BSP Compliance for PSPs: Meeting Circular 1160 and AFASA

Licensed payment service providers in the Philippines are discovering that having a fraud management system is no longer optional: it is a condition of continued operation. The Bangko Sentral ng Pilipinas has made this explicit through Circular 1160 and its successor frameworks, including the Anti-Financial Account Scamming Act, and it is now examining institutions against specific performance benchmarks, not just the presence of a tool.

For PSPs and e-money issuers, the compliance gap is rarely about intent. It is about knowing precisely what BSP is looking for, where institutions most commonly fall short and how to build a defensible controls framework that scales with the business.

What BSP Actually Requires from Licensed PSPs

The Philippines exiting the FATF grey list process accelerated a significant tightening of BSP’s regulatory expectations for payment service providers. The obligations now covering PSPs and EMIs fall under several overlapping frameworks, and the requirements have moved well beyond high-level policy statements.

The core requirement is a dedicated, auditable fraud management system. A manual rules component embedded in a core banking platform does not satisfy the intent of the circular, because BSP expects a system purpose-built for fraud detection, with documented workflows and the ability to produce evidence on demand.

AML screening obligations run in parallel. PSPs must screen customers at onboarding and counterparties at the point of transaction. The 2023–2024 thematic review introduced explicit performance benchmarks for name screening accuracy, meaning institutions now need to demonstrate not just that screening occurs, but that it meets a defined standard.

AFASA adds a further layer. The Anti-Financial Account Scamming Act introduces specific detection requirements around device intelligence, behavioral biometrics and early warning signals, all of which must be demonstrable to BSP on inspection.

The BSP Thematic Review and Name Screening Performance

Every two years, BSP conducts a sector-wide thematic review. These reviews have moved from broad guidance to specific, testable benchmarks, and the 2023–2024 cycle set performance standards for AML name screening that PSPs are now expected to meet.

The benchmarks distinguish between two screening contexts. At onboarding, the required accuracy is higher because a merchant or customer who matches a sanctions or PEP list should not be onboarded at all. At the transaction or payment screening stage, a slightly lower threshold applies, reflecting the volume and speed of payment flows, though the regulator still expects documented false-positive and false-negative rates.

What this creates for PSPs is an evidence obligation, not just a deployment obligation. Having a screening tool running is not enough. BSP expects institutions to show how their tool performs against those benchmarks, meaning they can explain what happens when a name is spelled differently, written in a different script, or deliberately modified to avoid a match.

That last scenario is more common than it sounds: individuals on sanctions lists sometimes alter the spacing or spelling of their name when transacting, and a screening tool that cannot catch near-matches will produce false negatives that BSP examiners will identify.

Want to understand how SEON maps to BSP’s FMS and AML requirements?

Speak with an APAC compliance specialist

Where PSPs Most Commonly Fall Short

The most common gap is a system that is integrated but not scanning. Some PSPs activate an FMS to satisfy a licensing requirement, then defer full transaction scanning due to cost or volume pressure. BSP does not treat this the same as having no system, but it does not treat it as compliant either. If a fraud event occurs while the system is dormant, the regulator’s view is that a working control was available and unused, and penalties tend to reflect that.

The second gap is screening that stops at onboarding. AFASA requires beneficiary screening at the point of payout, not just customer screening at registration. PSPs that were built for cross-border corridors and later added local payout flows often carry this gap without realizing it, because the original compliance build never anticipated domestic transaction volume.

The third gap is device and behavioral coverage that starts too late. AFASA requires detection at registration and login, not just at payment initiation. A PSP with strong transaction-level rules but nothing running at the pre-transaction layer has a visible hole that BSP examinations will find.

The fourth gap is case management that exists separately from reporting. Spreadsheets do not satisfy BSP’s audit requirements. The regulator expects an auditable chain of events from the initial alert through investigation to the filed STR within a single system. Anything that breaks that chain creates a documentation problem that is difficult to fix retrospectively.

Transaction Screening Thresholds: The Risk-Based Approach

For PSPs processing millions of domestic payout transactions per year, the cost of screening every transaction against AML watchlists at a per-transaction rate is not commercially viable. Low-value transactions — many in the hundreds of pesos — would incur more screening costs than the fraud risk they pose.

BSP’s framework explicitly permits a risk-based approach, and the regulator accepts threshold logic when it is properly documented. A PSP might screen all transactions above a defined peso threshold (for example, PHP 10,000 for domestic payouts) and apply lighter device and behavioral checks for transactions below that threshold. The rationale is defensible because fraudsters and money launderers operating at scale do not target sub-threshold transaction values — they represent low-return, high-volume noise rather than material risk.

The threshold-based model also provides a practical path for early-stage licensees to start on a compliant footing and scale their scanning commitment as revenue grows. The critical requirement is that the threshold logic is written into a formal risk policy, approved at the board level and available for inspection. A threshold that exists in practice but not in documentation does not satisfy the circular.

AFASA Requirements: Detection Before the Transaction

The Anti-Financial Account Scamming Act introduced the most detailed behavioral and device-level requirements BSP has ever imposed on PSPs. The detection capabilities it mandates operate across the full customer journey, starting at registration.

At the device level, PSPs must detect jailbroken or rooted devices, device farms where a single physical handset accesses multiple accounts, emulators and VPN or proxy usage at login or transaction initiation. These signals matter because they are the infrastructure layer of organized scam operations — device farms, in particular, are how account takeover attacks and synthetic identity fraud operate at scale.

Behavioral biometrics add a second layer. BSP expects monitoring for anomalous session patterns, including whether a user is on a call during a high-value transaction (a strong indicator of a phone scam), unusual typing speed or touch behavior and session patterns inconsistent with account history. No single signal is sufficient on its own — the regulatory expectation is that multiple weak signals are correlated to identify sophisticated operations that no single rule would catch.

