
Philippines: Data Protection in the Financial Sector


1. Governing Texts

Data protection in the Philippines is, in general, governed by the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), which came into force on 15 August 2012. The Act covers all natural and juridical persons who process personal data, including private and government institutions and government-owned and controlled institutions, subject to certain exemptions, and classifies them as personal information controllers and/or personal information processors according to the extent of their control over such processing.

The Act applies extraterritorially to individuals and entities based abroad, even when the actual processing of personal data is done outside of the Philippines, under the following conditions:

  • the personal data processed relates to a Philippine citizen or resident;
  • the foreign individual or entity has a link with the Philippines, such as in the following instances:
    • it is party to a locally executed contract;
    • it has locally established central management and control; and
    • it has a branch, agency, office, or subsidiary in the Philippines and has access to the personal data processed by such branch, agency, office, or subsidiary; or
  • the foreign individual or entity has other links in the Philippines, such as, but not limited to, the following instances:
    • the individual or entity carries out business in the Philippines; and
    • the personal data processed by the individual or entity was collected or held by an entity in the Philippines.

The Act is of general application and does not prohibit other public authorities from processing personal data pursuant to their statutorily and/or constitutionally mandated functions. Likewise, it does not prohibit public authorities from issuing specific regulations covering data protection in areas under their jurisdiction, so long as those regulations do not go below the minimum requirements of the Act.

Banks and other financial institutions, such as payment service providers and microfinance and small to medium-sized enterprise lending institutions, are also governed by regulations issued by the Philippines' independent central monetary authority, the Bangko Sentral ng Pilipinas ('BSP'). Life and non-life insurance companies, mutual benefit associations, and trusts for charitable uses, meanwhile, are governed by issuances of the Insurance Commission of the Department of Finance of the Republic of the Philippines ('the Insurance Commission').

1.1. Legislation

The Act adheres to the general principles of transparency, legitimate purpose, and proportionality.

Transparency requires financial institutions to declare before, or as soon as reasonably practicable, the legitimate purpose/s behind the collection and subsequent processing of personal data, even where such purpose is supported by existing regulation or law. In relation to this, the Act recognises the rights of data subjects to be informed of the following:

  • a description of the personal information to be entered into the system;
  • the purposes for which personal data is being or is going to be processed;
  • the basis of processing when it is not based on consent;
  • the scope and method of the personal information processing;
  • the recipients or classes of recipients to whom the data is or may be disclosed;
  • the methods utilised for automated access, if the same is allowed by the data subject, and the extent to which such access is authorised;
  • the identity and contact details of the personal information controller or its representative;
  • the period for which the information will be stored; and
  • the existence of their rights.

The right to due notice gives rise to data subjects' right to object to the processing of their personal data, including those related to direct marketing, automated processing, or profiling.

Aside from the requirement of due notice, data subjects must be given a reasonable right to access their data, in a structured and commonly used format, upon demand, including, but not limited to, the sources from which the data was obtained, the recipients, the reasons for disclosure, and access logs.

Financial institutions must also provide mechanisms to allow data subjects to exercise the following correlative rights:

  • dispute and/or correct the inaccuracy of their personal data; and
  • suspend, withdraw, block, remove, or destroy outdated, false, unnecessary, or unlawfully obtained and/or processed personal data.

Under the principle of legitimate purpose, financial institutions must process personal data fairly and lawfully under the recognised criteria for processing either personal information or sensitive personal information. For personal information, the following constitute a lawful basis for processing:

  • consent has been obtained from the data subject;
  • processing is necessary for the fulfilment of a contract with the data subject or to fulfil the request of the data subject preparatory to such contract;
  • processing is necessary for compliance with a legal obligation;
  • processing is necessary to protect vitally important interests of the data subject, including life and health;
  • processing is necessary in response to a national emergency for public order and safety, or for the fulfilment by a public authority of its mandate; or
  • processing is necessary for the legitimate interests of the controller or processor or by a third party or parties to whom the data is disclosed, subject to constitutionally protected fundamental rights and freedoms of the data subject.

Sensitive personal information may only be processed under the following bases:

  • consent has been obtained from the data subject;
  • processing is required by existing laws and regulations;
  • processing is necessary to protect the life and health of the data subject or another person, and the data subject is legally or physically incapable of expressing consent;
  • processing is necessary for purposes of medical treatment carried out by a medical practitioner or a medical treatment institution; or
  • processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defence of legal claims, or when provided to government or public authority.

With respect to proportionality, financial institutions must have mechanisms in place to ensure the continuing accuracy, relevance, and adequacy of personal data relative to the purpose of its collection and processing, and that the data held is not excessive for that purpose. Furthermore, they are allowed to retain personal data only for as long as necessary for the fulfilment of said purposes.

