Safety of E-Wallets in the Philippines

Safety of E-Wallets in the Philippines

If one goes into stores, there are multiple ways of paying one’s purchases. One could pay through traditional means, i.e., through cash, debit or credit card or through their electronic wallets, more commonly known as “e-wallet”, an electronic card which allows the user to pay for transactions made online through a computer or a smart phone[1].

In the Philippines, there are different kinds of e-wallets such as PayMaya, GCash,  SMART Money, and Coins.ph[2]. Most use a client-side wallet where it allows the end-user to manage their account[3]. Some allow the user to load their accounts with money while others link their credit or debit card information with their accounts[4].

Regardless of the differences in their features, it is clear that e-wallets provide convenience in terms of seamless transactions. Given this advantage, it is only a matter of time until it replaces the traditional means of payment. Visa reported that there was a jump in the use of electronic payments from 46% in 2015 to 57% in 2017[5]. Oliver Wyman, a management consultancy firm, predicted that there will be a surge of around 6% in the use of non-cash payments such as e-wallets by 2022[6].

Despite this rosy outlook, the Philippines is behind its Asian neighbors. In China, 50% of its transactions were done through non-cash payments in 2016[7]. In Indonesia, the non-cash transactions have increased from 27% to 30% between 2012 – 2016[8]. This is because there are still barriers to the adoption of cashless technology in the Philippines. One of which is the general fear of falling prey to scammers.

The Bangko Sentral ng Pilipinas (BSP) provided three ways of ensuring the safety of consumers and users. First, Section 4 of BSP Circular No. 649 requires electronic money issuers (EMI) to maintain a record-keeping system, which would store the e-money instruments issued, the identity of e-money holders, and individual and consolidated balances. The system must be able to keep track of the movement of e-money transactions and link the e-money instruments issued to common e-money holders[9].  This has to be communicated to the client who will acknowledge the same in writing[10].

Second, BSP requires EMIs to maintain a redress mechanism which would allow customers to file complaints[11]. Third, EMIs should have the following minimum risk management systems and controls before they operate:

  1. Internal controls[12]
  2. Properly designed and tested computer systems[13]
  3. Appropriate security policies and measures[14]
  4. Business continuity and recovery plans[15]
  5. Audit function[16]; and
  6. Compliance with Anti-Money Laundering Act (AMLA) regulations[17].

Failure to comply with such requirements would result in penalties and sanctions imposed by other applicable laws, rules, and regulations[18].

To bolster protection in cashless payments, BSP has issued Circular No. 808 to tighten cybersecurity protocols[19]. In order to manage IT risks and information security issues, BSP requires EMIs to establish a robust IT Risk Management (ITRM) System that covers IT governance, risk identification and assessment, IT controls implementation, and risk measurement and monitoring[20].

IT governance is concerned with the leadership and organizational structures and processes to ensure that the IT strategic plan is aligned with the EMI’s business strategy. This includes IT policies, procedures, and standards that would serve as a guide to achieve IT objectives[21], which should also incorporate an IT audit. This allows the Board to have an independent assessment of technology risk management process and IT controls[22].

Risk identification and assessment should be able to identify all information assets, any foreseeable threats to these assets, the probability of occurrence of the threats, and the adequacy of existing controls[23].

IT controls implementation should be able to address the overall integrity of the environment and include clear and measurable performance goals[24]. This would include encrypting sensitive data to ensure the confidentiality and integrity of personal data stored, transmitted, and processed[25]. Regarding mobile and phone financial services, EMIs are required to adopt a dual authentication process to ensure that the party initiating the transaction is the owner of the device[26].

Risk measurement and monitoring is concerned with measuring IT activities based on internal and industry standards to determine the efficacy and efficiency of existing operations[27]. It must have a quality assurance/quality control procedure for all significant activities to ensure that IT is delivering value to business in a cost-effective manner[28].

