Annex BSP CIRCULAR 649 s. 2009
Registering as Non-Bank Financial Institution (comply with the requirements of Sec. X21 of the
Manual of Regulations for Banks and Sec. 4190Q/S/P/N of the Manual of Regulations for Non-Bank
Financial Institutions, when applicable)
1) Application
i. submit to the BSP an application describing the services to be offered/enhanced
and how they fit the bank's overall strategy, accompanied by a certification signed
by its president or any officer of equivalent rank and function to the effect that
the bank has complied with the following minimum pre-conditions:
1. An adequate risk management process is in place to assess, control, monitor
and respond to potential risks arising from the proposed electronic
banking activities;
2. A manual on corporate security policy and procedures exists that shall
address all security issues affecting its electronic banking system,
particularly the following:
a. Authentication - establishes the identity of both the sender and
the receiver; uses trusted third parties that verify identities in
cyberspace;
b. Non-repudiation - ensures that transactions cannot be repudiated
or presents undeniable proof of participation by both the sender
and the receiver in a transaction;
c. Authorization - establishes and enforces the access rights of
entities (both persons and/or devices) to specified computing
resources and application functions; also locks out unauthorized
entities from physical and logical access to the secured systems;
d. Integrity - assures that data have not been altered; and
e. Confidentiality - assures that no one except the sender and the
receiver of the data can actually understand the data.
3. The system had been tested prior to its implementation and that the test
results are satisfactory. As a minimum standard, appropriate systems
testing and user acceptance testing should have been conducted; and
4. A business continuity planning process and manuals have been adopted
which should include a section on electronic banking channels and
systems.
2) Documentary Requirements (to be submitted upon 30 days from launching of the
bank's electronic banking services, subject to conditional approval by the BSP)
i. A discussion on the banking services to be offered/enhanced, the business
objectives for such services and the corresponding procedures, both automated
and manual, offered through the electronic banking channels;
ii. A description or diagram of the configuration of the bank's electronic banking
system and its capabilities showing:
1. how the electronic banking system is linked to other host systems or the
network infrastructure in the bank;
2. how transactions and data flow through the network;
3. what types of telecommunications channels and remote access
capabilities (e.g., direct modem dial-in, internet access, or both) exist;
and
4. what security controls/measures are installed;
iii. A list of software and hardware components indicating the purpose of the
software and hardware in the electronic banking infrastructure;
iv. A description of the security policies and procedures manual containing:
1. description of the bank's security organization;
2. definition of responsibilities for designing, implementing, and
monitoring information security measures; and
3. established procedures for evaluating policy compliance, enforcing
disciplinary measures and reporting security violations;
v. A brief description of the contingency and disaster recovery plans for electronic
banking facilities and the event scenario/problem management plan/program to
resolve or address problems, such as complaints, errors and intrusions, and the
availability of back-up facilities;
vi. Copy of the contract with the communications carrier, and arrangements for any liability
arising from breaches in the security of the system or from
unauthorized/fraudulent transactions;
vii. Copy of the maintenance agreements with the software/hardware provider/s; and
viii. Latest report on the periodic review of the system, if applicable.
3) Conditions for Monetary Board Approval
i. Existence at all times of appropriate top-level risk management oversight;
ii. Where operation of the electronic banking system is outsourced to a third-party service
provider, consideration of the existence of adequate security controls and
the observance of confidentiality [as required in R.A. No. 1405 (Bank Secrecy
Law)] of customer information;
iii. Adoption of measures to properly educate customers on safeguarding of user ID,
PIN and/or password, use of the bank's products/services, actual fees/bank charges
thereon, and problem/error resolution procedures;
iv. Clear communication with its customers in connection with the terms and
conditions, which would highlight how any losses from security breaches, systems
failure or human error will be settled between the bank and its customers;
v. Customers' acknowledgement in writing that they have understood the terms and
conditions and the corresponding risks entailed in availing of the electronic banking
service;
vi. The bank's oversight process shall ensure that business expansion shall not put
undue strain on its systems and risk management capability;
vii. The establishment of procedures for the regular review of the bank's security
arrangements to ensure that such arrangements remain appropriate having regard
to the continuing developments in security technology;
viii. Strict adherence to Bangko Sentral regulations on fund transfers in cases where
clients use the electronic banking services to transfer funds;
ix. The electronic banking service shall not be used for money laundering or other
illegal activities that will undermine the confidence of the public; and
x. The Bangko Sentral shall be notified in writing thirty (30) days in advance of any
enhancements that may be made to the online electronic banking service.
4) Issuance and Operation of Electronic Money (applicable to all EMIs)
i. E-money instruments issued shall be subject to an aggregate monthly load limit of
P100,000 unless a higher amount has been approved by the Bangko Sentral. In
case an EMI issues several e-money instruments to a person (e-money holder),
the total amount loaded in all the e-money instruments shall be consolidated in
determining compliance with the aggregate monthly load limit;
ii. EMIs shall put in place a system to maintain an accurate and complete record of
e-money instruments issued, the identity of e-money holders, and the individual
and consolidated balances thereof. The system must have the capability to
monitor the movement of e-money transactions and link e-money instruments
issued to common e-money holders. The susceptibility of a system to intentional
or unintentional misreporting of transactions and balances shall be sufficient
ground for imposition by the Bangko Sentral of sanctions, as may be applicable.
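The two controls in Items i and ii above (a P100,000 consolidated monthly load limit across all of a holder's instruments, and a record that links instruments to common holders so over-limit loading can be monitored) can be expressed as a small pre-load check plus a monitoring query. This is an added illustration, not part of the Circular or any EMI's system; the holder ids, instrument ids, load history and the one "approved higher limit" are constructed sample values.

```python
from collections import defaultdict
from datetime import date

# Default aggregate monthly load limit from Item i (pesos), unless BSP approved a higher amount.
DEFAULT_MONTHLY_LIMIT = 100_000

# Constructed sample data (not real holders or instruments): which instrument belongs to
# which identified holder, and a hypothetical BSP-approved higher limit for one holder.
INSTRUMENT_HOLDER = {"EM-1001": "H-001", "EM-1002": "H-001",
                     "EM-2001": "H-002", "EM-3001": "H-003"}
APPROVED_LIMITS = {"H-002": 250_000}
# Constructed load history: (instrument id, load date, amount in pesos).
LOADS = [
    ("EM-1001", date(2009, 4, 2), 60_000),
    ("EM-1002", date(2009, 4, 15), 30_000),   # same holder as EM-1001, so it consolidates
    ("EM-2001", date(2009, 4, 3), 120_000),   # above P100,000, but H-002 has an approved limit
    ("EM-3001", date(2009, 3, 28), 90_000),
    ("EM-3001", date(2009, 3, 30), 20_000),   # pushes H-003 over the limit for March
    ("EM-3001", date(2009, 4, 1), 90_000),    # new calendar month, counter starts again
]

def instruments_by_holder(instrument_holder):
    """Link instruments issued to a common holder (Item ii): holder -> sorted instrument ids."""
    linked = defaultdict(list)
    for inst, holder in instrument_holder.items():
        linked[holder].append(inst)
    return {h: sorted(i) for h, i in linked.items()}

def monthly_totals(loads, instrument_holder):
    """Consolidate loads across all of a holder's instruments per (year, month)."""
    totals = defaultdict(int)
    for inst, when, amount in loads:
        holder = instrument_holder[inst]   # an unregistered instrument raises KeyError on purpose
        totals[(holder, (when.year, when.month))] += amount
    return dict(totals)

def check_load(loads, instrument_holder, inst, when, amount, approved=APPROVED_LIMITS):
    """Pre-load check: (allowed, consolidated monthly total if this load were accepted)."""
    holder = instrument_holder[inst]
    limit = approved.get(holder, DEFAULT_MONTHLY_LIMIT)
    current = monthly_totals(loads, instrument_holder).get((holder, (when.year, when.month)), 0)
    return current + amount <= limit, current + amount

def holders_over_limit(loads, instrument_holder, approved=APPROVED_LIMITS):
    """Monitoring view: (holder, (year, month), total) where the consolidated total exceeds the limit."""
    return sorted((h, ym, t) for (h, ym), t in monthly_totals(loads, instrument_holder).items()
                  if t > approved.get(h, DEFAULT_MONTHLY_LIMIT))

if __name__ == "__main__":
    print(check_load(LOADS, INSTRUMENT_HOLDER, "EM-1002", date(2009, 4, 20), 15_000))
    print(holders_over_limit(LOADS, INSTRUMENT_HOLDER))
```

Because the limit is evaluated on the holder rather than on the instrument, a second card issued to the same person cannot be used to sidestep it, which is exactly what the consolidation clause in Item i requires.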
iii. E-money may only be redeemed at face value. It shall not earn interest nor
rewards and other similar incentives convertible to cash, nor be purchased at a
discount. E-money is not considered a deposit, hence, it is not insured with the
PDIC.
iv. EMIs shall ensure that e-money instruments clearly identify the issuer who is
ultimately responsible to the e-money holders. This shall be communicated to the
client who shall acknowledge the same in writing.
v. It is the responsibility of EMIs to ensure that their distributors/e-money agents
comply with all applicable requirements of the Anti-Money Laundering Law,
rules and regulations.
vi. EMIs shall provide an acceptable redress mechanism to address the complaints of
their customers.
vii. EMIs shall disclose in writing, and their customers shall signify agreement to, the
information embodied in Item c above upon their participation in the e-money
system. In addition, they shall provide clear guidance in English and Filipino on
consumers' right of redemption, including conditions and fees for redemption, if
any. Information on available redress procedures for complaints, together with the
address and contact information of the issuer, shall also be provided.
viii. Prior to the issuance of e-money, EMIs should ensure that the following
minimum systems and controls are in place:
1. Sound and prudent management, administrative and accounting
procedures and adequate internal control mechanisms;
2. Properly-designed computer systems which are thoroughly tested prior to
implementation;
3. Appropriate security policies and measures intended to safeguard the
integrity, authenticity and confidentiality of data and operating processes;
4. Adequate business continuity and disaster recovery plan; and
5. Effective audit function to provide periodic review of the security control
environment and critical systems.
ix. EMIs shall provide the SDC quarterly statements containing, among others,
information on investments, volume of transactions, total outstanding e-money
balances, and liquid assets in such forms as may be prescribed later on.
x. EMIs shall notify the BSP in writing of any change or enhancement in the e-money
facility thirty (30) days prior to implementation. If said change or
enhancement requires prior BSP approval, the same shall be evaluated
accordingly. Any change or enhancement that shall expand the scope or change
the nature of the e-money instrument shall be subject to prior approval of the
Deputy Governor, SES. These changes or enhancements may include the
following:
1. Additional capabilities of the e-money instrument/s, like access to new
channels (e.g. inclusion of internet channel in addition to merchant Point
of Sale terminals);
2. Change in technology service providers and other major partners in the
e-money business (excluding partner merchants), if any; and
3. Other changes or enhancements.