IRRs

The Implementing Rules and Regulations of Republic Act No. 10173 ('IRRs') of the Act were signed into effect on 24 August 2016 by the National Privacy Commission ('NPC'). The provisions of the IRRs further elaborate on the provisions of the Act and provide granularity on some of its requirements in the areas of data security, the rights of data subjects, data breach notification, outsourcing and subcontracting agreements, as well as registration and compliance requirements.

Relevant circulars issued by the NPC

The NPC has issued several circulars providing granularity in specific areas of data privacy pursuant to its rule-making function under the Act. Currently, these circulars cover data security in government, data sharing in government, personal data breach management, registration of data processing systems, requests for advisory opinions, personal data processing for loan-related transactions, and data sharing in the private sector. Circulars, unlike statutes, do not require a congressional amendment to effect any revision in internal policy. As such, they may be revised or supplemented from time to time.

Sector-specific regulation

There are a number of existing statutes and/or regulations issued by public authorities that specifically impact data protection in financial institutions, such as banks, payment service providers, microfinance lenders, and insurance companies.

Confidentiality

Under BSP Circular No. 707 (Loans and Other Credit Accommodations) 2010 and Circular No. 754 (Credit Card Operations) 2012, the data covering a borrower, cardholder, or consumer shall be kept strictly confidential by banking institutions, except in the following circumstances:

  • consent to disclose has been obtained from the borrower or consumer;
  • release, submission, or exchange of customer information with other financial institutions, credit information bureaus, lenders, their subsidiaries and affiliates;
  • upon orders of a competent court or government agency duly authorised by law;
  • disclosure to collection agencies, counsels, and other agents of the bank to enforce its rights against the borrower;
  • disclosure to third-party service providers solely for the purpose of assisting or rendering administrative services to a bank; and
  • disclosure to insurance companies covering a bank from borrower default or credit loss, or the borrower from fraud or unauthorised charges.

With the advent of the Act, as well as the issuance of BSP Circular No. 857 on Financial Consumer Protection 2014, as amended by BSP Circular No. 890 on Amendments to the Manual of Regulations for Banks and Manual of Regulations for Non-Bank Financial Institutions 2015 ('BSP Circular 890') and BSP Circular No. 1048 on Guidelines and Procedures Governing the Consumer Assistance and Management System of BSP-Supervised Financial Institutions ('BSP Circular 1048'), the implementation of these exceptions is now qualified.

While the disclosure of personal data, as a form of processing, may be permissible without consent under certain lawful criteria provided under the Act, data subjects must still be informed of the possible disclosure of their data, including the purposes and recipients of such data.

Moreover, any disclosures made under the circumstances above should be protected by appropriate contractual clauses between the parties to the disclosure, to ensure the continuing protection of such data across channels. On the one hand, third-party service providers who may be exposed to personal data under an outsourced function must be bound to follow the Act's provisions covering processors. On the other hand, organisations to whom personal data is disclosed for a purpose separate and independent from the interests of the disclosing entity must be covered by an appropriate data sharing agreement.

Consumer protection standards

BSP Circulars 890 and 1048 enforce provisions intended for the protection of client information, covering all BSP-supervised financial institutions ('BSFIs'), which now include licensed virtual currency exchanges and other new digital financial products and services. These circulars recognise the right of consumers to expect that personal data disclosed in the course of a financial transaction is kept strictly confidential.

To this end, BSFIs must be able to demonstrate their ability to protect customer personal data through, among other things:

  • the adoption of a privacy policy governing all the stages of the lifecycle of information, including its disposal. This policy must be properly communicated throughout the organisation and capable of enforcing sanctions for any violations thereof;
  • the establishment of appropriate systems to protect the confidentiality and security of customer personal data, including an information security plan;
  • the formulation of an accountability framework for implementing the security plan;
  • the identification and assessment of risks to customer personal data;
  • the regular monitoring and vulnerability testing of the organisation's safeguard programme;
  • an employee management and training policy relative to addressing the risks to customer personal data;
  • a strong IT system in place to protect the confidentiality, integrity, and availability of customer personal data;
  • proper classification and storage of sensitive customer information;
  • secure disposal of customer personal data; and
  • an adequate security breach response plan in the event of a personal data breach.

Any sharing of customer personal data must be preceded by written notice to customers explaining clearly how such sharing shall be conducted. Likewise, written consent from the customer, in general, must be obtained before such sharing subject to both the exceptions provided under client confidentiality and the requirements of the Act (as discussed above). Customers must be given access to the information shared, with a corresponding right to challenge the accuracy and completeness of the information.

Similarly, the BSP issued BSP Circular No. 542 on Consumer Protection for Electronic Banking 2006 ('BSP Circular 542'), providing rules and regulations concerning consumer protection for electronic (e-banking) products and services. Under BSP Circular 542, banks are required to implement a comprehensive information security programme and information security measures and controls to address the risks of e-banking, including:

  • appropriate authentication measures;
  • account origination and customer verification; and
  • monitoring and reporting e-banking transactions through audit logs.

