I. Introduction
As the financial sector in the Philippines becomes increasingly digitized, safeguarding data has never been more crucial. With the rise of online banking, mobile payments, and fintech innovations, the amount of sensitive personal and financial information being processed is growing exponentially. This transition exposes institutions to emerging privacy, cybersecurity and AI risks that threaten the confidentiality, integrity, and availability of financial data. Therefore, understanding and implementing robust data regulation measures is vital for ensuring compliance and avoiding hefty penalties.
The Philippines’ financial sector includes not only traditional banks but also finance companies, non-bank financial institutions that perform quasi-banking functions, and other entities carrying out similar roles. This may encompass a range of activities, such as providing loans, facilitating investments, managing payment systems, and offering credit-related services.
II. Overview of Regulatory Framework
Republic Act 10173 - Data Privacy Act of 2012
At the core of the Philippines' data protection landscape is Republic Act 10173, commonly known as the Data Privacy Act of 2012 (DPA). This legislation aims to protect the privacy of individuals by establishing guidelines for the collection, processing, and storage of personal information. While the Bangko Sentral ng Pilipinas (BSP) regulations and related laws, such as the Anti-Money Laundering Act, take precedence, the DPA still applies to financial institutions processing personal information. Non-compliance with the DPA can lead to penalties ranging from imprisonment to a monetary fine of up to four million pesos.
Bangko Sentral ng Pilipinas (BSP)
The Bangko Sentral ng Pilipinas (BSP) is a regulatory body that oversees the financial sector in the Philippines, including banks, finance companies, and non-banking financial institutions. It has the following key responsibilities:
- It issues rules and regulations for BSP-supervised financial institutions (BSFIs) through the Manual of Regulations for Banks (MORB) and guidance circulars that address emerging threats and best practices.
- It examines and audits BSFIs to evaluate their compliance with data protection regulations and cybersecurity standards, identify vulnerabilities, and enforce effective controls.
Moreover, BSP imposes substantial monetary penalties on banks and their directors or officers to ensure accountability, prevent repeated violations, and maintain regulatory standards. Fines are structured by asset size and can be increased depending on the harm caused, severity, and intent behind the violation.
III. Data Protection in the Finance Sector & How Securiti Can Help
A. Privacy Principles
As per the DPA, financial institutions are required to ensure that personal information:
- is collected and processed on the basis of lawfulness, fairness, and necessity;
- is collected only for specific, legitimate purposes;
- is accurate and up to date;
- is not retained longer than necessary; and
- is kept in a form that permits identification of data subjects for no longer than necessary, with appropriate safeguards in place.
Securiti’s Data Privacy automates compliance with evolving global privacy regulations.
B. Data Collection
As per the DPA and BSP circulars, when collecting data, BSFIs are obligated to:
- verify the identities of their clients;
- transparently inform clients about the purposes behind data collection; and
- obtain explicit consent to ensure responsible data management.
Securiti’s Consent Module automates consent tracking and management.
Securiti’s Privacy Notice Module automates and customizes privacy notices for compliance with global data laws, ensuring transparency and real-time updates.
C. Data Processing & Retention
As per the DPA, financial institutions may only process personal information on the basis of consent, contractual necessity, legal obligation, vital interests, national emergency, public interest, or the legitimate interests of the financial institution. It’s important to note that the processing of sensitive personal information and privileged information is prohibited, except when consent is given, when it is required by law or needed to protect legal rights, when it is necessary for medical treatment or health protection, or when it is required to achieve the lawful and noncommercial objectives of public organizations.
Moreover, as per BSP circulars, when processing data, BSFIs have obligations such as:
- developing a thorough privacy policy that governs the entire data lifecycle, and communicating it across the organization, ensuring that employees understand their responsibilities;
- conducting regular IT assessments and audits;
- providing clients with the right to access and correct their information; and
- ensuring that financial records are not retained beyond the applicable retention period (which is at least 5 years and differs according to the category of financial data and the type of bank).
Senior management of the covered entities in the financial sector is responsible for overseeing these practices. They must implement a monitoring and management information system that:
- promptly identifies consumer-related issues across all interactions;
- addresses weaknesses in consumer protection practices with swift corrective actions; and
- ensures compliance with relevant regulations and conducts regular internal audits.
Securiti’s Risk Assessment solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.
Securiti's Data Subject Request (DSR) Automation simplifies and streamlines the process of managing data subject requests and automates tasks such as access, deletion, and correction requests, ensuring compliance while reducing manual effort and risk.
D. Data Sharing with Third Parties
As per BSP guidelines, before sharing data with, or outsourcing processing to, third parties, BSFIs are obligated to:
- obtain explicit consumer consent; and
- evaluate the security practices of their third-party providers and ensure that external vendors adhere to stringent measures to maintain the confidentiality and integrity of sensitive data (this includes establishing contractual obligations that enforce compliance with data protection and security standards).
The responsibilities of the Board of Directors (BOD) of the BSFI in overseeing outsourcing arrangements are multifaceted. They include:
- cultivating awareness of operational risks, including financial and non-financial impacts from third-party vendors;
- approving an operational risk management framework aligned with the institution's objectives; and
- evaluating risks and materiality of outsourcing arrangements.
It’s also important to remember that, as per the DPA, the financial institution remains responsible for personal information under its control even when it is transferred to third parties for processing, whether locally or internationally. It must ensure that third parties provide an equivalent level of data protection through contracts or other reasonable means.
Securiti’s Vendor Risk Management solution automates vendor risk assessments, tracks subcontractor engagements and data breaches, and provides automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.
Securiti’s Data Access Governance (DAG) tool allows organizations to oversee and manage access to personal data across different jurisdictions.
E. Data Subject Rights
As per the DPA, financial institutions are obligated to grant clients several rights regarding the processing of their personal information, including the rights to:
- be informed about the collection and processing of their personal data, including its purpose, scope, recipients, storage period, and methods of processing;
- access their personal data, including the content, sources, recipients, and details of how it is processed;
- request corrections if their personal data is inaccurate, incomplete, or outdated;
- ask for personal data to be blocked, removed, or destroyed if it is inaccurate, unlawfully obtained, or no longer needed for the original purpose;
- seek compensation for damages caused by the mishandling of their personal data; and
- obtain a copy of their personal data in a structured, commonly used, and machine-readable format, allowing them to transfer it to another system.
A data subject’s rights may be exercised by their lawful heirs or assigns in the event of their death or incapacity.
Securiti's Data Subject Request (DSR) Automation simplifies and streamlines the process of managing data subject requests and automates tasks such as access, deletion, and correction requests, ensuring compliance while reducing manual effort and risk.
F. Data Breach Prevention and Incident Response
The MORB specifies procedures for BSFIs to notify the BSP of reportable incidents, which include:
- unauthorized access (e.g., hacking);
- system-level compromises affecting core systems;
- significant impacts on numerous customer accounts;
- major data losses or breaches;
- spear phishing attacks targeting senior personnel;
- service outages from attacks like Distributed Denial of Service (DDoS);
- material financial losses to the institution and stakeholders;
- suspected involvement of advanced threat actors; and
- disruptions lasting over two hours due to natural, man-made, or technical threats.
As per these guidelines, BSFIs are required to notify the BSP within two hours of discovering a reportable incident. A detailed follow-up report must be submitted within 24 hours, including:
- the incident's nature;
- initial detection details;
- impact assessment;
- initial response actions; and
- information regarding the activation of any business continuity or crisis management plans.
It’s important to remember that even if an incident does not qualify as a major cyber-related incident, it must still be reported.
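A small incident-register check that applies the MORB timelines described above (two-hour initial notice, 24-hour follow-up, disruptions over two hours counting as major) and flags what is still outstanding. This is an added example, not Securiti's or BSP's code; the category keys, field names and sample incidents are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Major cyber-related incident categories from the MORB list above; the
# short keys are constructed for this example, not regulatory identifiers.
MAJOR_CATEGORIES = {
    "unauthorized_access", "core_system_compromise", "mass_customer_impact",
    "major_data_loss", "spear_phishing_senior", "attack_service_outage",
    "material_financial_loss", "advanced_threat_actor"}
DISRUPTION_THRESHOLD = timedelta(hours=2)  # disruptions lasting over two hours
INITIAL_NOTICE = timedelta(hours=2)        # notify BSP within two hours of discovery
FOLLOW_UP = timedelta(hours=24)            # detailed follow-up report within 24 hours
FOLLOW_UP_FIELDS = ("nature", "detection", "impact", "initial_response", "bcp_activation")

@dataclass
class Incident:
    ident: str
    discovered_at: datetime
    category: str
    disruption: timedelta = timedelta(0)
    bsp_notified_at: "datetime | None" = None
    follow_up: dict = field(default_factory=dict)  # follow-up report fields filled so far

def is_major(inc: Incident) -> bool:
    # Any listed category, or the separate "over two hours of disruption" rule
    return inc.category in MAJOR_CATEGORIES or inc.disruption > DISRUPTION_THRESHOLD

def open_issues(inc: Incident, now: datetime) -> list:
    # Every incident is checked: non-major incidents still have to be reported
    issues = []
    initial_due = inc.discovered_at + INITIAL_NOTICE
    if inc.bsp_notified_at is None:
        if now > initial_due:
            issues.append("initial BSP notice overdue")
    elif inc.bsp_notified_at > initial_due:
        issues.append("initial BSP notice was late")
    missing = [f for f in FOLLOW_UP_FIELDS if not inc.follow_up.get(f)]
    if missing:
        state = "overdue" if now > inc.discovered_at + FOLLOW_UP else "pending"
        issues.append(f"follow-up report {state}, missing: {', '.join(missing)}")
    return issues

# Constructed sample register (not real events)
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident("INC-1", T0, "unauthorized_access"),
    Incident("INC-2", T0, "hardware_fault", disruption=timedelta(hours=3)),
    Incident("INC-3", T0, "config_error", disruption=timedelta(minutes=30),
             bsp_notified_at=T0 + timedelta(minutes=45),
             follow_up={f: "filled" for f in FOLLOW_UP_FIELDS}),
]
```

Running `open_issues(inc, datetime.now(timezone.utc))` over the register gives the items an incident handler still owes the regulator for each entry.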
As per the DPA, notification must also be sent to the National Privacy Commission (NPC) and affected individuals describing the nature of the breach and steps taken to address it. However, notification may be delayed to determine the breach’s scope, prevent further damage, or restore system integrity.
Securiti’s Data Security Posture Management solution empowers organizations to mitigate data breach risks, safeguard data sharing, and enhance compliance while minimizing the cost and complexity of implementing data controls.
Securiti’s Breach Management solution automates breach notifications and compliance actions, ensuring timely reporting of security incidents.
IV. Data Governance Framework & How Securiti Can Help
As per the MORB, BSFIs are required to establish a governance framework to manage IT and operational risks. To effectively address these risks, they must develop frameworks for:
- IT Governance, which includes:
  - incorporating information security into the overall governance structure by creating policies, clarifying responsibilities, assigning roles, and establishing procedures that integrate security into all business functions; and
  - ensuring third-party networks and vendors comply with security policies and undergo regular audits to mitigate additional risks.
- Risk Identification and Assessment, which includes:
  - conducting regular audits and risk assessments to identify, analyze, and prioritize potential threats; and
  - monitoring vulnerabilities through tools such as threat intelligence feeds, audits, and penetration testing to ensure that potential threats are identified early.
- IT Controls Implementation, which includes:
  - an information security system and a clear framework for managing IT projects, integrating people, processes, and technology to protect confidentiality and integrity; and
  - enabling the identification, prevention, detection, response to, and recovery from security incidents, keeping pace with evolving cyber threats.
- Risk Measurement and Monitoring, which includes:
  - establishing key performance and risk indicators; and
  - having dedicated quality assurance and quality control procedures.
Moreover, BSP has established a Reporting Governance Framework whereby BSFIs are obligated to:
- have written policies and procedures for report generation;
- submit periodic reports to the BSP about financial conditions as per BSP's standards;
- conduct thorough reviews and assessments of their reports before submission to ensure they are complete, accurate, consistent, and reliable;
- be aware of the demerit points system for reporting violations, which may lead to non-monetary sanctions if over 100 points are accumulated within a year; and
- submit an action plan to BSP to address any identified deficiencies in the reporting system promptly.
Securiti's Data Governance module automates data discovery, classification, and lifecycle management to ensure compliance and enable efficient data control across environments.
V. Data Security & How Securiti Can Help
As per the DPA, financial institutions are required to ensure the security and protection of personal data from unauthorized access, destruction, alteration, or any other unlawful processing. They must implement appropriate organizational, physical, and technical measures for this.
The level of security must be based on:
- the nature of the personal information;
- the risks associated with processing;
- the size and complexity of the organization;
- best practices in data privacy; and
- the cost of implementing security measures.
As per the DPA and BSP circulars, BSFIs are mandated to implement comprehensive security measures that may include:
- encryption protocols (e.g., AES-256) for data at rest and in transit, ensuring that sensitive information is unreadable to unauthorized users;
- firewalls to protect network perimeters and intrusion detection systems (IDS) to monitor for suspicious activity within the network;
- access controls and authentication mechanisms, such as multi-factor authentication (MFA), to verify user identities;
- up-to-date software and systems to mitigate vulnerabilities, including antivirus and anti-malware solutions;
- a security policy for data processing;
- a process for identifying vulnerabilities and addressing security incidents; and
- regular monitoring for breaches.
Securiti's Data Security solution prevents unauthorized access to sensitive data with monitoring, threat detection, and compliance controls across cloud and on-premises environments.
VI. Other Legal Framework Supporting Data Protection & How Securiti Can Help
Under the Electronic Commerce Act of 2000, organizations in the Philippines are obligated to:
- legally recognize and utilize electronic documents and digital signatures in their transactions;
- ensure that their electronic systems are secure to prevent unauthorized access and breaches to avoid penalties; and
- maintain accurate records of electronic transactions.
Under the Anti-Money Laundering Act (AMLA), organizations are required to:
- conduct thorough Customer Due Diligence (CDD), which includes verifying customer identities and monitoring transactions for suspicious activities; and
- integrate CDD measures with their electronic transaction processes, ensuring that they comply with AMLA requirements while using electronic channels.
Securiti’s Data Privacy Module automates compliance with evolving global privacy regulations.
VII. AI in the Financial Sector
The integration of artificial intelligence (AI) in the financial sector is highlighted in the AI and ICT Roadmap of the Philippines. Moreover, various bills, such as House Bill No. 7396 and House Bill No. 10457, propose frameworks for AI governance in the Philippines. Thus, formal regulations are expected in the coming years and organizations need to be prepared to implement AI governance mechanisms and AI accountability measures to make sure they are not subject to heavy penalties.
Securiti's AI Security & Governance module protects AI systems by managing data security, privacy, and compliance, ensuring safe and ethical AI operations.
VIII. Conclusion
In conclusion, data protection in the financial sector demands robust governance, advanced security frameworks, and strict regulatory compliance.
Securiti, as the pioneer of the Data Command Center, offers a powerful centralized platform that ensures the secure use of data and enables responsible GenAI integration. With its unified approach to data intelligence, control, and orchestration across hybrid multi-cloud environments, Securiti empowers financial institutions to protect sensitive information, enhance customer trust, and confidently meet complex regulatory standards.
Request a demo to learn more.