Fintech 2024 Comparisons

Last Updated March 21, 2024

Law and Practice

Authors



Gorriceta Africa Cauton & Saavedra is a top-tier, full-service law firm and is a leader in technology law practice in the Philippines, including in the fields of capital markets, corporate law, data privacy and cybersecurity, M&A, real estate and taxation. The firm has received awards over several years by prestigious organisations for its work in the technology and telecommunications space.

Over the past year, the Philippine Central Bank (Bangko Sentral ng Pilipinas – BSP) and the Securities and Exchange Commission (SEC) strengthened regulations on the key fintech verticals in the Philippines: specifically, digital banking and money service businesses (electronic money issuers (EMIs); remittance agents (RAs)) for BSP-regulated institutions, and investment advisers, lending, and financing companies for SEC-regulated institutions.

Notably, BSP Circular 1166 or the Amended EMI regulations formally recognised the distinction between closed and open-loop electronic money systems, created a tiered-capital requirement for small-scale and large-scale EMIs, and enhanced requirements on minimum systems and controls, consumer protection, disclosure requirements, interoperability with Automated Clearing Houses, and liquidity for EMIs. Given the growth of EMI adoption in the Philippines – far outpacing that of digital banks – BSP also issued the Amendments on Customer Due Diligence (CDD) and electronic Know-Your-Customer (eKYC) under BSP Circular 1170. Meanwhile, to further support open banking, the BSP, in partnership with key financial stakeholders, launched the Open Finance Sandbox as well as the Open Finance Pilot which explores API development and interoperability to enhance open banking services and the development of financial products and services.

Other notable forthcoming regulations from the BSP concern merchant acquirers. BSP’s Draft Regulatory Framework for Merchant Payment Acceptance Activities introduces a Merchant Acquisition Licence requirement for entities intending to handle merchant onboarding and payment processing, including fund transfers to merchant transaction accounts.

Strong emphasis by the lawmakers and regulators on financial consumer protection has also been seen, with the enactment of the Financial Products and Services Consumer Protection Act (FCPA), which was immediately followed by the BSP and SEC’s own respective implementing regulations to the FCPA, institutionalising rights of financial consumers as well as mandating Financial Service Providers (FSPs) to conduct a gap assessment analysis and develop a board-approved action plan in compliance with the FCPA, for submission to the BSP/SEC, which shall be subject to ongoing compliance requirements. Pursuant to the SEC’s Implementing Rules and Regulations to the FCPA, a broader category of investment advisers is also now required to register with the SEC.

The SEC also released draft circulars on its much-anticipated Guidelines on the Registration and Licensing of Online Lending Platforms (OLP) as well as the Digital Asset Securities Service Providers (DASSP). OLPs are essentially the electronic platforms of lending and financing companies for customer onboarding, loan origination, and underwriting – the registration of which is currently suspended by the SEC, subject to the finalisation of the OLP Guidelines. Meanwhile, the Draft DASSP Guidelines appear to be the enhanced and consolidated Draft Guidelines on Digital Asset Offerings and Digital Asset Exchanges (DAEs) – regulations which have been weathered and reformulated to account for the lessons brought about by market-shaping cryptocurrency events, particularly the collapses of notable global players like FTX, Voyager, and Celsius. As an example of the SEC’s tightening regulatory oversight and enforcement of unlicensed crypto-exchange/trading activities, it has also issued an advisory seeking to ban Philippine-based users’ access to the world’s largest crypto exchange, Binance, and has sought heavy regulatory enforcement by requesting the National Telecommunications Commission’s (NTC’s) assistance in blocking certain unlicensed offshore investment platforms (ie, MiTrade) from the Philippine webspace.

Lastly, both new and incumbent fintech players have actively sought regulatory sandbox licences and exemptions from the BSP and SEC through their respective regulatory frameworks, albeit SEC’s Regulatory Framework is still within the drafting and finalisation stage.

Payments, e-wallets, remittance, and lending/financing activities are the fintech verticals that currently predominate in the Philippine jurisdiction, both for new and for legacy players. Although supposedly more accessible due to their end-to-end digital nature, digital banks and digital banking in general are still struggling to penetrate and onboard the underbanked and unbanked segments of the population given a combination of infrastructure and cultural factors: specifically, the lagging public adoption of the National ID system, which is supposed to accelerate creation of digital banking accounts through eKYC, as well as the preference of retail clients to establish bank accounts through physical channels/interactions – a gap which digital banks are currently trying to bridge through physical-digital or “phygital” solutions (ie, digital bank onboarding kiosks at actual retail establishments).

The dominance of payments, e-wallets, remittance, and lending/financing activities underscores the market’s adoption of fintech verticals that facilitate economic transactions for goods and services (ie, e-commerce, sending/receiving funds for payments). Predictably, this also led BSP and SEC, as regulators of such financial activities, to further revisit and enhance regulations surrounding Operators of Payments Systems (OPS), merchant acquirers, EMIs, and lending/financing companies with respect to their OLPs.

While lower in market share, other fintech verticals relating to blockchain/cryptocurrency, insurtech, wealthtech, and digital banking are also gaining steady traction.

The regulatory regimes applicable to industry participants of the main verticals (payments, e-wallets, remittance, and lending/financing activities) are driven by both the BSP and SEC. While previously, the BSP has adopted a test-and-learn approach and the SEC has erred on a more conservative approach, the accelerated innovations and market developments brought about by the past five years, particularly during the pandemic, allowed both regulators to segment and identify regulatory areas demanding strict and more traditional regulatory enforcement, such as financial consumer protection, IT risk management, and AML/CFT compliance, while recognising the need to further enable and encourage a test-and-learn approach for innovative technologies (ie, Artificial Intelligence, Robotic Process Automation) through the existing regulatory sandbox frameworks.

To evidence this, the SEC has created the Philippine Finance & Technology (PhiliFinTech) Innovation Office while the BSP has constituted its own Technical Working Group to implement their respective Regulatory Sandbox Frameworks.