Under BSP Circular 542, banks must adopt responsible privacy policies and information practices, including adequate disclosures to customers who join new e-banking services. At a minimum, banks must provide the following disclosures to protect consumers:

  • information on the duties of the banking institutions and customer;
  • information on who will be liable for unauthorised or fraudulent transactions;
  • the mode by which customers will be notified of changes in the terms and conditions;
  • information relating to how customers can lodge a complaint, and how a complaint may be investigated and resolved;
  • disclosures that will help consumers in their decision making; and
  • information that notifies customers that they are leaving the banking institution's website and hence are no longer protected by its privacy policies and security measures.

1.2. Supervisory authorities

The provisions of the Act are enforced by the NPC, which comprises the Privacy Commissioner and two Deputy Privacy Commissioners. The NPC's general powers and functions include:

  • ensuring compliance of controllers and processors with the provisions of the Act;
  • receiving complaints and instituting investigations in relation to the Act;
  • issuing cease and desist orders, as well as imposing a temporary or permanent ban on the processing of personal data upon finding that the processing will be detrimental to national security and public interest;
  • recommending to the Department of Justice the prosecution and imposition of penalties specified in Sections 25 to 29 of the Act;
  • reviewing, approving, rejecting, or requiring modification of privacy codes voluntarily adhered to by controllers and/or processors;
  • providing assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity, or any person;
  • ensuring proper and effective coordination with data privacy regulators in other countries and private accountability agents;
  • participating in international and regional initiatives for data privacy protection;
  • negotiating and contracting with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
  • assisting Philippine companies doing business abroad when responding to foreign privacy or data protection laws and regulations; and
  • generally, performing such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

With respect to banks and non-bank financial institutions, including payment service providers, the BSP is the primary regulator. In particular, the BSP exercises supervisory and rule-making powers in areas of money, banking, and credit. It regulates the operations of banks, finance companies, and non-bank financial institutions performing quasi-banking functions. It is also considered the primary overseer over retail payment systems in the Philippines.

The collection and dissemination of credit rating information arising from credit and credit-related activities of all entities in the financial industry are controlled and governed by the Credit Information Corporation.

The Insurance Commission exercises supervisory authority over the operations of life and non-life insurance companies, including pre-need institutions.

While these regulators have specific authority covering their respective industries, this does not prevent the NPC from exercising its enforcement powers against financial institutions in relation to the Act.

2. Personal and Financial Data Management

2.1. Legal basis for processing

Under the principle of legitimate purpose, financial institutions must process personal data fairly and lawfully under the recognised criteria for processing either personal information or sensitive personal information. For personal information, the following constitute a lawful basis for processing:

  • consent has been obtained from the data subject;
  • processing is necessary for the fulfilment of a contract with the data subject, or to fulfil the request of the data subject prior to such contract;
  • processing is necessary for compliance with a legal obligation;
  • processing is necessary to protect vitally important interests of the data subject, including life and health;
  • processing is necessary in response to a national emergency for public order and safety, or for the fulfilment by a public authority of its mandate; or
  • processing is necessary for the legitimate interests of the controller or processor or by a third party or parties to whom the data is disclosed, subject to constitutionally protected fundamental rights and freedoms of the data subject.

For the purposes of this section, personal information is defined as 'any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.'

The following constitute sensitive personal information:

  • information regarding an individual's race, ethnic origin, marital status, age, colour, and religious, philosophical or political affiliations;
  • information regarding an individual's health, education, genetic or sexual life, or any proceeding for any offence committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  • information issued by government agencies that is peculiar to an individual, including, but not limited to, social security numbers, previous or current health records, licences or their denial, suspension, or revocation, and tax returns; and
  • information specifically established by an executive order or an act of Congress to be kept classified.

Sensitive personal information may only be processed under the following bases:

  • consent has been obtained from the data subject;
  • processing is required by existing laws and regulations;
  • processing is necessary to protect the life and health of the data subject or another person, and the data subject is legally or physically incapable of expressing consent;
  • processing is necessary for purposes of medical treatment carried out by a medical practitioner or a medical treatment institution; or
  • processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defence of legal claims, or when provided to government or public authority.

Under NPC Circular No. 20-01, for entities engaged in the processing of personal data for purposes of granting loan facilities, including lending companies and financing companies, the further processing of borrowers' personal data for other compatible purposes is permissible so long as a direct and objective link exists between the primary purpose and such other purposes, which may include analysing customer behaviour, system administration, maintaining service quality, and customer service or support. Marketing, cross-selling, or sharing of personal data with third parties for purposes of offering other products or services not related to loans must be based on a separate lawful condition as enumerated in this section.

Lending companies, financing companies, and other persons acting as such are prohibited from requiring unnecessary permissions involving personal data in the use of online apps for loan processing activities. Only application permissions that are suitable and necessary for compliance with Know Your Customer requirements, determining creditworthiness, fraud prevention, and debt collection shall be allowed. Access to contact details and the harvesting of social media contacts for use in debt collection, or to harass, in any way, the borrower or his/her contacts, are prohibited. Likewise, the use of personal data to engage in unfair collection practices as defined under applicable laws and/or regulations shall be punishable under the Act.

