Scribd
Upload
363 views2 pages

BSP Memorandum m-2021-059

This memorandum from the Bangko Sentral ng Pilipinas provides guidance to financial institutions on sharing information for fraud investigations. It notes that the shift to digital services has increased opportunities for cybercrime and fraudulent schemes often span multiple institutions. It discusses that the Data Privacy Act allows for sharing of personal information to protect lawful rights in fraud investigations without a court order. Financial institutions are advised they can share relevant information such as names, addresses, account and transaction details with other institutions and authorities to investigate fraud while ensuring data privacy principles are followed.

Uploaded by

Minguito, Rijade
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
363 views2 pages

BSP Memorandum m-2021-059

This memorandum from the Bangko Sentral ng Pilipinas provides guidance to financial institutions on sharing information for fraud investigations. It notes that the shift to digital services has increased opportunities for cybercrime and fraudulent schemes often span multiple institutions. It discusses that the Data Privacy Act allows for sharing of personal information to protect lawful rights in fraud investigations without a court order. Financial institutions are advised they can share relevant information such as names, addresses, account and transaction details with other institutions and authorities to investigate fraud while ensuring data privacy principles are followed.

Uploaded by

Minguito, Rijade
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

BANGKO SENTRAL NG PILIPINAS

OFFICE OF THE DEPUTY GOVERNOR


FINANCIAL SUPERVISION SECTOR

MEMORANDUM NO. M-2021-059

To : ALL BSP SUPERVISED FINANCIAL INSTITUTIONS (BSFIs)


Subject : Information Sharing for Fraud Investigations

The financial services industry is massively shifting to digital financial and payment
services in response to the COVID-19 pandemic. As a result cyberthreat actors have more
avenues and channels to perpetrate cybercriminal activities which exploit vulnerabilities of BSP
Supervised Financial Institutions (BSFIs) and their clients The BSP's ongoing cyberthreat
surveillance shows that the impact of cyber-attacks and fraudulent schemes increasingly extend
over two or more financial institutions simultaneously.

In order to resolve and effectively investigate fraudulent transactions involving two or


more BSFIs, there needs to be coordinated and transparent information sharing mechanisms in
place. However, one of the major hurdles in sharing relevant information, particularly those
involving sensitive personal information, in pursuit of fraud investigation, is the Data Privacy
Act of 2012 (DPA) or R.A. 10173 Under the DPA personally identifiable. information (PII) of
data subjects cannot be freely shared without the data subjects' consent and without legitimate
purpose. These covers all financial accounts such as e-money accounts credit card accounts, and
other non- deposit accounts.

To address this legal concern, the BSP sought clarification and advice from the National
Privacy Commission (NPC) with respect to information sharing for fraud investigations. Based
on NPC Advisory Opinion No. 2021- 026:

a. Sec. 13 (f) of the DPA which allows processing of personal information for the
protection of lawful rights and interests of natural or legal persons shall apply to sharing
of relevant information for fraud investigations and

b. The above processing does not require an existing court proceeding, and thus, will not
necessarily require a court order.

All BSFIs are therefore advised of the above NPC Advisory Opinion and to cooperate
and share relevant information to third parties, such as other financial Institutions. payment
gateway providers third party service providers and law enforcement agencies, among others in
the conduct of fraud investigations Information which may be shared/disclosed to the said
parties, include, but are not limited to:

a. Name

b. Home/Delivery Address
c. Email Address

d. Mobile or other contact details

e Bank/financial account information

f. Bank/financial transaction details

In sharing the above information, BSFIs should ensure that the basic data privacy
principles of transparency. legitimate purpose and proportionality are adhered to Moreover, an
existing court order or proceeding is not a pre-requisite for information sharing to happen.

For information and guidance.

You might also like