The SEC, in particular, regulates fintech platforms involved in lending, financing, crowdfunding, broker-dealer, and securities trading activities in general. As above-mentioned, the SEC is also seeking to regulate DASSP activities as well as strengthen its existing regulations and licensing requirements on OLPs of financing/lending companies.

Meanwhile, the BSP regulates most of the key fintech verticals involving digital banks, money service businesses (VASPs, EMIs, RPPs, RAs, MC/FXDs), electronic payment and financial services (EPFS) providers, OPS, and merchant acquirers.

Existing laws and regulations do not prescribe a compensation model to be used by industry participants for their customers. As such, this is chiefly driven by market practice and competition. However, with respect to disclosure requirements and responsible pricing, the FCPA and the FCPA IRRs of the BSP and the SEC require FSPs to use clear and concise language to ensure that all information concerning the financial product or service is understood by the target clients, which includes updated and accurate disclosure of information on pricing or any cost associated with the product or service.

The FCPA provides that FSPs are legally responsible for all marketing/advertising statements relative to their financial products or services. FSPs must also have internal policies and procedures for setting prices for their products and services that take into consideration, among others, the principle of responsible pricing.

Legacy players and non-legacy/emerging fintech players for the main verticals are typically subject to the same key banking and securities laws and regulations, such as the New Central Bank Act, as amended, and Manual for Regulation of Banks (MORB)/Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) for BSP-regulated financial institutions and the Securities Regulation Code (SRC)/Lending Company Regulation Act (LCRA)/Financing Company Act (FCA)/Investment Company Act (ICA) for the SEC-regulated financial institutions.

From these key laws/regulations, the BSP and SEC have issued (or are in the process of issuing) fintech vertical-specific regulations, as needed, to create a specialised regime suitable for such verticals and in recognition that certain entities cannot be assessed with the same prudential requirements applicable to legacy players (ie, specialised regimes apply for EMI, VASP, DASSP, OPS, merchant acquiring, EPFS, crowdfunding, OLP, etc). Notably, for non-bank institutions, and given the consumer protection concerns particularly for e-wallets and crypto-institutions, the BSP and SEC have required 1:1 liquidity/reserve for EMIs, VASPs, and DASSPs to be maintained and segregated from such institution’s operational funds – ensuring that fund redemptions of consumers can be met at all times. For AML/CFT compliance, VASPs are also generally required to obtain and verify certain transactional information as part of the Travel Rule requirement for all virtual asset transfers, if they are acting as an originating or beneficiary institution.

In the Philippines, relevant government agencies each have their own regulatory sandbox framework. This includes the following.

Bangko Sentral ng Pilipinas (BSP) Regulatory Sandbox Framework

The BSP Regulatory Sandbox Framework applies to all BSP-Supervised Financial Institutions (BSFIs), third-party service providers of BSFIs, other BSP-registered institutions, and all other entities that intend to offer or use an emerging or new technology to deliver financial products or services that could fall under the jurisdiction of the agency. Each applicant must undergo a four-stage process which includes: application, evaluation, testing, and exit stage. Relative to other sandbox frameworks, the BSP has a more open approach by essentially allowing any entity to apply provided it falls under its regulatory purview.

Securities and Exchange Commission (SEC) Draft Sandbox Regulatory Framework

In October 2023, the SEC issued its draft regulatory sandbox framework, which will allow interested applicants to test innovative financial products and services within a live controlled environment. The regulatory sandbox shall have four stages: application, evaluation, testing, and exit stage. Unlike the BSP sandbox framework, which allows application by any interested player, the SEC adopts a more conservative approach by providing a comprehensive list of eligible activities and innovations that are allowed to enter and operate within the regulatory sandbox.

As of the date of writing, the SEC has not yet issued an official sandbox regulatory framework.

Insurance Commission (IC)

The IC has issued various guidelines on the adoption of a regulatory sandbox framework. These include the following.

Regulatory sandbox framework for insurance technology (insurtech) innovations

The regulatory sandbox framework allows licensed insurance providers to test technical innovations in the conduct of insurance business. The framework may also allow participation of entities which are not regulated by the IC but whose collaboration will require the performance of acts that will result in business or transactions that will require licensing, regulation or approval by the IC, provided that the entity complies with existing regulations of the IC.

Regulatory sandbox framework for financial technology (fintech) innovations for health maintenance organisations (HMOs) and pre-need companies

The IC subsequently issued guidelines on the adoption of the regulatory sandbox framework for fintech innovations for HMOs and pre-need companies. The same guidelines adopted by the IC for insurtech entities shall be applied.

Regulatory sandbox framework for innovations in the insurance, HMOs and pre-need industries

In its aim to facilitate further development and innovation, the IC issued guidelines on the regulatory sandbox framework which applies to a licensed insurance provider, HMO, pre-need company, insurance or reinsurance broker, adjuster, mutual benefit association, or any other entity regulated by the IC which intends to offer innovative products, services, business models and other mechanisms not included or covered in the above-mentioned IC guidelines.

The regulators of the main fintech verticals/industries in the Philippines are the SEC and the BSP.

The SEC is the primary regulator of corporations in the Philippines. Aside from this, the SEC regulates fintech entities involved in lending, financing, crowdfunding, broker-dealer, and securities trading activities in general. Moreover, the SEC also seeks to regulate activities involving digital assets with its issuance of the Draft DASSP Guidelines.

Meanwhile, BSP exercises jurisdiction over all forms of banks in the Philippines (ie, universal, digital, commercial, thrift, rural banks), and non-bank financial institutions – ie, quasi-banks, money service businesses (such as EMIs, VASPs, Remittance Agents, Money Changer/Foreign Exchange Dealers), OPS, and merchant acquirers.

As an aside, with respect to insurtech or related activities, these shall fall under the regulatory purview of the IC. With respect to e-commerce activities and private express and/or messenger delivery service (PEMEDES), this is within the regulatory purview of the Department of Information and Communications Technology (DICT).

