1.  To require banks to seek prior Bangko Sentral ng Pilipinas approval before they can be allowed to provide electronic banking services.  Applicant banks must prove that they have in place a risk management process that is adequate to assess, control and monitor any risks arising from the proposed electronic banking activities. As a basic requirement, banks shall submit to the Supervisory Reports and Studies Office, for processing of their applications, the following documents:

a. A description or diagram of the configuration of the bank’s electronic banking system and its capabilities showing (i) how the electronic banking system is linked to other host systems or the network infrastructure in the bank; (ii) how transaction and data flow through the network; (iii) what types of telecommunications channels and remote access capabilities (e.g. direct modem dial-in, internet access, or both) exist; and (iv) what security controls/measures are installed;

 

b. A security policies and procedures manual containing (i) a description of the bank’s security organization; (ii) definition of responsibilities for designing, implementing, and monitoring information security measures; and (iii) established procedures for evaluating policy compliance, enforcing disciplinary measures and reporting security violations; and

 

c. Other information such as (i) how the provision of electronic banking is intended to support the overall mission, strategic goals, and operating plans of the bank; (ii) whether the various security aspects of the system have been reviewed by persons with relevant expertise; and (iii) whether a contingency plan has been developed in the event of disruption in its provision in electronic banking.

For this purpose, electronic banking shall refer to systems that enable bank customers to avail themselves of the bank’s products and services through a personal computer (using direct modem dial-in, internet access, or both) or a mobile/non-mobile phone.

2. To require banks which are already offering electronic banking services prior to the effectivity of the implementing circular to comply with the requirements mentioned in item “1” above within a period of 3 months from the effectivity of the implementing circular; otherwise, they shall be prohibited from further engaging in such activities.