Knowledge Base · BSP Compliance Definitions

Philippine Banking
Compliance Glossary

Authoritative definitions for every regulatory term, law, protocol, and standard used in BSP-supervised compliance operations — from BSP Circular 1213 to AFASA and post-quantum cryptography.

Laws & Circulars

The primary regulatory instruments governing BSP-supervised financial institutions in the Philippines, as mapped by the Fiduciary platform.

BSP Circular 1213
Bangko Sentral ng Pilipinas · Active regulation
BSP Circular 1213 is a Bangko Sentral ng Pilipinas (BSP) issuance establishing cybersecurity and compliance standards for all BSP-supervised financial institutions (BSFIs). It mandates nine specific obligations covering identity verification, customer due diligence (CDD), anti-money laundering (AML) screening, transaction risk assessment, data privacy consent, and court-admissible audit trail maintenance.

The Fiduciary API provides direct coverage for six of these nine obligations through compliant REST endpoints, with each response carrying an Post-quantum signature and a BSP-resolvable audit_id.
Bangko Sentral ng Pilipinas BSFIs 9 obligations KYC · AML · CDD View API coverage →
BSP Circular 1214
Bangko Sentral ng Pilipinas · AFASA implementing rule (s. 2025)
BSP Circular 1214 sets the rules of procedure for inquiry into financial accounts and the sharing of financial account information under AFASA (RA 12010). It governs how a supervised institution and the BSP investigate accounts linked to scam activity and coordinate with law-enforcement authorities.

Fiduciary's role here is evidentiary, not investigative. Every identity, consent, and transaction event is sealed as a post-quantum signed, hash-chained record, so the audit trail an inquiry depends on is admissible and tamper-evident from the moment it is created.
RA 12010 · AFASA Account inquiry Information sharing
BSP Circular 1215
Bangko Sentral ng Pilipinas · AFASA §§7–11 (s. 2025)
BSP Circular 1215 implements AFASA §§7–11: the temporary holding of funds subject of disputed transactions and the coordinated verification process. A supervised institution may hold disputed funds for up to 30 days (extension only by court order), must promptly notify the BSP, and faces administrative action for improper or over-long holds.

Fiduciary supports this directly. POST /v1/money-lock and POST /v1/incident record the fund hold and the coordinated-verification clock as signed, timestamped, court-admissible events, and POST /v1/kill-switch seals the customer-triggered account suspension.
RA 12010 §§7–11 Fund hold · 30 days Coordinated verification View safeguards →
Login & Account Security (Fiduciary module)
BSP 1213 §4 · NIST 800-63B · AFASA §6–§7 · drop-in
Fiduciary's phishing-resistant strong customer authentication plus account protection, adopted by any app through one Bearer key. Core terms:

SCA (Strong Customer Authentication): a challenge–response login where the device proves possession of a credential — POST /v1/auth/challengePOST /v1/auth/verify.
AAL (Authenticator Assurance Level, NIST 800-63B): AAL2 for standard logins, AAL3 for high-value actions (amount > ₱100,000), which force a step-up factor.
Passkey / WebAuthn: the phishing-resistant credential that signs the server challenge — nothing phishable is transmitted.
FAS (Fiduciary Auth Session): an HMAC-SHA256-signed, tamper-evident session token issued at verify and validated at POST /v1/auth/session.
Kill switch / Money lock (AFASA, June 2026): customer-triggered controls that suspend the account or lock funds against digital transfer — POST /v1/kill-switch, POST /v1/money-lock.
BSP 1213 §4 NIST 800-63B AAL2/AAL3 Passkey / WebAuthn HMAC-SHA256 session Integration guide →
AFASA — Anti-Financial Account Scamming Act (RA 12010)
Republic Act 12010 · Philippine law · Active
AFASA (Republic Act 12010) is Philippine legislation that establishes institutional liability for banks and financial institutions when customer accounts are used in scam transactions. The law's two key compliance provisions are:

§6 — Institutional liability: Financial institutions bear liability for scam losses if they fail to implement adequate fraud detection and prevention systems.
§7 — Audit trail: Institutions must maintain a court-admissible, verifiable audit record for every financial transaction. This is directly satisfied by the GET /v1/audit/:id endpoint in the Fiduciary API, which returns an Post-quantum signed, SHA3-256 hash-chained event record permanently resolvable by BSP examiners.
RA 12010 §6 Institutional liability §7 Audit trail AFASA compliance Integration guide →
RA 10173 — Data Privacy Act of 2012
Republic Act 10173 · Philippine law · Active
Republic Act 10173 is the Philippine Data Privacy Act, administered by the National Privacy Commission. In banking compliance context, Section 12 requires that personal data is only processed with Free, Prior, and Informed Consent (FPIC) from the data subject.