Regulatory agencies allow outsourcing of certain functions to third-party service providers, and which functions are outsourced is at the discretion of the outsourcing entity, save for certain regulatory exceptions.

BSFIs are prohibited from outsourcing inherent functions such as AML/CFT oversight and internal audit. Material outsourcing arrangements also generally require BSP approval. Vendors of BSFIs are required to pass the minimum controls/due diligence checks on key risk areas related to outsourcing, such as security and privacy, data ownership/location/retrieval, and business continuity planning. Mandatory contractual requirements involve, at the minimum, the vendor’s business continuity plan, due diligence/periodic service performance assessment, and independent audit/review. Insofar as data ownership/location/retrieval is concerned, at a minimum, the contract should contain the following provisions:

  • the BSFI retains exclusive ownership over all of its data;
  • the vendor acquires no rights whatsoever to use the BSFI’s data for its own purpose or for any purpose other than what is required based on the scope of service; and
  • the vendor does not have the right to prevent the duly authorised access of BSFI to its own data. For these provisions to work as intended, the terms of data ownership must not be subject to unilateral amendment by the vendor.

The SEC has fairly limited regulations with respect to outsourcing of functions. In 2014, the SEC issued SEC Memorandum Circular No 5, Series of 2023, which provides for guidelines on outsourcing of functions of broker dealers. Pursuant to the circular, broker dealers may only outsource back-office functions and cannot outsource material activities and any other activity which involves any interaction or direct contact with clients related to buying and/or selling securities or solicitation of investments in securities.

With respect to lending/financing companies, the FCPA provides that the lending/financing companies are solely liable for the acts of their vendors/third-party collecting agents (ie, in the event of an unfair lending practice).

Both the BSP and the SEC enforce strict liability for fintechs with respect to funds and assets in their regulated fintech players’ platforms, notwithstanding that custodial functions of such funds/assets may be outsourced. Other activities warrant regulatory oversight and enforcement depending on their impact on such funds/assets (ie, in the event of cybercrimes) and the system integrity/business continuity of such platforms.

With respect to e-commerce activities, the recently enacted Internet Transactions Act imposes the following responsibilities for e-marketplaces or digital platforms:

  • clearly identify e-commerce transactions, persons, and promotional offers on their platform;
  • require online merchants to submit essential information;
  • maintain and regularly update a list of online merchants;
  • comply with data privacy laws/regulations and information security standards to be set by the Bureau, NPC, and other issuances of relevant government agencies;
  • prohibit the sale of regulated goods without the necessary permits and licence information, and contractually obligate compliance with relevant sale procedures and limitations;
  • establish an effective redress mechanism for online consumers and merchants;
  • require all online merchants to comply with product disclosure requirements; and
  • exercise ordinary diligence in performing the above obligations.

The BSP, in the performance of its supervisory powers over BSP-Supervised Institutions (BSIs), is equipped with enforcement tools or actions which it can exercise to ensure that licensed entities are and remain qualified to possess the same. Enforcement actions that may be imposed include, but are not limited to the following.

  • Corrective action or measures intended to primarily require BSIs to rectify any deviations from the standards, principles and conditions expected for the exercise of their respective licence and/or authority. Corrective actions may include issuance of directives and warnings.
  • The BSP may also impose sanctions such as (i) suspension of activities; (ii) revocation of licences; (iii) administrative sanctions on responsible directors/officers who approve relevant transactions; or (iv) monetary penalties in certain cases.

Recently, it has issued cancellations of the Certificates of Registration of two VASPs: Coinville Phils., Inc. and Bexpress, Inc. It has also issued an extension on the moratorium for the entry of new non-bank EMIs for another year, or until 15 December 2024, subject to the exceptions under the Regulatory Sandbox Framework for entities that offer strong value propositions to provide e-money services.

With respect to the SEC, the agency has authority to issue Cease and Desist Orders to prevent fraud and injury to the investing public, as well as to impose administrative sanctions over non-compliant licensed entities. The SEC has authority to suspend or revoke registrations or licences, impose fines, and impose administrative sanctions on relevant officers, directors, or persons performing similar functions.

Recently, the SEC issued an advisory banning Binance from Philippine access, which was supposedly implemented by the end of February 2024 but, as of the date of writing, was reportedly stalled subject to further evaluation from the SEC, taking into consideration all the possible ramifications of such ban, including implications to Filipino customers’ funds. The SEC also regularly issues advisories and notices to the public against unregistered offshore exchanges.

Philippine data privacy regulations are primarily embodied in the Philippines’ Data Privacy Act of 2012, its implementing rules and regulations, and pertinent issuances by the National Privacy Commission (NPC). For fintech industry participants, the applications of these regulations will require the following key obligations, at the minimum:

  • compliance with the general principles of legitimate purpose, proportionality and transparency in data processing, including consent and/or notification requirements;
  • the incorporation of mandatory provisions in agreements involving the outsourcing of collection, processing, sharing, retention or other related activities in respect of personal data; and
  • compliance with obligations imposed under Philippine data privacy laws on entities classified as personal information processors, including data breach notification obligations and registration with the NPC under certain conditions.

For cybersecurity, the SEC provides a standardised disclosure regarding cybersecurity risk management, strategy, governance and incidents by public companies that are subject to the reporting requirements of the Exchange. BSP provides policies and regulations to its supervised institutions on a risk-based approach to cybersecurity management.

For social media content, BSP provides guidelines on social media risk management which shall govern the BSFI’s framework to aid in the sound management of risks associated with the use of social media for official purposes or an employee’s personal use, within and outside the organisation.

For software development, BSP’s Open Finance Oversight Committee (OFOC) leads governance matters and regulates the development of application programming interface (API) standards, which includes tiered implementation by sensitivity, data type and data holder type.

