AFASA compliance: Philippine banks must meet June 25, 2026 deadline with real-time fraud monitoring, AI detection, and MFA
Introduction: Scope, Audience, and Why AFASA's Fraud System Upgrade Matters
This page provides a comprehensive compliance roadmap for Philippine banks and financial institutions to meet AFASA’s fraud system upgrade deadline. It details the technical and operational requirements mandated by the Anti-Financial Account Scamming Act (AFASA), or Republic Act No. 12010, signed in July 2024. The content is specifically designed for compliance leaders, technology teams, banks, and other BSP-supervised financial institutions. Meeting the AFASA fraud system upgrade deadline is critical for the Philippine financial sector, as it ensures institutions are equipped to detect, prevent, and respond to increasingly sophisticated financial scams, thereby protecting customer accounts and maintaining trust in the financial system. In recent years, there have been significant efforts in the Philippines to improve identity verification and data quality, highlighted by the ongoing rollout of the PhilSys system and the challenges institutions face in maintaining accurate customer data.
AFASA mandates upgrades to fraud detection systems for all Bangko Sentral ng Pilipinas (BSP)-supervised financial institutions in the Philippines. The law requires the adoption of real-time fraud management systems (FMS) that can detect and block fraudulent transactions, with a compliance deadline of June 25, 2026. BSP-supervised institutions are now required to implement automated, real-time fraud management systems, including device and behavioral analysis, to enhance security and prevent scams across the customer journey. This page addresses the compliance deadline and upgrade requirements, providing actionable guidance for institutions to achieve full compliance.
What is a Fraud Management System (FMS)?
A Fraud Management System (FMS) is a comprehensive platform that enables financial institutions to monitor, detect, and prevent fraudulent activities in real time. Under AFASA, all BSP-supervised financial institutions must implement mandatory FMS solutions that include real-time monitoring, behavioral analytics, geolocation and device checks, blacklist screening, and robust authentication pathways.
Summary: What is Required for AFASA's Fraud System Upgrade?
What is required?
The implementation of AFASA requires financial institutions to upgrade their fraud management systems by June 2026. Institutions must deploy real-time fraud management systems (FMS) capable of detecting and blocking fraudulent transactions, integrating behavioral analytics, device and geolocation monitoring, blacklist screening, and multi-factor authentication.
Who must comply?
All banks and financial institutions supervised by the Bangko Sentral ng Pilipinas (BSP), including e-wallet providers and other regulated entities, are required to comply with AFASA’s fraud system upgrade.
What does the deadline mean?
By 25 June 2026, all covered institutions must have fully upgraded their fraud management systems to meet AFASA requirements. Non-compliance may result in regulatory penalties and increased exposure to financial crime.
Key AFASA Requirements:
AFASA mandates upgrades to fraud detection systems for all BSP-supervised financial institutions in the Philippines.
Financial institutions must implement mandatory Fraud Management Systems (FMS) under AFASA.
Real-time fraud management systems must be adopted to detect and block fraudulent transactions.
Who is this deadline for?
Heads of Fraud, CISO, Head of Compliance, Risk Officers, and CTOs in banks and BSP-regulated financial institutions in the Philippines.
Bangko Sentral ng Pilipinas sets the rules and the compliance deadline.
AFASA Compliance: Introduction and Scope
The Anti-Financial Account Scamming Act (AFASA)
The Anti-Financial Account Scamming Act (AFASA), or Republic Act No. 12010, was signed in July 2024. This landmark law marks a significant advancement in the Philippines’ efforts to combat financial scams and protect the integrity of the financial sector. AFASA mandates that all financial institutions—including banks and e-wallet providers—adopt comprehensive fraud management systems (FMS) designed to detect, prevent, and respond to suspicious transactions.
Why AFASA Compliance Matters
AFASA compliance is not just a regulatory checkbox; it is a critical safeguard for financial accounts, ensuring that customers are protected from unauthorized transactions, social engineering schemes, and account takeovers. By prioritizing AFASA compliance, financial institutions can strengthen their defenses against scams, protect customer accounts, and reinforce trust in the financial system. The law’s implementation signals a new era of accountability and proactive risk management for banks, e-wallets, and other regulated entities operating in the Philippines.
Understanding the Financial Sector
Digital Transformation and Fraud Risks
The Philippine financial sector is undergoing rapid digital transformation, with online banking and digital payment platforms becoming the norm for millions of customers. While this shift has brought greater convenience and accessibility, it has also exposed financial institutions to a surge in financial scams and fraud. Criminals are increasingly exploiting vulnerabilities in digital systems, targeting both institutions and their customers with sophisticated schemes.
Regulatory Oversight and the Need for Vigilance
For BSP-supervised financial institutions, the stakes have never been higher. The Bangko Sentral ng Pilipinas (BSP) has intensified its oversight, requiring institutions to implement advanced fraud prevention strategies and robust fraud management systems. These measures are essential not only for regulatory compliance but also for maintaining customer confidence and safeguarding funds. As the financial sector continues to evolve, institutions must remain vigilant, continuously updating their fraud prevention frameworks to stay ahead of emerging threats and ensure the security of every transaction.
The Regulatory Baseline Needed
The IRR and BSP circulars require FMS to:
Ingest real-time transactions
Profile users behaviorally
Flag anomalous device/geolocation changes
Integrate blacklist/deny-lists
Support geolocation monitoring
Support inter-firm inquiry and secure evidence preservation
Adopt stronger, intercept-resistant authentication (move away from SMS OTP where possible)
AFASA mandates the adoption of real-time fraud management systems for all regulated institutions, moving away from static controls such as manual reviews and basic security measures. Institutions must assess their transaction values over the last six months to determine the need for advanced features like blacklist screening and geolocation monitoring, ensuring compliance with regulatory expectations. In addition, financial institutions are required to limit the use of one-time PINs and adopt more secure multi-factor authentication methods under AFASA to enhance account security and protect against unauthorized access. BSP has been clear: June 25, 2026 is the target for full upgrades.
With these regulatory expectations in mind, let’s examine the technical architecture required for compliance.
The Importance of Fraud Prevention
Fraud prevention is at the heart of sustainable growth and customer trust for financial institutions in the Philippines. With the implementation of AFASA compliance, institutions are now required to deploy multi-factor authentication—including biometric authentication—to secure accounts and prevent unauthorized transactions. Regular risk assessments are essential to identify and address vulnerabilities, ensuring that fraud management systems remain effective against new and evolving threats.
Fraud teams play a pivotal role in this landscape, tasked with monitoring for suspicious transactions, investigating potential mule accounts, and detecting synthetic identities that could be used to perpetrate scams. By investing in advanced fraud prevention measures, financial institutions can protect sensitive information, reduce the risk of financial scams, and ensure the safety of customer funds. The adoption of AFASA compliance represents a turning point for the financial sector, fostering a culture of shared responsibility and holding institutions accountable for the security of their customers’ accounts. This proactive approach not only mitigates risk but also positions institutions as trusted stewards in the fight against financial crime.
Role of Bangko Sentral ng Pilipinas in AFASA Compliance
The Bangko Sentral ng Pilipinas (BSP) serves as the cornerstone of AFASA compliance for all financial institutions in the Philippines. As the country’s central monetary authority, the BSP is tasked with supervising and regulating BSP-supervised financial institutions (BSFIs) to ensure the highest standards of account security and fraud prevention. Through the issuance of implementing rules and regulations (IRR) for the Anti-Financial Account Scamming Act (AFASA), the BSP sets clear expectations for the deployment of advanced fraud management systems (FMS) across the financial sector.
Under AFASA, the BSP requires institutions to implement robust FMS capable of real-time detection and prevention of suspicious transactions. This includes the mandatory use of multi-factor authentication, biometric authentication, and geolocation monitoring to safeguard customer accounts and funds. The BSP’s guidance extends to technical specifications, operational protocols, and ongoing compliance monitoring, ensuring that all BSP-supervised financial institutions are equipped to combat financial account scamming and other forms of financial crime.
Beyond setting standards, the Bangko Sentral ng Pilipinas actively monitors compliance, conducts audits, and enforces the law by imposing penalties and liability on institutions that fall short of AFASA requirements. The BSP also provides ongoing support and resources to help institutions interpret and implement the law effectively, fostering a culture of accountability and continuous improvement. By driving the implementation of measures against financial account scamming, the BSP plays a pivotal role in protecting the integrity of the Philippine financial system and the interests of millions of customers.
Technical Architecture: What to Build (or Buy)
Real-time event streaming layer
Capture transactions, login attempts, channel events and device telemetry with < 1s latency. Use Kafka or equivalent event bus.
Feature & identity graph
Enrich events with device fingerprint, risk score, geo-history, velocity metrics and KYC attributes. Build a persistent identity graph (user ↔ device ↔ accounts ↔ linked accounts).
Banks must implement enhanced due diligence measures during customer onboarding to prevent mule accounts and detect synthetic identities used in fraudulent activities, especially in online banking environments. Addressing technology risk is essential to ensure robust protection against evolving threats.
Detection engines (hybrid)
Rules engine for deterministic blocks (blacklists, velocity limits).
Machine learning models (unsupervised + supervised) for behavioural anomalies, account takeover, mule detection, synthetic identities, and social-engineering pattern detection.
Detection engines must be capable of identifying phishing and other social engineering schemes that target sensitive information, as well as fraudulent activities that threaten financial institutions.
Decisioning & orchestration
Central decision engine that applies risk policy, returns action (allow, challenge, hold, block), and pushes real-time customer journeys (step-up auth, transaction hold, agent callback).
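The rules-engine and decisioning layers described above can be sketched as follows. This is an added example, not code from the original page or from any vendor it names; the class names, thresholds, identifiers and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TxnEvent:
    ts: float          # event time, epoch seconds
    account: str
    device_id: str
    beneficiary: str
    amount: float


class DecisionEngine:
    """Deterministic rules feeding one allow/challenge/hold/block decision.

    Thresholds are illustrative assumptions, not values from AFASA or the BSP.
    """

    def __init__(self, deny_list, max_txns=3, window_s=60, high_value=50_000):
        self.deny_list = set(deny_list)
        self.max_txns = max_txns
        self.window_s = window_s
        self.high_value = high_value
        self._recent = defaultdict(deque)  # account -> attempt timestamps in window
        self._devices = defaultdict(set)   # account -> devices seen on allowed txns

    def _signals(self, ev):
        signals = []
        if ev.beneficiary in self.deny_list:
            signals.append("beneficiary_on_deny_list")
        # Sliding-window velocity: count every attempt, including blocked ones.
        q = self._recent[ev.account]
        while q and ev.ts - q[0] >= self.window_s:
            q.popleft()
        q.append(ev.ts)
        if len(q) > self.max_txns:
            signals.append("velocity_exceeded")
        # The first device seen for an account is treated as enrolled (assumption).
        known = self._devices[ev.account]
        if known and ev.device_id not in known:
            signals.append("new_device")
        if ev.amount >= self.high_value:
            signals.append("high_value")
        return signals

    def decide(self, ev):
        """Return (action, signals); precedence is block > hold > challenge > allow."""
        signals = self._signals(ev)
        if "beneficiary_on_deny_list" in signals:
            action = "block"
        elif "velocity_exceeded" in signals or {"new_device", "high_value"} <= set(signals):
            action = "hold"
        elif signals:
            action = "challenge"
        else:
            action = "allow"
            # A device becomes trusted only after a clean, allowed transaction.
            self._devices[ev.account].add(ev.device_id)
        return action, signals


# Constructed sample stream for a single account (not real data).
SAMPLE = [
    TxnEvent(0, "ACC-1", "dev-A", "BEN-1", 1_000),
    TxnEvent(10, "ACC-1", "dev-A", "BEN-2", 1_500),
    TxnEvent(20, "ACC-1", "dev-B", "BEN-3", 2_000),      # unfamiliar device
    TxnEvent(30, "ACC-1", "dev-B", "BEN-4", 80_000),     # 4th attempt within 60 s
    TxnEvent(200, "ACC-1", "dev-A", "BEN-MULE", 500),    # deny-listed beneficiary
    TxnEvent(210, "ACC-1", "dev-B", "BEN-5", 60_000),    # new device + high value
]


def replay(events, deny_list=("BEN-MULE",)):
    engine = DecisionEngine(deny_list)
    return [engine.decide(ev) for ev in events]


if __name__ == "__main__":
    for ev, (action, signals) in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={ev.ts:>5} {ev.device_id} {ev.amount:>8} -> {action:9} {signals}")
```

Returning the triggering signals with every action gives investigators the reason for each challenge, hold or block, which is what the explainability and audit-trail requirements elsewhere on this page depend on.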
Authentication & step-up mechanisms
Passwordless options (passkeys, platform authenticators), in-app biometrics, device-bound keys, PKI for high-risk transactions. Reduce reliance on interceptable SMS/OTP.
AFASA mandates the use of multi-factor authentication (MFA) to enhance account security. One-time PINs (OTPs) via SMS and email are increasingly vulnerable and must be phased out for high-risk transactions by June 30, 2026, due to their limitations in preventing account takeovers and unauthorized access.
Case management & evidence store
Audit trail, evidence preservation, tamper-evident logs for BSP inquiries and possible restitution. GDPR-style retention/erasure policies where applicable.
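One way to make a case-management evidence log tamper-evident is an HMAC hash chain, shown here as an added example that is not part of the original page. The record layout, key handling and sample case entries are assumptions; a production key would sit in an HSM or KMS, and the chain head would be anchored outside the log store.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value used for the first record


def _mac(key, seq, prev, payload):
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps({"seq": seq, "prev": prev, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class EvidenceLog:
    """Append-only log where each record's MAC covers the previous record's MAC."""

    def __init__(self, key):
        self._key = key
        self.records = []

    def append(self, payload):
        seq = len(self.records)
        prev = self.records[-1]["mac"] if self.records else GENESIS
        mac = _mac(self._key, seq, prev, payload)
        self.records.append({"seq": seq, "prev": prev, "payload": payload, "mac": mac})
        return mac  # current chain head; store a copy outside the log


def verify(records, key, expected_head=None):
    """Return (ok, detail). Tail truncation is only visible with expected_head."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"chain break at record {i}"
        if not hmac.compare_digest(rec["mac"], _mac(key, i, prev, rec["payload"])):
            return False, f"record {i} altered"
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch"
    return True, "ok"


def demo():
    key = b"constructed-demo-key"  # assumption: demo key only
    log = EvidenceLog(key)
    # Constructed case entries (not real data).
    log.append({"case": "CASE-0001", "event": "txn_held", "amount": 80000})
    log.append({"case": "CASE-0001", "event": "customer_contacted"})
    head = log.append({"case": "CASE-0001", "event": "funds_released"})

    edited = copy.deepcopy(log.records)
    edited[0]["payload"]["amount"] = 800          # field changed after the fact
    dropped = log.records[:1] + log.records[2:]    # middle record removed
    truncated = log.records[:2]                    # last record removed
    return {
        "intact": verify(log.records, key, head),
        "edited": verify(edited, key, head),
        "dropped": verify(dropped, key, head),
        "truncated_no_anchor": verify(truncated, key),
        "truncated_anchored": verify(truncated, key, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The `truncated_no_anchor` case passes verification, which is why the latest head must be kept somewhere the log's administrators cannot rewrite, such as a separate system or a periodic regulator-facing attestation.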
Interbank / industry feed integration
API endpoints for receiving and contributing to industry blacklists, swiftly sharing indicators of compromise, and responding to BSP inquiries.
With a robust technical architecture in place, institutions must also focus on data and model governance to ensure ongoing compliance and operational effectiveness.
Data & Model Governance (Non-Negotiable)
Model lifecycle: Versioning, data lineage, feature stores, regular retrain cadence, drift monitoring, and A/B backtesting.
Explainability: Models must produce interpretable signals for investigators and regulators.
Bias & fairness checks: Ensure legitimate customers are not systematically disadvantaged by device-based blocks (e.g., rural users).
Privacy & security: Encryption at rest/in transit, role-based access, secure enclaves for PII.
Third-party risk: Due diligence and SLAs for SaaS vendors, clear data residency rules.
With strong data and model governance, institutions can confidently move forward with operationalizing their fraud management programs.
Operational Model & Governance
Single accountable owner: Chief Fraud Officer or CRO must own programme delivery and attest to BSP. Financial institutions and their leaders have a heightened accountability to implement effective risk management systems, protect customer accounts, and comply with regulatory frameworks to prevent fraud and ensure customer security.
Steering committee: risk, legal, ops, IT, customer support and vendor leads meet weekly during implementation.
Incident playbooks: escalation paths for suspected scams, freeze/unfreeze, customer restitution and BSP reporting. Fraud teams play a critical role in resolving cases efficiently, maintaining accountability, and ensuring operational pressures such as verification, logging, documentation, and communication are managed under tight deadlines.
Service-level objectives: detection latency, mean time to investigate (MTTI), false positive rate targets.
Businesses within the financial sector face increased liability if they do not implement adequate fraud detection mechanisms and can be held accountable for lapses in safeguarding funds or failing to meet regulatory requirements.
With operational governance established, the next step is to ensure rigorous testing, assurance, and engagement with the BSP.
Testing, Assurance & BSP Engagement
Phased rollouts: sandbox → pilot (10–20% of volume) → graduated ramp.
Red-team exercises: simulate SIM-swap, social engineering, device spoofing and mule networks.
Model and rules validation: monthly performance reports; quarterly independent audit.
Regulator sandbox & attestation: invite BSP for pilot observations and provide attestation documents ahead of the June 2026 deadline. As part of the engagement process, banks may request extensions or approvals from the BSP regarding compliance deadlines or security measures.
After establishing a robust testing and assurance process, institutions should focus on monitoring key performance indicators to measure ongoing effectiveness.
KPIs & Metrics to Monitor
Detection rate of confirmed scams (%)
False positive rate (%) and customer friction metric (abandonment after challenge)
Mean time to detect (seconds) and mean time to contain (minutes/hours)
% transactions using non-interceptable authentication (passkeys / biometrics)
Number of interbank intelligence shares per month
Tracking these KPIs ensures continuous improvement and helps institutions maintain compliance and customer trust.
Customer Experience & Communications
Clearly communicate new authentication flows, which are designed to protect consumers from scams and unauthorized access, explain the safety benefits, and provide frictionless recovery routes.
AFASA emphasizes the need for continuous customer education about fraud risks, requiring institutions to provide clear guidance to consumers and victims of scams such as phishing, smishing, and vishing.
Financial institutions must provide customers with an automated ‘kill switch’ to freeze their accounts if they suspect a compromise.
Train contact center teams with standard scripts for challenge flows and restitution handling.
A positive customer experience is essential for the successful adoption of new fraud prevention measures and for maintaining trust during the transition.
Vendor Selection Checklist
Real-time processing capability
Model explainability
Integration adapters (core banking, card switches, mobile SDKs)
Compliance & audit logs
SLA for updates
Local presence/support in the Philippines
Proven data security certifications
Selecting the right vendor is crucial for seamless integration and ongoing support as institutions work toward AFASA compliance.
Practical 4-Month Action Plan (For Institutions Short on Time)
Step-by-Step Implementation Timeline:
Month 0–1: Executive signoff, gap analysis vs BSP circulars, vendor shortlist.
Month 1–2: Proof of Concept (PoC) with event streaming + identity graph; begin data migration.
Month 2–3: Integrate detection engines, case management, and step-up authentication; run pilot with select segments.
Month 4: Full deployment, final validation, submit compliance attestation to BSP, staff training, run tabletop incident drills.
This structured approach ensures institutions can meet the AFASA deadline even with limited time.
Skip Step 8 With ZIGRAM’s Complete AML System: A Modular Stack for AFASA-Ready Fraud & AML Transformation
As Philippine banks align their fraud infrastructure with AFASA requirements ahead of June 25, 2026, a fragmented compliance architecture will not suffice. Institutions need an integrated system that connects screening, transaction monitoring, investigations, and enhanced due diligence into a single intelligence loop. Achieving AFASA readiness is crucial for institutions aiming to align their controls with AFASA standards, enhancing fraud prevention, regulatory compliance, and customer trust. The Bankers Institute of the Philippines is associated with the implementation and compliance process of AFASA, supporting industry-wide readiness.
ZIGRAM’s Complete AML System delivers this through four tightly integrated products:
PreScreening.io – Name Screening
Transact Comply – Transaction Monitoring
Entity Hero – Risk Case Management
Together, these form a regulator-ready AML + Fraud ecosystem aligned with BSP expectations under AFASA.
This closed-loop ecosystem ensures:
Faster detection
Lower false positives
Stronger regulatory defensibility
Seamless audit readiness
Penalties and Liability Under AFASA
The Anti-Financial Account Scamming Act (AFASA) introduces a rigorous framework of penalties and liability for financial institutions and individuals who fail to uphold its standards. Financial institutions that do not implement effective fraud management systems or fail to prevent unauthorized transactions face significant consequences, including being held liable for customer losses resulting from financial scams, online scams, or account takeovers. The law is clear: institutions must take proactive steps to secure accounts, monitor transactions, and prevent fraud—or risk substantial financial and reputational damage.
AFASA also targets individuals involved in financial crime, imposing criminal penalties for activities such as money muling, social engineering schemes, and other fraudulent acts that compromise the security of financial accounts. Administrative sanctions, including fines and regulatory penalties, may be levied by the BSP against institutions that do not comply with the law’s requirements. These measures are designed to ensure that both institutions and individuals are held accountable for their roles in preventing and responding to financial crime.
By establishing strict liability and robust enforcement mechanisms, AFASA compels financial institutions to prioritize fraud prevention, invest in advanced fraud management systems, and maintain vigilant oversight of all transactions. This approach not only protects customers’ funds and accounts but also strengthens the overall resilience of the Philippine financial sector against evolving threats.
Best Practices for AFASA Compliance
To achieve and sustain compliance with AFASA, financial institutions in the Philippines must adopt a proactive, technology-driven approach to fraud prevention and detection. Implementing advanced fraud management systems that leverage machine learning and artificial intelligence is essential for identifying suspicious transactions and preventing unauthorized access to financial accounts. These systems should be constantly calibrated to adapt to new scam patterns and emerging risks, ensuring that fraud detection remains effective as threats evolve.
Multi-factor authentication, including biometric authentication and behavioral biometrics, should be standard for securing customer accounts and mitigating the risk of phishing and social engineering schemes. Regular risk assessments and continuous monitoring are critical for identifying vulnerabilities and ensuring that fraud prevention measures remain robust. Financial institutions should also invest in comprehensive training and awareness programs for both customers and employees, empowering them to recognize and respond to potential scams.
Collaboration is another key best practice: institutions should actively share information and best practices with regulators and industry peers to strengthen collective defenses against financial crime. By regularly reviewing and updating their fraud management systems, financial institutions can ensure ongoing compliance with AFASA, reduce the risk of financial scams, and protect the funds and trust of their customers.
Mule Networks and Financial Crime
Mule networks have become a critical threat vector in the Philippine financial sector, especially under the lens of the Anti-Financial Account Scamming Act (AFASA). These networks operate by recruiting individuals—sometimes unwittingly—to open or lend their financial accounts for the movement of illicit funds. Once scammers gain access, they rapidly transfer stolen money through layers of mule accounts, making it difficult for authorities and financial institutions to trace the origin and destination of the funds.
For financial institutions, the presence of mule accounts poses significant risks, including exposure to money laundering, terrorist financing, and other forms of financial crime. Fraud management systems (FMS) must be equipped to detect suspicious transactions and behavioral anomalies that signal mule activity. This includes monitoring for unusual transaction patterns, rapid movement of funds, and connections between seemingly unrelated accounts.
Advanced fraud detection technologies, such as machine learning and biometric authentication, are essential tools in this fight. By analyzing transaction data in real time and verifying account owners through biometric methods, institutions can identify and block mule networks before they can exploit vulnerabilities. Compliance with AFASA and the broader framework against financial account scamming is not just about meeting regulatory requirements; it is about safeguarding the integrity of the entire financial sector in the Philippines.
Challenges in Implementing AFASA
Implementing the Anti-Financial Account Scamming Act (AFASA) introduces a new level of complexity for financial institutions in the Philippines. One of the foremost challenges is achieving real-time fraud detection and prevention, which requires significant upgrades to existing fraud management systems (FMS) and supporting infrastructure. Institutions must ensure their FMS are constantly calibrated to adapt to evolving scam patterns and high-risk transactions, which demands ongoing investment in technology and skilled personnel.
Deploying multi-factor authentication (MFA) methods such as facial recognition and behavioral biometrics adds another layer of complexity. Integrating these advanced authentication tools into legacy systems can be technically challenging and may require a complete overhaul of customer onboarding and transaction processes. At the same time, financial institutions must strike a balance between robust security and a seamless customer experience, ensuring that security measures do not create unnecessary friction for legitimate users.
The Bangko Sentral ng Pilipinas (BSP) has underscored the importance of industry-wide collaboration and information sharing to combat fraud. This means institutions must not only focus on their internal controls but also participate in shared intelligence networks to stay ahead of emerging threats. Ultimately, successful implementation of AFASA hinges on the ability of financial institutions to adapt quickly, leverage cutting-edge technology, and foster a culture of shared responsibility across the sector.
Benefits of Compliance
Achieving compliance with the Anti-Financial Account Scamming Act (AFASA) delivers substantial benefits for financial institutions operating in the Philippines. By implementing advanced fraud management systems (FMS) and adopting robust security measures, institutions can significantly reduce the risk of unauthorized transactions and protect both their customers’ funds and their own reputations. Enhanced fraud detection and prevention capabilities not only safeguard against financial crime but also reinforce the overall security and trustworthiness of the financial sector.
AFASA compliance positions financial institutions as leaders in customer protection, fostering greater trust and confidence among account holders. The adoption of technologies such as machine learning and biometric authentication provides a competitive edge, enabling institutions to offer secure, user-friendly services that meet the evolving expectations of digital banking customers. Furthermore, by proactively addressing the requirements of AFASA, institutions can avoid regulatory penalties, reputational damage, and financial losses associated with fraud and scams.
Ultimately, prioritizing AFASA compliance demonstrates a commitment to combating financial account scamming and to the long-term health of the Philippine financial market. It enables institutions to build resilient systems, respond swiftly to emerging threats, and unlock new growth opportunities in an increasingly digital and interconnected financial landscape.
Why This Matters for the June 25, 2026 AFASA Deadline
Banks must demonstrate:
Real-time fraud monitoring capability
Watchlist and blacklist integration
Investigative documentation
Risk-based enhanced due diligence
Transparent audit trails
ZIGRAM’s Complete AML System addresses each of these pillars in a modular, cost-efficient architecture that can be deployed quickly via API or on-premise.
For Philippine financial institutions working toward AFASA compliance, the question is no longer whether to upgrade but whether their systems are integrated enough to withstand regulatory scrutiny.
Checklist: Must-have before June 25, 2026
Real-time transaction & device telemetry capture
Behavioural analytics + anomaly detection models in production
Industry blacklist integration & interbank sharing APIs
Step-up authentication frameworks (passwordless options) implemented for high-risk flows
Tamper-evident evidence store & case management system
Independent validation report & internal attestations ready for BSP
Customer communication & recovery workflows tested
Final Note (For Compliance Professionals)
Meeting the June 25, 2026 deadline represents a turning point in the Philippines’ fight against financial scams, marking a shift to proactive, real-time security measures. This deadline is both a regulatory requirement and an opportunity: institutions that prioritise customer-centric, low-friction security will reduce scam losses and build trust. For RegTech providers (like ZIGRAM), there is urgent demand for modular FMS components such as identity graphs, ML models, and interbank intelligence layers that plug into legacy cores quickly and securely.