At onboarding, AFASA requires fraud checks before the KYC and AML phase begins. Digital footprint analysis using email address age, phone number history and device signals at the point of account application is now an expected control, not an enhancement.

The Modular FMS Approach: Starting Compliant, Scaling Smart

Early-stage PSPs and EMIs face a real tension between the full cost of an enterprise FMS and the revenue base available before the business reaches transaction scale. The regulatory framework does not require everything to be activated simultaneously, so a phased approach is viable, provided each phase genuinely satisfies its requirements.

Phase 1: Integration and Attestation

Complete the technical integration of an FMS and obtain vendor confirmation that the system is live. This allows a PSP to demonstrate to BSP that a compliant system is in place, satisfying the basic licensing requirement and enabling the institution to produce documentation that regulators request at examination.

Phase 2: Risk-Based Transaction Scanning

Activate transaction scanning starting with cross-border transactions, where regulatory scrutiny is highest, then extending to high-value domestic payouts. The threshold policy must be documented and board-approved before this phase goes live.

Phase 3: Full AFASA Coverage

Extend device intelligence and behavioral biometrics to registration and login journeys. AML screening for both onboarding and payment flows should also have documented performance benchmarks aligned to the thematic review standards at this stage.

The critical constraint across all three phases is that phase one cannot become a permanent state. BSP expects the system to be operationally active as transaction volume develops, and examinations will probe whether the rollout has a genuine timeline rather than an indefinite deferral.

Choosing the Right FMS for BSP Compliance

Not every fraud management system is built for the specifics of the BSP regulatory environment. When evaluating options, PSPs should test vendors against several criteria that are specific to this market.

BSP circular coverage documentation matters more than generic compliance claims. A credible vendor should provide a mapping of their capabilities to specific BSP circulars, including Circular 1160, AFASA requirements and the thematic review performance benchmarks. If the vendor cannot produce this mapping, the PSP inherits the documentation burden.

Configurable screening profiles by jurisdiction are operationally important for PSPs running multiple corridors. The ability to apply different AML watchlist combinations and fuzzy matching thresholds for Philippines versus Thailand versus Indonesia transactions, without returning to the codebase, is both a regulatory requirement in some markets and an operational efficiency in all of them.

Fuzzy matching quality is a practical concern that BSP’s name screening benchmarks make into a compliance one. Filipino names exhibit many common patterns that generate high false-positive rates when run through generic matching logic, creating an operational burden that scales poorly at transaction volumes in the millions per day.

PSPs should ask vendors whether their fuzzy matching logic is proprietary and tunable by jurisdiction, or whether it is inherited from a third-party data provider with limited configurability. The difference becomes apparent during examination when BSP requests documented false-positive rates.

Transparent data sourcing creates audit confidence. PSPs need to be able to tell BSP exactly which watchlists their screening tool queries, when those lists were last updated and what the update frequency is. A vendor that cannot publish this information clearly creates a documentation gap at examination time.

Finally, ongoing monitoring with automated notifications is a requirement that the regulations have made explicit. Counterparties who were clean at onboarding can become sanctioned or PEP-listed during an ongoing relationship. A system that flags these changes in real time, rather than relying on periodic re-screening, is what BSP’s framework anticipates.

FAQ

Does BSP require PSPs to scan every transaction through an FMS?

No. BSP permits a risk-based approach where transaction scanning thresholds are set based on transaction value and risk category. Low-value transactions below a documented peso threshold can be excluded from full AML screening, but device and behavioral checks should still apply. The threshold logic must be approved at the board level and available for inspection.

What happens if our FMS is integrated but not actively scanning transactions?

BSP distinguishes between technical integration and operational effectiveness. A dormant system provides some evidence of compliance infrastructure but does not fully satisfy the circular requirements. If a fraud event occurs while the system is inactive, penalty exposure is typically higher than the cost of running the scanning, because the regulator’s view is that a working control was available and unused.

What performance benchmarks does BSP require for AML name screening?

The 2023–2024 thematic review introduced explicit performance thresholds, with higher accuracy required at onboarding than at payment screening. PSPs should work with their FMS vendor to document performance test results aligned to these benchmarks and be prepared to present this documentation during a BSP examination.

Can we use a modular FMS and activate features gradually?

Yes. A phased approach is commercially viable and broadly consistent with BSP’s expectations for early-stage licensees, provided the phased timeline is documented, and each phase genuinely satisfies its portion of the regulatory requirement. Phase one cannot remain permanent once the business is generating material transaction volume.

Does our FMS need to cover both onboarding AML screening and payment screening?

Yes. Screening only at onboarding is a common gap. AFASA and the payment screening circulars require that counterparties are screened at the point of the transaction, not just at account opening. For cross-border transactions, both sender and beneficiary must be screened. For domestic payouts, the beneficiary screening obligation applies.

How does AML name screening handle common Filipino names?

Common name patterns in the Philippines generate high false-positive volumes when run through generic matching logic, creating an operational problem at scale and a compliance issue when BSP requests documented false-positive rates.

PSPs should evaluate whether their vendor’s fuzzy matching is configurable by jurisdiction and name pattern, and whether the underlying logic is proprietary or sourced from a third party. Vendors that cannot tune sensitivity at the country level will produce false-positive rates that are difficult to defend against BSP’s thematic review benchmarks.

What BSP circulars are most relevant for PSP fraud and AML compliance?

The primary references are BSP Circular 1160 on fraud management for BSP-supervised institutions, the AFASA implementing rules, and the AML-specific circulars on screening and transaction monitoring. BSP’s thematic review reports, the most recent completed in 2023–2024, update the performance expectations that institutions are now examined against.

Take the First Step Toward Transformative Fraud Prevention