EMIs are required to report to BSP their annual IT profile as well as any breach in information security[29] to ensure compliance with such protocols. Failure to comply results in penalties provided by Section 37 of Republic Act No. 7653, which include fines[30], suspension of rediscounting privileges or access to Bangko Sentral credit facilities[31], suspension of lending or foreign exchange operations or authority to accept new deposits or make new investments[32], suspension of interbank clearing privileges[33], and/or revocation of quasi-banking license[34].

The convenience offered by e-wallets is undeniable. Surveys have predicted an increase in its usage by Filipinos. However, the safety of the information of Filipino users must not be compromised. Thus, it is imperative to incorporate strict guidelines. The different requirements expected of EMIs and corresponding penalties imposed are a step in the right direction.

[1] The Economic Times. “Definition of ‘E-wallets’.” The Economic Times.  Accessed October 27, 2018. https://economictimes.indiatimes.com/definition/e-wallets

[2] Pineda, Amiel. “Top 8 Cashless, Digital & E-Payment Systems for Consumers & Merchants in the Philippines.” (grit.ph, May 8, 2018) Accessed October 27, 2018. https://grit.ph/cashless/

[3] https://electronics.howstuffworks.com/gadgets/high-tech-gadgets/digital-wallet1.htm

[4] Id at footnote 2.

[5] Vicente, Reynaldo. “Special Report: The state of digital payments in the Philippines.” (upgrademag.com, July 16, 2018) Accessed October 27, 2018. http://www.upgrademag.com/web/2018/07/16/the-state-of-digital-payments-in-the-philippines/

[6] Asian Banking & Finance. “E-wallets to snap up 6% of Philippine payments by 2022.” (Asian Banking & Finance, June 18, 2018) Accessed on October 27, 2018. https://asianbankingandfinance.net/cards-payments/news/e-wallets-snap-6-philippine-payments-2022

[7] Asian Banking & Finance. “Chart of the Week: Check out mobile wallet adoption across Asia.” (Asian Banking & Finance, June 20, 2018) Accessed on October 27, 2018. https://asianbankingandfinance.net/cards-payments/news/chart-week-check-out-mobile-wallet-adoption-across-asia

[8] Id.

[9] BSP Circular No. 649, Section 4(B).

[10] BSP Circular No. 649, Section 4(D).

[11] BSP Circular No. 649, Section 4(F).

[12] BSP Circular No. 649, Section 4(H).

[13] Id

[14] Id

[15] Id

[16] Id

[17] BSP Circular No. 649, Section 4(E).

[18] BSP Circular No. 649, Section 7.

[19] Lopez, Melissa Luz T. “E-money transactions hit all-time high in 2016.” (BusinessWorld online, May 23, 2017) Accessed on October 27, 2018. http://www.bworldonline.com/content.php?section=Finance&title=e-money-transactions-hit-all-time-high-in-2016&id=145584

[20] BSP Manual of Regulations for Banks, Section X176.7.

[21] BSP Manual of Regulations for Banks, Section X176.7.1.b.

[22] BSP Manual of Regulations for Banks, Section X176.7.1.c.

[23] BSP Manual of Regulations for Banks, Section X176.7.2.

[24] BSP Manual of Regulations for Banks, Section X176.7.3.

[25] BSP Circular No. 808, Annex “A”.

[26] Id.

[27] BSP Manual of Regulations for Banks, Section X176.7.4.

[28] BSP Manual of Regulations for Banks, Section X176.7.4.c.

[29] BSP Manual of Regulations for Banks, Section X176.8.

[30] Republic Act No. 7653 (1993), Section 37 (a).

[31] Republic Act No. 7653 (1993), Section 37(b).

[32] Republic Act No. 7653 (1993), Section 37 (c).

[33] Republic Act No. 7653 (1993), Section 37 (d).

[34] Republic Act No. 7653 (1993), Section 37 (e).

Disini & Disini Law Office
info@privacy.com.ph