Instances of sharing credit data to and from third parties for the purpose of determining the creditworthiness of borrowers, other than those required under applicable law or regulation, must be authorised under the lawful conditions provided under the Act as enumerated above.

2.2. Privacy notices and policies

There are no industry-specific guidelines on the content of privacy notices and policies other than that provided under the Act. While the BSP's consumer protection regulations require the implementation of privacy policies for the protection of clients' information, the Act provides greater granularity on this requirement. As discussed above, the following elements must be present in an organisation's privacy policy and/or notice:

  • description of the personal information to be collected and/or processed;
  • purposes for which personal information is being or is to be processed;
  • the basis of processing when it is not based on consent;
  • scope and method of personal information processing;
  • the recipients or classes of recipients to whom they are or may be disclosed;
  • methods utilised for automated access, if the same is allowed by the data subject, and the extent to which such access is authorised;
  • the identity and contact details of the personal information controller or its representative;
  • the period for which the information will be stored; and
  • the existence of their rights.

Under NPC Circular No. 2020-01, entities engaged in the processing of personal data for purposes of granting loan facilities, including lending companies or financing companies, are required to provide all borrowers with the following details in a clear language and in the most appropriate format:

  • all information concerning all phases of the loan processing activity, from loan solicitation and loan origination through repayment, debt collection, and remedial measures;
  • the fact that a loan processing activity entails the use of profiling, automated processing, automated decision-making, or scoring;
  • the categories of data considered in deciding whether to approve or disapprove a loan application, subject to such entities' right to implement reasonable policies determining the minimum information and manner of disclosure to a borrower;
  • the period for which the information will be stored; and
  • the existence of their rights.

2.3. Data security and risk management

Security of personal data

Apart from the principles of transparency, legitimate purpose, and proportionality, controllers and processors, including financial institutions, are required to implement reasonable and appropriate organisational, physical, and technical measures intended for the protection of personal data against both natural and human dangers which may cause accidental or unlawful loss or destruction, access, fraudulent misuse, alteration, disclosure, contamination, and other forms of unlawful processing. Such measures must include:

  • safeguards to protect its computer network;
  • implementation of a security policy relating to the processing of personal information;
  • mechanisms for identifying and assessing reasonably foreseeable vulnerabilities in its computer network (penetration and vulnerability testing), as well as for regular monitoring for personal data security incidents and personal data breaches, and for taking preventive, corrective, and mitigating action in addressing them;
  • mechanisms for promptly notifying the NPC and affected data subjects of personal data breaches involving personal data which may lead to identity fraud, which is reasonably believed to have been acquired by an unauthorised person, and which may give rise to a real risk of serious harm to data subjects' rights and freedoms;
  • contractual requirements for third-party processors to implement appropriate security measures; and
  • implementation of strict confidentiality obligations covering its employees, agents, or representatives who handle or hold personal data.

Additional measures

In terms of data security, the IRRs identify additional requirements for financial institutions engaged in the processing of personal data, such as:

  • organisational security measures;
  • physical security measures; and
  • technical security measures.

Organisational security measures

Financial institutions processing personal data should:

  • designate an individual or individuals to function as a data protection officer ('DPO') accountable for ensuring the organisation's compliance with the Act; guidance on the qualifications of a DPO has been issued by the NPC in NPC Advisory 17-01 on the Designation of DPOs (14 March 2017) ('NPC Circular 17-01');
  • implement data protection policies that provide for organisational, physical, and technical security measures, taking into account the nature, scope, context, and purposes of the processing;
  • maintain records of their processing activities, which should include the following information:
    • the purposes for the processing of personal data;
    • the categories of data subjects, personal data, and recipients of such data;
    • general information as to the flow of personal data within the organisation; and
    • the security measures in place to protect such data;
  • conduct capacity building, orientation, or training programmes for employees, agents, or representatives, regarding privacy or security policies; and
  • implement procedures for:
    • obtaining consent, where necessary, depending on the type of personal data processed and the purpose for the processing;
    • ensuring that data is limited only to the extent necessary to meet the declared purpose;
    • data access management, system monitoring and security incident management;
    • addressing a data subject's exercise of his/her rights under the Act; and
    • data retention and disposal.

Physical security measures

Financial institutions processing personal data should:

  • maintain procedures to monitor and limit access to facilities where personal data processing is conducted, including an acceptable use policy that specifies the proper use of and access to electronic media;
  • ensure privacy in facilities where processing of personal data is conducted;
  • ensure that only individuals actually performing official duties shall be in the room or work station where personal data is processed;
  • implement procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of personal data; and
  • implement procedures that prevent the mechanical destruction of files and equipment, including security against natural disasters, power disturbances, external access, and other similar threats.