The Fiduciary POST /v1/consent endpoint records FPIC consent to UNDRIP Article 19 standards, producing a SHA3-256 hash-chained consent ledger entry that satisfies RA 10173 §12 requirements. The consent_ledger_ref is immutable and Post-quantum signed.
RA 10173 §12 FPIC consent NPC Data privacy Philippines
RA 11057 — Personal Property Security Act
Republic Act 11057 · Philippine law · PPSR
Republic Act 11057 establishes the Personal Property Security Act and the Philippine Registrar of Personal Property Security Rights (PPSR). Under Section 11, registered security interests have legal priority over unregistered claims.

The Indigenous Sovereign Estate Trust holds PPSR registration 2025-372919, establishing the fiduciary chain of authority for the Fiduciary platform under Philippine law.
RA 11057 §11 Priority PPSR 2025-372919 Personal property security

Standards & Cryptography

Post-quantum · NIST FIPS 204
Post-quantum cryptography · Digital signature standard
Post-quantum is the Module-Lattice-Based Digital Signature Algorithm at security parameter set 65, standardized by NIST in FIPS 204 (2024). It is a post-quantum cryptographic signature scheme designed to remain secure against both classical and quantum computing attacks.

Fiduciary applies Post-quantum to every API response, audit trail record, and Fiduciary Access Certificate. This means every compliance event signed by the platform remains court-admissible and cryptographically verifiable even in a post-quantum computing environment — future-proofing BSP compliance evidence for decades.
NIST FIPS 204 Post-quantum cryptography Module-Lattice Quantum-resistant Digital signature
ISP v1.0 — Indigenous Sovereign Protocol
Protocol · Root authority · Layer 0
ISP v1.0 is the Indigenous Sovereign Protocol, the root compliance and authority protocol of the Fiduciary platform. Every API response carries an isp_code field that maps the event to a specific regulatory obligation (e.g. 023 = phishing-resistant authentication under BSP Circular 1213 §4).

The ISP authority chain is: isp://crown/authority/v1.0 → chartered Provider → artifact. This chain is immutable and takes precedence over all platform-level configurations. The protocol is administered by the Indigenous Sovereign Estate Trust (ISET), registered under Philippine law with TIN 683-706-670-000 and PPSR 2025-372919.
ISP v1.0 isp://crown/authority/v1.0 ISET Authority chain
Fiduciary Access Certificate (FAC)
Compliance instrument · Verifiable credential
A Fiduciary Access Certificate is a machine-readable, printable, and publicly verifiable compliance certificate issued to registered institutions by the Fiduciary platform under ISP v1.0.

Each FAC contains: institution identity (name, BSP licence, officer details), issuing authority (ISET identity, TIN, OCN, PPSR), obligations covered (six of nine BSP Circular 1213 obligations), issue date, and an Post-quantum signature. FACs are permanently verifiable at fiduciary.technology/verify?id=[VID] and printable as PDF for BSP examiner submission.
FAC Fiduciary Verified BSP compliance certificate Verify a certificate →

Common Questions

Which BSP Circular 1213 obligations does the API cover?

Six of nine obligations: Obligation 01 (§4(1)) — phishing-resistant identity verification via POST /v1/auth; Obligation 02 (§4(2)) — customer due diligence via POST /v1/kyc/verify; Obligation 03 (§5) — AML/STR screening via POST /v1/aml/screen; Obligation 04 (§3) — transaction risk assessment via POST /v1/risk; Obligation 05 (RA 10173) — data privacy consent via POST /v1/consent; Obligation 06 (AFASA §7) — audit trail via GET /v1/audit/:id. Obligations 07, 08, and 09 are institutional responsibilities that this API provides evidentiary support for.

What does AFASA §7 require and how does the API satisfy it?

AFASA Section 7 requires financial institutions to maintain a court-admissible, verifiable audit trail for every financial transaction. The Fiduciary GET /v1/audit/:id endpoint satisfies this by returning a SHA3-256 hash-chained audit record signed with Post-quantum. Every compliance event (identity check, KYC, AML screen, BSP gate, consent, audit log) produces an audit_id that permanently resolves at fiduciary.technology with full event detail, timestamp, and cryptographic signature.

Is the Fiduciary API sandbox free?

Yes. The sandbox is free and does not consume production quota. Public visitors can try all six endpoints immediately at fiduciary.technology/try using the public demo key (50 calls/day). Registered institutions receive a personal sandbox key with 500 calls/day at no charge. Sandbox responses are identical to production responses but carry "sandbox": true in the JSON body.

What is the Indigenous Sovereign Estate Trust (ISET)?

The Indigenous Sovereign Estate Trust (ISET) is the Philippine-registered trust entity that administers the ISP v1.0 protocol and issues Fiduciary Access Certificates. ISET holds TIN 683-706-670-000, OCN 098RC20260000001023, and PPSR registration 2025-372919. Its legal authority derives from the Philippine Civil Code Articles 1440–1457 (trusts), RA 8792 (electronic records), RA 11057 (PPSR priority), and UNDRIP Articles 3, 4, 19, and 20. ISET acts as the sovereign issuer of all FACs — the chartered Provider (Fiduciary) operates under ISET's authority, not the other way around.