Besides the regulators, the following bodies and self-regulatory organisations review the activities of industry participants:

  • the Philippine Stock Exchange (PSE) – the country’s national stock exchange that operates and regulates the Philippine stock market and its trading participants. The PSE is subject to the regulation and supervision of the SEC;
  • the Philippine Payments Management Inc. (PPMI) – manages the conduct and compliance of bank and non-bank EMI members and their participation with automated clearing houses. PPMI promotes the development of the retail payment systems, and establishes payment system rules, agreements, and standards to ensure that payment transactions are safely and efficiently cleared and settled with finality. The PPMI is subject to the regulation and supervision of the BSP; and
  • the Open Finance Oversight Committee (OFOC) – governs activities and participants of the Philippine Open Finance Ecosystem. The OFOC is subject to the regulation and supervision of the BSP.

Absent a clear prohibition, unregulated products and services can be offered in the Philippines subject to the confirmation or letter of no objection by a potentially relevant regulator over such an activity. For instance, robo-advisory services, while not subject to present regulations, may fall under investment adviser activities, and hence, may be subject to the rules and regulations of the SEC. Thus, a conservative approach is to secure regulatory confirmation or letter of no objection with respect to a particular unregulated product or service before offering the same in the Philippines. Subject to the regulator’s response, these can be generally offered alongside the same legal entity if it is an extension of such legal entity’s existing business model (which can be covered by the primary or secondary purpose of a corporation’s articles of incorporation).

Fintech companies falling under Covered Persons (which are all institutions issued with a licence or registration by the BSP and SEC) must demonstrate the capacity to create and implement AML/CFT compliance as early as the licensing stage, and must regularly comply with AML/CFT monitoring, audit, and reporting requirements with the BSP/SEC, in addition to the Anti-Money Laundering Council’s (AMLC’s) primary jurisdiction over AML/CFT-related compliance. This impacts scalability of operations and resources, which is met by regulated fintech entities’ development of electronic KYC, verification, monitoring/screening, reporting, and fraud controls on par with industry standards.

For unregulated fintech entities, these vary depending on their need to avail of or integrate with the services/facilities of Covered Persons, as well as the regulators’ determination on whether they themselves must comply with AML/CFT requirements. For instance, entities applying under regulatory sandbox frameworks of the BSP/SEC are required to perform AML/CFT gap assessments and create AML/CFT policies and controls. Those that are ultimately not subject to any regulation, even with the regulatory sandbox frameworks, must still comply with the Know-Your-Business (KYB) due diligence and verification of Covered Persons (ie, if they avail of corporate bank accounts). All corporate entities in the Philippines, by the SEC’s mandate, are also required to timely disclose their ultimate beneficial owners (individuals).

There are currently no Philippine laws or regulations governing the delivery of financial advisory services through AI-based or algorithm-based robo-advisory platforms.

However, the FCPA and the SEC FCPA IRR may broadly capture a robo-advisory platform under the registration requirement for an investment adviser. As defined under the SEC FCPA IRR, an investment adviser shall refer to any person who, for compensation, engages in the business of advising others (whether electronically or in any other form) in investing, purchasing, selling, or analysing investment products.

Legacy players generally internally develop and/or avail of robo-advisory solutions for their own investment/trading activities, but these technologies have not yet been deployed to the retail market. However, please refer to our response in 3.1 Requirements for Different Business Models regarding investment advisers under the FCPA.

As provided under the SRC, the Best Execution Rule provides that “in any transaction for or with a customer, a broker-dealer shall use reasonable diligence to ascertain the best market for the subject security and buy and sell in such market so that the result to the customer is as favourable as possible under the prevailing market conditions”. Factors to be considered in determining whether reasonable diligence has been exercised include the price, the promptness of execution of the order, the size of the transaction, available markets, the settlement cycle and attendant transaction costs.

Under the PSE’s revised Trading Rules, in every transaction, the Best Execution Rule provides that a Trading Participant shall use reasonable diligence to ascertain the best available price for the security so that the resultant price to the client is as favourable as possible under the prevailing market conditions.

Under the Draft DASSP Rules, DASSPs shall exercise reasonable diligence to execute each client order to buy or sell one or more Digital Asset Securities that it receives so as to obtain the most favourable price for the client under the prevailing market conditions, provided that due consideration is also given to costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order to ensure the best possible result for the client.

Industry practice and the speed and reliability of market information dissemination largely affect compliance with the Best Execution Rule.

Individuals and businesses can avail of loans from both BSP and SEC-regulated institutions, specifically: banks, quasi-banks, lending companies, financing companies, and crowdfunding platforms. They are governed by the following laws and regulations:

  • for lending companies – Republic Act No 9474 or the Lending Company Regulation Act (LCRA), its Implementing Rules and Regulations (IRR), and the issuances of the SEC;
  • for financing companies – Republic Act No 8556 or the Financing Company Act (FCA), its IRR, and the issuances of the SEC;
  • for crowdfunding platforms – SEC Memorandum Circular No 14, Series of 2019 Rules and Regulations Governing Crowdfunding (CF);
  • for banks and non-banks – Republic Act No 7653 or the New Central Bank Act, as amended, BSP’s MORB and MORNBFI, and the issuances of the BSP; and
  • for all lending/financing institutions – Republic Act No 3765 or the Truth in Lending Act, as well as the FCPA.

In terms of granting loans to the public, BSP and SEC are generally uniform as to the AML/CFT components (customer due diligence, risk profiling, transactions monitoring), the financial consumer protection aspects (customer information forms, disclosure statements, and transparency requirements), and loan origination/underwriting processes.

In terms of sourcing of funds for such lending business, for lending and financing companies, the LCRA and the FCA allow funds to be sourced via equity or loan financing from not more than 19 persons in a calendar year. For crowdfunding platforms, the SEC’s Crowdfunding Rules enable equity-based and lending-based funding by registered persons such as brokers, investment houses, funding portals, and issuers and investors who participate in a crowdfunding platform.

The underwriting process used by industry participants is directed by both regulations and industry practice.

At the minimum, SEC and BSP lending institutions are required by AML/CFT laws and regulations to conduct customer due diligence, with an embedded risk-based approach through written and graduated customer acceptance and identification policies and procedures which shall help determine the risk levels of each potential customer. Thereafter, institutions also tap into local credit bureaus duly authorised by the Credit Information Corporation to factor in credit scores of individuals and business as part of the loan underwriting process.

