Bank IT Security Regulatory Framework 2025
- Graybox Security

- Oct 8, 2025
Banking sector in the Philippines

The Philippines' central bank, Bangko Sentral ng Pilipinas (BSP), introduced new IT security compliance requirements that apply to banks in 2025.
Graybox Security provides comprehensive information and IT security advisory, assessment, GRC, security testing, managed security and training services that directly address all the information security and compliance requirements mandated by BSP:
- BSP Circular No. 1154 (2025) - Prudential requirements for digital banks
- BSP Circular No. 1213 (June 2025) - IT Risk Management to implement AFASA
- Republic Act 12010 (July 2024) - Anti-Financial Account Scamming Act (AFASA)
- BSP Circular No. 982 (2017) - Enhanced Guidelines on Information Security Management
- BSP Circular No. 808 (2013) - Guidelines on Information Technology Risk Management
IT security and governance requirements
| Compliance Requirement | Compliance Description | Graybox Security Services | Reference |
| --- | --- | --- | --- |
| Audit trail, risk assessment, and documentation | Maintain audit trails, conduct ongoing IT risk assessments for financial transaction integrity, and submit to BSP technical documentation on the controls that prevent account takeovers, phishing, and other fraud. | Advisory Services for IT Risk Management and Vulnerability Management | BSP Circular No. 1213 (June 2025) |
| Vulnerability assessments & penetration tests | Banks are required to conduct periodic vulnerability testing and penetration tests as part of IT governance and submit reports to BSP. | | BSP Circular No. 1213 (June 2025) |
| Data protection and log integrity | Transaction logs and customer data must be protected against unauthorized access or manipulation and securely backed up for audits and forensic investigations. | Data Governance, Security Architecture advisory and Managed Detection and Response (MDR) | BSP Circular No. 1213 (June 2025) |
| Governance for digital banks | Digital banks must strengthen governance, IT and cybersecurity risk management, and operational controls aligned with digital banking risk profiles, and report cybersecurity strategies and risk governance measures to the BSP. | | BSP Circular No. 1154 (2025) |
| Phishing-resistant authentication | Phishing-resistant, device-bound authentication methods beyond SMS or email OTPs, including biometrics, passkeys, or hardware security keys, to secure digital onboarding, logins, and transactions. | Advisory Services on Identity and Access Management (IAM), eKYC, MFA and advanced authentication methods | RA 12010 Anti-Financial Account Scamming Act (July 2024) |
| Information Security Management System | Requires banks to implement a comprehensive information security management system (ISMS) including organizational, physical, and technical control measures. | | BSP Circular No. 982 (2017) |
| Information Technology Risk Management | Risk management framework focusing on IT risk, including cybersecurity threats and vulnerabilities. | IT Risk Management, assessment and governance framework implementation | BSP Circular No. 808 (2013) |
Step-by-Step Compliance Guide
1. Perform initial Digital Maturity and Cybersecurity Assessments for compliance gap analysis, to serve as input for the IT security and compliance roadmap
2. Formalize IT Risk Management Governance
3. Implement an Information Security Management System (ISMS)
4. Perform a Data Governance assessment and improvements
5. Implement Strong Authentication Controls for all digital banking access points
6. Implement financial transaction integrity systems to keep and back up tamper-resistant logs and audit trails
7. Establish Continuous Vulnerability Management and regular Penetration Testing
8. Establish real-time threat monitoring through Managed Detection and Response (MDR)
9. Develop and test Incident Response and Business Continuity Management plans
10. Educate staff with a Cybersecurity Awareness Program and specialized training to mitigate insider and Social Engineering risks
11. Review and update Security Posture annually and ensure ongoing regulatory reporting and compliance