Technical security measures

Financial institutions processing personal data should:

  • maintain the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • implement a process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
  • implement policies for the encryption of personal data during storage and while in transit, authentication, and other technical security measures that control and limit access.

Information technology risk management

In August 2013, the BSP issued BSP Circular No. 808 Guidelines on Information Technology Risk Management for All Banks and Other BSP Supervised Institutions 2013 to regulate advances in technology used by BSFIs.

It implements enhanced guidelines on information technology risk management to supervise aggressive and widespread adoption of technology in the financial service industry. The BSP later issued BSP Circular No. 982 Enhanced Guidelines on Information Security Management 2017 ('BSP Circular 982') which further enhances these guidelines particularly in the area of cybersecurity.

Under BSP Circular 982, the BSP imposes IT risk management standards and guidelines in the following areas:

  • information security governance;
  • information security programme management; and
  • cyber threat intelligence and collaboration.

2.4. Data retention/record keeping

Beyond the data security requirements on personal data retention/record keeping provided under the Act, the IRRs, and NPC Circular No. 16-01, these regulations do not prescribe a specific retention period; they require only that such data not be retained longer than necessary for:

  • the fulfilment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
  • the establishment, exercise, or defence of legal claims; or
  • legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by an appropriate government agency.

Furthermore, under the Act, an organisation's retention policy may be made in compliance with guidelines set by law. For example, under BSP Circular 950, BSFIs' records shall be maintained and safely stored for as long as the account exists. All transaction records and documents of covered persons shall be maintained and safely stored for five years from the date of the transaction. The records of customer identification and transaction documents covering a closed account must be kept on record for at least five years from the date of the account's closure.

Where an account or customer is the subject of a money laundering case filed in court, such customer records must be retained and safely kept beyond the five-year retention period, until the Anti-Money Laundering ('AML') Council Secretariat has officially confirmed the case's resolution, decision, or termination with finality.

BSFIs shall designate at least two officers who will be jointly responsible and accountable for the safekeeping of all records and documents required to be retained under the Anti-Money Laundering Act of 2001 ('AML Act').

Furthermore, under NPC Circular No. 20-01, lending companies, financing companies, and other persons acting as such shall adopt and implement reasonable policies regarding the retention of the personal data of those whose loan applications were denied and of borrowers who have fully settled their loans. Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined. Otherwise, applicable penalties as provided for in the Act may be imposed.

3. Financial Reporting and Money Laundering

The Revised Implementing Rules and Regulations of Republic Act No. 9160 as amended (2016) ('RIRRs') of the AML Act, cover persons, including banks and non-bank financial institutions, trust entities, pawnshops, non-stock savings and loan associations, electronic money issuers, insurance companies, and institutions and persons dealing with securities. Such entities are required to maintain a system for verifying the true identities and/or legal existence of their clients based on reliable and independent sources, documents, data, or information.

In the conduct of customer due diligence, covered persons should undertake measures covering the following areas: customer identification, minimum customer information and identification documents, and ongoing monitoring of customers, accounts, and transactions.

With respect to customer identification, covered persons must conduct face-to-face contact at the commencement of the relationship with the customer or as reasonably practicable. The use of information and communication technology is permissible. The RIRRs provide a comprehensive list of minimum information and identification documents covered persons are required to collect from a customer, whether a natural or juridical entity. Covered persons may rely on third parties to perform customer identification, provided that they are also covered persons or financial institutions operating outside of the Philippines but covered by equivalent customer identification and face-to-face requirements.

Under the RIRRs, covered persons may outsource the conduct of customer identification, including face-to-face contact, to a counter-party, intermediary, or agent. The outsource, counter-party, or intermediary shall be regarded as an agent of the covered person, that is, the processes and documentation are those of the covered person itself. The ultimate responsibility for identifying the customer and keeping the identification documents remains with the covered person.

Where an account is opened or a transaction is conducted by any person on behalf of another, covered persons shall establish and record the true and full identity and the existence of both the account holder and the beneficial owner or person on whose behalf the transaction is being conducted.

Covered persons shall, on the basis of materiality and risk, update all customer information and identification documents of existing customers required to be obtained under the AML Act. They shall report to the Anti-Money Laundering Council ('AMLC') all covered transactions and suspicious transactions within five working days, unless the AMLC prescribes a different period not exceeding 15 working days, from the occurrence thereof.

For this purpose, covered transactions refer to transactions in cash or other equivalent monetary instrument exceeding PHP 500,000 (approx. €8,620). Suspicious transactions are those, regardless of the amount, where the following conditions exist:

  • there is no underlying legal or trade obligation, purpose, or economic justification;
  • the client is not properly identified;
  • the amount involved is not commensurate with the business or financial capacity of the client;
  • taking into account all known circumstances, it may be perceived that the client's transaction is structured in order to avoid being the subject of reporting requirements under the AML Act, as amended;
  • any circumstance relating to the transaction is observed to deviate from the profile of the client and/or the client's past transactions with the covered person;
  • the transaction is in any way related to an unlawful activity or any money laundering activity or offence, that is about to be committed, is being, or has been committed; or
  • any transaction that is similar, analogous or identical to any of the foregoing.

