THE Bangko Sentral ng Pilipinas (BSP) has ordered banks and payment firms to strengthen safeguards for QR-enabled payments and merchant accounts amid efforts to curb risks related to money laundering, fraud and illegal financial activities.
In Memorandum M-2026-017, the central bank said that BSP-supervised institutions (BSIs) must ensure that account onboarding, merchant monitoring and payment settlement arrangements remain “effective and commensurate with risk” amid the growing use of digital payments and QR-based transactions.
The BSP said the directive was issued in line with its mandate under Republic Act 11127 or the National Payment Systems Act (NPSA), which authorizes the central bank to safeguard the integrity, safety, security and reliability of the national payment system.
It also cited Republic Act 9160 or the Anti-Money Laundering Act (AMLA), which seeks to prevent the country from being used as a conduit for money laundering and other unlawful activities.
“BSP-supervised institutions (BSls) are enjoined to strictly ensure that their anti-money laundering and countering terrorism and proliferation financing (AML/CTPF) controls, including account onboarding controls and ongoing account monitoring, remain effective and commensurate with risk across all payment activities,” the central bank said.
The BSP said payment activities — including electronic fund transfers and retail payment services such as person-to-person, person-to-merchant and person-to-biller transactions conducted through branches, online platforms, mobile applications, QR-enabled systems and other channels — must be subject to robust monitoring and risk controls.
It stressed that account opening procedures, onboarding practices and continuous account monitoring were critical to ensuring that customer relationships remained consistent with declared purposes and were not misused for illicit activities.
“Integrity controls for payment activities should be underpinned by sound account opening, onboarding, and ongoing account monitoring practices,” the BSP said.
The memorandum also reinforced the responsibilities of financial institutions involved in merchant payment acceptance activities, particularly those working with payment aggregators and similar intermediaries.
Participation of payment aggregators in the payment chain does not transfer or diminish the AML obligations of banks and financial institutions providing settlement accounts, payment rails, or related services.
Payment aggregators, meanwhile, were reminded that they carry “independent and commensurate” AML responsibilities, including merchant due diligence, risk-based onboarding and monitoring, implementation of risk mitigation measures, and suspicious transaction reporting.
At the same time, the BSP said financial institutions remain primarily responsible for overseeing AML risks tied to settlement accounts and ensuring sufficient visibility over underlying merchants and related payment activities.
Among the measures expected from BSIs are maintaining access to sub-merchant information and transaction-level data, applying risk-based onboarding standards, and conducting periodic reviews that could lead to restrictions or termination of relationships involving high-risk or non-compliant sub-merchants.
The central bank likewise directed supervised institutions to ensure the proper use of merchant accounts and maintain clear distinctions between merchant accounts and personal accounts based on the nature and purpose of transactions.
BSIs were also instructed to strengthen ongoing merchant monitoring through periodic reviews of merchant profiles, account usage, and transaction behavior to determine whether activities remain aligned with expected business operations.
The BSP also raised concerns over “mule merchants” and the unauthorized use or misuse of QR codes, directing institutions to adopt risk-based measures to detect and prevent such activities.
In addition, the central bank reiterated existing guidelines requiring financial institutions participating in QR Ph and other QR-enabled payment services to prioritize the safety of both payers and payees by identifying, measuring, monitoring and controlling risks and vulnerabilities associated with QR transactions.
The BSP said institutions participating in QR-enabled payment services under the national QR Code Standard must implement customer and merchant due diligence, transaction monitoring, and other risk control measures consistent with existing regulations.
NIÑA MYKA PAULINE ARCEO
