Philippines Central Bank Approves New e-KYC Rules

On March 30, 2023, the Bangko Sentral ng Pilipinas (BSP) released a circular outlining amendments to existing customer due diligence (CDD) requirements for supervised financial institutions (FIs). The updates include new electronic know your customer (eKYC) rules detailing how digital IDs (such as the Philippines’ national ID, PhilSys) can be used during customer onboarding. 

These amendments come in light of the BSP’s wider financial inclusion agenda, which seeks to address the lack of identity documents that have historically left many individuals unbanked. According to BSP Governor Felipe M. Medella, “eKYC is one of the key enablers to promote innovation and digital transformation” to help increase account ownership throughout the region. 

Amended CDD Requirements 

The new CDD requirements are reflected in section 921/921Q of the Manual of Regulations for Banks (MORB). The updated wording provides minimum requirements for FIs conducting eKYC and expands on how the process must utilize “appropriate systems” to collect and record information. Specifically, the conditions now provide for information and communication technology to be used to capture and record customers’ biometric and other personal information. ln cases where PhilSys is presented, only the front portion, or face, needs to be scanned. FIs are also advised that the PhilSys Number (PSN) on the digital ID’s back portion must remain confidential due to applicable laws and regulations.

Additionally, firms implementing eKYC through a digital ID system must:

• Understand the basic components of the digital lD system, particularly how they apply to the CDD requirements
• Apply an informed risk-based approach to a reliance on digital lD systems for CDD
• Utilize anti-fraud and cyber-security processes to support digital identity authentication
• Ensure all eKYC practices comply with relevant data sharing and protection privacy laws and rules about data processing, storage, and management

eKYC in APAC

The Philippines is one of the latest jurisdictions in Asia Pacific to update its policy guidelines to help FIs comply with anti-money laundering and combatting the financing of terrorism (AML/CFT) rules on knowing their customers. 

In 2019, Hong Kong’s Securities and Futures Commission updated its Code of Conduct to introduce new onboarding rules in non-face-to-face contexts. The update enabled regulated FIs to perform digital client identity verification to open a bank account remotely. Also in 2019, the Hong Kong Monetary Authority (HKMA) issued a circular on the “remote onboarding of individual customers.” Since then, the HKMA has advised firms on implementing remote onboarding initiatives. Published in June 2020, these best practices include:

• Adequately assessing money laundering and terrorist financing (ML/TF) risks associated with a remote onboarding initiative prior to its launch.
• Applying a risk-based approach in the design and implementation of AML/CFT control measures.
• Monitoring and managing the ability of the technology adopted to meet AML/CFT requirements on an ongoing basis.
• Ensuring that ongoing monitoring takes into account vulnerabilities associated with the product and delivery channel.

In June 2021, Malaysia’s central bank also issued policy guidelines on eKYC measures. These include multi-factor authentication of identities, specifically concerning “something the customer possesses (e.g., identity card, registered mobile number), something the customer knows (e.g., PIN, personal information), and something the customer is (e.g., biometric characteristics).” Malaysia also requires FIs to ensure that automated eKYC tools have a false acceptance rate (FAR) of no more than 5 percent. Firms must audit these tools at least once every quarter.

Key Takeaways 

With robust eKYC processes and high-accuracy tools, FIs can:

• Determine which customers have a higher risk of being involved in money laundering, fraud, terrorist financing, and other financial crime. 
• Conduct perpetual/continuous KYC rather than periodic-based reviews.
• Use analytics to facilitate regulation-compliant and accurate evaluations.

To ensure a smooth transition, the circular notes that FIs with existing eKYC systems have one year to comply with the updated requirements. However, firms that intend to shift to an eKYC system will need to comply with the new rules before implementing any new processes.