Covered persons are prohibited from communicating, directly or indirectly, in any manner or by any means, to any person or entity, the fact that a covered or suspicious transaction has been or is about to be reported, including the contents of the report, or any other related information. Moreover, any information about such reporting shall not be published or aired, in any manner or form, by the mass media, or through electronic mail, or other similar devices.

4. Banking Secrecy and Confidentiality

Under the Law on Secrecy of Bank Deposits (Republic Act No. 1405) ('the Banking Secrecy Law'), all deposits with banks or banking institutions in the Philippines, including investments in government-issued bonds, are considered absolutely confidential in nature. As such, they cannot be examined, inquired into, or looked into by any person, government official, bureau, or office, except in the following instances:

  • written consent of the depositor has been obtained;
  • in cases of impeachment of an impeachable government officer;
  • upon order of a competent court in cases of bribery or dereliction of duty of public officials, or where the money deposited or invested is the subject matter of the litigation;
  • upon a subpoena issued by the Ombudsman of the Philippines concerning an investigation it is conducting, provided that there must already be a case pending in court, the account be clearly identified, the inspection be limited to the subject matter of the pending case, and the bank personnel and the depositor must be notified to be present during the inspection;
  • the Republic of the Philippines Bureau of Internal Revenue can inquire into bank deposits in an application for compromise of tax liability or determination of a decedent's gross estate;
  • the AMLC can examine bank accounts pursuant to a court order, where there is probable cause that the deposits are related to an unlawful activity or money laundering offence;
  • the AMLC can examine bank accounts without a court order where there is probable cause that the deposits are related to certain crimes such as kidnapping for ransom, violation of Republic Act No. 9165 (Comprehensive Dangerous Drugs Act of 2002), hijacking, destructive arson, and murder; or
  • the BSP can examine bank accounts in the course of its periodic or special examination regarding compliance with AML Act.

5. Insurance

The Insurance Commission is mandated to supervise and regulate life and non-life insurance companies including mutual benefit associations, as well as trusts for charitable uses. The Insurance Commission has the authority to issue, suspend and revoke licenses to insurance agents, general agents, resident agents, underwriters, brokers, adjusters, and actuaries.

6. Payment Services

In February 2009, the BSP approved BSP Circular No. 649 on the issuance of electronic money ('e-money') and the operations of e-money issuers ('EMIs') in the Philippines. Banks and non-bank financial institutions planning to become an EMI must obtain approval from the BSP prior to issuing e-money. Furthermore, they are required to implement properly designed and thoroughly tested computer systems; appropriate security policies and measures intended to safeguard the integrity, authenticity, and confidentiality of data and operating processes; adequate business continuity and disaster recovery plans; and effective audit functions to periodically review their security control environment and systems.

EMIs shall notify the BSP in writing of any change or enhancement in the e-money facility 30 days prior to implementation. If such changes require BSP approval, it shall be evaluated accordingly.

7. Data Transfers and Outsourcing

NPC Circular 16-01 provides guidance on the stages of the personal data lifecycle, including storage, access, transfers, and disposal. NPC Circular 16-01 regulates transfers of personal data depending on the medium used. Further, encryption and authentication are required for personal data transfers using electronic mail and portable media. Transfers of personal data via fax machines are prohibited. For transfers of personal data via mail or post, only registered mail or guaranteed parcel post service should be utilised, under procedures that ensure delivery to the appropriate recipient or an authorised representative.

Outsourcing and subcontracting agreements

Controllers and processors may subcontract or outsource the processing of personal information, including the collection and storage thereof. However, such engagements must be covered by an appropriate contract binding the subcontractor to:

  • process personal data only upon the documented instructions of the controller, or processor, where subcontracting arrangements are involved;
  • impose the obligation of confidentiality on its personnel who are involved in the processing of personal data;
  • implement appropriate security measures and comply with the requirements of the Act and the other issuances of the NPC;
  • refrain from further subcontracting without prior documented instructions from the controller, or processor, where subcontracting arrangements are involved;
  • assist the controller or processor where subcontracting arrangements are involved, in responding to requests by data subjects in the exercise of their rights;
  • assist the controller or processor where subcontracting arrangements are involved, in complying with the requirements of the Act and the other issuances of the NPC;
  • delete or return all personal data, at the option of the controller or processor where subcontracting arrangements are involved, upon the termination of the engagement; and
  • provide the controller or processor where subcontracting arrangements are involved, all information necessary to demonstrate compliance to the Act and to allow for audits.