For lending and financing companies, under the LCRA and the FCA, the sources of funds for loans should be from loan or equity investments from not more than 19 persons in a given calendar year – this is the 19-lender rule. Any additional investor beyond the 19-lender rule would categorise the investment activity as a public sale of securities, which will fall under the registration requirement of the Philippine Securities Regulation Code (SRC) and its IRR.

In the case of crowdfunding, the SEC’s Crowdfunding Rules enable the offer or sale of securities of a limited scale, usually for start-ups, micro, small and medium enterprises (MSMEs) through a crowdfunding platform. Crowdfunding participants are limited to qualified investors (ie, banks, investment houses, insurance companies, pension funds, investment companies, and other qualified high net worth investors).

For loans from banks and quasi-banks, these can be sourced from the public, subject to the appropriate MORB/MORNBFI regulations for deposits and deposit-substitutes.

Syndications of loans are typically commercial undertakings by lending and financing institutions.

However, insofar as banks and quasi-banks are concerned, the MORB and the MORNBFI prohibit the sale or assignment of loans, such as via syndications, on a without-recourse basis, unless such loans or debt instruments are government securities or are registered with the SEC.

Moreover, when participating in loan syndications, a bank or quasi-bank should not place undue reliance on the credit analysis done by the lead underwriter and shall perform its own analysis and review of syndicate terms. It shall analyse the risk and return on syndicated loans in the same manner as directly sourced loans and ensure that the loan is consistent with its credit risk strategy.

As an aside, BSP’s implementing guidelines on the Agri-Agra Reform Credit Act of 2009 allow banks to grant a syndicated type of loan for agrarian reform credit/agricultural credit in general, either between or among themselves. The mechanics, including the recording of such syndicated type of loan transactions, shall follow existing practices and regulations applicable both to the lead bank and other participating banks.

Payment processors may use existing payment rails or create/implement new ones. However, by industry practice, payment processors generally participate with the following widely-used Automated Clearing Houses (ACHs):

  • Philippine Electronic Fund Transfer (EFT) System and Operations Network (PESONet) for batch EFT credit payment scheme; and
  • InstaPay for real-time own-value EFT credit push payments,

either directly, if they are participating banks or non-bank EMIs (which are qualified for PPMI membership, being a pre-requisite for participation with Automated Clearing Houses (ACHs)) or indirectly by partnering with such participating banks or non-bank EMIs and being sponsored into ACHs via an aggregated model.

Cross-border payments are regulated under the National Payment Systems Act and the implementing regulations of the BSP, such as BSP Circular 1049 or the OPS Regulations. For remittances, these are covered by both the MORB and the MORNBFI for remittances of banks and non-bank money service businesses (ie, remittance agents).

Under BSP’s Memorandum No M-2023-042, it is worth noting BSP’s clarification that under existing regulations, as a general rule, all virtual asset transfers are considered cross-border wire transfers subject to the Travel Rule requirement.

BSP’s Manual of Regulations for Foreign Exchange Transactions (MORFXT) also governs remittances involving foreign exchange and prescribes supporting documentation and transactional thresholds depending on the underlying purpose of the foreign exchange and cross-border remittance transactions (generally categorised as either trade or non-trade activities).

Fund administrators (or the equivalent) are regulated depending on their activities, as follows.

  • Investment managers of a trust entity (whether by a bank or an NBFI through its specifically designated trust business unit) or a trust corporation authorised by the BSP, are regulated by the MORB/MORNBFI for the performance of investment management activities in a trust business. A trust business is defined as any activity resulting from a trustor-trustee relationship (trusteeship) involving the appointment of a trustee by a trustor for the administration, holding, management of funds and/or properties of the trustor by the trustee for the use, benefit or advantage of the trustor or of others called beneficiaries.
  • Investment Managers of Personal Equity and Retirement Account (PERA) Market Participants and PERA Investment Products are also regulated by the BSP pursuant to Republic Act No 9505, also known as the PERA Act of 2008 (PERA Act).
  • Fund Managers of an Investment Company are regulated under the Investment Company Act and its IRR. Fund Managers, aside from managing a fund, also function as a distributor of the shares or units of the investment company.

For BSP-regulated investment managers, the MORB/MORNBFI prescribes operating and accounting methodology for investment management activities, to wit:

  • the investment manager shall administer, hold, or manage the fund or property in accordance with the instrument creating the investment management relationship; and
  • funds or property of each client shall be accounted separately and distinctly from those of other clients herein referred to as individual account accounting.

For fund managers of investment companies, the Investment Company Act IRR, prescribes the following obligations:

  • manage the investment assets of the investment company and perform its functions in accordance with the disclosures in the RS, prospectus, its agreements with the investors of the investment company, if any, the Act, the SRC and its IRR and the Rules;
  • keep or cause to be kept such books and records as will sufficiently explain the transactions and dispositions of the assets of the investment company, including the shares/units cost allocation; and
  • maintain records and arrange for participants to receive accounts, reports and statements, among others.

As at the date of writing, trading platforms or exchanges are generally governed by the provisions of the SRC and the issuances of the SEC. An Exchange refers to an organised marketplace or facility that brings together buyers and sellers, and executes trades of securities and/or commodities. An exchange facilitates trading of securities (ie, shares, investment contracts, derivatives). In addition, the SRC also allows the registration and licensing of innovative and other trading markets or exchanges covering trading of innovative securities, securities of small, medium growth and venture enterprises, and technology-based ventures.

The SEC, in 2019, has also issued Draft Rules on the Digital Asset Exchange (DAE). The Draft Rules define DAE as an organised marketplace or facility that brings together buyers and sellers, and executes trades of securities. This includes buying/selling digital assets with fiat (fiat/digital asset pairing) as well as buying/selling digital assets with other digital assets (digital asset/digital asset pairing). They can be viewed as an online marketplace for the entire Digital Asset network.

