Regulatory Framework
Laws & Circulars
The primary regulatory instruments governing BSP-supervised financial institutions in the Philippines, as mapped by the Fiduciary platform.
BSP Circular 1213
Bangko Sentral ng Pilipinas · Active regulation
BSP Circular 1213 is a Bangko Sentral ng Pilipinas (BSP) issuance establishing cybersecurity and compliance standards for all BSP-supervised financial institutions (BSFIs). It mandates nine specific obligations covering identity verification, customer due diligence (CDD), anti-money laundering (AML) screening, transaction risk assessment, data privacy consent, and court-admissible audit trail maintenance.
The Fiduciary API provides direct coverage for six of these nine obligations through compliant REST endpoints, with each response carrying an Post-quantum signature and a BSP-resolvable audit_id.
BSP Circular 1214
Bangko Sentral ng Pilipinas · AFASA implementing rule (s. 2025)
BSP Circular 1214 sets the rules of procedure for inquiry into financial accounts and the sharing of financial account information under AFASA (RA 12010). It governs how a supervised institution and the BSP investigate accounts linked to scam activity and coordinate with law-enforcement authorities.
Fiduciary's role here is evidentiary, not investigative. Every identity, consent, and transaction event is sealed as a post-quantum signed, hash-chained record, so the audit trail an inquiry depends on is admissible and tamper-evident from the moment it is created.
RA 12010 · AFASA
Account inquiry
Information sharing
BSP Circular 1215
Bangko Sentral ng Pilipinas · AFASA §§7–11 (s. 2025)
BSP Circular 1215 implements AFASA §§7–11: the temporary holding of funds subject of disputed transactions and the coordinated verification process. A supervised institution may hold disputed funds for up to 30 days (extension only by court order), must promptly notify the BSP, and faces administrative action for improper or over-long holds.
Fiduciary supports this directly. POST /v1/money-lock and POST /v1/incident record the fund hold and the coordinated-verification clock as signed, timestamped, court-admissible events, and POST /v1/kill-switch seals the customer-triggered account suspension.
Login & Account Security (Fiduciary module)
BSP 1213 §4 · NIST 800-63B · AFASA §6–§7 · drop-in
Fiduciary's phishing-resistant strong customer authentication plus account protection, adopted by any app through one Bearer key. Core terms:
SCA (Strong Customer Authentication): a challenge–response login where the device proves possession of a credential — POST /v1/auth/challenge → POST /v1/auth/verify.
AAL (Authenticator Assurance Level, NIST 800-63B): AAL2 for standard logins, AAL3 for high-value actions (amount > ₱100,000), which force a step-up factor.
Passkey / WebAuthn: the phishing-resistant credential that signs the server challenge — nothing phishable is transmitted.
FAS (Fiduciary Auth Session): an HMAC-SHA256-signed, tamper-evident session token issued at verify and validated at POST /v1/auth/session.
Kill switch / Money lock (AFASA, June 2026): customer-triggered controls that suspend the account or lock funds against digital transfer — POST /v1/kill-switch, POST /v1/money-lock.
AFASA — Anti-Financial Account Scamming Act (RA 12010)
Republic Act 12010 · Philippine law · Active
AFASA (Republic Act 12010) is Philippine legislation that establishes institutional liability for banks and financial institutions when customer accounts are used in scam transactions. The law's two key compliance provisions are:
§6 — Institutional liability: Financial institutions bear liability for scam losses if they fail to implement adequate fraud detection and prevention systems.
§7 — Audit trail: Institutions must maintain a court-admissible, verifiable audit record for every financial transaction. This is directly satisfied by the GET /v1/audit/:id endpoint in the Fiduciary API, which returns an Post-quantum signed, SHA3-256 hash-chained event record permanently resolvable by BSP examiners.
RA 10173 — Data Privacy Act of 2012
Republic Act 10173 · Philippine law · Active
Republic Act 10173 is the Philippine Data Privacy Act, administered by the National Privacy Commission. In banking compliance context, Section 12 requires that personal data is only processed with Free, Prior, and Informed Consent (FPIC) from the data subject.
The Fiduciary POST /v1/consent endpoint records FPIC consent to UNDRIP Article 19 standards, producing a SHA3-256 hash-chained consent ledger entry that satisfies RA 10173 §12 requirements. The consent_ledger_ref is immutable and Post-quantum signed.
RA 10173
§12 FPIC consent
NPC
Data privacy Philippines
RA 11057 — Personal Property Security Act
Republic Act 11057 · Philippine law · PPSR
Republic Act 11057 establishes the Personal Property Security Act and the Philippine Registrar of Personal Property Security Rights (PPSR). Under Section 11, registered security interests have legal priority over unregistered claims.
The Indigenous Sovereign Estate Trust holds PPSR registration 2025-372919, establishing the fiduciary chain of authority for the Fiduciary platform under Philippine law.
RA 11057
§11 Priority
PPSR 2025-372919
Personal property security
Protocol & Technology
Standards & Cryptography
Post-quantum · NIST FIPS 204
Post-quantum cryptography · Digital signature standard
Post-quantum is the Module-Lattice-Based Digital Signature Algorithm at security parameter set 65, standardized by NIST in FIPS 204 (2024). It is a post-quantum cryptographic signature scheme designed to remain secure against both classical and quantum computing attacks.
Fiduciary applies Post-quantum to every API response, audit trail record, and Fiduciary Access Certificate. This means every compliance event signed by the platform remains court-admissible and cryptographically verifiable even in a post-quantum computing environment — future-proofing BSP compliance evidence for decades.
NIST FIPS 204
Post-quantum cryptography
Module-Lattice
Quantum-resistant
Digital signature
ISP v1.0 — Indigenous Sovereign Protocol
Protocol · Root authority · Layer 0
ISP v1.0 is the Indigenous Sovereign Protocol, the root compliance and authority protocol of the Fiduciary platform. Every API response carries an isp_code field that maps the event to a specific regulatory obligation (e.g. 023 = phishing-resistant authentication under BSP Circular 1213 §4).
The ISP authority chain is: isp://crown/authority/v1.0 → chartered Provider → artifact. This chain is immutable and takes precedence over all platform-level configurations. The protocol is administered by the Indigenous Sovereign Estate Trust (ISET), registered under Philippine law with TIN 683-706-670-000 and PPSR 2025-372919.
ISP v1.0
isp://crown/authority/v1.0
ISET
Authority chain
Fiduciary Access Certificate (FAC)
Compliance instrument · Verifiable credential
A Fiduciary Access Certificate is a machine-readable, printable, and publicly verifiable compliance certificate issued to registered institutions by the Fiduciary platform under ISP v1.0.
Each FAC contains: institution identity (name, BSP licence, officer details), issuing authority (ISET identity, TIN, OCN, PPSR), obligations covered (six of nine BSP Circular 1213 obligations), issue date, and an Post-quantum signature. FACs are permanently verifiable at fiduciary.technology/verify?id=[VID] and printable as PDF for BSP examiner submission.