Under NPC Circular No. 20-01, lending companies, financing companies, and other persons acting as such may outsource any personal data processing activity they may deem appropriate. Details of the authorised processor or third-party service provider must be made available to borrowers. Parties to such outsourcing arrangements must be covered by an appropriate contract as described above. Such entities remain responsible for any personal data under their control or custody, including the processing of information that has been outsourced.

Data sharing agreements

Outsourcing and subcontracting arrangements should be distinguished from data sharing arrangements. Data sharing is defined under the IRRs as the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor. Under the IRRs, where a data sharing arrangement exists, the following requirements must be in place:

  • the consent of the data subject shall be required even when the sharing of the data is between affiliate companies;
  • data sharing for commercial purposes, including direct marketing, should be covered by a data sharing agreement, establishing safeguards for data privacy and upholding the rights of data subjects;
  • the data subject shall be provided with the identities of the parties to the sharing arrangement, including processors, the purpose for the sharing, the categories of personal data involved, and the existence of the rights of data subjects; and
  • all parties to the sharing arrangement shall be required to adhere to the data privacy principles laid down in the Act and the various issuances of the NPC.

The requirements of the IRRs are further qualified by NPC Circular No. 20-03 covering data sharing agreements in the private sector, which allows the sharing of personal data among private entities on the basis of the lawful conditions provided under the Act, as described in the section on legal basis for processing above, other than consent. In such instances, the information required to be disclosed to data subjects as enumerated above may be embodied in an appropriate privacy notice. Furthermore, while data sharing agreements are not required in all instances, the execution of such agreements is considered by the NPC as a sound recourse that demonstrates accountability and good faith compliance with the Act, the IRRs, and other NPC issuances. These factors are taken into account in the investigation and adjudication of complaints and in the conduct of compliance checks by the NPC.

NPC Circular No. 20-03 generally provides the following as the contents of a data sharing agreement:

  • purpose and lawful basis for the data sharing;
  • objectives of the data sharing;
  • parties to the data sharing;
  • term of the data sharing;
  • operational details of the data sharing;
  • security measures (organisational, physical, and technical) protecting the shared data;
  • the rights of data subjects; and
  • rules of retention and data disposal.

Data sharing agreements shall be subject to review by the NPC and periodic review by the parties thereto. All shared personal data should be returned, destroyed, or disposed of upon termination of the arrangement.

8. Breach Notification

NPC Circular No. 16-03 provides the guidelines for personal data breach management, specifically the standards for determining the existence of a personal data breach and its reporting requirements to the NPC and to affected data subjects. NPC Circular 16-03 applies to all controllers, including financial institutions, who are legally responsible for providing the appropriate notifications. Processors, however, are legally required to notify controllers of any breach in personal data processing and assist the latter in the preparation of the appropriate notices.

A personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, processed personal data. The NPC has enumerated three manifestations of such breaches:

  • an availability breach resulting from loss or accidental or unlawful destruction of personal data;
  • an integrity breach resulting from alteration of personal data; and/or
  • a confidentiality breach resulting from the unauthorised disclosure of or access to personal data.

Breach management

Both controllers and processors are required to maintain a security incident management policy. Its components include, among other things, the formation of a data breach response team comprising at least one member with sufficient authority to make decisions regarding critical actions when necessary, and the implementation of incident response and mitigation procedures and breach prevention or minimisation measures, including the conduct of a privacy impact assessment. The guidelines for the conduct of a privacy impact assessment are provided for under NPC Advisory 17-03 Guidelines on Privacy Impact Assessments.

Procedure for personal data breach reporting and mitigation

Incident response procedures should align with the guidelines for notification to the NPC and/or affected data subjects. Notification to the NPC is mandatory where there is knowledge or reasonable belief by either controllers or processors that a personal data breach with the following conditions has occurred:

  • the breach involves sensitive personal information or any other information that may be used to enable identity fraud, where such other information may include data about the financial or economic situation of the data subject, usernames, passwords and other login data, biometric data, copies of identification documents, or government-issued licenses or unique identifiers;
  • there is reason to believe that the information may have been acquired by an unauthorised person; and
  • there is reason to believe that the unauthorised acquisition is likely to give rise to a breach.

Circular No. 16-03 provides for additional qualifications should the existence of above-mentioned conditions remain uncertain:

  • the information involved would likely affect national security, public safety, public order, or public health;
  • the personal data breach affects at least 100 individuals;
  • the information involved is legally considered confidential; or
  • the personal data breach affects data subjects comprising vulnerable groups such as minorities, minor children, refugees, persons with disabilities, seniors, and other similarly situated individuals.

Controllers are mandated to notify the NPC within 72 hours upon knowledge of, or reasonable belief by either a controller or a processor, that a personal data breach has occurred. While a delay in notification may be allowed for purposes of determining the scope of the breach, preventing further disclosures, or restoring integrity to an affected system, it is prohibited where the breach involves at least 100 data subjects or such disclosure will harm or adversely affect data subjects. Controllers are expected to provide the NPC with a full report of the breach within five days from notification, subject to approved requests for additional time. For guidance on the contents of the notification, the NPC issued NPC Advisory 18-02 Guidelines on Security Incident and Personal Data Breach Reportorial Requirements.