As a recent development to the DAE Rules, the SEC circulated the Draft DASSP Rules which provide for guidelines on regulation of Digital Asset Securities (DAS) Activities. DAS activities include:

  • advisory services;
  • broker-dealer services;
  • custody services;
  • exchange services;
  • lending and borrowing services;
  • DAS management and investment services; and
  • DAS transfer and settlement services. 

The registration, trading and regulation of securities, as defined under the SRC, fall under the regulatory purview of the SEC. Cryptocurrencies being classified as securities pursuant to the Draft DASSP Rules will also be generally subject to the SEC’s registration requirement.

By way of exception, the trading of commodity futures contracts is presently suspended by the SEC.

VASPs, formerly Virtual Currency Exchanges (VCEs), have been regulated by the BSP since 2017 through BSP Circular 944, which was later amended by BSP Circular 1108 in 2021.

Through BSP Memorandum No M-2022-035, BSP has suspended the licensing and registration of new non-bank VASPs for three years or until 1 September 2025. Meanwhile, existing BSFIs who wish to expand operations by offering VASP services, including non-custodial VASPs who wish to offer safekeeping and/or custodial services, may still apply for a VASP licence provided that they have a SAFr composite rating of at least “stable”.

Under the forthcoming DASSP Rules, Exchange Services for cryptocurrencies qualifying under the SRC’s definition of a security will also be subject to registration and regulation requirements.

An Exchange as defined under the SRC, as a Self-Regulatory Organisation (SRO) and subject to SEC approval, can promulgate and enforce its own listing and trading rules for its members and/or participants. By industry practice, listing standards of the PSE as reflected under its Amended Listing Rules generally entail the following criteria:

  • track record of profitable operations;
  • stockholders’ equity;
  • operating history;
  • full payment of issued and outstanding shares;
  • business plan;
  • valuation of Assets;
  • minimum offering to the public;
  • minimum number of stockholders;
  • investor relations programme; and
  • reason for exemption from the track record and operating history requirements, if applicable.

Meanwhile, under the Draft DASSP Rules, an entity seeking to obtain approval from the SEC to issue and/or list Digital Asset Securities will be required to provide all relevant information which may include but is not limited to the following:

  • the purpose and/or use of the Digital Asset Security;
  • the nature of the business and/or activities for which the Digital Asset Security will be used;
  • the white paper;
  • the identity, full details and, if applicable, ownership of the issuer, including a description of its experience and whether it, or its relevant individuals, have been the subject of any claims in the past ten years involving dishonesty, fraud, financial crime or an offence under laws relating to companies, banking, insolvency, money laundering and insider dealing;
  • the financing of the issuer’s business (including financial statements, if any); and
  • whether issuing the Digital Asset Security will be the basis for funding any business or other venture, among others.

There are currently no regulations on the order handling rules in trading platforms in the Philippines. However, part of an Exchange’s obligation, pursuant to the SRC IRR, is to provide transparent, prompt and accurate clearance and settlement of transactions effected on the Exchange.

There are currently no regulations on the conduct of peer-to-peer trading platforms in the Philippines. Decentralised exchanges enabling peer-to-peer trading are currently unregulated in the Philippines. In the absence of clear regulations, the SRC and the SRC IRR apply.

Decentralised trading activities by Decentralised Autonomous Organisations (DAOs) may be prospectively regulated under the Draft DASSP Rules.

Please refer to 3.3 Issues Relating to Best Execution of Customer Trades.

There are no regulations specifically governing the procedures relating to payment for order flow. However, any arrangements of broker-dealers, associated persons and a salesman of a broker-dealer involving payment for order flow will need to comply, to the extent applicable, with the Best Execution Rule.

Under the Draft DASSP Rules, DASSPs are mandated to have systems, policies and procedures to provide for fair and expeditious execution of client orders, and restrictions on front-running client orders. Orders should be handled promptly and accurately recorded. The systems, policies and procedures should be aligned with existing relevant securities and other regulations (eg, requirements with respect to precedence of client orders and prohibition of front-running). DASSPs are likewise required to comply with the Best Execution Rule.

The SRC prohibits and punishes devices and practices that lead to manipulation of security prices, such as those that:

  • create a false or misleading appearance of active trading in any listed security traded in an Exchange or any other trading market;
  • effect a series of transactions in securities that: (i) raises the price to induce the purchase of a security; (ii) depresses the price to induce the sale of a security; or (iii) creates active trading to induce such a purchase or sale through manipulative devices such as marking the close, painting the tape, squeezing the float, hype and dump, boiler room operations and such other similar devices;
  • circulate or disseminate information that the price of any security listed in an Exchange will or is likely to rise or fall because of manipulative market operations;
  • make false or misleading statements with respect to any material fact, for the purpose of inducing the purchase or sale of any security listed or traded in an Exchange; or
  • effect any series of transactions for the purchase and/or sale of any security traded in an Exchange for the purpose of pegging, fixing or stabilising the price of such security, unless otherwise allowed by the SRC and/or the SEC.

The Capital Markets Integrity Corporation (CMIC) is in charge of maintaining market integrity and minimising risk by ensuring that trading participants comply with the rules and code of conduct of CMIC and all related legislative and regulatory requirements.

Aside from the above-prohibited acts, the CMIC Rules also explicitly prohibit trading participants from engaging in bribery, market rumours, and gambling.

As at the date of writing, there are no regulations yet for the creation and/or use of high-frequency and algorithmic trading in the Philippines.

However, in September 2023, the Philippine Stock Exchange, as the only operating stock exchange in the Philippines, issued proposed amendments to its Revised Trading Rules to allow the use of algorithmic trading within the Exchange.

See 8.1 Creation and Usage Regulations.

See 8.1 Creation and Usage Regulations.

See 8.1 Creation and Usage Regulations.

There are currently no Philippine regulations specifically governing DeFi. However, the Draft DASSP Rules may prospectively recognise DAOs as entities which can be subject to the registration and regulatory requirements, should they perform DAS activities in the Philippines.

