e-banking products and services. The implementation of appropriate authentication methodologies should start with a risk assessment process. The risk should be evaluated based on the following:

    I. type of customer;
    II. customer transactional capabilities (e.g., bill payment, fund transfer, inquiry)
    III. sensitivity of customer information and transaction being communicated to both the Bank and the customer;
    IV. ease of using the communication method; and
    V. volume of transactions.
     
  • Because standards for implementing a commercially reasonable system may change over time as technology and other procedures develop, SBA-ITG, together with the Bank’s technology service providers, shall continuously review, evaluate and identify authentication technology and ensure appropriate changes are implemented for each transaction type and level of access based on the current and changing risk factors.
     
  • Account fraud and identity theft are frequently the results of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, the product managers and system designers shall implement multifactor authentication (e.g., ATM card and PIN), layered security, or other controls reasonably calculated to mitigate those risks.
     
  • The authentication process should be consistent with and support the Bank’s overall security and risk management programs. An effective authentication process should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans as well as appropriate policies, procedures, and controls.

IV. Account Origination and Customer Verification

With the growth of e-banking and e-commerce, the Bank shall use reliable methods of originating new customer accounts in an electronic banking environment. Potentially significant risks may arise when a bank accepts new customers through the internet or other electronic channels. Thus, all concerned units/business centers shall ensure that in originating new accounts, the "Know Your Customer" or KYC policy of the Bank, which involves "face-to-face" contact, is strictly adhered to.

V. Monitoring and Reporting of E-banking Transactions

  • Monitoring systems can determine if unauthorized access to computer systems and customer accounts has occurred. The product managers and system designers must ensure that a sound monitoring system is in place, which should include audit features that can assist in the detection of fraud, money laundering, compromised passwords, or other unauthorized activities.
     
  • SBA-ITG shall be responsible for the activation and maintenance of audit logs, which help the Bank identify unauthorized activities, detect intrusions, reconstruct events, and promote employee and user accountability. This control process also facilitates the Bank’s submission of suspicious activity reports as required by the Anti-Money Laundering Council (AMLC) and other regulatory bodies.
     
  • When users are no longer authorized to access a particular system, the same must be reported promptly to the security administrators for the timely removal or suspension of user account access.
     
  • Whenever critical systems or processes are outsourced to third parties, SBA-ITG shall ensure that the appropriate logging and monitoring procedures are in place and that suspected unauthorized activities are communicated to the Bank in a timely manner.
     
  • An independent party (e.g., internal or external auditor) should also review activity reports documenting the security administrators' actions to provide the necessary checks and balances for managing system security.

  • Consumer awareness is a key defense against fraud, identity theft, and security breaches. Please see Appendix C for the minimum Consumer Awareness Program that the Bank should convey to its customers.

  • To be effective, the Retail Banking Group (RBG) and the Product Management Department (PMD-MG) under the Marketing Group shall implement and continuously evaluate their consumer awareness program. Methods to evaluate a program’s effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (e.g., ID/password), the number of clicks on information security links on websites, the number of inquiries, etc.

  • The Bank shall provide its customers with the same level of comfort regarding information disclosure and transparency, protection of customer data, and business availability that they would expect when using traditional banking services.
     
  • To minimize operational, legal, and reputational risks associated with e-banking activities, the Bank shall make adequate disclosure of information and take appropriate measures to ensure adherence to customer privacy and protection requirements. (Please see Appendix D for the minimum disclosure requirements of the Bank).
     
  • In order to meet customers' expectations, the Bank shall ensure that effective capacity, business continuity, and contingency planning are in place. The PMD-MG, in coordination with SBA-ITG, must be able to deliver e-banking services to all end-users and maintain such availability in all circumstances (e.g., 24/7 availability). Likewise, PMD-MG must ensure that effective incident response mechanisms and communication strategies are in place to minimize risks arising from unexpected events, including internal and external attacks.
     
  • Safekeeping of Records. The Bank shall safekeep and monitor records or information regarding e-banking financial transactions and disclosures, just as record-keeping is required for paper-based transactions. In this regard, all vital records relating to e-banking financial transactions and disclosures shall be retained for a period of at least five (5) years, or permanently where applicable, by all concerned units/business centers.
     
  • Safekeeping of these records or information means both hardcopies and softcopies (whenever applicable) of the same must be retained free from tampering or corruption within the assigned or applicable retention period.

The Bank may receive a customer complaint, through an electronic medium or otherwise, concerning an unauthorized transaction, loss, or theft in the customer’s electronic banking account. The Bank shall therefore ensure that controls are in place to review these notifications and that an investigation is initiated as required. To resolve disputes arising from the use of electronic banking products and services, the concerned unit/business center shall immediately conduct an investigation.

The above guidelines focus on the risks, and the risk management techniques, associated with an electronic delivery channel, in order to protect customers and the general public. Not every consumer protection issue that has arisen in connection with new technologies is specifically addressed in this policy; additional policies may be issued in the future to address other aspects of consumer protection as the electronic banking environment evolves.

Appendices

Appendix A. Minimum Security Measures for ATM Facilities

To minimize/prevent ATM frauds and crimes, the Bank should, at a minimum, implement the following security measures with respect to automated teller machine facilities:

  • Locate ATMs in highly visible areas;
  • Provide sufficient lighting at and around the ATM;
  • Where ATM crimes (e.g., robbery, vandalism) are high in a specific area or location, the Bank should install surveillance cameras that view and record all persons entering the facility. Such recordings shall be preserved by the Bank for at least thirty (30) days;
  • Implement ATM programming enhancements such as masking/non-printing of card numbers;
  • Educate customers by advising them regularly of risks associated with using the ATM and how to avoid these risks; 
  • Conduct and document periodic security inspections at the ATM location, and make the pertinent information available to its clients; 
  • Educate bank personnel to be responsive and sensitive to customer concerns and to communicate them immediately to the responsible bank officer; and
  • Post near the ATM facility a clearly visible sign which, at a minimum, provides the telephone numbers of the bank as well as other banks’ helpline numbers for other cardholders who are allowed to transact business in the ATM, and police hotlines for emergency cases. 

The Bank must study and assess ATM crimes to determine the primary problem areas. Procedures for reporting ATM crime should also be established. Knowing what crimes have occurred will aid the Bank in recognizing the particular crime problem and to what degree it exists so that it can implement specific prevention measures to mitigate the risk. In this connection, banks are encouraged to share information involving ATM fraud cases to deter and prevent the proliferation of the crime.

Appendix B. Minimum Security Measures for Internet and Mobile Banking

1. Network Controls

Implement adequate security measures on the internal networks and network connections to public networks or remote parties. Segregate internal networks into different segments having regard to the access control needed for the data stored in, or systems connected to, each segment.

Properly design and configure the servers and firewalls used for the e-banking services either internet-based or delivered through wireless communication networks (e.g., install firewalls between internal and external networks as well as between geographically separate sites). Deploy strong and stringent authentication and controls, especially in remote access or wireless access to the internal network.

Implement anti-virus software, network scanners and analyzers, intrusion detectors, and security alerts as well as conduct regular system and data integrity checks.

Maintain access security logs and audit trails. These should be analyzed for suspicious traffic and/or intrusion attempts.
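The log analysis that Section V and item 1 above call for can be automated. The following is an added example written for this page, not the Bank's own monitoring code. It assumes a simple line format of its own (time, outcome, user, source address) and runs two rules over constructed sample events: a burst of failed logins for one account from one source address (password guessing), and a successful login for an account that has just absorbed such a burst, which is the "compromised password" case an investigator wants flagged first. Malformed lines are counted rather than dropped silently, since a gap in the audit trail is itself a finding.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// sampleLog is a constructed excerpt of internet-banking login events. The line
// format (RFC 3339 time, outcome, user, source address) is this example's own
// assumption, not a format used by the Bank. The fourth line is deliberately
// truncated to show how malformed records are counted rather than silently lost.
const sampleLog = `2024-03-04T09:00:01Z LOGIN_FAIL user=jdelacruz ip=203.0.113.7
2024-03-04T09:00:04Z LOGIN_FAIL user=jdelacruz ip=203.0.113.7
2024-03-04T09:00:09Z LOGIN_FAIL user=jdelacruz ip=203.0.113.7
2024-03-04T09:00:12Z LOGIN_FA
2024-03-04T09:00:15Z LOGIN_FAIL user=jdelacruz ip=203.0.113.7
2024-03-04T09:00:20Z LOGIN_FAIL user=jdelacruz ip=203.0.113.7
2024-03-04T09:00:31Z LOGIN_OK user=jdelacruz ip=203.0.113.7
2024-03-04T09:05:10Z LOGIN_OK user=mreyes ip=198.51.100.22
2024-03-04T09:07:45Z LOGIN_FAIL user=mreyes ip=198.51.100.22
2024-03-04T09:07:58Z LOGIN_OK user=mreyes ip=198.51.100.22
2024-03-04T10:15:00Z LOGIN_OK user=jdelacruz ip=198.51.100.9
`

type Event struct {
	At   time.Time
	OK   bool
	User string
	IP   string
}

type Alert struct {
	Rule string
	User string
	IP   string
	At   time.Time
}

func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "ip=") {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, OK: f[1] == "LOGIN_OK", User: strings.TrimPrefix(f[2], "user="), IP: strings.TrimPrefix(f[3], "ip=")}, nil
}

// recent drops timestamps that have fallen out of the sliding window.
func recent(ts []time.Time, now time.Time, window time.Duration) []time.Time {
	kept := ts[:0]
	for _, t := range ts {
		if now.Sub(t) <= window {
			kept = append(kept, t)
		}
	}
	return kept
}

// Analyze replays the events in order and raises:
//   - "repeated-failures" once a (user, ip) pair reaches threshold failures inside window;
//   - "success-after-failures" when a login succeeds for a user who accumulated
//     threshold failures (from any address) inside window, i.e. guessing that worked.
// It also returns how many lines could not be parsed.
func Analyze(log string, threshold int, window time.Duration) ([]Alert, int) {
	var alerts []Alert
	malformed := 0
	byUserIP := map[string][]time.Time{}
	byUser := map[string][]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, err := parseLine(sc.Text())
		if err != nil {
			malformed++
			continue
		}
		key := ev.User + "|" + ev.IP
		byUserIP[key] = recent(byUserIP[key], ev.At, window)
		byUser[ev.User] = recent(byUser[ev.User], ev.At, window)
		if !ev.OK {
			byUserIP[key] = append(byUserIP[key], ev.At)
			byUser[ev.User] = append(byUser[ev.User], ev.At)
			if len(byUserIP[key]) == threshold { // alert once, not on every further failure
				alerts = append(alerts, Alert{"repeated-failures", ev.User, ev.IP, ev.At})
			}
			continue
		}
		if len(byUser[ev.User]) >= threshold {
			alerts = append(alerts, Alert{"success-after-failures", ev.User, ev.IP, ev.At})
		}
		delete(byUser, ev.User) // a success closes the failure streak
		delete(byUserIP, key)
	}
	return alerts, malformed
}

func main() {
	alerts, malformed := Analyze(sampleLog, 5, 2*time.Minute)
	for _, a := range alerts {
		fmt.Printf("%s  %-22s user=%s ip=%s\n", a.At.Format(time.RFC3339), a.Rule, a.User, a.IP)
	}
	fmt.Printf("%d malformed line(s) skipped\n", malformed)
}
```

The threshold and window are parameters because the right values depend on the product's own false-positive rate; the same two rules work for ATM PIN retries with a lower threshold. In production the alerts would feed the review by the independent party that Section V requires, and the malformed-line count belongs on a dashboard, since a logging outage looks exactly like a quiet day.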

Ensure that wireless software for wireless communication networks includes appropriate audit capabilities (e.g., recording dropped transactions).

Develop built-in redundancies for single points of failure which can bring down the entire network.

2. Operating Systems Controls 

Harden operating systems by configuring system software and firewalls to the highest security settings consistent with the level of protection required, and keep abreast of enhancements, updates, and patches recommended by system vendors.

Change all default passwords for new systems immediately upon installation as they provide the most common means for intruders to break into systems.

3. Encryption 

Implement encryption technologies that are appropriate to the sensitivity and importance of the data, to protect the confidentiality of information both while it is stored and while it is in transit over external and internal networks.

Choose encryption technologies that make use of internationally recognized cryptographic algorithms whose strength has been subjected to extensive testing.

Apply strong "end-to-end" encryption to the transmission of highly sensitive data (e.g., customer passwords), so that the data are encrypted all the way between customers’ devices and the Bank’s internal systems that process them. This ensures that such data are not exposed even if the Bank's web servers or internal networks are penetrated.
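To make the "end-to-end" requirement concrete, here is an added example written for this page, not the Bank's own code. The customer's device seals the password with RSA-OAEP to a public key that belongs only to the internal authentication system, so the TLS-terminating web server forwards a blob it cannot read even if it is fully compromised. The key-generation helper, the OAEP label string and the WebTierLeaks check that models a compromised web server are assumptions of this example. This protects the password field specifically; the TLS session around it is still required for everything else.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// oaepLabel is an assumed context string for this example. OAEP binds the
// ciphertext to it, so a blob sealed for some other purpose cannot be replayed
// as a login password.
var oaepLabel = []byte("sba-online-login-password-v1")

// NewAuthServerKey makes the key pair that lives only on the internal
// authentication system; customers' devices receive just the public half.
func NewAuthServerKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// EncryptOnDevice runs in the customer's browser or app before the login form
// is submitted. RSA-OAEP with SHA-256 is randomised, so the same password
// produces a different blob every time, which defeats simple replay matching.
func EncryptOnDevice(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), oaepLabel)
	if err != nil { // e.g. rsa.ErrMessageTooLong for an absurdly long password
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// WebTierLeaks models a compromised TLS-terminating web server that logs the
// submitted form field: it reports whether the password is readable in what it saw.
func WebTierLeaks(field, password string) bool {
	return strings.Contains(field, password)
}

// DecryptOnAuthServer runs only where the private key lives. A wrong key, a
// wrong label or any change to the blob fails OAEP's integrity check.
func DecryptOnAuthServer(priv *rsa.PrivateKey, field string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", errors.New("sealed password rejected")
	}
	return string(pt), nil
}

// Tamper flips one bit of the sealed field, as an on-path attacker might.
func Tamper(field string) string {
	raw, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		panic(err)
	}
	raw[len(raw)/2] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	authKey := NewAuthServerKey()
	const password = "correct horse battery"

	field, err := EncryptOnDevice(&authKey.PublicKey, password)
	if err != nil {
		panic(err)
	}
	fmt.Println("web tier can read password:", WebTierLeaks(field, password))

	got, err := DecryptOnAuthServer(authKey, field)
	fmt.Printf("auth server recovered %q (err=%v)\n", got, err)

	_, err = DecryptOnAuthServer(NewAuthServerKey(), field)
	fmt.Println("decrypt with another key:", err)
	_, err = DecryptOnAuthServer(authKey, Tamper(field))
	fmt.Println("decrypt tampered blob:  ", err)
}
```

The private key must never be deployed to the web tier, or the scheme collapses to ordinary TLS; in practice it lives in the authentication system's HSM or key store and the public key is published with the login page. Rotate the key pair by publishing the new public key alongside the old one and accepting both for a short overlap.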

4. Website and Mobile Banking Authentication 

Authenticate the official websites to protect the Bank’s customers from spoofed or faked websites. The Bank should determine what authentication technique to use to provide protection against these attacks. 

For wireless applications, adopt authentication protocols that are separate and distinct from those provided by the wireless network operator.
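What "authenticating the official website" means in practice is the check behind the browser's padlock that Appendix C asks customers to perform: the server certificate must chain to a root the customer trusts and must be issued for the host name the customer typed. The following is an added example written for this page, not the Bank's code. It builds a throw-away root CA, issues a certificate for www.sterlingbankasia.com (an assumed host name, taken from the Bank's e-mail domain on this page; nothing here contacts the real site), and shows the two ways a spoofed site fails the check: a look-alike host name, and a certificate from a CA the customer does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// siteHost is an assumed host name for this example.
const siteHost = "www.sterlingbankasia.com"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert signs tmpl with parentKey; a nil parent makes the certificate self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewCA builds a self-signed root such as a browser vendor would ship.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// NewServerCert issues a TLS server certificate for host from the given CA.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// NewTrustStore is the customer's set of trusted roots.
func NewTrustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// VerifySite is the check behind the padlock: the certificate must chain to a
// trusted root, be valid for server use, and name the host the customer typed.
func VerifySite(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Reason reduces a verification failure to the diagnosis a user should act on.
func Reason(err error) string {
	var hostErr x509.HostnameError
	var caErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	case errors.As(err, &caErr):
		return "untrusted issuer"
	}
	return "rejected: " + err.Error()
}

func main() {
	root, rootKey := NewCA("Example Trusted Root")
	trusted := NewTrustStore(root)
	genuine, _ := NewServerCert(root, rootKey, siteHost)
	rogue, rogueKey := NewCA("Rogue CA")
	forged, _ := NewServerCert(rogue, rogueKey, siteHost)

	fmt.Println("genuine cert, correct host:   ", Reason(VerifySite(genuine, trusted, siteHost)))
	fmt.Println("genuine cert, look-alike host:", Reason(VerifySite(genuine, trusted, "www.sterling-bankasia.com")))
	fmt.Println("forged cert, correct host:    ", Reason(VerifySite(forged, trusted, siteHost)))
}
```

The two failure modes map directly onto the customer advice in Appendix C: typing the URL yourself catches the look-alike host, and not clicking through certificate warnings catches the untrusted issuer. A certificate for the right name from a CA the browser trusts is the only combination that should show a closed padlock.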

5. Physical Security 

House all critical or sensitive computers and network equipment in physically secure locations (e.g., away from environmental hazards, unauthorized entry and public disclosure, etc.). 

Implement physical security measures such as security barriers (e.g., external walls, windows); entry controls (e.g., biometric door locks, manual or electronic logging, security guards); and physical protection facilities/devices (e.g., water and fire detectors, uninterruptible power supply (UPS), etc.) to prevent unauthorized physical access to, damage to, and interference with the e-banking services. 

6. Developments and Acquisition 

Maintain separate physical/logical environments for development, testing, staging, and production. For internet-facing web-based applications, connect only the production environment to the internet.

7. IT Personnel Training 

Provide appropriate and updated training to IT personnel on network, application, and security risks and controls so that they understand and can respond to potential security threats.

8. Service Providers 

Perform due diligence regularly to evaluate the ability of the service providers (e.g., internet service provider, telecommunication provider) to maintain an adequate level of security and to keep abreast of changing technology.

Ensure that the contractual agreements with the service providers have clearly defined security responsibilities.

9. Independent Audit, Vulnerability Test, and Penetration Testing 

Conduct regular audits to assess the adequacy and effectiveness of the risk management process and the attendant controls and security measures.

Perform vulnerability tests or assessments to evaluate the information security policies, internal controls, and procedures, as well as the system and network security of the Bank. Assessment should also include the latest technological developments and security threats, industry standards, and sound practices.

Conduct penetration testing at least annually.

The audits and tests should be conducted by security professionals or internal auditors who are independent of the development, implementation, and operation of e-banking services and have the required skills to perform the evaluation.

For e-banking services provided by an outside vendor or service provider, ensure that the above tests and audit are performed and the Bank is provided with the result and actions taken on system security weaknesses.

10. Incident Response

Establish an incident management and response plan and test the predetermined action plan relating to security incidents.

Appendix C. Consumer Awareness Program

To ensure the security of their e-banking transactions and personal information, consumers should be oriented on their roles and responsibilities, which, at a minimum, include the following:

1. Internet Products and Services 

A. Secure Login ID and Password or PIN   

  • Do not disclose your Login ID and Password or PIN
  • Do not store Login ID and Password or PIN on the computer.
  • Regularly change the password or PIN and avoid using easy-to-guess passwords such as names or birthdays. A password should be a combination of uppercase and lowercase letters and numbers, and should be at least 6 characters in length.

B. Keep personal information private

  • Do not disclose personal information such as an address, mother’s maiden name, telephone number, social security number, bank account number, or e-mail address unless the party collecting the information is reliable and trustworthy.

C. Keep records of online transactions

  • Regularly check transaction history details and statements to make sure that there are no unauthorized transactions.
  • Review and reconcile monthly credit card and bank statements promptly and thoroughly for any errors and unauthorized transactions.
  • Check e-mail for messages from merchants with whom one is doing business. Merchants may send important information about transaction histories.
  • Immediately notify the Bank if there are unauthorized entries or transactions in the account.

D. Check for the right and secure website

  • Before doing any online transactions or sending personal information, make sure that the correct website has been accessed. Beware of bogus or "look-alike" websites that are designed to deceive consumers.
  • Check that the website is “secure”: its Uniform Resource Locator (URL) should begin with “https” and the browser should display a closed padlock icon in the address bar. To confirm the authenticity of the site, click the padlock icon to display the site’s security certificate and check that it was issued to the Bank’s domain.
  • Always enter the URL of the website directly into the web browser. Avoid being re-directed to the website, or hyperlinked to it from a website that may not be as secure.
  • If possible, use software that encrypts or scrambles the information when sending sensitive information or performing e-banking transactions online.

E. Protect personal computers from hackers, viruses, and malicious programs

  • Install a personal firewall and a reputable anti-virus program to protect your personal computers from virus attacks or malicious programs.
  • Ensure that the anti-virus program is updated and runs at all times.
  • Always keep the operating system and the web browser updated with the latest security patches, in order to protect against weaknesses or vulnerabilities.
  • Always scan with an updated anti-virus program when downloading a program or opening an attachment to ensure that it does not contain any virus.
  • Install updated scanner software to detect and eliminate malicious programs capable of capturing personal or financial information online.
  • Never download any file or software from unfamiliar sites or sources, or from hyperlinks sent by strangers. Opening such files could expose the system to a computer virus that could hijack personal information, including passwords or PINs.

F. Do not leave the computer unattended when logged in

  • Log off from the internet banking site when the computer is unattended, even if it is for a short while.
  • Always remember to log off when e-banking transactions have been completed.
  • Clear the browser cache and history after logging out from the website to remove account information. This avoids the stored information being retrieved by unwanted parties.

G. Check the site’s privacy policy and disclosures

  • Read and understand website disclosures, specifically on refund, shipping, account debit/credit policies, and other bank terms and conditions.
  • Before providing any personal financial information to a website, determine how the information will be used or shared with others.
  • Check the site’s statements about the security provided for the information divulged.
  • Some websites' disclosures are easier to find than others: look at the bottom of the home page, on order forms, or in the "About" or "FAQs" section of the site. If the customer is not comfortable with the policy, consider doing business elsewhere.

H. Other internet security measures

  • Do not send any personal information, particularly passwords or PINs, via ordinary e-mail.
  • Do not open other browser windows while banking online.
  • Avoid using shared or public personal computers in conducting e-banking transactions.
  • Disable the “file and printer sharing” feature on the operating system when conducting banking transactions online.
  • Contact the banking institution to discuss security concerns and remedies to any online e-banking account issues.
     

2. Other Electronic Products

A. Automated Teller Machine (ATM) and debit cards

  • Use ATMs that are familiar or that are in well-lit locations where one feels comfortable. If the machine is poorly lit or is in a hidden area, use another ATM.
  • Have your card ready before approaching the ATM. Avoid having to go through the wallet or purse to find the card.
  • Do not use ATMs that appear to have been tampered with or otherwise altered. Report such conditions to the Bank.
  • Memorize ATM personal identification number (PIN) and never disclose it to anyone. Do not keep those numbers or passwords in the wallet or purse. Never write them on the cards themselves. And avoid using easily available personal information like a birthday, nickname, mother’s maiden name, or consecutive numbers.
  • Be mindful of "shoulder surfers" when using ATMs. Stand close to the ATM and shield the keypad with your hand when keying in the PIN and transaction amount.
  • If the ATM is not working correctly, cancel the transaction and use a different ATM. If possible, report the problem to the Bank.
  • Carefully secure the card and cash in the wallet, handbag, or pocket before leaving the ATM.
  • Do not leave the receipt behind. Compare ATM receipts to monthly statements. It is the best way to guard against fraud and it makes record-keeping easier.
  • Do not let other people use your card. If the card is lost or stolen, report the incident immediately to the Bank.

B. Do not leave documents such as bills and bank statements in an unsecured place, since these documents contain deposit account information. Consider shredding sensitive documents rather than simply throwing them away (some people will go through the garbage to find this information).

C. Notify the bank in advance of a change in address.

D. Open billing statements promptly and reconcile card amounts each month.


Since customers may find it difficult to take in lengthy and complex advice, the Bank should devise effective methods and channels for communicating security precautions to them. The Bank may make use of multiple channels (e.g., the Bank's website, alert messages on a customer's mobile phone, messages printed on customer statements, promotional leaflets, and occasions when the Bank's frontline staff communicate with customers) to reinforce these precautionary measures.

Appendix D. Minimum Disclosure Requirements

1. General Requirement

Banks offering electronic banking services have to adopt responsible privacy policies and information practices. Banks should provide disclosures that are clear and readily understandable, in writing, or in a form the consumers may print and keep.

Banks should also ensure that consumers who sign up for a new banking service are provided with disclosures (e.g., pamphlets) informing them of their rights as consumers.

At a minimum, the following disclosures should be provided to protect consumers and inform them of their rights and responsibilities.

  • Information on the duties of the banking institution and customers
  • Information on who will be liable for unauthorized or fraudulent transactions
  • The mode by which customers will be notified of changes in terms and conditions
  • Information relating to how customers can lodge a complaint, and how a complaint may be investigated and resolved
  • Disclosures that will help customers in their decision-making (e.g., PDIC insured, etc.)
  • For the internet environment, a notice on the bank's website informing customers, when they follow a hyperlink to a third party's website, that they are leaving the banking institution's website and are therefore no longer protected by its privacy policies and security measures

2. Disclosure Responsibility

  • Compliance officers should review the bank's disclosure statements to determine whether they have been designed to meet the general and specific requirements set in this circular.
  • Banks that advertise deposit products and services online must verify that proper advertising disclosures are made (e.g., whether the product is insured by the PDIC or not; fees and charges associated with the product or service, etc.). Advertisements should be monitored to determine whether they are current, accurate, and compliant. 
  • Banks that issue various products like stored value cards, e-wallets, and debit cards, must provide information to consumers regarding the features of each of these products to enable consumers to meaningfully distinguish them. Additionally, consumers would find it beneficial to receive information about the terms and conditions associated with their usage.

Examples of these disclosures include:

  1. PDIC insured or non-insured status of the product;
  2. Fees and charges associated with the purchase, use, or redemption of the product;
  3. Liability for loss;
  4. Expiration dates, or limits on redemption; and
  5. Toll-free telephone number for customer service, malfunction, and error resolution.

Stay vigilant and alert!

Report fraudulent banking activities to us through:

+632 8721 6000 or +632 8672 6300
customer.service@sterlingbankasia.com