BSP Says Banks Must Improve Cybersecurity

Banks must improve cybersecurity, according to BSP.

The Bangko Sentral ng Pilipinas (BSP) is requiring stronger, more adequate IT and cybersecurity risk management practices in banks’ and non-banks’ use of application programming interfaces (APIs) and their interconnections.

On Wednesday, the central bank released Memorandum No. M-2022-016, a new memorandum on API security controls, including the adoption of good practices for API management and the controls and processes supporting the connectivity, operation, and endpoint security of APIs.

In the memorandum, BSP Deputy Governor Chuchi G. Fonacier said that APIs, which are used not only by BSFIs (BSP-supervised financial institutions) but also by payment gateways, online merchants, and technology service providers, are now the new normal with digitalization.

Application programming interfaces (APIs) are a set of rules and specifications that let software programs communicate with each other and interface between different programs to facilitate interaction.

“While this (API) has traditionally been utilized by BSFIs internally for the ease of connecting systems and applications, APIs are now exposed to a wider range of interconnected external parties in the digital ecosystem,” Fonacier said. “These developments introduce new risk vectors for BSFIs that must be addressed through adequate IT and cybersecurity risk management practices.”

Likewise, the BSP official is reminding BSFIs to “promptly” report any breaches, cyber incidents, or crimes involving APIs to the central bank, as per its EDRN (event-driven report and notification) and RCL (report on crimes and losses) requirements under Circular No. 1104, which was issued in November 2020.

The central bank recommends that BSFIs make sure that system and audit logs capture failed attempts, denied access, input validation failures, or any failures in security policy checks.

Fonacier also said that the controls specified in the memorandum are not exhaustive, as BSFIs may adopt any other generally accepted good practices for APIs applicable to use cases that may not be captured in it.