Financial research platforms, per se, are not subject to any specific registration requirements. However, should they engage in analysing investment products for compensation (ie, by the investor, or a fund), they are subject to the registration and licensing requirement under the FCPA and the SEC FCPA for acting as an investment adviser.

The SRC regulates and prevents the dissemination of any fraudulent or misleading information designed to manipulate a stock price. This is further regulated and enforced by the PSE and the CMIC for their respective trading participants. Communications by securities professionals with the public must be based on the principles of fair dealing and good faith, and must provide a sound basis for evaluating facts regarding any particular security, industry or service offers.

The PSE also actively engages in the exploration of information through various means, including examination of newspapers and comprehensive online research. Additionally, PSE proactively communicates with companies, seeking verification and confirmation to ensure the accuracy and reliability of gathered information.

This is not applicable for Exchanges. Access to posting is restricted to the company or issuer, subject to the vetting of the PSE (and prospectively, by DASSPs). All disclosures must present concrete and factual information, avoiding any speculative details.

Furthermore, for listed companies in the PSE, the disclosure is required to be made within ten minutes from the occurrence of the event, ensuring prompt and accurate communications of events that have either taken place or are highly probable.

The Insurance Code of the Philippines provides for general guidelines in determining what may be insured. In general, the Insurance Code provides that “any contingent or unknown event, whether past or future, which may damnify a person having an insurable interest, or create a liability against him, may be insured against”.

With respect to underwriting, the Insurance Commission does not provide for specific guidelines or process to be followed by insurance participants. Insurance companies may provide specific standards in assessing risks associated with potential customers provided that these standards are not inconsistent with the provisions of the law and relevant regulations. Insurance Companies, as covered persons, are also mandated to conduct customer due diligence pursuant to the provisions of the AMLA.

However, with respect to insurance coverage on migrant workers, the Insurance Commission issued the Insurance Guidelines on Omnibus Rules and Regulations Implementing RA 8042 (The Migrant Workers and Overseas Filipinos Act of 1995). Pursuant to the Guidelines, insurance providers shall not distinguish the migrant workers based on occupation, sex, or place of work in underwriting an insurance policy.

The Insurance Commission does not provide for different rules or guidelines with respect to offering insurance products online.

In 2007, the Insurance Commission issued Circular Letter No 15-2007 which provides for guidelines on telemarketing, direct marketing, and selling insurance products through Short Message Sending (SMS) or texting. As per the Circular, insurance products may be sold via SMS, mail, publication by print, radio, or television, provided that the premium payable shall not exceed PHP50,000 for an annual premium or PHP150,000 for a single premium.

In 2020, due to the ongoing pandemic, the Insurance Commission issued two separate guidelines allowing the sale of life insurance products (Circular No 2020-29) and non-life insurance products (Circular No 2020-36) to the public by utilising information and communication technology or any other technology via remote communication (ie, teleconferencing, videoconferencing, computer conferencing, audioconferencing).

Finally, pursuant to Circular No 2020-109, the IC officially institutionalised the use of remote selling initiatives as a permanent mode of selling insurance products. Pursuant to the Circular, life and non-life insurance companies may utilise remote selling initiatives in the sale of their products regardless of the amount of premium payable on the policy, thus rendering the amount indicated in Circular No 15-2007 irrelevant.

There are no specific regulations for regtech providers in the Philippines. Should they become vendors of regulated institutions (ie, banks, lending/financing companies), the applicable outsourcing regulations of their client’s regulators (ie, SEC/BSP) shall apply to them.

Further to the response in 11.1 Regulation of Regtech Providers, for vendors of BSP and SEC regulated institutions, please refer to 2.7 Outsourcing of Regulated Functions.

As digitisation efforts in the financial sector in the Philippines remain strong, traditional players like banking institutions are exploring blockchain technology in enhancing their existing service offerings (ie, through the issuance of peso-denominated Tokenized Treasury Bonds). The BSP is also exploring the use of blockchain technology through the issuance of wholesale Central Bank Digital Currency (CBDC) under “Project Agila”. The BSP project has made significant strides in 2023 with the BSP selecting the Hyperledger Fabric as the distributed ledger technology (DLT) provider.

Digital Banks have also explored virtual asset service offerings through their own VASP Licences.

Despite the current stringent enforcement, the Philippines has remained a largely crypto-friendly jurisdiction by regulating and enabling VCEs/VASPs to operate since 2017 through BSP Circular No 944, as amended by BSP Circular No 1108. The SEC also issued the Draft DAO and DAE Rules in 2019 to govern digital asset offerings and digital asset exchange activities in the Philippines.

However, the volatility of the crypto-economy, as well as the collapse of large institutional players holding significant customer assets, have pushed back key regulations and led to VASP licence moratoriums.

Insofar as the BSP is concerned, it is actively auditing and monitoring licensed VASPs, and removing the licences of those which fail to pass its audit requirements and directives. The licences for VASPs are also expected to hold until 2025, which may be further extended depending on BSP’s market studies.

Meanwhile, the SEC has released the Draft DASSP Guidelines which introduced significant compliance requirements for investor protection and liquidity risk management, among others.

In the long term, the Philippines is expected to continue to embrace innovative technologies under a test-and-learn/sandbox regulatory approach. However, licensing and compliance will be stringent to preserve market integrity and liquidity for redemption of customer funds/assets.

There is no uniform definition and classification of blockchain assets in the Philippines.

Under BSP’s VASP regulations, virtual assets are defined as any type of digital unit that can be digitally traded or transferred, and can be used for payment or investment purposes. It can be defined as a “property”, “proceeds”, “funds”, “funds or other assets”, and other “corresponding value”. It is used as a medium of exchange or a form of digitally stored value created by agreement within the community of VA users. VAs shall be broadly construed to include digital units of exchange that (i) have a centralised repository or administrator; (ii) are decentralised and have no centralised repository or administrator; or (iii) may be created or obtained by computing or manufacturing effort. VAs are not issued nor guaranteed by any jurisdiction and do not have legal tender status.

