The Bangko Sentral ng Pilipinas (BSP) is tightening rules on IT controls and account security for financial institutions to combat cybercrime and protect consumers. A draft circular proposes enhanced IT risk management measures under the Anti-Financial Account Scamming Act (AFASA), including adopting real-time fraud detection systems and limiting the use of one-time passwords (OTPs) sent via SMS or email due to social engineering risks. Financial institutions must implement tools like transaction velocity checks, geolocation monitoring, and behavioural anomaly detection. The BSP also mandates features like a “kill switch” to block transactions, customisable limits, and a “money lock” for securing funds. Notifications for account activities must include detailed information for customer verification. Institutions are required to maintain transaction logs for at least five years to ensure proper documentation.