In the event of a personal data breach requiring notification to the NPC, controllers are also required to notify affected data subjects within 72 hours upon knowledge of or reasonable belief thereof. The NPC may exempt a controller from notification where it may be against the public interest or the interests of the affected data subjects. The NPC may further postpone such notification if it can potentially hinder the progress of a criminal investigation related to such breach.

Further to the requirement of notification, controllers and/or processors are required to file an annual security incident report covering personal data breaches and other information security incidents which occurred during the previous year.

9. Fintech

FinTech companies inherently deal with the personal data of their customers. As such, they are covered by the Act. Considering that FinTech companies employ various modes of personal data processing, the following should be key considerations in ensuring compliance:

  • consent, notification, and the data subject's right to information: while the Act requires data subjects' express consent, prior to any personal data processing, unless otherwise permitted by the law, the greater challenge is to ensure that such consent is obtained with sufficient notification of the mode and extent by which personal data shall be processed. This includes the use of automated decision-making processes;
  • appointment of a DPO: the Act requires companies involved in the processing of personal data to appoint a DPO who is duty-bound to monitor and ensure compliance with the Act and the NPC's related issuances;
  • data breach management and notification: the company should have procedures in place to monitor, detect, and mitigate data breaches. In instances where sensitive personal information is involved, such procedures should include notification to the NPC within 72 hours upon actual knowledge or reasonable belief that a notifiable breach has occurred.

10. Enforcement

NPC

The Act imposes a number of penalties for criminal violations of its provisions, including, among other things, unauthorised access, processing, malicious disclosure, and intentional breach of privacy of personal data. The penalties may range from monetary fines amounting to PHP 500,000 (approx. €8,620) to PHP 5,000,000 (approx. €86,190) and/or imprisonment of between one and six years, depending on whether the violation involves sensitive personal information and/or the alleged act involves a series or combination of violations.

If the offender is a corporation, partnership, or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the violation may result in the suspension or revocation of any of its rights under the Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed.

The NPC also has the power to adjudicate and award indemnity on matters affecting any personal information, including the issuance of fines.

NPC Circular 17-01 requires companies covered under the Act to register their DPO and data processing systems (i.e. ICT and manual filing systems) when any of the following conditions exist:

  • the company employs at least 250 employees;
  • the company processes sensitive personal information of at least 1,000 individuals; or
  • the processing is likely to pose a risk to the rights and freedoms of data subjects.

Under NPC Circular 18-02 - Guidelines on Compliance Checks, the NPC can conduct compliance checks on personal information controllers or personal information processors, whether in government or the private sector, under the following modes:

  • privacy sweep: a review of publicly available information such as but not limited to, websites, mobile applications, raffle coupons, brochures, and privacy notices;
  • documents submission: the NPC may require the submission of documents and additional information after a privacy sweep to, among others, clarify certain findings from the initial stage; and
  • on-site visit: the NPC may, if there are persistent or substantial findings of non-compliance with the Act and its related issuances, conduct on-site visits. 

Companies, including financial institutions, may be subject to compliance checks under the following considerations:

  • level of risk to the rights and freedoms of data subjects posed by the personal data processing of a company;
  • reports received by the NPC against the company, or its sector/industry;
  • non-registration of a company that is subject to the mandatory registration requirement as provided under NPC Circular 17-01;
  • unsecured or publicly available personal data found on the internet that may be traced to a company; and
  • other considerations that indicate non-compliance with the Act or the issuances of the NPC.

BSP

The BSP may impose monetary and non-monetary sanctions against BSFIs and/or its directors, officers, and/or employees for any violation of the provisions of its circulars relating to IT risk management.

Under the Banking Secrecy Law, any violation of its provisions may subject the offender upon conviction, to an imprisonment of not more than five years or a fine of not more than PHP 20,000 (approx. €340) or both.

AMLC

As for the AML Act, after due notice and hearing, the AMLC may, at its discretion, impose sanctions, including monetary penalties, warning, or reprimand, upon any covered person, its directors, officers, employees, or any other person for violation of the AML Act and the RIRRs, or for failure or refusal to comply with AMLC orders, resolutions, and other issuances. Such monetary penalties shall be in amounts as may be determined by the AMLC to be appropriate, which shall not be more than PHP 500,000 (approx. €8,620) per violation.

The imposition of administrative sanctions shall be without prejudice to the filing of criminal charges against the persons responsible for the violation.

11. Additional Areas of Interest

No further information.

Juan Paolo Fajardo, Partner
Fajardo Law Offices, Metro Manila
Arthur Anthony S Alicer, Partner
Fajardo Law Offices, Metro Manila