Meanwhile, the SEC generally relies on the Howey Test to determine whether a blockchain asset falls under an investment contract (which is a type of security). The Howey Test requires that all of the four elements must be met in order to be classified as an investment contract:

  • investment of money;
  • common enterprise;
  • expectation of profits; and
  • derived primarily from the efforts of others.

The Draft DASSP Rules distinguish between digital asset securities (in general) and digital assets falling under a regulatory gap, which have separate registration requirements for their issuers.

The issuance of digital asset securities requires prior approval by the SEC, which includes the submission of all relevant information such as:

  • the purpose and/or use of the Digital Asset Security;
  • the nature of the business and/or activities for which the Digital Asset Security will be used;
  • the white paper;
  • the identity, full details and, if applicable, ownership of the issuer, including a description of its experience and whether it, or its relevant individuals, have been the subject of any claims in the past ten years involving dishonesty, fraud, financial crime or an offence under laws relating to companies, banking, insolvency, money laundering and insider dealing;
  • the financing of the issuer’s business (including financial statements, if any); and
  • whether the issuance of the Digital Asset Security will be the basis for funding any business or other venture.

Digital assets falling under a regulatory gap do not require prior SEC approval before being issued by an entity in the Philippines, but will remain subject to registration requirements. These types of assets include:

  • free and non-transferable digital assets;
  • non-redeemable and non-transferable digital assets; and
  • redeemable closed-loop and non-transferable digital assets.

Initial placement and distribution of digital asset securities must already be subject to a DASSP’s written controls to prevent, monitor, manage and disclose any conflicts of interest when placing such digital asset securities with their own clients.

The BSP regulates VASPs, which are only limited to conversion (fiat to crypto), custodian, and sending/receiving virtual asset activities.

Blockchain asset trading platforms are to be prospectively regulated by the DASSP Rules (once finalised). DAS Activities, as defined by the DASSP Rules, will broadly cover all secondary market trading of blockchain assets.

There are no specific regulations in the Philippines applicable to investment of funds in blockchain assets. These are subject to market practice as well as the traditional investment controls of securities and banking laws and regulations.

Please refer to 12.3 Classification of Blockchain Assets for the definition of virtual assets under BSP regulations vis-à-vis digital asset securities to be regulated by the SEC through the SRC and the prospective Draft DASSP Rules.

See 8.5 Decentralised Finance (DeFi).

NFTs are not presently explicitly regulated in the Philippines. However, depending on their particular attributes (ie, if used as payments, or meeting the Howey Test which identifies investment contracts), they can be subject to existing regulations (ie, VASPs or OPS regulations for NFTs used as a form of currency; or the SRC and the DASSP Rules, for those falling under investment contracts/securities).

While there are existing efforts from the government to support open finance in the Philippines, regulations regarding the matter are still fairly limited. In 2021, the BSP, in its aim to promote consent-driven data portability and interoperability among various financial institutions and third-party providers, issued Circular No 1122, which provides for guidelines for the adoption of an Open Finance Framework. In line with this, BSP has constituted the Open Finance Oversight Committee, a self-governing body, which shall exercise governance over the activities and participants of the Open Finance ecosystem.

Open Finance is still in the development phase in the Philippines, chiefly driven by the Open Finance Oversight Committee with its Open Finance Pilot, a collaborative undertaking of financial institutions to explore the use of Application Programming Interface (API) technologies in the delivery of financial products and services.

Given the resource and funding constraints for the development of APIs, innovative players operating screen-scraping or robotic process operations have offered interim solutions to bridge financial institutions without present API capabilities to participate in open banking systems.

However, screen-scraping technologies have been largely met with resistance by traditional players due to data privacy and cybersecurity concerns about access to their proprietary data without API integration, notwithstanding user-permissioned activities by screen-scraping providers. The National Privacy Commission has recently issued its Draft Guidelines on Data Scraping, which aims to address such concerns.

Meanwhile, the open finance initiative in the Philippines is already proceeding with the launch of the Open Finance API Sandbox, which is designed to accelerate the development and adoption of API capabilities amongst financial institutions.

The elements of fraud as it relates to financial services and fintech are defined by regulators differently, to wit:

  • under the FCPA and the SEC FCPA IRR, investment fraud entails the following:
    1. “ponzi schemes” and such other scheme involving the promise or offer of profits or returns which are sourced from the investments or contributions made by the investors themselves;
    2. boiler-room operations;
    3. the offering or selling of investment schemes to the public without a licence or permit from the SEC, unless such offering or selling involves exempt securities or are considered as exempt transactions as provided for under existing laws; or
    4. all other similar or analogous schemes; and
  • under BSP regulations, financial fraud is an act, expression, omission or concealment that deceives another to the fraudster’s advantage, and scams are fraudulent business schemes to mislead/swindle/victimise a person or persons with the goal of financial gain.

On the policy-side, the SEC is active in developing regulations for lending/financing companies, OLPs, DASSPs, as well as on the regulatory sandbox front. On the enforcement-side, the SEC, through its Enforcement and Investor Protection Department (EIPD), is highly active in regulating and issuing enforcement actions against investment scams and activities relating to unregistered issuance of securities or operation of exchanges. The SEC also actively monitors and issues enforcement actions against lending and financing companies for unfair lending practices.

On the policy-side, the BSP focuses on ramping up the public’s adoption of digital banks and banking services, digital/cashless payments (ie, e-wallets), introducing much-needed amendments on existing FX regulations, as well as expanding and defining the licensing and regulatory requirements for merchant acquirers. On the enforcement-side, BSP focuses on monitoring fraud prevention and mitigation compliance amongst BSFIs to protect funds/assets of BSFIs’ customers (ie, credit card fraud, identity theft, phishing and hacking).

Gorriceta Africa Cauton & Saavedra

15/F Strata 2000
F. Ortigas Jr. Road
Ortigas Center
Pasig City 1605
Philippines

+632 8696-0687

counselors@gorricetalaw.com www.gorricetalaw.com