The Bangko Sentral ng Pilipinas (BSP) has ordered all BSP supervised financial institutions (BSFIs) to cooperate and to share relevant information in aid of investigating fraudulent activities.

(Photo via Pixabay)

BSP Deputy Governor Chuchi G. Fonacier in a memo (Memorandum No. M-2021-059) she signed on Nov. 2, is advising all banks and non-banks to follow guidelines on information sharing to “ensure that the basic data privacy principles of transparency, legitimate purpose and proportionality are adhered to” and that an “existing court order or proceeding is not a pre-requisite for information sharing to happen.”

BSP Deputy Governor Chuchi G. Fonacier

Fonacier said the popularity and increased usage of digital financial and payment services have also increased the number of “cyberthreat actors” which now have “more avenues and channels to perpetrate cybercriminal activities which exploit vulnerabilities of (BSFIs) and their clients.”

Based on the BSP’s continuous cyberthreat surveillance, the impact of cyber-attacks and fraudulent schemes extend over to two or more financial institutions simultaneously.

The memo, said Fonacier, should “resolve and effectively investigate fraudulent transactions involving two or more BSFIs (but) there needs to be coordinated and transparent information sharing mechanisms in place.”

The BSP sought clarification from the National Privacy Commission (NPC) on the sharing of relevant information, especially sensitive personal information, which will need to be disclosed to investigate fraud.

The clarification focused on provisions in the Data Privacy Act of 2012 (DPA) or Republic Act No. 10173 which stated that personally identifiable information (PII) of data subjects cannot be freely shared without the data subjects’ consent and without legitimate purpose.

Fonacier said PII covers all financial accounts such as e-money accounts, credit card accounts, and other non-deposit accounts.

The BSP after consulting with NPC said information sharing to probe for fraud is permitted as per an NPC Advisory Opinion. It said that the DPA “allows processing of personal information for the protection of lawful rights and interests of natural or legal persons (and this) processing does not require an existing court proceeding, and thus, will not necessarily require a court order.”

Citing the NPC Advisory Opinion, the BSP said all BSFIs should cooperate and share relevant information to third parties, such as other financial institutions, payment gateway providers, third party service providers and law enforcement agencies, among others in the conduct of fraud investigations.

Information which may be shared or disclosed include: name; home/delivery address; email address; mobile or other contact details; bank/financial account information; and bank/financial transaction details.

Source: Manila Bulletin (